2008 R2 ADS Vocabulary - Session 6 Flashcards
Certificate Authorities
Secure communication of data over a network can be achieved by encrypting the data. You can encrypt the data before transmission by using a key and decipher it by using the same key after it reaches the desired location. You can ensure the security of the data by sharing the key only between trusted parties. A certification authority (CA) makes that trust possible at scale: it issues certificates that bind a public key to a verified identity, so parties can authenticate each other and agree on keys without having exchanged anything beforehand.
When configuring a CA you need to specify its type.
Enterprise Root CA or Enterprise Subordinate CA
Enterprise CAs are integrated in Active Directory Domain Services (AD DS).
Enterprise CAs are integrated in
Active Directory Domain Services (AD DS). These CAs use certificate templates, and publish their certificates and CRLs to AD DS. Certificate templates are predefined configurations that enable a CA to create new certificates by using predefined settings. Information in an AD database is used to approve or deny a certificate enrollment request automatically.
An enterprise CA can be specified as a
root or subordinate CA. Only one root CA is permissible in a CA hierarchy. All the other CAs in the hierarchy should be enterprise subordinate CAs, which obtain their CA certificates from the root CA (or from a subordinate CA above them) and can issue certificates to users and computers.
Stand-Alone Root CA or Stand-Alone Subordinate CA
Stand-alone CAs do not use certificate templates and do not require AD DS. These CAs do not respond to certificate enrollment requests automatically.
A stand-alone CA can be specified as a
root CA or a stand-alone subordinate CA. If only one stand-alone CA is created, it must be a root CA, because every CA hierarchy must be traceable to a root CA.
A root CA is the
first CA installed in a new hierarchy. Its certificate is self-signed, and every other CA in the hierarchy chains up to it.
After setting up a root CA, a subordinate CA can also be installed in the
hierarchy of the organization's PKI so that the root CA can be protected (typically by taking it offline). The root CA issues a CA certificate to the subordinate, which then answers certificate requests from users and computers.
Setting up an enterprise subordinate CA requires
a network connection to a domain controller.
Configuring Autoenrollment
Two tasks need to be completed to automatically enroll clients for certificates in a domain environment:
- Configure a certificate template with Auto-enroll permissions
- Configure an autoenrollment group policy within the domain
A CA evaluates
certificate requests and issues certificates, if the predefined conditions set for allocating certificates to requesters are fulfilled.
The allocation of a certificate to an entity or a user is known as
certificate enrollment
. A user needs to submit a request for a certificate to a
CA
The format of the request, such as PKCS #10 or PKCS #7, must be able to carry
the identity of the user requesting the certificate together with the public key to be certified.
The CA issues the certificate to the
requester after verifying the identity of the requester.
When a CA receives an enrollment request, the following actions take place:
- The CA verifies the digital signature on the request using the public key contained in the request (proof that the requester holds the matching private key)
- The CA hashes the certificate contents it is about to issue (requester identity, public key, validity period, template settings)
- The CA signs that hash with its own private key, which binds the user's public key to the user's identity in an X.509 certificate
- The user distributes copies of its X.509 certificate
- Entities that trust the CA validate the user's X.509 certificate by checking the CA's signature on it
Issuing the Certificate Template
After configuring a certificate template for autoenrollment and configuring the GPO settings, you need to
issue the certificate template on the CA, that is, add it to the list of templates the CA is allowed to issue. Certificates requested against the template are then processed automatically by the CA. Some certificate templates are already issued by default.
If the certificate template is not already issued, you need to
add it in the Certification Authority console (Certificate Templates, New, Certificate Template to Issue).
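The two autoenrollment tasks listed earlier (template permissions and the autoenrollment policy) plus the "issue the template" step above, carried out from PowerShell. This is an added example, not part of the original flashcards; the template name CorpWorkstation, the group Workstation-Autoenroll and the GPO name Computer Autoenrollment are assumptions. It runs on a domain member with the ActiveDirectory and GroupPolicy modules, and the certutil lines need CA Administrator rights on the CA.

```powershell
# Added example (not from the original flashcards). Assumed names: template
# "CorpWorkstation", group "Workstation-Autoenroll", GPO "Computer Autoenrollment".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$template   = "CorpWorkstation"
$groupSid   = (Get-ADGroup "Workstation-Autoenroll").SID
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Step 1: grant Read + Enroll + Autoenroll on the template object in AD DS.
# Enroll and Autoenroll are control-access rights identified by fixed GUIDs.
$enrollRight     = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment
$autoenrollRight = [Guid]"a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # Certificate-AutoEnrollment
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$templateDN"
$acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList @($groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
foreach ($right in @($enrollRight, $autoenrollRight)) {
    $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $right)))
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Step 2: the "Certificate Services Client - Auto-Enrollment" policy is stored as a
# registry value under the GPO. 7 = Enabled, renew expired / update pending / remove
# revoked, and update certificates that use templates.
Set-GPRegistryValue -Name "Computer Autoenrollment" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 7

# Step 3: issue (publish) the template on the CA so it will process requests for it.
certutil -SetCATemplates "+$template"

# Checks: list the templates the CA issues, then trigger autoenrollment on a client
# (the client must have refreshed policy with gpupdate first).
certutil -CATemplates
certutil -pulse
```

If a client still does not enroll, the usual causes are the GPO not being linked to the OU that holds the client, the client lacking Autoenroll (not just Enroll) on the template, or the template not appearing in the certutil -CATemplates output on the CA.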
Configuring Default CA Settings
The administrator can configure two default actions that a CA can take on receiving a certificate request:
- The certificate request can be automatically approved by the CA
- The CA administrator can review the request, which changes the status of the request to pending in the CA, and take appropriate actions
Issued certificates can be stored locally on the
computer or device that requested the certificate.
Certificates that are issued by a CA are stored
in the CA database (shown in the Issued Certificates view of the Certification Authority console).
When a certificate is issued, it is copied to
FileName.cer,
where FileName is the
request ID of the certificate request. The file is written to the CertEnroll folder on the CA. This copy is made by the CA's exit module only when it has been configured to publish certificates to the file system; by default the CertEnroll folder holds just the CA's own certificate and its CRLs.
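The enrollment cycle described above (request submitted, CA evaluates it, request pending, Certificate Manager approves, requester retrieves and installs the certificate), driven with certreq and certutil against a stand-alone CA that has been left at its default of holding requests as pending. This is an added example, not part of the original flashcards; the CA config string corpca.corp.example\Corp Issuing CA, the subject name and the file names are assumptions.

```powershell
# Added example (not from the original flashcards). Assumed CA config string
# (host\CA name); the .inf contents and file names are also assumptions.
$ca = "corpca.corp.example\Corp Issuing CA"

# CA side: inspect the policy module disposition. The console checkbox
# "Set the certificate request status to pending" changes this value.
certutil -config $ca -getreg Policy\RequestDisposition

# Requester side: build a PKCS #10 request. certreq generates the key pair and
# signs the request with the new private key; that signature is what the CA
# verifies as proof of possession before it issues anything.
@"
[NewRequest]
Subject = "CN=appsrv01.corp.example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
"@ | Set-Content -Path .\appsrv01.inf

certreq -new .\appsrv01.inf .\appsrv01.req

# Submit. On a pending CA the output contains "RequestId: N" and
# "Certificate request is pending"; capture the request ID for the next steps.
$submit    = certreq -submit -config $ca .\appsrv01.req .\appsrv01.cer
$match     = $submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
$requestId = [int]$match.Matches[0].Groups[1].Value

# CA side: a holder of the Certificate Manager role reviews the pending request
# in the console (Pending Requests) or approves it from the command line.
certutil -config $ca -resubmit $requestId

# Requester side: retrieve the issued certificate by request ID and bind it to
# the private key in the local machine store.
certreq -retrieve -config $ca $requestId .\appsrv01.cer
certreq -accept .\appsrv01.cer
```

The request ID returned at submit time is the same ID shown in the Issued Certificates view and used in the FileName.cer copy described above, so it is the handle to keep in a ticket while a request waits for review.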
CONFIGURE CA SERVER SETTINGS
Assigning Roles to Users
The administration of an organization or any other group can be divided according to roles. The administration of a CA can be organized by using separate CA roles. This administration is known as role-based administration.
In a CA, a role is assigned to a user by assigning the security settings of the role. Security settings associated with a role are specific for every role.
All roles in a CA are assigned and modified by the members of local Administrators, Enterprise Admins, or Domain Admins groups. In an enterprise CA, the role of the administrator is assigned to the members of these groups by default.
In a stand-alone CA, the role of the CA administrator is only assigned to the members of the Local Administrators group. By default, the administrator role is also assigned to the members of the Domain Admins group in a stand-alone CA, if the stand-alone CA is joined to an Active Directory domain.
There are four roles that can be assigned to users in a CA:
Certificate Manager
Auditor
CA Administrator
Backup Operator
Certificate Manager
can approve certificate enrollment and revocation requests. This role can be configured by using the Certification Authority snap-in.
Auditor
can configure, maintain, and view audit logs. This role is an operating system role.
CA Administrator
The CA administrator can configure the CA, renew the CA certificate, and assign all the other roles to users. It is granted through the Manage CA permission and is held by default by the groups listed above (local Administrators, and on an enterprise CA also Enterprise Admins and Domain Admins). It can be configured by using the Certification Authority snap-in.
Backup Operator
can perform system backup and recovery, including backing up and restoring the CA database and keys. This is an operating system role granted through the Back up files and directories and Restore files and directories user rights.
The Issue and Manage Certificates permission is assigned to this role.
Certificate Manager
The Manage Auditing and Security Log permission is assigned to this role.
Auditor
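The Auditor and CA Administrator roles above are only useful if the CA actually emits audit events and if one account cannot quietly hold two roles at once. The following is an added example, not part of the original flashcards, run on the CA as a member of the local Administrators group; it turns on all CA audit categories, enforces role separation, and enables the operating-system audit subcategory that the Auditor role depends on.

```powershell
# Added example (not from the original flashcards). Run on the CA server.

# Enable all seven CA audit event categories (AuditFilter bits 0x01..0x40 = 127):
# start/stop, backup/restore, issue/manage requests, revoke/CRL, change CA security,
# archive/recover keys, change CA configuration.
certutil -setreg CA\AuditFilter 127

# Enforce role separation: an account holding more than one CA role
# (e.g. CA Administrator and Certificate Manager) is denied all CA operations.
certutil -setreg CA\RoleSeparationEnabled 1

# Both values are read at service start.
Restart-Service CertSvc

# The Auditor role is the OS "Manage auditing and security log" user right, and CA
# audit events are only written when the Object Access subcategory
# "Certification Services" is audited.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Checks: confirm the CA picked up both settings and that the subcategory is on.
certutil -getreg CA\AuditFilter
certutil -getreg CA\RoleSeparationEnabled
auditpol /get /subcategory:"Certification Services"
```

Before enabling role separation, review who holds which CA permissions on the Security tab of the CA properties: because local Administrators hold CA Administrator by default, an administrator who has also been given Issue and Manage Certificates will be locked out of the CA until one of the two assignments is removed.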