Chapter 13: Active Directory Certificate Services Flashcards
(38 cards)
Define a symmetric key
A single key (a password or shared secret) is used both to encrypt and to decrypt the data, or to grant access; every party that needs the data must hold the same key, so the hard part is distributing it safely
Define an asymmetric key
Uses a mathematically linked public/private key pair. The public key is shared freely (for example inside a TLS certificate) and the private key stays with its owner; what one key of the pair does, only the other can undo. For confidentiality, data is encrypted with the recipient's public key and decrypted with the recipient's private key (for a web server, the private key is installed on the server and the public key travels to clients in the server certificate). For signing, the signer uses the private key and anyone holding the public key can verify. Private keys are never distributed; during authentication a party proves possession of its private key (for example by signing a challenge) without revealing it.
How is data signed as a means of verification and encrypted together to improve security of the data during transfer/receipt?
- A hashing algorithm is applied to the original data to produce a message digest (hash value) that represents the data as sent, so integrity can be checked later; the sender then signs the digest with their private key, producing the digital signature. The package also carries the sender's public key (in practice the sender's certificate) so the recipient can verify the signature
- A one-time symmetric key is generated and used to encrypt the data, the message digest and the digital signature together; the symmetric key is then encrypted with the recipient's public key, so only the recipient can recover it with their private key and go on to decrypt the data
When receiving signed/encrypted data, how is it decrypted?
Decrypt the symmetric key with your own private key; the recovered symmetric key then decrypts the data
When receiving signed/encrypted data, how is the digital signature verified?
Recover the message digest from the signature with the sender's public key, then recompute the hash of the received data with the same algorithm; the two digests must match. A match proves both integrity (the data is unchanged) and origin (only the sender's private key could have produced that signature).
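The sign-then-encrypt flow described in the last three cards, carried through as an added example (this code is not from the original flashcards). It is PowerShell 7 on .NET 6 or later; keys, message text and the package layout (a hashtable with a JSON inner body) are constructed for the demo. In a real PKI the sender's public key would arrive inside a certificate and the private keys would live in a key store, TPM or HSM rather than in variables. .NET's SignHash/VerifyHash perform the private-key operation on the digest that the cards describe as "encrypting the digest with the private key".

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

function Protect-Message {
    param([byte[]]$Data, [RSA]$SenderPrivate, [RSA]$RecipientPublic)

    # Step 1: message digest, then a digital signature over that digest made with
    # the sender's private key (SignHash is the private-key operation).
    $digest    = [SHA256]::Create().ComputeHash($Data)
    $signature = $SenderPrivate.SignHash($digest, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pss)

    # Step 2: a one-time AES-256 key encrypts data + digest + signature together.
    $aes = [Aes]::Create(); $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()
    $inner = @{
        Data      = [Convert]::ToBase64String($Data)
        Digest    = [Convert]::ToBase64String($digest)
        Signature = [Convert]::ToBase64String($signature)
    } | ConvertTo-Json -Compress
    $innerBytes = [Encoding]::UTF8.GetBytes($inner)
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($innerBytes, 0, $innerBytes.Length)

    # Step 3: wrap the AES key with the recipient's public key (RSA-OAEP), so only
    # the holder of the matching private key can recover it.
    $wrappedKey = $RecipientPublic.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)

    # The package carries the sender's public key so the recipient can verify;
    # in a PKI this would be the sender's certificate, not raw key parameters.
    return @{
        WrappedKey      = $wrappedKey
        IV              = $aes.IV
        Ciphertext      = $ciphertext
        SenderPublicKey = $SenderPrivate.ExportParameters($false)   # public half only
    }
}

function Unprotect-Message {
    param([hashtable]$Package, [RSA]$RecipientPrivate)

    # Decrypt: unwrap the symmetric key with our private key, then decrypt the body.
    $aesKey = $RecipientPrivate.Decrypt($Package.WrappedKey, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create(); $aes.Key = $aesKey; $aes.IV = $Package.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Package.Ciphertext, 0, $Package.Ciphertext.Length)
    $inner = [Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
    $data      = [Convert]::FromBase64String($inner.Data)
    $digest    = [Convert]::FromBase64String($inner.Digest)
    $signature = [Convert]::FromBase64String($inner.Signature)

    # Verify: recompute the hash with the same algorithm; it must equal the transported
    # digest, and the signature over it must check out under the sender's public key.
    $recomputed   = [SHA256]::Create().ComputeHash($data)
    $senderPublic = [RSA]::Create(); $senderPublic.ImportParameters($Package.SenderPublicKey)
    $digestMatches = [Linq.Enumerable]::SequenceEqual([byte[]]$recomputed, [byte[]]$digest)
    $sigValid = $senderPublic.VerifyHash($recomputed, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pss)

    return @{ Data = $data; Verified = ($digestMatches -and $sigValid) }
}

# Demo with freshly generated keys (constructed for the example).
$sender    = [RSA]::Create(3072)
$recipient = [RSA]::Create(3072)
$recipientPublic = [RSA]::Create(); $recipientPublic.ImportParameters($recipient.ExportParameters($false))

$message = [Encoding]::UTF8.GetBytes('Wire transfer approved: ref 4471')   # constructed sample input
$package = Protect-Message -Data $message -SenderPrivate $sender -RecipientPublic $recipientPublic
$result  = Unprotect-Message -Package $package -RecipientPrivate $recipient
"Verified: $($result.Verified)  Text: $([Encoding]::UTF8.GetString($result.Data))"

# Failure mode: a forger who attaches the real sender's public key still cannot
# produce a signature that verifies, because the digest was signed with a different private key.
$forger = [RSA]::Create(3072)
$forged = Protect-Message -Data $message -SenderPrivate $forger -RecipientPublic $recipientPublic
$forged.SenderPublicKey = $sender.ExportParameters($false)
"Forged package verified: $((Unprotect-Message -Package $forged -RecipientPrivate $recipient).Verified)"
```

Windows PowerShell 5.1 is not a good fit for this block: its RSA.Create() returns the legacy CSP provider, which does not support PSS or OAEP-SHA256. Note also that trusting the public key carried in the package is exactly the gap a certificate closes: without a CA signature over that key, the recipient has no way to tell the real sender's key from the forger's.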
What data is included in an SSL/TLS certificate?
- Version: the X.509 version of the certificate format. X.509 was introduced in 1988; certificates in use today are version 3, which added extensions such as Subject Alternative Name and Key Usage.
- Serial number: a unique identifier assigned by the CA; together with the issuer name it identifies the certificate, for example in a CRL.
- Signature algorithm: the algorithm the CA used to sign the certificate (for example RSA).
- Signature hash algorithm: the hash algorithm used in that signature (for example SHA-256).
- Issuer: the name of the CA that issued the certificate.
- Valid from: the start of the validity period (normally the day the CA issued the certificate).
- Valid to: the day the certificate expires.
- Subject: the entity (user, device or service) to which the certificate was issued.
- Public key: the public key of the subject; the matching private key stays with the subject and is never part of the certificate.
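An added example (not part of the original flashcards) that builds a throw-away two-tier hierarchy in memory with .NET's CertificateRequest API and then reads back the fields listed above from each certificate, so the relationship between one certificate's Issuer and its parent's Subject is visible. It assumes PowerShell 7 (.NET 6 or later); the names Corp Root CA, Corp Issuing CA 01 and www.corp.example are made up. The last function is the check a practitioner actually wants: that a leaf chains to the specific root they expect, not merely to some root.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# CA certificate: self-signed when no issuer is given (root), otherwise signed by the issuer.
function New-CaCertificate {
    param([string]$Subject, [X509Certificate2]$Issuer, [int]$PathLength, [int]$Years)
    $key = [RSA]::Create(4096)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $true, $PathLength, $true))
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
        [X509KeyUsageFlags]::KeyCertSign -bor [X509KeyUsageFlags]::CrlSign, $true))
    $req.CertificateExtensions.Add([X509SubjectKeyIdentifierExtension]::new($req.PublicKey, $false))
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
    if ($null -eq $Issuer) {
        return $req.CreateSelfSigned($notBefore, $notBefore.AddYears($Years))
    }
    $serial = [RandomNumberGenerator]::GetBytes(16)          # unique per issuer
    $cert = $req.Create($Issuer, $notBefore, $notBefore.AddYears($Years), $serial)
    return [RSACertificateExtensions]::CopyWithPrivateKey($cert, $key)   # a CA must be able to sign
}

# End-entity (web server) certificate issued by a CA; no CA bits, serverAuth EKU, SAN.
function New-LeafCertificate {
    param([string]$Subject, [string]$DnsName, [X509Certificate2]$Issuer)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new(
        [X509KeyUsageFlags]::DigitalSignature -bor [X509KeyUsageFlags]::KeyEncipherment, $true))
    $san = [SubjectAlternativeNameBuilder]::new(); $san.AddDnsName($DnsName)
    $req.CertificateExtensions.Add($san.Build($false))
    $eku = [OidCollection]::new(); [void]$eku.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # serverAuth
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($eku, $false))
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
    return $req.Create($Issuer, $notBefore, $notBefore.AddYears(1), [RandomNumberGenerator]::GetBytes(16))
}

# The fields from the flashcard, read back from a certificate object.
function Show-CertificateFields {
    param([X509Certificate2]$Cert)
    [pscustomobject]@{
        Version            = $Cert.Version                          # 3 for X.509 v3
        SerialNumber       = $Cert.SerialNumber
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA: hash + signature algorithm
        Issuer             = $Cert.Issuer
        ValidFrom          = $Cert.NotBefore
        ValidTo            = $Cert.NotAfter
        Subject            = $Cert.Subject
        PublicKey          = "$($Cert.PublicKey.Oid.FriendlyName) $([RSACertificateExtensions]::GetRSAPublicKey($Cert).KeySize) bit"
    }
}

# Chain validation pinned to an expected root.
function Test-Chain {
    param([X509Certificate2]$Leaf, [X509Certificate2[]]$Intermediates, [X509Certificate2]$ExpectedRoot)
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # the test root publishes no CRL
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.AddRange($Intermediates)
    [void]$chain.ChainPolicy.ExtraStore.Add($ExpectedRoot)
    $built = $chain.Build($Leaf)
    # AllowUnknownCertificateAuthority only suppresses the "untrusted root" status,
    # so pin the terminal certificate of the built chain to the root we expect.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $built -and ($top.Thumbprint -eq $ExpectedRoot.Thumbprint)
}

$root    = New-CaCertificate -Subject 'CN=Corp Root CA, O=Corp' -PathLength 1 -Years 20
$issuing = New-CaCertificate -Subject 'CN=Corp Issuing CA 01, O=Corp' -Issuer $root -PathLength 0 -Years 10
$web     = New-LeafCertificate -Subject 'CN=www.corp.example' -DnsName 'www.corp.example' -Issuer $issuing

foreach ($c in $root, $issuing, $web) { Show-CertificateFields $c | Format-List }
"Chain valid to expected root: $(Test-Chain -Leaf $web -Intermediates @($issuing) -ExpectedRoot $root)"

# Failure mode: a different root with the same Subject name does not make the chain valid.
$rogueRoot = New-CaCertificate -Subject 'CN=Corp Root CA, O=Corp' -PathLength 1 -Years 20
"Chain to same-named rogue root: $(Test-Chain -Leaf $web -Intermediates @($issuing) -ExpectedRoot $rogueRoot)"
```

On .NET 5 and later the cleaner way to pin a root is ChainPolicy.TrustMode = CustomRootTrust with the root placed in ChainPolicy.CustomTrustStore; the thumbprint comparison above works on every runtime and makes the point explicit.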
What is best practice when configuring CAs in an environment?
Keep the root CA offline and bring it online only when required (for example to sign a new subordinate CA certificate or to publish a fresh CRL). For the security of the whole hierarchy, the root CA should issue certificates only to subordinate CAs, never to end entities.
What are the responsibilities of the subordinate CA in a best practice environment?
Subordinate CAs are responsible for issuing, storing, managing, and revoking certificates for users, devices, or services; also known as issuing CAs
What are the responsibilities of the intermediate CA in a best practice environment?
Subordinate CAs can have more subordinate CAs under them. In such situations, subordinate CAs are also responsible for issuing certificates for their own subordinate CAs. The parent subordinate CAs are called intermediate CAs.
What is a certificate enrollment web service?
Allows users, computers or services to request or renew certificates over HTTPS through a web service, instead of talking RPC/DCOM directly to the CA, so clients that are not domain-joined or not on the internal network can still enroll; it is normally deployed together with the Certificate Enrollment Policy Web Service
What is “Certificate Enrollment Policy Web Service”
Companion to the Certificate Enrollment Web Service: when a client asks which certificates it may request, the Enrollment Policy Web Service queries AD DS over LDAP and returns the enrollment policy (the available templates and where to send requests). With that policy in hand, the client submits its certificate request through the Certificate Enrollment Web Service.
What is “Certification Authority Web Enrollment”
Users, computers or services can request certificates through a web interface (the /certsrv pages). The same interface lets users download the root and intermediate CA certificates needed to validate a certificate, and the CA's certificate revocation list (CRL).
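How the three web roles from the last three cards are installed and then used from a client, as an added example (not from the original flashcards). The host names enroll.corp.example, CA01.corp.example and web01.corp.example, the CA name Corp Issuing CA 01 and the WebServer template are assumed. The client side assumes a domain-joined machine that can reach a domain controller for Kerberos but is on a segment where RPC/DCOM to the CA is blocked; the cmdlets are the stock ADCSDeployment and PKIClient ones.

```powershell
# ===== Enrollment server (domain-joined, IIS; assumed names) =====
$CaConfig = 'CA01.corp.example\Corp Issuing CA 01'       # "<host>\<CA common name>"
$TlsThumb = (Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.Subject -like 'CN=enroll.corp.example*' }).Thumbprint   # existing TLS cert

Install-WindowsFeature ADCS-Enroll-Web-Pol, ADCS-Enroll-Web-Svc, ADCS-Web-Enrollment -IncludeManagementTools

# Certificate Enrollment Policy Web Service: answers "which templates may I request?"
# by reading AD DS over LDAP and returning the policy to the client over HTTPS.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint $TlsThumb -Force

# Certificate Enrollment Web Service: accepts the request over HTTPS and forwards it to the CA.
# With Kerberos and the app-pool identity, this server's computer account must be trusted for
# constrained delegation to the CA host (HOST/ and rpcss/ services) or forwarding fails.
Install-AdcsEnrollmentWebService -CAConfig $CaConfig -ApplicationPoolIdentity `
    -AuthenticationType Kerberos -SSLCertThumbprint $TlsThumb -Force

# Certification Authority Web Enrollment: the /certsrv pages for browser-driven requests
# and for downloading the CA certificate chain and the CRL.
Install-AdcsWebEnrollment -CAConfig $CaConfig -Force

# ===== Client: domain identity, HTTPS and Kerberos reachable, no RPC/DCOM path to the CA =====
# Default CEP endpoint path for Kerberos authentication.
$PolicyUrl = 'https://enroll.corp.example/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'
Add-CertificateEnrollmentPolicyServer -Url $PolicyUrl -context Machine -AutoEnrollmentEnabled

# 1. CEP returns the policy (template list); 2. the request itself goes through CES to the CA.
$cert = Get-Certificate -Template WebServer -Url $PolicyUrl -DnsName 'web01.corp.example' `
            -CertStoreLocation Cert:\LocalMachine\My
$cert.Status                                                     # Issued, or Pending if the template needs approval
$cert.Certificate | Format-List Subject, Issuer, NotAfter, Thumbprint

# Check that the issued certificate chains and that its CRL/AIA URLs are actually reachable.
Export-Certificate -Cert $cert.Certificate -FilePath C:\PKI\web01.cer | Out-Null
certutil -verify -urlfetch C:\PKI\web01.cer
```

For clients that are not domain-joined at all, install CEP and CES with -AuthenticationType UserName (endpoint path ADPolicyProvider_CEP_UsernamePassword) or Certificate (ADPolicyProvider_CEP_Certificate) and pass -Credential to Get-Certificate. Keep all three endpoints HTTPS-only; if CES/CEP cover every enrollment path, the older /certsrv role can be left uninstalled, since it is a browser-facing surface you then do not need.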
What are the two types of Certificate Authorities (CAs)?
Standalone and Enterprise
What are the functions/features of a standalone CA?
- Does not depend on AD DS; can be installed on a member server or standalone server in a workgroup
- Can stay offline
- Does not use certificate templates; every attribute of the certificate must be supplied in the request itself
- Manual or web enrollment
- Manual cert approval process
- Certificate issuance and management do not rely on AD DS (the requester is not looked up in the directory)
What are the functions/features of an enterprise CA?
- Can only be installed on a member server
- Must stay online, because it depends on AD DS
- Customized certificate templates supported
- Auto, manual, or web enrollment
- Cert approval process is manual or automatic based on the policy
- Subject information for certificate fields is retrieved from the requester's AD DS object rather than typed into the request
- Certificate issuing and managing using AD DS is supported
What is the best use case for a standalone CA?
Standalone CAs are mostly used as the root CA, because they do not depend on AD DS and can therefore be kept offline and brought online only when needed
What is the purpose of a root certificate authority (CA)?
Root CAs are used only to issue (and, if necessary, revoke) certificates for subordinate/intermediate CAs; they should never issue end-entity certificates
What is the benefit/advantage that an enterprise CA has in terms of cert management?
Enterprise CAs allow engineers to create certificate templates with specific requirements and publish those via AD DS. End users can request certificates based on these templates
Are there any licensing requirements to utilize an enterprise CA?
On Windows Server 2008 and earlier, the full Enterprise CA feature set required the Enterprise or Datacenter Edition. Since Windows Server 2008 R2 all AD CS features are available on every edition, so on current versions there is no edition requirement.
What are the different PKI deployment models?
- Single-tier
- Two-tier
- Three-tier
Describe a “single-tier” PKI deployment model
- The simplest deployment model for a PKI; not recommended for use in any production network as it’s a single point of failure
- A single CA will act as a root CA and issuing CA
What are the advantages of a single-tier PKI deployment?
- Fewer resources are needed to manage it
- Deployment is faster and it is possible to get the CA running in a short timeframe
What are the disadvantages of a single-tier PKI deployment?
- There is a high possibility of compromise, as the root CA is online and running all the PKI-related roles from one single server. If someone gets access to the private key of the root CA, they have complete ownership over the PKI
- There is a lack of redundancy, as certificate issuing and management all depend on a single server
- It is not scalable, and the hierarchy will need to be restructured if more role servers need to be added
Describe a “two-tier” PKI deployment model
- In this design, the root CA is kept offline. This helps to protect the private key of the root certificate from being compromised
- Root CAs issue certificates for subordinate CAs, and subordinate CAs are responsible for issuing certificates for objects and services
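The two-tier deployment from the last card as an added, end-to-end example (not from the original flashcards), which also shows the standalone/enterprise split from the earlier cards: a standalone root in a workgroup that is taken offline, and an enterprise subordinate on a domain member that does the issuing. Host names ROOTCA, CA01 and pki.corp.example, the CA names Corp Root CA and Corp Issuing CA 01, the drive letters and the C:\PKI folder are assumed. Steps marked as comments run on a different machine from the surrounding lines.

```powershell
# ===== 1. Root CA: standalone, workgroup server, powered off once the issuing CA is signed =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'Corp Root CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The root only ever signs subordinate CA certificates, so: long CRL, no delta CRL, and
# CDP/AIA on an HTTP host that stays reachable while the root is off. Set these BEFORE
# signing the subordinate, because they are stamped into the subordinate's extensions.
# certutil flag 1 = publish to this path, 2 = include this URL in issued certificates;
# %1 = server DNS name, %3 = CA name, %4 = cert index, %8 = CRL name suffix.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.corp.example/CertEnroll/%3%8.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.corp.example/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10          # subordinate CA certificates live 10 years
certutil -setreg CA\ValidityPeriod "Years"
Restart-Service certsvc
certutil -crl                                       # publish the first CRL into CertEnroll\

# ===== 2. Issuing CA: enterprise subordinate on a domain member, stays online =====
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'Corp Issuing CA 01' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\PKI\CA01.req' -Force
# The service is installed but cannot start until its own CA certificate is installed.

# ===== 3. On the root (request carried over on removable media D:) =====
#   certreq -submit -config "ROOTCA\Corp Root CA" D:\CA01.req          (standalone CA: request goes to Pending)
#   certutil -resubmit <RequestId>                                      (manual approval, as on any standalone CA)
#   certreq -retrieve -config "ROOTCA\Corp Root CA" <RequestId> D:\CA01.crt
#   Copy D:\CA01.crt plus CertEnroll\ROOTCA_Corp Root CA.crt and Corp Root CA.crl off the root, then power it off.

# ===== 4. Back on the issuing CA: trust and publish the root, install our certificate, go live =====
certutil -dspublish -f 'D:\ROOTCA_Corp Root CA.crt' RootCA     # AD DS: domain members pick it up as a trusted root
Copy-Item 'D:\ROOTCA_Corp Root CA.crt', 'D:\Corp Root CA.crl' '\\pki.corp.example\CertEnroll\'   # serve CDP/AIA
certutil -installcert 'D:\CA01.crt'
Start-Service certsvc

# Enterprise CA: templates come from AD DS. Publish only what this CA is meant to issue.
Get-CATemplate                                       # templates currently enabled on this CA
Add-CATemplate -Name WebServer -Force

# Sanity check: the issuing CA's own certificate must chain to the root and every CDP/AIA URL must resolve.
certutil -verify -urlfetch "$env:WINDIR\System32\CertSrv\CertEnroll\CA01.corp.example_Corp Issuing CA 01.crt"
```

Run the urlfetch check from a workstation as well, not just from the CA: the most common post-deployment failure is an HTTP CDP that the CA can reach but clients cannot, which makes every issued certificate fail revocation checking the moment the root's CRL is required.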