Section 6 - Chapter 15 Flashcards
AD CS Role Services
Certificate Authority - issues and manages certs
CA Web Enrollment - allows users to: request and renew certs, retrieve CRLs, enroll for smart card certs
Online Responder - makes cert revocation data accessible
Network Device Enrollment Service - certs for routers and other hardware
Cert Enrollment Web Services - enroll and renew certs when computer does not belong to domain or is outside security boundary
Cert Enrollment Policy Web Service - provides policy-based auto-enrollment for Cert Enrollment Web Service users; provides policies, not certs
Comparison
Publish CA config to AD DS
Stand Alone - optional
Enterprise - mandatory
Comparison
CA Cert Data Integration w/ AD DS Forests
Stand Alone - optional, manual process
Enterprise - mandatory and automatic
Comparison
CRL publication in AD DS Forest
Stand Alone - optional, manual process
Enterprise - mandatory and automatic, includes delta CRLs and cross certificates
Comparison
AD DS Forest publication assigned at the per-template level as an attribute of the template
Stand Alone - n/a
Enterprise - supported
Comparison
Web Enrollment for cert requests and validation
Stand Alone - supported
Enterprise - supported
Comparison
Cert MMC for request and validation
Stand Alone - n/a
Enterprise - supported
Comparison
Cert requests thru http or https
Stand Alone - supported
Enterprise - supported
Comparison
Cert requests thru RPC and DCOM
Stand Alone - n/a
Enterprise - default mode
Comparison
V1 templates with custom object identifiers (OID) as source of certs
Stand Alone - Default
Enterprise - n/a
Comparison
V2 & V3 templates - can be customized and duplicated
Stand Alone - n/a
Enterprise - default
Comparison
User input during cert requests
Stand Alone - manual
Enterprise - retrieved from AD DS
Comparison
Supported enrollment methods
Stand Alone - automatic or pending for all templates
Enterprise - automatic or pending, applied on a per template basis
Comparison
Cert approval process
Stand Alone - manual
Enterprise - manual or auto thru AD DS
Comparison
Cert Publishing
Stand Alone - manually to client or CA, AD DS thru custom policy module
Enterprise - depends on cert type and setting, can be auto enrolled in the client's cert store and pub’d in AD DS
Comparison
Cert Publishing and management thru AD DS
Stand Alone - n/a
Enterprise - supported
Deployment Options
Stand Alone - DC, Member Server or Stand Alone Server
Standard, Enterprise or Datacenter
Enterprise - DC or Member Server
Enterprise or Datacenter
CPS - Certificate Policy Statement
Clear definition of who your company is
A list of your certificate policies
A general statement of procedures used to issue, assign and revoke certs
A description of methods used to protect CAs
Revocation policy used
AD CS New Features 2008 r2
Certificate Enrollment and Certificate Enrollment Policy Web Services
Certificate enrollment across forests
Better support for high-volume CAs
AD CS Web Services
Cert enroll over http/https
Proxy between client and CA
Direct communication unnecessary
Allows enroll over internet and across forests
Functional Levels Needed for AD CS Web Services
Forest Functional Level 2008 r2
CA running 2003 and above
Client Computers Win 7
Cross Forest Enroll - CA running Enterprise or Datacenter
Cross Forest Enrollment
Two Way Trust
Forest Functional Level 2003
Issue Certs - forest functional level 2003
Enrollment - forest functional level 2008 r2
Clients do not need an update
High Volume CAs
Windows Server Network Access Protection (NAP) may require
Non-persistent cert processing
Bypasses certain CA database operations - not storing each request record and issued cert
Improves performance and reduces CA operational costs
Can no longer revoke certs or manage CRLs
AD CS Hosting Server Config
Multiple processors
Minimal RAM
Separate disks for store on Root
Another disk for logs on Issuing
Medium key lengths
RAID balanced for reliability and performance
Stand Alone Root CA - Installation
AD CS only role needed
Create new private key or use existing
Choose CN - name will be embedded in every subordinate cert issued by the chain, cannot change once installed
Set Validity Period
Select cert db and cert db log file paths
Create a new private key
Only for internal networks
Select Cryptographic Service Provider (CSP)
Key Character Length
Hash Algorithm
Allow Admin Interaction When Private Key is Accessed by the CA
Using An Existing Key
Reinstalling Machine
Chained to 3rd Party, must be pre-installed
Roles That Can Be Installed AD CS
Certificate Authority
CA Web Enrollment
Online Responder
Network Device Enrollment Service
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
CA Properties
General Tab
Name, cryptography, hash setting, view cert
CA Properties
Policy Module Tab
Properties - Request Handling
Pending, Admin Must Install
Follow Settings in Template or Automatic
CA Properties
Exit Module
Windows Default - publishes certs when issued
Properties - allow certs to be pub’d to file system
CA Properties
Extensions
CRL Distribution Point (CDP)
Authority Information Access (AIA)
Specify locations from which users can obtain a CRL
Publishing options
CA Properties
Storage
Shows if AD DS integrated
Paths to db and db logs
CA Properties
Certificate Managers
Can restrict Administrators, Domain Admins and Enterprise Admin rights or others who have been added thru the Security Tab
Allow or Deny
CA Properties
Auditing Options
Back up and Restore
Changes to Configuration
Changes to Security Settings
Issue and Manage Cert Requests
Revoke Certs and Publish CRLs
Store and Retrieve Archive Keys
Start and Stop AD CS
CA Properties
Security
Permissions
Read
Issue and Manage Certs (Local, Domain & Enterprise Admins)
Manage CA (Local, Domain and Enterprise Admins)
Request Certs (authenticated users)
Can add users or groups that can then be allowed or denied management rights on the Certificate Management tab
certutil
- viewstore = verifies publication
- dspublish = publishes a cert or CRL to AD
- resubmit = resubmit a pending request
- revoke = revoke a cert
- CRL = publishes a new CRL
- pulse = pulse autoenroll events
Enterprise Issuing CA Install
CA and OR
Automatically adds: IIS and RSAT
Do not select Allow Admin Interaction - must be able to interact with all users needing certs
Make request for cert or save request and do manually, save to docs folder
Adding Root CA cert to Issuing CA
On Root - rc Contoso-Root-CA, all tasks, submit new request, specify file location
rc Pending Requests, all tasks, Issue
rc Issued Cert, Details tab, Copy to File > opens export wizard, choose format
Export File Formats
DER encoded binary x.509 (.cer) - non Windows computers
Base-64 encoded x.509 (.cer) - support S/MIME, usually used for non-windows on servers
Cryptographic Message Syntax Standard - PKCS #7 - (.p7b) - transfers certs and their chained paths
Personal Info Exchange - PKCS #12 - (.pfx) - transfers certs and their chained paths, and transfers the private key as well as the public key
Microsoft Serialized Cert Store - transfers root certs from one computer to another
Import Cert and Start Service on Issuing
rc Issuing-CA, all tasks, install CA cert
rc Issuing-CA, all tasks, start service
CA Properties
Additional Tabs On Enterprise CAs
Enrollment Agents - can restrict enroll agents to certain certs and give allow or deny access
Recovery Agents - archive or do not archive when cert request includes key archival
Prep for Install NDES
Create a service account identity
Server Manager, Config, Local Users and Groups, IIS_IUSRS group > add service account identity
Install NDES
Cannot be installed at the same time as AD CS
rc AD CS, add role services
IIS automatically added
Specify service account identity as user
RA (registration authority) Setup - will assign and manage certs assigned to network devices
Config cryptography
Adds additional web files
Credentials for AD CS Installation
Local Admin
ORs
Responds to specific cert validation requests thru Online Cert Status Protocol (OCSP)
Relies on PKI
Does not need full CRL
Can request validation for a specific cert
OR decodes the validation request, sending back an encrypted response
Finalizing the Config of Issuing CA
Create certificate revocation config
Config and personalize cert templates
Config enrollment and issuance options
Personalizing Templates
EFS - involves planning recovery agent
Wireless Networks - enforces strong authentication and encrypts all communications
Smart Cards - supports two-factor authentication
Website and Enabled e-commerce - web server certs, also can protect DCs and encrypt communication to and from
Create Revocation Config for CA
Specify Cert Revocation List (CRL) distribution points
Config CRL and Delta CRL overlap periods
Schedule pub of CRLs
CRL Distribution Point
Issuing CA, Properties, Extensions Tab
Drop-down list set to CDP; check the "Publish CRLs to this location" and "Publish Delta CRLs to this location" boxes
Config CRL and Delta CRL Overlap Periods
certutil -setreg ca\CRLOverlapUnits value
certutil -setreg ca\CRLOverlapPeriod units
certutil -setreg ca\CRLDeltaOverlapUnits value
certutil -setreg ca\CRLDeltaOverlapPeriod units
Config Pub of the CRLs
Issuing CA, Revoked Certificates, Properties
Set Pub Intervals CRL 1 week, Delta 1 day
For high throughput and high availability, decrease values
Cert Templates Pub to AD DS
Must be connected to DC while working with the templates
Working with Cert Templates
Select source template, rc, duplicate and select version of Windows
Name Template
Customize Template
Save Template
Basic EFS Templates
Request Handling Tab
Archive Subject’s Encryption Private Key
Use Advanced Symmetric Algorithm to Send the Key to the CA
Subject Name Tab
Adds Alternative Subject Name Values
EFS Recovery Agent Template
Publish Cert in AD
Use same settings on other tabs that were used on Basic EFS duplicate
Network Policy Server (NPS) Template
Used for wireless networks
Create and config for autoenrollment
RAS and IAS Server Templates as source for NPS Template
Publish in AD
Security Tab - select RAS and IAS Servers group to assign Autoenroll and Enroll permissions
Smartcard Logon and Smartcard User Templates
Name and publish in AD
Do not use autoenrollment for these, use smart card enrollment stations to distribute cards
Web Server and Domain Controller Authentication Templates
Do not use DC template - made for earlier versions of OS
Name and publish in AD
Issuing Templates
Issuing CA, Certificate Templates
rc Cert Templates, new, cert template to issue
Select cert template(s)
Config Enrollment in GP
Must be assigned to all members of the domain
Computer Config or User Config \Policies\Windows Settings\Security Settings\Public Key Policies
dc Cert Services Client - Auto Enrollment
Enable
Renew expired, update pending, and remove revoked certs
Update Certs that use Cert Templates - if already issued certs manually
On User Config - can enable Expiration Notification
Set Default Action for Issuing CA
rc Issuing CA server name, Properties
Policy Module Tab, Properties
Set to Pending, Admin must issue
or
Follow Cert Setting, otherwise Automatic
Config of Online Responder
Config and Install OCSP Response Signing Cert
Config AIA extension support
Assign template to a CA
Enroll system to obtain cert
OR Array
Two or more CAs acting as ORs
Config OCSP Response Signing Cert
Duplicate cert and name
Publish in AD
Security Tab - Add CA server that hosts OR and give enroll and autoenroll permissions
Config AIA Extension
rc Issuing CA, Properties, Extensions Tab
Extension drop down list - AIA
Specify locations to obtain revocation data
Include AIA Extension of Issued Cert
Include OCSP Extension
Cert Templates, new, cert templates to issue
Select OCSP Response Signing template to enable
Verify OCSP cert assign to server
Create MMC, add Certs snap-in, Computer Account, Local Computer, Save
Expand Cert\Personal, Certs, rc, request new cert
AD Enrollment Policy
Select new OCSP cert and click enroll
rc new cert, all task, Manage Private Key, Security Tab
Local server name in location, add Network Service, give full control permission
Adding Revocation Config for OR
Online Responder, Revocation Config, rc, add
Assign a valid name - each revocation config tied to particular CA so use CA name in it
Select location - AD, local cert store or a file
Located Root CA in AD
Select signing method - auto, manual, or CA cert (uses cert from the CA)
Provider, Add under Base CRLs and Delta CRLs: http://localhost/ca.crl
Repeat for each CA that is an OR
AD CS & AD DS
Relies on LDAP to get info from the directory store
AD CS & RSAT
To get MMC snap in to manage certs on Win 7 workstation select AD CS tools in RSAT tools
Cross-Certification
Created to establish relationships between original cert and renewed root
Exit Module
publish or send email notification
Enterprise PKI
or
PKIView - command line
View status of deployment, entire PKI hierarchy, and drill down into individual CAs to identify issues with config or operations
Can link to CAs quickly, rc CA, Manage CA
Access to Manage Templates
Access to Certs Container in AD DS
Icons show green (healthy), yellow (minor issues) and red (critical issues)
Backing Up CAs
Cert Authority Backup Wizard
Select Items:
Private Key and CA Cert
Cert db and cert db log (full or incremental)
Identify backup location
Assign strong password
can also use certutil on the command line
Restoring CAs
Cert Authority Restore Wizard
Stop CA service
Select items to restore:
Private Key and CA Cert
Cert db and db logs
Enter location of backup files
Provide password
Restart AD CS service
Web Based Download Locations for CRL Distribution
CDP and AIA http locations
Must be created manually in IIS
Secondary locations needed for mobile or external users outside the network; URLs specified must be available externally
AD DS integrated deployment does not need web based secondary locations, directory service responsible for AIA and CRL distribution
Web Support for CRLs
Points to CertEnroll virtual directory under the default website as CDP; not created by default, must create in IIS
AD CS Servers Name and Role
After AD CS installed cannot change name or domain status (cannot be demoted from or promoted to DC)
EFS
Encryption of NT File System, allows offline folders to maintain encryption set on the server
BitLocker
Vista or Win 7 - allows for entire hard drive, aside from some boot files, to be encrypted
Base CRL and Delta CRL Overlap
The amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable
The default value is 10% of the CRL's lifetime
CRL Lifetime
Revoked Certificates
CRL Publishing Parameters tab
Base default - 1 week
Delta default - 1 day
Enterprise PKI - rc
Manage Templates
Manage AD Containers
Options - can set Cert, CRL and Delta CRL status to expiring
Publish CRL Manually
rc Revoked Certificates
4 Ways To Enroll For Certs
MMC Based Enrollment
Auto Enrollment
Web Based Enrollment
Manual Enrollment
Cert Web Enrollment Services
Cert Web Enrollment Policy
Cert web enroll service enables users to obtain the cert web enroll policies; these policies enable cert enrollment when the client computer is not a member of, or not currently connected to, the domain
Also enables cross forest based cert enroll for Win 7 or 2008 r2 clients
Cert Web Enroll & GP
Computer / User Config
Policies\windows settings\security policy\public key policies\certificate services client - certificate enrollment policy
CA Web Enrollment
Provides a set of web pages that interact with a CA
Can be installed on a server that is not a CA to keep web traffic away from the CA
Install configures the computer as an enrollment registration authority
The CA used is called the TargetCA
If the CA Web Enrollment is installed on a computer that is not the Target CA, the computer account where it is installed must be trusted for delegation in order to present the client identity to the CA