Section 6 - Chapter 15

Question 1

AD CS Role Services

Answer 1

Certificate Authority - issues and manages certs
CA Web Enrollment - allows users to: request and renew certs, retrieve CRLs, enroll for smart card certs
Online Responder - makes cert revocation data accessible
Network Device Enrollment Service - certs for routers and other hardware
Cert Enrollment Web Services - enroll and renew certs when computer does not belong to domain or is outside security boundary
Cert Enrollment Web Policy Service - policy based auto enroll cert enroll web service users, provides policies not certs

Question 2

Comparison

Publish CA config to AD DS

Answer 2

Stand Alone - optional

Enterprise - mandatory

Question 3

Comparison

CA Cert Data Integration w/ AD DS Forests

Answer 3

Stand Alone - optional, manual process

Enterprise - mandatory and automatic

Question 4

Comparison

CRL publication in AD DS Forest

Answer 4

Stand Alone - optional, manual process

Enterprise - mandatory and automatic, includes delta CRLs and cross certificates

Question 5

Comparison

AD DS Forest pub assigned per template level as an attribute of the template

Answer 5

Stand Alone - n/a

Enterprise - supported

Question 6

Comparison

Web Enrollment for cert requests and validation

Answer 6

Stand Alone - supported

Enterprise - supported

Question 7

Comparison

Cert MMC for request and validation

Answer 7

Stand Alone - n/a

Enterprise - supported

Question 8

Comparison

Cert requests thru http or https

Answer 8

Stand Alone - supported

Enterprise - supported

Question 9

Comparison

Cert requests thru RPC and DCOM

Answer 9

Stand Alone - n/a

Enterprise - default mode

Question 10

Comparison

V1 templates with custom object identifiers (OID) as source of certs

Answer 10

Stand Alone - Default

Enterprise - n/a

Question 11

Comparison

V2 & V3 templates - can be customized and duplicated

Answer 11

Stand Alone - n/a

Enterprise - default

Question 12

Comparison

User input during cert requests

Answer 12

Stand Alone - manual

Enterprise - retrieved from AD DS

Question 13

Comparison

Supported enrollment methods

Answer 13

Stand Alone - automatic or pending for all templates

Enterprise - automatic or pending, applied on a per template basis

Question 14

Comparison

Cert approval process

Answer 14

Stand Alone - manual

Enterprise - manual or auto thru AD DS

Question 15

Comparison

Cert Publishing

Answer 15

Stand Alone - manually to client or CA, AD DS thru custom policy module

Enterprise - depends on cert type and setting, can be auto enrolled in clients cert store and pub’d in AD DS

Question 16

Comparison

Cert Publishing and manangement thru AD DS

Answer 16

Stand Alone - n/a

Enterprise - supported

Question 17

Deployment Options

Answer 17

Stand Alone - DC, Member Server or Stand Alone Server

Standard, Enterprise or Datacenter

Enterprise - DC or Member Server

Enterprise or Datacenter

Question 18

CPS - Certificate Policy Statement

Answer 18

Clear definition of who your company is
A list of your certificate policies
A general statement of proceedures used to issue, assign and revoke certs
A description of methods used to protect CAs
Revocation policy used

Question 19

AD CS New Features 2008 r2

Answer 19

Certificate Enrollment and Certificate Enrollment Policy Web Services

Certificate enrollment across forests

Better support for high-volume CAs

Question 20

AD CS Web Services

Answer 20

Cert enroll over http/https

Proxy between client and CA

Direct communication unnecessary

Allows enroll over internet and across forests

Question 21

Functional Levels Needed for AD CS Web Services

Answer 21

Forest Functional Level 2008 r2

CA running 2003 and above

Client Computers Win 7

Cross Forest Enroll - CA running Enterprise or Datacenter

Question 22

Cross Forest Enrollment

Answer 22

Two Way Trust

Forest Functional Level 2003

Issue Certs - forest functional level 2003

Enrollment - forest functional level 2008 r2

Clients do not need an update

Question 23

High Volume CAs

Answer 23

Windows Server Network Access Protection (NAP) may require

Non persistant cert processing

Bypasses certain CA database operations - not storing each request record and issued cert

Improves performance and reduces CA operational costs

Can no longer revoke certs or manage CRLs

Question 24

AD CS Hosting Server Config

Answer 24

Multiple processors

Minimal RAM

Seperate disks for store on Root

Another disk for logs on Issuing

Medium key lengths

RAID balanced for reliability and performance

Question 25

Stand Alone Root CA - Installation

Answer 25

AD CS only role needed

Create new private key or use existing

Chose CN - name will be embedded in every subordinate cert issued by the chain, cannot change once installed

Set Validity Period

Select cert db and cert db log file paths

Question 26

Create a new private key

Answer 26

Only for internal networks

Select Cryptographic Service Provider (CSP)

Key Character Length

Hash Algorithm

Allow Admin Interaction When Private Key is Accessed by the CA

Question 27

Using An Existing Key

Answer 27

Reinstalling Machine

Chained to 3rd Party, must be pre-installed

Question 28

Roles That Can Be Installed AD CS

Answer 28

Certificate Authority

CA Web Enrollment

Online Responder

Network Device Enrollment Service

Certificate Enrollment Web Service

Certficate Enrollment Policy Web Service

Question 29

CA Properties

General Tab

Answer 29

Name, cryptography, hash setting, view cert

Question 30

CA Properties

Policy Module Tab

Answer 30

Properties - Request Handling

Pending, Admin Must Install
Follow Settings in Template or Automatic

Question 31

CA Properties

Exit Module

Answer 31

Windows Default - publishes certs when issued

Properties - allow certs to be pub’d to file system

Question 32

CA Properties

Extensions

Answer 32

CRL Distribution Point (CDP)
Authority Information Access (AIA)

Specify locations from which users can obtain a CRL

Publishing options

Question 33

CA Properties

Storage

Answer 33

Shows if AD DS integrated

Paths to db and db logs

Question 34

CA Properties

Certificate Managers

Answer 34

Can restrict Administrators, Domain Admins and Enterprise Admin rights or others who have been added thru the Security Tab

Allow or Deny

Question 35

CA Properties

Auditing Options

Answer 35

Back up and Restore
Changes to Configuration
Changes to Security Settings
Issue and Manage Cert Requests
Revoke Certs and Publish CRLs
Store and Retrieve Archive Keys
Start and Stop AD CS

Question 36

CA Properties

Security

Answer 36

Permissions

Read
Issue and Manage Certs (Local, Domain & Enterprise Admins)
Manage CA (Local, Domain and Enterprise Admins)
Request Certs (authenticated users)

Can added users or groups that can then be allowed or denied management rights on Certificate Management tab

Question 37

certutil

Answer 37

• viewstore = verifies publication
• dspublish = publishes a cert or CRL to AD
• resubmit = resubmit a pending request
• revoke = revoke a cert
• CRL = publishes a new CRL
• pulse = pulse autoenroll events

Question 38

Enterprise Issuing CA Install

Answer 38

CA and OR

Automatically adds: IIS and RSAT

Do not select Allow Admin Interaction - must be able to interact with all users needing certs

Make request for cert or save request and do manually, save to docs folder

Question 39

Adding Root CA cert to Issuing CA

Answer 39

On Root - rc Contoso-Root-CA, all tasks, submit new request, specify file location

rc Pending Requests, all tasks, Issue

rc, Issued Cert, Details tab, copy to > opens export wizard, chose format

Question 40

Export File Formats

Answer 40

DER encoded binary x.509 (.cer) - non Windows computers

Base-64 encoded x.509 (.cer) - support S/MIME, usually used for non-windows on servers

Cryptograph Message Syntax Standard - PKCS #7 - (.p7b) - transfers certs and their chained paths

Personal Info Exchange - PKCS #12 - (pfx) - transfers certs and their chained paths and transfer of private key as well as public

Microsoft Serialized Cert Store - transfers root certs from one computer to another

Question 41

Import Cert and Start Service on Issuing

Answer 41

rc Issuing-CA, all tasks, install CA cert

rc Issuing-CA. all tasks, start service

Question 42

CA Properties

Additional Tabs On Enterprise CAs

Answer 42

Enrollment Agents - can restrict enroll agents to certain certs and give allow or deny access

Recovery Agents - archive or do not archive when cert request includes key archival

Question 43

Prep for Install NDES

Answer 43

Create a service account identity

Server Manager, Config, Local Users and Groups, IIS_IURs Group > add service account identity

Question 44

Install NDES

Answer 44

Cannot be install at the same time as AD CS

rc AD CS, add role services

IIS automatically added

Specify service account identity as user

RA (registration authority) Setup - will assign and manage certs assigned to network devices

Config cryptography

Adds additional web files

Question 45

Credentials for AD CS Installation

Answer 45

Local Admin

Question 46

ORs

Answer 46

Responds to specific cert validation requests thru Online Cert Status Protocol (OCSP)

Relies on PKI

Does not need full CRL

Can request validation for a specific cert

OR decodes validation request sending back encrypted response

Question 47

Finalizing the Config of Issuing CA

Answer 47

Create certificate revocation config

Config and personalize cert templates

Config enrollment and issuance options

Question 48

Personalizing Templates

Answer 48

EFS - involves planning recovery agent

Wireless Networks - enforces strong authentication and encrypts all communications

Smart Cards - supports two-factor authentication

Website and Enabled e-commerce - web server certs, also can protect DCs and encrypt communication to and from

Question 49

Create Revocation Config for CA

Answer 49

Specify Cert Revocation List (CRL) distribution points

Config CRL and Delta CRL overlap periods

Schedule pub of CRLs

Question 50

CRL Distribution Point

Answer 50

Issuing CA, Properties, Extention Tab

drop down list set to CDP, publish CRLs and publish Delta CRLs to this lcoation check boxes

Question 51

Config CRL and Delta CRL Overlap Periods

Answer 51

certutil -setreg ca\CRLOverlapUnits value
certutil -setreg ca\CRLOverlapPeriod units
certutil -setreg ca\CRLDeltaOverlapUnits value
certutil -setreg ca\CRLDeltaOverlapPeriod units

Question 52

Config Pub of the CRLs

Answer 52

Issuing CA, Revoked Certificates, Properties

Set Pub Intervals CRL 1 week, Delta 1 day

For high throughput and high availibility decrease values

Question 53

Cert Templates Pub to AD DS

Answer 53

Must be connected to DC while working with the templates

Question 54

Working with Cert Templates

Answer 54

Select source template, rc, duplicate and select version of Windows

Name Template

Customize Template

Save Template

Question 55

Basic EFS Templates

Answer 55

Request Handling Tab

Archive Subject’s Encryption Private Key
Use Advanced Symmetric Algorithm to Send the Key to the CA

Subject Name Tab

Adds Alternative Subject Name Values

Question 56

EFS Recovery Agent Template

Answer 56

Publish Cert in AD

Use same settings on other tabs that were used on Basic EFS duplicate

Question 57

Network Policy Server (NPS) Template

Answer 57

Used for wireless networks

Create and config for autoenrollment

RAS and IAS Server Templates as source for NPS Template

Publish in AD

Security Tab - select RAS and IAS Servers group to assign Autoenroll and Enroll permissions

Question 58

Smartcard Logon and Smartcard User Templates

Answer 58

Name and publish in AD

Do not use autoenrollment for these, use smart card enrollment stations to distribute cards

Question 59

Web Server and Domain Controller Authentication Templates

Answer 59

Do not use DC template - made for earlier versions of OS

Name and publish in AD

Question 60

Issuing Templates

Answer 60

Issuing CA, Certificate Templates

rc Cert Templates, new, cert template to issue

Select cert template(s)

Question 61

Config Enrollment in GP

Answer 61

Must be assigned to all members of the domain

Computer Config or User Config \Policies\Windows Settings\Security Settings\Public Key Policies

dc Cert Services Client - Auto Enrollment

Enable

Renew expired, update pending, and remove revoked certs

Update Certs that use Cert Templates - if already issued certs manually

On User Config - can enable Expiration Notification

Question 62

Set Default Action for Issuing CA

Answer 62

rc Issuing CA server name, Properties

Policy Module Tab, Properties

Set to Pending, Admin must issue
or
Follow Cert Setting, otherwise Automatic

Question 63

Config of Online Responder

Answer 63

Config and Install OCSP Response Signing Cert

Config AIA extension support

Assign template to a CA

Enroll system to obtain cert

Question 64

OR Array

Answer 64

Two or more CAs acting as ORs

Question 65

Config OCSP Response Signing Cert

Answer 65

Duplicate cert and name

Publish in AD

Security Tab - Add CA server that hosts OR and give enroll and autoenroll permissions

Question 66

Config AIA Extension

Answer 66

rc Issuing CA, Properties, Extensions Tab

Extension drop down list - AIA

Specify locations to obtain revocation data

Include AIA Extension of Issued Cert
Include OCSP Extension

Cert Templates, new, cert templates to issue

Select OCSP Response Signing template to enable

Question 67

Verify OCSP cert assign to server

Answer 67

Create MMC
Certs snap in
Computer Account
Local Computer
Save

Expand Cert\Personal, Certs, rc, request new cert

AD Enrollment Policy

Select new OCSP cert and click enroll

rc new cert, all task, Manage Private Key, Security Tab

Local server name in location, add Network Service, give full control permission

Question 68

Adding Revocation Config for OR

Answer 68

Online Responder, Revocation Config, rc, add

Assign a valid name - each revocation config tied to particular CA so use CA name in it

Select location - AD, local cert store or a file

Located Root CA in AD

Select signing method - auto, manually or CA cert uses cert from CA

Provider, Add under Base CRLs and Delta CRLs: http:\localhost\ca.crl

Repeat for each CA that is an OR

Question 69

AD CS & AD DS

Answer 69

Relies on LDAP to get infor from directory store

Question 70

AD CS & RSAT

Answer 70

To get MMC snap in to manage certs on Win 7 workstation select AD CS tools in RSAT tools

Question 71

Cross-Certification

Answer 71

Created to establish relationships between original cert and renewed root

Question 72

Exit Module

Answer 72

publish or send email notification

Question 73

Enterprise PKI
or
PKIView - command line

Answer 73

View status of deployment, entire PKI hierarcy and drill down into individual CAs to identify issues with config or operations

Can link to CAs quickly, rc CA, Manage CA

Access to Manage Templates

Access to Certs Container in AD DS

Icons show green (healthy), yellow (minor issues) and red (critical issues)

Question 74

Backing Up CAs

Answer 74

Cert Authority Backup Wizard

Select Items:
Private Key and CA Cert
Cert db and cert db log (full or incremental)

Identify backup location

Assign strong password

can also use certutil on the command line

Question 75

Restoring CAs

Answer 75

Cert Authority Restore Wizard

Stop CA service

Select items to restore:
Private Key and CA Cert
Cert db and db logs

Enter location of backup files

Provide password

Restart AD CS service

Question 76

Web Based Download Locations for CRL Distribution

Answer 76

CDP and AIA http locations

Must be created manually in IIS

Secondary locations needed for mobile or external users outside network, URLs specified must be available externallly

AD DS integrated deployment does not need web based secondary locations, directory service responsible for AIA and CRL distribution

Question 77

Web Support for CRLs

Answer 77

Points to CertEnroll vd under default website as CDP, not created by default, must create in IIS

Question 78

AD CS Servers Name and Role

Answer 78

After AD CS installed cannot change name or domain status (cannot be demoted from or promoted to DC)

Question 79

EFS

Answer 79

Encryption of NT File System, allows offline folders to maintain encryption sert on the server

Question 80

BitLocker

Answer 80

Vista or Win 7 - allows for entire hard drive, aside from some boot files, to be encrypted

Question 81

Base CRL and Delta CRL Overlap

Answer 81

The amount of time at the end of a published CRLs lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable

The default value is 10% of the CRLs lifetime

Question 82

CRLs Lifetime

Answer 82

Revoked Certificates

CRL Publishing Parameters tab

Base default - 1 week

Delta default - 1 day

Question 83

Enterprise PKI - rc

Answer 83

Manage Templates
Manage AD Containers
Options - can set Cert, CRL and Delta CRL status to expiring

Question 84

Publish CRL Manually

Answer 84

rc Revoked Certificates

Question 85

4 Ways To Enroll For Certs

Answer 85

MMC Based Enrollment
Auto Enrollment
Web Based Enrollment
Manual Enrollment

Question 86

Cert Web Enrollment Services

Cert Web Enrollment Policy

Answer 86

Cert web enroll service enables users to obtain the cert web enroll policies which policies enable cert enroll when the client computer is not a member of or not currently connected to the domain

Also enables cross forest based cert enroll for Win 7 or 2008 r2 clients

Question 87

Cert Web Enroll & GP

Answer 87

Computer / User Config

Policies\windows settings\security policy\public key policies\certificate services client - certificate enrollment policy

Question 88

CA Web Enrollment

Answer 88

Provides a set of web pages that interact with a CA

Can be installed on a server that is not a CA to keep web traffic away from the CA

Install configs the computer as a enrollment registration authority

The CA used is called the TargetCA

If the CA Web Enrollment is installed on a computer that is not the Target CA, the computer account where it is installed must be trusted for delegation in order to present the client identity to the CA