Presentation transcript: Deploying and Managing Active Directory Certificate Services
1 Deploying and Managing Active Directory Certificate Services

Module 7: Deploying and Managing Active Directory Certificate Services
Presentation: 80 minutes
Lab: 90 minutes

After completing this module, students will be able to:
- Deploy CAs.
- Administer CAs.
- Troubleshoot, maintain, and monitor CAs.

Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_07.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some features of the slides might not display correctly.

Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that each covers. This will allow you to provide meaningful hints to students who get stuck in a lab, and it also will help guide your lecture to ensure that you cover the concepts that the labs cover.
2 Module Overview
7: Deploying and Managing Active Directory Certificate Services

- Troubleshooting, Maintaining, and Monitoring CAs

Instructor notes: Ask students how much experience they have with public key infrastructure (PKI) and certification authorities (CAs) in general. If they are experienced already, you have the opportunity to save some time teaching this module.
3 Lesson 1: Deploying CAs

- Demonstration: Deploying an Enterprise Root CA

Instructor notes: This lesson is very important, especially for students who do not have previous experience with PKI or CAs. Make sure that you spend enough time explaining all the necessary details.
4 AD CS in Windows Server 2012

AD CS role services:
- Certification Authority (CA)
- CA Web Enrollment
- Online Responder
- Network Device Enrollment Service
- Certificate Enrollment Web Service
- Certificate Enrollment Policy Web Service

(Diagram labels: Firewall; Enrollment; Linux; Proxy; Windows 7 or newer; Policy; CA; CA Web Enrollment)

Instructor notes: Introduce AD CS and explain the purpose of each role service. Spend some time describing the role services that are new to Windows Server 2008 R2 and Windows Server 2012.
5 What Is a Certification Authority?

A CA:
- Issues a self-signed certificate for itself if it is a root CA
- Issues certificates to users, computers, and services
- Manages certificate revocation
- Verifies the identity of the certificate requestor

(Diagram labels: Firewall; CA)

Instructor notes: Explain what a CA is and how it operates. CAs are the key components of the PKI environment. In a simple PKI environment, a single CA can provide all of the PKI services.
6 Public vs. Private CAs

External public CAs:
- Are trusted by many external clients, such as web browsers and operating systems
- Are slower compared to internal CAs
- Have higher cost

Internal private CAs:
- Require greater administration than external public CAs
- Cost less than external public CAs and provide greater control over certificate management
- Are not trusted by external clients by default
- Offer advantages such as customized templates and autoenrollment

Instructor notes: Start by explaining that a CA solution can be implemented as an internal private CA, or an organization can use an external public CA. Many organizations use both: an external public CA for public-facing services, and an internal private CA for internal corporate requirements.
You also can discuss a newer hybrid approach that some organizations use. In this scenario, the root CA is an externally trusted root CA, and the internal CAs that issue certificates are subordinates. With the hybrid approach, companies can issue certificates that are trusted by virtually all computers. The module documentation goes into more detail about this method in upcoming slides, so keep the discussion at a high level here.
Remind students that a public CA is trusted by virtually all modern computers and applications, while an internal private CA usually is not trusted outside of the organization that runs it. Ask students which type of CA they use in their environments today, and what the limitations of that type are.
7 Stand-alone vs. Enterprise CAs

Stand-alone CAs:
- Must be used if any CA (root/intermediate/policy) is offline, because a stand-alone CA is not joined to an AD DS domain
- Users must provide identifying information and specify the type of certificate
- Do not support certificate templates
- All certificate requests are kept pending until administrator approval

Enterprise CAs:
- Require the use of AD DS and store information in AD DS
- Can use Group Policy to propagate certificates to the trusted root CA certificate store
- Publish user certificates and CRLs to AD DS
- Issue certificates based on a certificate template
- Support autoenrollment for issuing certificates

Instructor notes: Discuss the following:
- Stand-alone and enterprise CAs, and their differences
- CAs that issue certificates to clients over the Internet
- A root CA typically is configured as a stand-alone CA
Mention that business requirements often dictate the types of CAs that students might use. For example, autoenrollment requires an enterprise CA.
8 Options for Implementing CA Hierarchies

(Diagram labels: Root CA; Policy CAs; Issuing CAs. Scenarios shown: Policy CA Usage; Two-Tier Hierarchy; Cross-Certification Trust)

Instructor notes: Highlight various usage scenarios for CAs. This should help students understand the typical scenarios that are found in an enterprise environment. Contrast these scenarios with a typical usage scenario in a small environment, such as a single-server PKI. Make sure that students understand that a single CA does not represent a CA hierarchy, although it is still a fully functional PKI.
9 Considerations for Deploying a Root CA

When you plan a root CA, consider the following:
- Name and configuration
- Certificate database and log location
- Validity period
- Computer name and domain membership cannot change

When you plan the private key configuration, consider the following:
- CSP
- Key length, with a default of 2,048
- The hash algorithm that is used to sign certificates issued by the CA

Instructor notes: Describe the key points related to considerations for installing a root CA. When discussing the private key configuration, mention that any provider that contains a number sign (#) in its name is a Cryptography Next Generation (CNG) provider. CNG, which was first introduced in Windows Vista, is enhanced in Windows Server 2008 and Windows Server. The CNG application programming interface (API) is the long-term replacement for the CryptoAPI of previous versions of the Windows operating system.
10 Considerations for Deploying a Subordinate CA

(Diagram labels: Root; Subordinate. Certificate Uses: RAS, EFS, S/MIME. Load Balancing. Locations: India, Canada, USA. Organizational Divisions: Employee, Contractor, Partner)

Instructor notes: Discuss the scenarios for deploying a subordinate CA. Ask students if they have PKI deployed in their environments, and whether they are using only root CAs or whether they have also deployed subordinate CAs.
11 How to Use the CAPolicy.inf File for Installing a CA

The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA.
The CAPolicy.inf file defines the following:
- Certification practice statement
- Object identifier
- CRL publication intervals
- CA renewal settings
- Key size
- Certificate validity period
- CDP and AIA paths

Instructor notes: Describe the CAPolicy.inf file and explain its structure and uses. Also, point students to the syntax examples in the Workbook.
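The following is an added example, not one of the course's own Workbook samples: it writes a CAPolicy.inf for an offline stand-alone root CA into %Windir% from PowerShell before the AD CS configuration wizard is run, covering each of the items on the slide (CPS and its object identifier, CRL publication interval, renewal key size and validity period, and empty CDP/AIA paths for the self-signed root). The OID, the CPS URL and the periods are constructed placeholder values.

```powershell
# Added example (not from the course materials): write a CAPolicy.inf for an
# offline stand-alone root CA before running the AD CS configuration wizard.
# The OID, URL and periods below are constructed placeholder values; replace
# them with the organisation's own before use.

$caPolicy = @'
[Version]
Signature="$Windows NT$"

; Certification practice statement (CPS) published in the root certificate.
[PolicyStatementExtension]
Policies=AdatumCPS

[AdatumCPS]
; PLACEHOLDER OID: use an OID from your own registered arc.
OID=1.3.6.1.4.1.99999.1.1
Notice="Adatum Certification Practice Statement"
URL=http://pki.adatum.com/cps.txt

[Certsrv_Server]
; Key size and validity period used when the root CA certificate is renewed.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Base CRL publication interval for the offline root; delta CRLs disabled.
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; A root CA does not need the default templates loaded.
LoadDefaultTemplates=0

; A self-signed root certificate should carry no CDP or AIA extension,
; because nothing above it can be checked.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

$path = Join-Path $env:windir 'CAPolicy.inf'
# Setup only reads the file from %Windir%; ASCII avoids any encoding surprises.
Set-Content -Path $path -Value $caPolicy -Encoding Ascii

# Show the sections that setup will read back.
Get-Content $path | Where-Object { $_ -match '^\[' }
```

The file must exist before the Certification Authority role service is configured; setup ignores it afterwards. The [Certsrv_Server] renewal values only apply when the CA certificate is renewed, so the key size and validity period of the initial certificate are still chosen in the wizard.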
12 Demonstration: Deploying an Enterprise Root CA

In this demonstration, your instructor will show you how to deploy the enterprise root CA.

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-SVR1 virtual machines. Log on as Adatum\Administrator with the password Pa$$w0rd. After you are done with the demo, leave the virtual machines running for the next demonstration.

Demonstration Steps
Deploy an enterprise root CA
1. On LON-SVR1, in Server Manager, click Add roles and features.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, select Active Directory Certificate Services. In the Add Roles and Features Wizard, click Add Features, and then click Next.
6. On the Select features page, click Next.
7. On the Active Directory Certificate Services page, click Next.
8. On the Select role services page, ensure that Certification Authority is selected, and then click Next.
9. On the Confirm installation selections page, click Install.
10. On the Installation progress page, after the installation completes successfully, click the text Configure Active Directory Certificate Services on the destination server.
11. In the AD CS Configuration wizard, on the Credentials page, click Next.
12. On the Role Services page, select Certification Authority, and then click Next.
13. On the Setup Type page, select Enterprise CA, and then click Next.
(More notes on the next slide)
13 Demonstration: Deploying an Enterprise Root CA (continued)

14. On the CA Type page, click the Root CA option, and then click Next.
15. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
16. On the Cryptography for CA page, keep the default selections for Cryptographic Service Provider (CSP) and Hash Algorithm, but set the Key length to 4096, and then click Next.
17. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then click Next.
18. On the Validity Period page, click Next.
19. On the CA Database page, click Next.
20. On the Confirmation page, click Configure.
21. On the Results page, click Close.
22. On the Installation progress page, click Close.
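As an added example (not part of the course demonstration), the same enterprise root CA can be built from PowerShell on LON-SVR1 with the ADCSDeployment module; the values that the demonstration specifies (Enterprise root CA, new 4096-bit key, common name AdatumRootCA) are used as-is, while the provider name and SHA256 hash are stated explicitly here and are assumptions rather than what the wizard's defaults page shows.

```powershell
# Added example (not part of the course demonstration): the same enterprise
# root CA as the wizard steps above, built from PowerShell on LON-SVR1.
# Run in an elevated session as a user who is an Enterprise Admin.

# 1. Install the Certification Authority role service and its admin tools
#    (Server Manager steps 1-10 above).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure the CA (AD CS Configuration wizard steps 11-22). Values taken
#    from the demonstration: Enterprise root CA, new 4096-bit key, common name
#    AdatumRootCA. The provider is named explicitly so the command is
#    repeatable; SHA256 is an assumed choice, not the wizard default.
$params = @{
    CAType              = 'EnterpriseRootCA'
    CACommonName        = 'AdatumRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # '#' = CNG provider
    KeyLength           = 4096
    HashAlgorithmName   = 'SHA256'
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 5        # the wizard's default on the Validity Period page
    Force               = $true    # suppress the confirmation prompt
}
Install-AdcsCertificationAuthority @params

# 3. Verify: the service is running and the CA answers with its name.
Get-Service -Name CertSvc | Select-Object Status, Name
certutil -cainfo name
```

Once configured, the computer name and domain membership of the CA cannot be changed (see the root CA considerations slide), so the command is worth running only on the server that will keep the role.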
14 Lesson 2: Administering CAs

- Demonstration: Configuring CA Properties
15 For managing a CA hierarchy, you can use:
- CA Management console
- Windows PowerShell
- Certutil command-line utility
Certutil provides an interface for advanced CA and PKI configuration and management.

PKI options are manageable through Group Policy if you use the following:
- Credential roaming
- Autoenrollment of certificates
- Certificate path validation
- Certificate distribution

Instructor notes: Discuss methods and tools that you can use to manage a CA hierarchy. Make sure that you explain that it is important to learn to use certutil. Also, discuss options in Group Policy for managing PKI, CAs, and certificates.
16 Configuring CA Administration and Security

You can establish role-based administration for a CA hierarchy by defining the following roles:
- CA Administrator
- Certificate Manager
- Backup Operator
- Auditor
- Enrollees

You can assign the following permissions at the CA level:
- Read
- Issue and Manage Certificates
- Manage CA
- Request Certificates

Certificate Managers can be restricted to a template.

Instructor notes: Define and discuss role-based administration for the CA hierarchy. Discuss each role and its rights and permissions. Explain the relationship between role-based administration and the security permissions that are defined at the CA level.
17 Configuring CA Policy and Exit Modules

- The policy module determines the action that is performed after a certificate request is received
- The exit module determines what happens with a certificate after it is issued
- Each CA is configured with default policy and exit modules
- FIM 2010 Certificate Management (FIM CM) deploys custom policy and exit modules
- The exit module can send or publish a certificate to a file system
- You have to use certutil to specify these settings, as they are not available in the CA administrator console

Instructor notes: Define policy and exit modules on the CA. Most students probably will not be familiar with these settings, as they are used rarely. Use FIM CM to provide real-life examples of custom policy and exit modules. Spend some time explaining how to configure the default exit module to perform some tasks.
18 Configuring CRL Distribution Points and AIA Locations

- The AIA specifies where to retrieve the CA's certificate
- The CDP specifies from where the CRL for a CA can be retrieved
- Publication locations for AIA and CDP:
  - AD DS
  - Web servers
  - File Transfer Protocol (FTP) servers
  - File servers
- Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs
- Ensure that the CRL for an offline root CA does not expire

Instructor notes: This is an important topic. Make sure that you spend enough time explaining the importance of the authority information access (AIA) and certificate revocation list distribution point (CDP) locations. Use the offline root CA as an example. Discuss the publication points and when to use each one of them.
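As an added example (not the course's own material), the following PowerShell configures HTTP CDP and AIA locations on an issuing CA with the ADCSAdministration cmdlets and sets the CRL publication period with certutil. The web server name pki.adatum.com is assumed; the <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed>, <ServerDNSName> and <CertificateName> tokens are the replacement variables AD CS expands when it writes the extensions.

```powershell
# Added example (not from the course materials): configure CDP and AIA
# locations on an issuing CA so that issued certificates point clients at an
# HTTP location reachable from both the internal network and the Internet.
# pki.adatum.com is an assumed web server name that publishes the files the
# CA writes to its local CertEnroll folder.

$httpBase = 'http://pki.adatum.com/pki'   # assumed, publicly reachable

# --- CRL distribution points -------------------------------------------------
# The default local file path stays (the CA publishes there); this adds an
# HTTP URL that is written into the CDP extension of every issued certificate.
# <CRLNameSuffix> becomes "(1)", "(2)", ... after each CA certificate renewal;
# <DeltaCRLAllowed> appends "+" for delta CRLs.
Add-CACrlDistributionPoint -Uri "$httpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# --- Authority information access -------------------------------------------
# <CertificateName> is the certificate name suffix; without it clients cannot
# find the right CA certificate once the CA certificate has been renewed.
Add-CAAuthorityInformationAccess -Uri "$httpBase/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# --- CRL publication period ---------------------------------------------------
# Issuing CA: weekly base CRL, daily delta CRL. An offline root uses a much
# longer period and must be brought up to republish before the CRL expires.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

# Registry changes take effect after a service restart; then publish a CRL
# and confirm which locations will appear in issued certificates.
Restart-Service -Name CertSvc
certutil -CRL
Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp } | Select-Object Uri
Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateAia } | Select-Object Uri
```

Certificates already issued keep the extension values they were issued with, so a CDP or AIA change only helps certificates issued afterwards; the old locations must stay reachable for as long as earlier certificates are in use.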
19 Demonstration: Configuring CA Properties

In this demonstration, you will see how to configure CA properties.

Preparation Steps
For this demonstration, you will need the 10969A-LON-DC1 and 10969A-LON-SVR1 virtual machines. Log on as Adatum\Administrator with the password Pa$$w0rd. After you are done with the demo, you can revert the virtual machines to their initial snapshot.

Demonstration Steps
1. On LON-SVR1, open Server Manager, click Tools, and then click Certification Authority.
2. In the Certsrv console, right-click AdatumRootCA, and then select Properties.
3. On the General tab, click View Certificate. When the Certificate window opens, review the data on the General, Details, and Certification Path tabs, and then click OK.
4. On the Policy Module tab, click Properties. Review the settings available for the default policy module, and then click OK.
5. On the Exit Module tab, click Properties. Show the Publication Settings available in the default exit module, and then click OK.
6. On the Extensions tab, review the options available for the CDP and AIA locations.
7. On the Security tab, review the available options on the access control list (ACL), and also review the default permissions.
8. On the Certificate Managers tab, review the options and explain how to restrict security principals to specific certificate templates, and then click Cancel.
9. Close the Certsrv console.
20 Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs

- Monitoring and Maintaining CA Hierarchy
21 Troubleshooting CAs

Tools for managing CAs:
- Certificates snap-in
- PKIView tool
- CA snap-in
- Certutil.exe
- Certificate Templates snap-in

AD CS common issues:
- Client autoenrollment issues
- Unavailable enterprise CA option
- Error accessing CA web pages
- Enrollment agent restriction

Instructor notes: Discuss which tools you can use to troubleshoot and manage CAs. Also, discuss some of the most common AD CS issues and how to resolve them. Refer to the Workbook for different methods of troubleshooting.
22 Renewing a CA Certificate

- The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date
- The CA will never issue a certificate that has a longer validity time than its own certificate
- Considerations for renewing a root CA certificate:
  - Key length
  - Validity period
- Considerations for renewing a certificate for an issuing CA:
  - New key pair
  - Smaller CRLs
- Procedure for CA certificate renewal

Instructor notes: Discuss the renewal of CA certificates. Students might be familiar with the renewal procedure, but they are probably not aware of the potential side effects of renewal. Be sure that you explain and discuss all the considerations for renewing a root CA certificate and for renewing a certificate for an issuing CA.
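The second bullet has a practical consequence that is easy to miss: because a CA truncates the validity of everything it issues to its own remaining lifetime, a template with a two-year validity starts silently producing shorter certificates two years before the CA certificate expires. The following added check (not course material) reports when that point is reached for the CA from the demonstration; the template validity and lead time are constructed sample values.

```powershell
# Added example (not from the course materials): report how much issuing
# lifetime a CA certificate has left and when full-length template
# certificates stop fitting inside it. AdatumRootCA is the CA name from the
# demonstration; the template and lead-time values are constructed samples.

function Get-CaRenewalStatus {
    param(
        [string]$CaCommonName = 'AdatumRootCA',
        # Longest validity period (in days) of any template this CA issues.
        [int]$LongestTemplateDays = 730,
        # Warn this many days before issued certificates start being truncated.
        [int]$LeadDays = 90
    )
    # The CA's own certificate lives in the local machine Personal store.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$CaCommonName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No certificate for CN=$CaCommonName in LocalMachine\My" }

    $now = Get-Date
    $remainingDays = [math]::Floor(($caCert.NotAfter - $now).TotalDays)
    # From this date on, a certificate of LongestTemplateDays no longer fits
    # inside the CA certificate and the CA shortens it.
    $truncationStart = $caCert.NotAfter.AddDays(-$LongestTemplateDays)
    $renewBy = $truncationStart.AddDays(-$LeadDays)

    [pscustomobject]@{
        CA                 = $CaCommonName
        Thumbprint         = $caCert.Thumbprint
        NotAfter           = $caCert.NotAfter
        RemainingDays      = $remainingDays      # longest validity issuable today
        TruncationStartsOn = $truncationStart
        RenewBy            = $renewBy
        RenewNow           = ($now -ge $renewBy)
    }
}

$status = Get-CaRenewalStatus
$status | Format-List
if ($status.RenewNow) {
    Write-Warning ("Renew the {0} certificate: full-length template certificates stop fitting on {1}." -f
        $status.CA, $status.TruncationStartsOn.ToShortDateString())
}
```

For a subordinate CA, the same arithmetic applies one level up: its certificate can never outlive the root certificate that signed it, so the root's expiry date bounds the whole hierarchy.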
23 Moving a Root CA to Another Computer

To move a CA from one computer to another, you have to perform a backup and a restore.

To back up the CA, follow this procedure:
1. Record the names of the certificate templates
2. Back up the CA in the CA admin console
3. Export the registry subkey
4. Uninstall the CA role
5. Confirm the %Systemroot% folder locations
6. Remove the old CA from the domain

To restore, follow this procedure:
1. Install AD CS
2. Use the existing private key
3. Restore the registry file
4. Restore the CA database and settings
5. Restore the certificate templates

Instructor notes: Discuss the procedure for moving a CA to another computer. First, make sure that you define scenarios for this, and then discuss each step. Use the Workbook for detailed steps. This slide provides only high-level steps for this procedure.
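The two procedures above as commands, as an added example rather than the course's Workbook steps. It uses the ADCSAdministration backup and restore cmdlets plus certutil and reg.exe; the backup folder, the backup password prompt and the PFX file name (which certutil derives from the CA name, here AdatumRootCA from the demonstration) are assumptions, and the target computer must have the same name as the old CA.

```powershell
# Added example (not the course's step list): the backup half and the restore
# half of moving a CA, as commands. Paths and the backup password are
# constructed placeholders; AdatumRootCA is the CA name from the demonstration.
# Run each half on the respective server in an elevated session.

# ===== On the OLD CA: capture everything the restore needs =====
$backup = 'C:\CABackup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
$backupPwd = Read-Host -Prompt 'Backup password' -AsSecureString

# 1. Record the certificate templates the CA publishes (enterprise CA only).
certutil -catemplates | Out-File "$backup\templates.txt"

# 2. Back up the CA: private key + certificate (<CAName>.p12) and the database.
Backup-CARoleService -Path $backup -Password $backupPwd -Force

# 3. Export the CA configuration subkey (CDP/AIA URLs, CRL periods, policy
#    and exit module settings, audit filter).
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$backup\CertSvc.reg" /y

# 4. Note the database and log folder locations so the restore uses the same.
certutil -getreg CA\DBDirectory
certutil -getreg CA\DBLogDirectory

# Next (not shown): copy $backup off the server, uninstall the CA role,
# and remove the old computer from the domain.

# ===== On the NEW CA (same computer name): restore =====
$backup = 'C:\CABackup'          # copied from the old server
$backupPwd = Read-Host -Prompt 'Backup password' -AsSecureString

# 5. Install the role and configure the CA with the existing key and
#    certificate from the PFX, so the CA identity (and everything it has
#    already issued) is preserved.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile "$backup\AdatumRootCA.p12" -CertFilePassword $backupPwd -Force

# 6. With the service stopped, put the settings and the database back.
Stop-Service -Name CertSvc
reg import "$backup\CertSvc.reg"
Restore-CARoleService -Path $backup -Password $backupPwd -DatabaseOnly -Force
Start-Service -Name CertSvc

# 7. Re-enable the recorded templates (first token of each line in
#    templates.txt is the template name), then confirm the CA answers.
Get-Content "$backup\templates.txt" |
    ForEach-Object { if ($_ -match '^(\S+):') { certutil -SetCATemplates "+$($matches[1])" } }
certutil -ping
```

Keeping the same computer name matters because the default CDP and AIA locations, and the CA's objects in AD DS, embed it; a CA restored under a different name would publish to paths that existing certificates do not reference.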
24 Monitoring and Maintaining CA Hierarchy

For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing.
With PKIView, you can:
- Access and manage AD DS PKI-related containers
- Monitor CAs and their health state
- Check the status of CA certificates
- Check the status of AIA locations
- Check the status of CRLs
- Check the status of CRL distribution points
- Evaluate the state of the online responder

CA auditing provides logging for various events that happen on the CA.

Instructor notes: Discuss the tools that students can use to maintain and monitor the status of a CA hierarchy. If time permits, demonstrate the usage of the PKIView utility. It should be available on LON-SVR1 if you completed the previous demonstrations successfully. Also, you can briefly show the events that you can log with CA auditing.
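CA auditing needs two switches before anything is logged, and the slide does not say which events result. The following added example (not from the course) enables both switches and reads back the Security log events a reviewer would look at first; the AuditFilter bit values and the event IDs are the documented Windows values, and the 24-hour window is an assumed choice.

```powershell
# Added example (not from the course materials): turn on CA auditing and pull
# the resulting events. The AuditFilter bit mask and the event IDs are
# documented Windows values; the 24-hour window is an assumed choice.

# CA-side filter: which CA operations are written to the Security log.
#   1  start/stop service        2  backup/restore database
#   4  issue/manage requests     8  revoke certificates / publish CRL
#  16  change CA settings       32  change CA security/managers
#  64  store/retrieve archived keys
certutil -setreg CA\AuditFilter 127          # all seven categories

# System-side policy: the Certification Services subcategory must be enabled
# as well, or the CA has nowhere to write the events.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

Restart-Service -Name CertSvc                # the filter is read at start-up

# Event IDs of most interest when reviewing a CA's Security log.
$caEvents = @{
    4870 = 'Certificate revoked'
    4876 = 'CA database backup started'
    4882 = 'CA security permissions changed'
    4885 = 'Audit filter changed'
    4886 = 'Certificate requested'
    4887 = 'Certificate issued'
    4888 = 'Certificate request denied'
    4890 = 'Certificate manager settings changed'
}

function Get-CaAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = [int[]]$caEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $caEvents[$_.Id]
            # Requester, template and subject are in the message body.
            Detail  = ($_.Message -split "`n")[0]
        }
    }
}

Get-CaAuditEvents -Hours 24 | Format-Table -AutoSize
```

Events 4882, 4885 and 4890 deserve a standing alert rather than a periodic review: a change to CA permissions, to the audit filter itself, or to who may issue certificates is rare in normal operation and is exactly what should not pass unnoticed.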
25 Lab: Deploying and Configuring a Two-Tier CA Hierarchy

Exercise 1: Deploying an Offline Root CA
A. Datum wants to use certificates for various purposes. You need to install the appropriate CA infrastructure. Because A. Datum uses Windows Server 2012 AD DS, you decided to implement the AD CS role. When you reviewed the available designs, you decided to implement a stand-alone root CA. This CA will be taken offline after it issues a certificate for a subordinate CA. After installation, you must make sure that you configured the CDP and AIA locations correctly. You also must make sure that you have a Domain Name System (DNS) record for the offline root CA so that it is accessible from the network.

Exercise 2: Deploying an Enterprise Subordinate CA
After deploying the stand-alone root CA, the next step is to deploy an enterprise subordinate CA. A. Datum wants to use an enterprise subordinate CA to utilize AD DS integration. In addition, because the root CA is a stand-alone CA, you want to publish its certificate to all clients.

Logon Information
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
26 Lab Scenario

As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.
As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.
27 Lab Review

Question: Why is it not recommended to install only an enterprise root CA?
Answer: For security reasons, a root CA should be taken offline and should not have any network access. Since the enterprise root CA cannot be offline, you cannot provide maximum protection for its key and identity.

Question: What are some reasons that an organization would use an Enterprise root CA?
Answer: If an organization wants to use only one CA, and it wants to use certificate templates and autoenrollment, an enterprise root CA is the only choice.
28 Module Review and Takeaways

Review Questions
Question: What are some reasons that an organization would use a PKI?
Answer: Some reasons are to improve security, to increase identity control, and to sign code digitally.

Question: Why would you deploy custom policy and exit modules?
Answer: If you have an additional application for certificate management, such as FIM CM, you will have to install custom policy and exit modules so that you can integrate your application with the CA.

Tools
- CA admin console
- Certutil command-line utility
- Windows PowerShell command-line interface
- PKIView.msc
- Server Manager

Best Practice: When deploying a CA infrastructure, deploy a stand-alone (non-domain-joined) root CA and an enterprise subordinate CA (issuing CA). After the enterprise subordinate CA receives a certificate from the root CA, take the root CA offline.
- Review the validity time of root CA certificate revocation lists (CRLs).
- Provide more than one location for AIA and CRL.

Common Issues and Troubleshooting Tips
(More notes on the next slide)
29 Common Issues and Troubleshooting Tips

Common Issue: The location of the CA certificate that is specified in the AIA extension is not configured to include the certificate name suffix. Clients might not be able to locate the correct version of the issuing CA's certificate to build a certificate chain, and certificate validation might fail.
Troubleshooting Tip: Use the Certification Authority snap-in to configure the AIA extension to include the certificate name suffix in each location.

Common Issue: The CA is not configured to include CRL distribution point locations in the extensions of issued certificates. Clients might not be able to locate a CRL to check the revocation status of a certificate, and certificate validation might fail.
Troubleshooting Tip: Use the Certification Authority snap-in to configure the CRL distribution point extension and to specify the network location of the CRL.
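Both issues can be caught on the CA before any client fails validation. The following added example (not course material) is a read-only check built on the ADCSAdministration cmdlets: it inspects the AIA and CDP entries that the CA writes into issued certificates and flags a missing certificate name suffix, a missing CDP, and a CDP that is only a local path; the <CertificateName> and <CRLNameSuffix> tokens (and their %4 and %8 equivalents) are the variable names AD CS uses in its URL templates.

```powershell
# Added example (not from the course materials): a read-only check for the two
# common issues above, run on the CA itself. It inspects the configured AIA
# and CDP entries that the CA writes into issued certificates and changes
# nothing. Token names are the ones AD CS uses in its URL templates.

function Test-CaExtensionConfig {
    $problems = @()

    # Issue 1: every AIA location written into issued certificates must carry
    # the certificate name suffix (<CertificateName> / %4); otherwise clients
    # fetch the wrong CA certificate after the CA certificate is renewed.
    $aia = @(Get-CAAuthorityInformationAccess | Where-Object { $_.AddToCertificateAia })
    if ($aia.Count -eq 0) {
        $problems += 'No AIA location is included in issued certificates'
    }
    foreach ($entry in $aia) {
        if ($entry.Uri -notmatch '<CertificateName>|%4') {
            $problems += "AIA entry lacks the certificate name suffix: $($entry.Uri)"
        }
    }

    # Issue 2: at least one CDP location must be written into issued
    # certificates, it should carry the CRL name suffix (<CRLNameSuffix> / %8)
    # for the same renewal reason, and it must be reachable from clients.
    $cdp = @(Get-CACrlDistributionPoint | Where-Object { $_.AddToCertificateCdp })
    if ($cdp.Count -eq 0) {
        $problems += 'No CRL distribution point is included in issued certificates'
    }
    foreach ($entry in $cdp) {
        if ($entry.Uri -notmatch '<CRLNameSuffix>|%8') {
            $problems += "CDP entry lacks the CRL name suffix: $($entry.Uri)"
        }
        # A file:// or drive-letter path is useless to clients other than the CA.
        if ($entry.Uri -match '^(file:|[A-Za-z]:\\)') {
            $problems += "CDP entry in issued certificates is a local path: $($entry.Uri)"
        }
    }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

$result = Test-CaExtensionConfig
if ($result.Healthy) {
    'AIA and CDP extensions are configured for issued certificates.'
} else {
    $result.Problems | ForEach-Object { Write-Warning $_ }
}

# Independent end-to-end check: have Windows' own chain-building code fetch
# every AIA and CDP URL of an issued certificate (export one from the CA's
# Issued Certificates view to the path below first).
# certutil -verify -urlfetch C:\temp\issued.cer
```

The configuration check tells you what future certificates will contain; the certutil -verify -urlfetch line tells you whether the URLs in an already issued certificate actually answer, which is the view a client has. Both are worth running after any CDP or AIA change and after a CA certificate renewal.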