Presentation is loading. Please wait.

Presentation is loading. Please wait.

Microsoft ® Official Course Module 7 Deploying and Managing Active Directory Certificate Services.

Similar presentations


Presentation on theme: "Microsoft ® Official Course Module 7 Deploying and Managing Active Directory Certificate Services."— Presentation transcript:

1 Microsoft ® Official Course Module 7 Deploying and Managing Active Directory Certificate Services

2 Module Overview Deploying CAs Administering CAs Troubleshooting, Maintaining, and Monitoring CAs

3 Lesson 1: Deploying CAs AD CS in Windows Server 2012 What Is Certification Authority? Public vs. Private CAs Stand-alone vs. Enterprise CAs Options for Implementing CA Hierarchies Considerations for Deploying a Root CA Considerations for Deploying a Subordinate CA How to Use the CAPolicy.inf File for Installing a CA Demonstration: Deploying an Enterprise Root CA

4 AD CS in Windows Server 2012 CA Online Responder Network Device Enrollment Service CA Web Enrollment Certificate Enrollment Web Service Certificate Enrollment Policy Web Service Firewall Enrollment Linux Proxy Windows 7 or newer Policy Windows 7 or newer

5 What Is Certification Authority? CA Root CA issues a self-signed certificate for itself Verifies the identity of the certificate requestor Manages certificate revocation Issues certificates to users, computers, and services Firewall

6 Public vs. Private CAs External public CAs: Are trusted by many external clients, such as web browsers, operating systems Are slower compared to internal CAs Have higher cost Internal private CAs: Require greater administration than external public CAs Cost less than external public CAs and provide greater control over certificate management Are not trusted by external clients by default Offer advantages such as customized templates and autoenrollment

7 Stand-alone vs. Enterprise CAs Standalone CAsEnterprise CAs Must be used if any CA (root/intermediate/policy) is offline because a standalone CA is not joined to an AD DS domain Requires the use of AD DS and stores information in AD DS Can use Group Policy to propagate certificates to the trusted root CA certificate store Users must provide identifying information and specify the type of certificate Publishes user certificates and CRLs to AD DS Does not support certificate templates Issues certificates based on a certificate template All certificate requests are kept pending until administrator approval Supports autoenrollment for issuing certificates

8 Options for Implementing CA Hierarchies Root CA Policy CAs Issuing CA Root CA Issuing CAs Root CA Policy CA Root CA Policy CA Issuing CA Policy CA Usage Two-Tier Hierarchy Cross-Certification Trust

9 Considerations for Deploying a Root CA Computer name and domain membership cannot change When you plan private key configuration, consider the following: CSP Key character length with a default of 2,048 The hash algorithm that is used to sign certificates issued by a CA When you plan a root CA, consider the following: Name and configuration Certificate database and log location Validity period

10 Considerations for Deploying a Subordinate CA Root Subordinate RAS EFS S/MIME Certificate Uses Root Subordinate Load Balancing IndiaCanadaUSA Root Subordinate Locations Root Subordinate Employee Contractor Partner Organizational Divisions

11 How to Use the CAPolicy.inf File for Installing a CA The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA The CAPolicy.inf file defines the following: Certification practice statement Object identifier CRL publication intervals CA renewal settings Key size Certificate validity period CDP and AIA paths

12 Demonstration: Deploying an Enterprise Root CA In this demonstration, your instructor will show you how to deploy the enterprise root CA

13

14 Lesson 2: Administering CAs Managing CA Hierarchy Configuring CA Administration and Security Configuring CA Policy and Exit Modules Configuring CRL Distribution Points and AIA Locations Demonstration: Configuring CA Properties

15 Managing CA Hierarchy For managing CA hierarchy, you can use: CA Management console Windows PowerShell Certutil command-line utility Certutil provides an interface for advanced CA and PKI configuration and management PKI options are manageable through Group Policy, if you use the following: Credential roaming Autoenrollment of certificates Certificate path validation Certificate distribution

16 Configuring CA Administration and Security You can establish role-based administration for CA hierarchy by defining the following roles: CA Administrator Certificate Manager Backup Operator Auditor Enrollees You can assign the following permissions on the CA level: Read Issue and Manage Certificates Manage CA Request Certificates Certificate Managers can be restricted to a template

17 Configuring CA Policy and Exit Modules The policy module determines the action that is performed after the certificate request is received The exit module determines what happens with a certificate after it is issued Each CA is configured with default policy and exit modules The FIM 2010 Certification Management deploys custom policy and exit modules The exit module can send or publish a certificate to a file system You have to use certutil to specify these settings, as they are not available in the CA the administrator console

18 Configuring CRL Distribution Points and AIA Locations The AIA specifies where to retrieve the CA's certificate The CDP specifies from where the CRL for a CA can be retrieved Publication locations for AIA and CDP: AD DS Web servers File Transfer Protocol FTP servers File servers Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs Ensure that the CRL for an offline root CA does not expire

19 Demonstration: Configuring CA Properties In this demonstration, you will see how to configure CA properties

20 Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs Troubleshooting CAs Renewing a CA Certificate Moving a Root CA to Another Computer Monitoring and Maintaining CA Hierarchy

21 Troubleshooting CAs Tools for managing CAs: Certificates snap-in PKIView tool CA snap-in Certutil.exe Certificate Templates snap-in AD CS common issues: Client autoenrollment issues Unavailable enterprise CA option Error accessing CA web pages Enrollment agent restriction

22 Renewing a CA Certificate The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date The CA will never issue a certificate that has a longer validity time than its own certificate Considerations for renewing a root CA certificate : Key length Validity period Considerations for renewing a certificate for an issuing CA: New key pair Smaller CRLs Procedure for CA certificate renewal

23 Moving a Root CA to Another Computer To move a CA from one computer to another, you have to perform backup and restore: To back up a computer, follow this procedure: 1. Record the names of the certificate templates 2. Back up a CA in the CA admin console 3. Export the registry subkey 4. Uninstall the CA role 5. Confirm the %Systemroot% folder locations 6. Remove the old CA from the domain To restore, follow this procedure: 1. Install AD CS 2. Use the existing private key 3. Restore the registry file 4. Restore the CA database and settings 5. Restore the certificate templates

24 Monitoring and Maintaining CA Hierarchy For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing With the PKIView, you can: Access and manage AD DS PKI-related containers Monitor CAs and their health state Check the status of CA certificates Check the status of AIA locations Check the status of CRLs Check the status of CRL distribution points Evaluate the state of the online responder CA auditing provides logging for various events that happen on the CA

25 Lab: Deploying and Configuring a Two-Tier CA Hierarchy Exercise 1: Deploying an Offline Root CA Exercise 2: Deploying an Enterprise Subordinate CA Logon Information Virtual machines:10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1 User name:Adatum\Administrator Password:Pa$$w0rd Estimated Time: 60 minutes

26 Lab Scenario As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

27 Lab Review Why is it not recommended to install only an enterprise root CA? What are some reasons that an organization would use an Enterprise root CA?

28 Module Review and Takeaways Review Questions Tools Best Practice Common Issues and Troubleshooting Tips

29


Download ppt "Microsoft ® Official Course Module 7 Deploying and Managing Active Directory Certificate Services."

Similar presentations


Ads by Google