Configuring Active Directory Certificate Services Lesson 13.
Skills Matrix

Technology Skill                                  Objective Domain                                 Objective #
Installing Active Directory Certificate Services  Install Active Directory Certificate Services    6.1
Configuring CA Server Settings                    Configure CA server settings                     6.2
Configuring Certificate Templates                 Manage certificate templates                     6.3
Managing Certificate Enrollments                  Manage enrollments                               6.4
Configuring Certificate Revocation                Manage certificate revocations                   6.5

Public Key Infrastructure A public key infrastructure (PKI) consists of a number of elements (certificate authorities, certificates, revocation data, and the policies that govern them) that allow two parties to communicate securely, without any previous contact, through the use of public key cryptography. In public key cryptography every participant (user, computer, service, and so on) holds a key pair: a public key that is published openly, and a private key that must be kept secret.

Public Key Infrastructure Each user, computer, and so on therefore possesses a private key that is known only to that user or computer. Because the private key never leaves its owner, one entity (you, for example) can communicate securely with another entity (a secured Web site, for example) without exchanging any sort of shared secret key beforehand. A shared secret key is a secret piece of information that both parties would have to agree on before they could communicate securely. With a PKI, only the public key travels ahead of time, normally inside a certificate, and the job of the PKI is to let the recipient confirm that the public key genuinely belongs to the named party.

Certificate Authority (CA) A Certificate Authority (CA) is an entity, such as a Windows Server 2008 server running the AD CS server role, that issues and manages digital certificates for use in a PKI. –CAs are hierarchical: many subordinate CAs within an organization chain upwards to a single root CA, whose self-signed certificate is the trust anchor for all Certificate Services within a given network. A client trusts a certificate only if it can build a chain from that certificate back to a root it already trusts. –Most organizations use a two-tier hierarchy, where a root CA issues certificates only to one or more subordinate (issuing) CAs, and the issuing CAs issue certificates to users and computers. A three-tier hierarchy adds an intermediate (policy) CA layer between the root and the issuing CAs. In either design the root CA is normally kept offline, because compromise of its private key invalidates every certificate in the organization.

Digital Certificate Sometimes just called a certificate. This digital document (in the X.509 format) binds identifying information about a particular user, computer, service, and so on to that entity's public key. It contains the subject's name and public key, the name of the issuing Certificate Authority, a serial number, a validity period (start and expiration dates), extensions that state what the key may be used for and where the CA publishes its revocation information, and the digital signature of the issuing CA over all of these fields, which is what prevents anyone from altering them.

Digital Signature This electronic signature is produced by hashing the document and encrypting the hash with the signer's private key; anyone holding the matching public key can verify it. It proves that the holder of that private key, and nobody else, signed the document. Like a personal signature on a paper document, when an entity signs a document electronically it certifies that the document originated from that person or entity. When a digital signature is applied to something like an e-mail message, it also shows that the message is authentic and has not been tampered with since it left the sender's Outbox: changing a single bit of the message changes the hash, and the signature no longer verifies. Note that the signature vouches for the key, not for a name; it is the certificate that ties the key to a name.
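The sign-then-verify step described above, as an added PowerShell example that is not part of the lesson. It uses only the .NET RSA classes available in Windows PowerShell 5.1 (on .NET Framework 4.7.2 or later, which is needed for RSA.Create with a key size) and PowerShell 7; the message text is constructed for the example.

```powershell
# Added example (not from the lesson): sign with a private key, verify with the public key,
# and show that a tampered message or a signature from a different key does not verify.
$hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# The signer's key pair. In a real PKI the private key lives in the user's profile, on a
# smart card or in the CA's HSM; only the public key is carried in the certificate.
$signer = [System.Security.Cryptography.RSA]::Create(2048)

# Simulate handing out only the public half: export the public parameters ($false = no
# private parameters) and import them into a fresh RSA object that the verifier will use.
$verifier = [System.Security.Cryptography.RSA]::Create()
$verifier.ImportParameters($signer.ExportParameters($false))

# Constructed sample message.
$message   = [System.Text.Encoding]::UTF8.GetBytes('Approve wire transfer #4411 for 20,000 EUR')
$signature = $signer.SignData($message, $hash, $padding)

# 1. Genuine message, genuine signature: verifies.
$verifier.VerifyData($message, $signature, $hash, $padding)

# 2. The amount is altered in transit: the hash no longer matches, verification fails.
$tampered = [System.Text.Encoding]::UTF8.GetBytes('Approve wire transfer #4411 for 90,000 EUR')
$verifier.VerifyData($tampered, $signature, $hash, $padding)

# 3. The same text signed by someone else's key: fails too. This is what lets a
#    certificate bind the signature to an identity rather than to the text alone.
$impostor = [System.Security.Cryptography.RSA]::Create(2048)
$forged   = $impostor.SignData($message, $hash, $padding)
$verifier.VerifyData($message, $forged, $hash, $padding)
```

The three VerifyData calls print True, False and False. In production you would obtain the verifier's public key from the sender's certificate (the PublicKey property of an X509Certificate2) rather than from an in-memory export, and you would check that certificate's chain and revocation status before trusting the result.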

Certificate Practice Statement and Certificate Revocation List Certificate Practice Statement (CPS) –Provides a detailed explanation of how a particular CA manages certificates and keys: how it verifies the identity of requesters, how it protects its private key, and how and when it publishes revocation information. Certificate Revocation List (CRL) –A list, signed by the CA, of the serial numbers of certificates that the CA has revoked before their expiration date (for example because the private key was lost or compromised, or the holder left the organization), together with the revocation date and reason for each entry. –Services that rely on a PKI should check the CRL (or an OCSP responder) to confirm that a certificate has not been revoked before accepting it. A CRL carries a next-update time, and clients cache it until then, so a revocation is not seen everywhere until the cached copies expire. Keep the CRL publishing location reachable: a client that cannot fetch a current CRL will normally reject the certificate.
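Building the chain up to the root CA and consulting each issuer's CRL before trusting a certificate, as an added PowerShell example that is not part of the lesson. The function name Test-CertificateTrust is chosen here; it relies on the .NET X509Chain class that ships with Windows, which fetches CRLs from the CRL Distribution Point named in each certificate (or queries the OCSP responder named in the AIA extension).

```powershell
# Added example (not from the lesson): walk a certificate's chain to the root and check every
# link for revocation. Returns one object per certificate describing the chain and any problems.
function Test-CertificateTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

        # Check revocation for the whole chain, not only the leaf, and go to the CRL/OCSP
        # location when no cached copy is available.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

        # NoFlag = fail closed. Flags such as IgnoreCertificateAuthorityRevocationUnknown
        # would silently accept a certificate whose CRL could not be retrieved.
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

        $trusted = $chain.Build($Certificate)

        # ChainElements[0] is the leaf; the last element is the root the chain ended at.
        $path = ($chain.ChainElements |
            ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '

        # ChainStatus is empty when everything verified; otherwise it names each failure,
        # e.g. Revoked, RevocationStatusUnknown, OfflineRevocation, UntrustedRoot, NotTimeValid.
        $problems = $chain.ChainStatus | ForEach-Object { $_.Status }

        [pscustomobject]@{
            Subject   = $Certificate.Subject
            Trusted   = $trusted
            ChainPath = $path
            Problems  = if ($problems) { $problems -join ', ' } else { 'none' }
        }
        $chain.Reset()
    }
}

# Usage: every certificate in the machine's Personal store, with its chain and revocation status.
Get-ChildItem Cert:\LocalMachine\My | Test-CertificateTrust | Format-Table -AutoSize
```

From a command prompt, certutil -verify -urlfetch <file.cer> performs the same walk and additionally reports whether each CDP and AIA URL in the chain could actually be downloaded, which is the quickest way to find a CRL location that clients cannot reach.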

Certificate Templates Templates used by an enterprise CA to simplify the administration and issuance of digital certificates. A template defines what a certificate issued from it will contain (subject name format, key length, validity period, intended purposes such as client authentication, EFS, or code signing) and who may obtain one, through the Read, Enroll, and Autoenroll permissions set on the template. This is similar to how templates are used in other applications, such as office productivity suites, or when creating objects within Active Directory.

Self-Enrollment and Enrollment Agents Self-Enrollment –As the name suggests, this feature enables users to request their own PKI certificates, typically through a Web browser or the Certificates MMC snap-in. Enrollment agents –A user who holds an Enrollment Agent certificate can request certificates on behalf of other users, computers, or services when self-enrollment is not practical or is otherwise undesirable for reasons of security, auditing, and so on. –An enrollment agent typically works from a dedicated enrollment station that is used to install certificates onto smart cards, thus preconfiguring a smart card for each person's use. Because an enrollment agent can obtain a certificate in anyone's name, issue Enrollment Agent certificates sparingly and restrict which templates and which users each agent may enroll for.

Autoenrollment This PKI feature, supported by Windows Server 2003 and later, allows users and computers to enroll for certificates automatically, and to renew them before they expire, based on one or more certificate templates and on Group Policy settings in Active Directory (the Certificate Services Client - Auto-Enrollment policy). A user or computer is autoenrolled for a template when the policy is enabled and the account holds the Read, Enroll, and Autoenroll permissions on that template. Because the feature was introduced with Windows Server 2003, version 1 templates (the ones that shipped with Windows 2000) cannot be modified and do not support autoenrollment; only version 2 and later templates do.
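Checking that the autoenrollment policy has reached a machine, seeing which templates the CA offers, and enrolling against a template, as an added PowerShell example that is not part of the lesson. The template name ContosoUser is an assumption; Get-Certificate comes with the PKI module on Windows 8 / Windows Server 2012 and later, and certutil is available on every version this lesson covers.

```powershell
# Added example (not from the lesson). Run on a domain-joined client.

# 1. The "Certificate Services Client - Auto-Enrollment" Group Policy setting lands in this
#    registry key (HKLM for the computer policy, the same path under HKCU for the user policy).
#    Bit values are the documented AEPolicy flags: 1 = enabled, 2 = renew expired / update
#    pending / remove revoked, 4 = update certificates that use templates; 0x8000 = disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae -or ($ae.AEPolicy -band 0x8000)) {
    Write-Warning 'Autoenrollment is not enabled by policy on this computer.'
} else {
    $flags = @()
    if ($ae.AEPolicy -band 1) { $flags += 'Enabled' }
    if ($ae.AEPolicy -band 2) { $flags += 'RenewExpired/UpdatePending/RemoveRevoked' }
    if ($ae.AEPolicy -band 4) { $flags += 'UpdateTemplateBasedCertificates' }
    "AEPolicy = $($ae.AEPolicy): $($flags -join ', ')"
}

# 2. Which templates does the CA currently publish? Only these can be requested at all, and
#    only those on which the requester holds Read + Enroll + Autoenroll are autoenrolled.
certutil -CATemplates

# 3. Enroll on demand through the same path autoenrollment uses. A version 1 template such
#    as 'User' works here but will never autoenroll; 'ContosoUser' is assumed to be a version 2
#    template granting Autoenroll to Domain Users.
$result = Get-Certificate -Template 'ContosoUser' -CertStoreLocation Cert:\CurrentUser\My
$result.Status                                                   # Issued, Pending or Denied
$result.Certificate | Select-Object Subject, NotAfter, Thumbprint

# 4. Trigger the autoenrollment task now instead of waiting for the next policy refresh.
certutil -pulse
```

If step 3 returns Pending, the template (or the CA's policy module) requires certificate manager approval; if it fails with access denied, check the template's Enroll permission, since autoenrollment inherits the same requirement.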

Recovery Agent A key recovery agent (KRA) is a user, typically an administrator, whose certificate is configured on the CA so that the private keys the CA archives are encrypted to it; the KRA can then recover those keys for users, computers, or services that have lost them. For example, if a user's hard drive crashes and the user has not backed up the private key, any information the user encrypted using the certificate (EFS files, S/MIME mail) is inaccessible until a recovery agent retrieves the user's private key. Recovery deliberately takes two roles: a certificate manager on the CA extracts the archived key, still encrypted, and only the KRA can decrypt it.

Key Archival This is the process by which the CA keeps a copy of a private key at enrollment time so that a recovery agent can retrieve it later. Most commercial CAs do not offer key archival; if a customer loses a private key and has not taken a backup, the customer needs to purchase a new certificate. In a Windows PKI implementation, an enterprise CA can archive private keys for templates that require it: the key is sent to the CA during enrollment, encrypted to the recovery agent's certificate, and stored in the CA database (not in Active Directory), which simplifies and automates both the enrollment and the recovery processes. Archive only encryption keys; archiving a signing key would let someone other than its owner produce that owner's signatures, which defeats non-repudiation.
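The two-person recovery flow for an archived key, as an added PowerShell example that is not part of the lesson. The CA name, the user, and the file paths are assumptions; the certutil verbs are the standard ones.

```powershell
# Added example (not from the lesson): check that archival is on, then recover a user's key.
$ca = 'ca01.contoso.com\Contoso Issuing CA 1'     # assumed CA config string

# 1. Is key archival actually configured? KRACertCount is the number of KRA certificates
#    each archived key is encrypted to; 0 means nothing is archived and recovery will fail.
certutil -config $ca -getreg CA\KRACertCount

# 2. Certificate manager on the CA: locate the archived key (search by UPN, serial number,
#    SHA-1 hash or requester name) and export it. The output is a PKCS #7 blob holding the
#    certificate and the private key still encrypted to the KRA's public key, so the person
#    running this step cannot read the key.
certutil -config $ca -getkey 'alice@contoso.com' 'C:\KeyRecovery\alice.blob'

# 3. Key recovery agent, on a workstation holding the KRA's private key: decrypt the blob
#    into a password-protected PFX to hand back to the user. certutil prompts for the PFX
#    password and never writes the key out unprotected.
certutil -recoverkey 'C:\KeyRecovery\alice.blob' 'C:\KeyRecovery\alice.pfx'

# 4. Make sure both halves of the procedure leave a trail: key export and recovery are
#    recorded in the Security log once Certification Services auditing is on.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
```

Keep the two roles on separate accounts and machines: whoever holds the Certificate Manager role should not also hold the KRA private key, otherwise one person can recover any archived key without a second party noticing.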

Windows Server 2008 and Certificate Services Within Windows Server 2008, the Active Directory Certificate Services server role consists of the following role services: –Certification Authority, which issues and manages certificates and publishes CRLs. –Certification Authority Web Enrollment, which lets users request certificates and download CRLs through a Web browser. –Online Responder, which answers Online Certificate Status Protocol (OCSP) queries about the revocation status of a single certificate, so clients need not download the whole CRL. –Network Device Enrollment Service (NDES), which lets routers, switches, and other devices without domain accounts enroll for certificates using the Simple Certificate Enrollment Protocol (SCEP).

Types of CAs When deploying a Windows-based PKI, two different types of CAs can be deployed: –Standalone CA. –Enterprise CA.

Stand-alone CA A standalone CA is not integrated with Active Directory and does not use certificate templates; the requester supplies all certificate details in the request. –By default it holds every request as pending until an administrator approves or denies it. –You can use a standalone CA as either a root or a subordinate CA in any PKI infrastructure. It is the usual choice for an offline root CA, because it needs no domain membership and can stay disconnected from the network, being started only to sign subordinate CA certificates and new CRLs.

Enterprise CA An enterprise CA integrates with an Active Directory domain and must run on a domain member server. –It uses certificate templates, enforces the enrollment permissions set on them, and supports autoenrollment of digital certificates; it publishes its own certificate and CRL, and can publish the certificates it issues, to Active Directory. –You can use an enterprise CA as either a root or a subordinate CA in any PKI infrastructure, but because it must remain joined to the domain it cannot be taken offline, so the recommended design is an offline standalone root with one or more enterprise subordinate CAs.
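The two CA types put together into the two-tier hierarchy discussed above (an offline standalone root issuing to an enterprise subordinate), as an added PowerShell example that is not part of the lesson. CA names, the pki.contoso.com URL and the file paths are assumptions. Install-AdcsCertificationAuthority comes from the ADCSDeployment module on Windows Server 2012 and later; on Windows Server 2008 the same choices are made in the role installation wizard, and the certutil commands are unchanged.

```powershell
# Added example (not from the lesson): offline standalone root + enterprise subordinate CA.

# ---- On the root CA: a workgroup server that never joins the network ----------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Clients must be able to fetch the root's CRL and certificate even though this server is
# offline, so the CDP and AIA extensions of the certificates it issues point at an HTTP
# location (flag 1 = publish to this path, flag 2 = include this URL in issued certificates).
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"

# The root is only booted to sign subordinate CAs and new CRLs, so its CRL gets a long life
# and no delta CRL. Note the date in your calendar: an expired root CRL breaks every chain.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc
certutil -crl        # writes the first CRL to CertEnroll; copy it and the .crt to pki.contoso.com

# ---- On the subordinate CA: a domain member server ----------------------------------
# Publish the root's certificate and CRL into Active Directory so every domain machine
# trusts the root and can find its CRL even before the HTTP location is live.
certutil -dspublish -f 'C:\Transfer\ROOT01_Contoso Root CA.crt' RootCA
certutil -dspublish -f 'C:\Transfer\Contoso Root CA.crl'

Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName 'Contoso Issuing CA 1' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -OutputCertRequestFile 'C:\Transfer\IssuingCA1.req' -Force

# Carry IssuingCA1.req to the root on removable media and run there:
#   certutil -submit C:\Transfer\IssuingCA1.req       -> held as Pending (standalone CA)
#   certutil -resubmit <RequestId>                    -> administrator issues it
#   certutil -retrieve <RequestId> C:\Transfer\IssuingCA1.cer
# Back on the subordinate, install the issued CA certificate and start the service.
certutil -installcert 'C:\Transfer\IssuingCA1.cer'
Start-Service certsvc
```

After the subordinate is running, certutil -verify -urlfetch against its CA certificate confirms that both the root's CRL and the root's certificate are reachable at the HTTP location; do this before issuing any end-entity certificates, because every one of them will inherit those URLs.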

Summary The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft’s larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows public key infrastructure (PKI) for authentication and authorization of users and devices.

Summary A PKI allows two parties to communicate securely, without any previous communication with each other, through the use of public key cryptography. PKI certificates are managed through certificate authorities that are hierarchical, which means that many subordinate CAs within an organization can chain upwards to a single root CA.

Summary Certificate templates are used by a certificate authority to simplify the administration and issuance of digital certificates. A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.

Summary Autoenrollment is a feature of PKI that is supported by Windows Server 2003 and later, which allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory. Key archival is the process by which private keys are maintained by the CA for retrieval by a recovery agent.

Summary Web enrollment enables users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date CRL. The Network Device Enrollment Service (NDES) enables network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

Summary When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs. –A standalone CA is not integrated with Active Directory and, by default, relies on administrator intervention to respond to certificate requests. –An enterprise CA integrates with Active Directory. It uses certificate templates as well as Group Policy Objects to allow autoenrollment of digital certificates, and publishes CA certificates, CRLs, and issued certificates to Active Directory for easy retrieval by users and devices.