
Module 9: Designing Public Key Infrastructure in Windows Server 2008.


1 Module 9: Designing Public Key Infrastructure in Windows Server 2008

2 Module Overview
- Overview of PKI and Active Directory Certificate Services
- Designing a Certification Authority Hierarchy
- Designing Certificate Templates
- Designing Certificate Distribution and Revocation

3 Lesson 1: Overview of PKI and Active Directory Certificate Services
- Applications That Use PKI
- Certification Authorities and PKI
- Internal and Public Certification Authorities
- Active Directory Certificate Services in Windows Server 2008

4 Applications That Use PKI
A Windows Server PKI supports the following types of PKI-enabled applications:
- Digital signatures
- Smart card logon
- Secure e-mail
- Software code signing
- IP security
- 802.1x
- Software restriction policy
- Internet authentication
- Encrypting File System

5 Certification Authorities and PKI
The CA performs the following tasks:
- Verifies the identity of a certificate requestor
- Issues certificates to requestors
- Manages certificate revocation

Common CA roles:
- Root CA
- Intermediate CA
- Policy CA
- Issuing CA

Types of CAs:
- Stand-alone
- Enterprise

6 Internal and Public Certification Authorities

                 Internal CA                              Public CA
  Expense        No certificate cost                      Lower administrative cost
  Flexibility    More flexible                            Less flexible
  Trust          Within your Active Directory forest only Global level (Internet)

You can use both internal and public CAs. When doing so:
- Use public certificates for external Web pages, such as your Outlook Web Access site
- Use internally issued certificates for securing internal communications, such as smart card logons

7 Active Directory Certificate Services in Windows Server 2008

Windows Server 2008 Editions

  Component                            Web   Standard   Enterprise   Datacenter
  CA                                   No    Yes        Yes          Yes
  Network Device Enrollment Service    No    No         Yes          Yes
  Online Responder service             No    No         Yes          Yes

8 Lesson 2: Designing a Certification Authority Hierarchy
- Certification Authority Hierarchy Roles
- Types of CA Hierarchies
- Guidelines for Designing a Certification Authority Hierarchy

9 Certification Authority Hierarchy Roles

Root CAs:
- Most trusted CA in the hierarchy
- Should be physically secured
- Should not issue certificates except to subordinate CAs
- Often a stand-alone CA

Subordinate CAs:
- Certified by another CA
- Usually issues certificates to client computers
- Can certify subordinate CAs
- Often integrated with Active Directory

Common roles in a CA hierarchy include:
- Root CA
- Policy CA
- Issuing CA

10 Types of CA Hierarchies
[Diagram: "Root CA Hierarchy" (Root CA above Policy CAs, each above Issuing CAs) and "Cross-Certification Trust" (two Root CA hierarchies, each with its own Issuing CA, cross-certifying each other)]

11 Guidelines for Designing a Certification Authority Hierarchy
Consider the following guidelines when you design your organization's CA hierarchy:
1. Decide how many CAs you require and where to locate them
2. Select the CA type
3. Deploy the root CA first, keeping it offline
4. Keep the CA hierarchy three to four layers deep
5. Define security levels and appropriate CA policies
6. Implement role separation

12 Certificate Templates in Windows Server 2008

Certificate template versions supported by CA operating system:

  CA Operating System                      Version 1   Version 2   Version 3
  Windows Server 2008 Datacenter Edition   Yes         Yes         Yes
  Windows Server 2008 Enterprise Edition   Yes         Yes         Yes
  Windows Server 2008 Standard Edition     Yes         No          No

13 Lesson 4: Designing Certificate Distribution and Revocation
- Certificate Distribution and Enrollment
- Choosing Enrollment Method
- Certificate Autoenrollment
- Guidelines for Designing Certificate Revocation

14 Certificate Distribution and Enrollment
Enrollment methods available from an Enterprise CA:
- Web Enrollment
- Manual enrollment
- Certificates Snap-in
- Autoenrollment
- Enrollment agents
- Network Device Enrollment Service

15 Choosing Enrollment Method

  Autoenrollment for:     Windows 2000   Windows XP, Windows 2003 and later
  Users and computers     Yes            Yes
  Smart cards             No             Yes

Only enterprise CAs support:
- Autoenrollment
- Smart card enrollment

Autoenrollment is available only for domain clients.

16 Certificate Autoenrollment
Several autoenrollment settings can be configured through group policy; these include the following:

  GPO Setting                                                     Description
  Certificate Services Client – Autoenrollment                    Defines whether autoenrollment is enabled or disabled
  Renew expired certificates, update pending certificates,        Enables automatic certificate renewal, and removes
  and remove revoked certificates                                 expired certificates
  Update certificates that use certificate templates              Updates certificates as needed to conform to the
                                                                  associated certificate templates
  Expiration Notification                                         Enables or disables expiration notifications (if
                                                                  enabled, you can control when notification will occur)

17 Guidelines for Designing Certificate Revocation
When designing certificate revocation, follow these guidelines:
- Evaluate the potential benefits of supplementing CRLs with the use of Online Responders
- Identify potential locations where Online Responders would be beneficial
- Identify the installation configuration that best suits your organization
- Identify the locations for every Online Responder and determine how they are to be managed
- Test the Online Responder and PKI configuration
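The hierarchy-depth guideline from slide 11 and the "test the Online Responder and PKI configuration" step above can be checked from a domain member with the script below. It is an added example, not part of the course material: it builds each certificate's chain with online revocation checking (CRL or OCSP, whichever the client resolves from the certificate's extensions) and reports the number of CA layers, whether the chain terminates in a self-signed root, and whether revocation status could be obtained. The store path Cert:\LocalMachine\My, the four-layer limit and the 15-second retrieval timeout are assumptions.

```powershell
# Added example (not from the slides). Requires Windows PowerShell on a Windows host.
$MaxCaLayers = 4      # slide 11: keep the CA hierarchy three to four layers deep (assumption: upper bound)
$AiaOid      = '1.3.6.1.5.5.7.1.1'   # Authority Information Access: OCSP and CA issuer URLs
$CdpOid      = '2.5.29.31'           # CRL Distribution Points

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = actually fetch CRL/OCSP instead of trusting a cached answer; ExcludeRoot
    # skips the (offline) root CA, which has no revocation source by design.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan(0, 0, 15)
    $valid = $chain.Build($Certificate)

    # ChainElements runs from the end-entity certificate up to the root.
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root     = $elements[$elements.Count - 1]
    $status   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # RevocationStatusUnknown / OfflineRevocation mean no CRL or OCSP answer was
    # obtained; Revoked means the responder or CRL says the certificate is revoked.
    $revocationProblem = ($status -match 'Revocation|Revoked')

    # Collect the revocation endpoints the client would contact, for review.
    $urlText = ($Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq $AiaOid -or $_.Oid.Value -eq $CdpOid } |
        ForEach-Object { $_.Format($true) }) -join "`n"
    $urls = [regex]::Matches($urlText, 'https?://\S+|ldap:///\S+') | ForEach-Object { $_.Value }

    New-Object PSObject -Property @{
        Subject          = $Certificate.Subject
        CaLayers         = $elements.Count - 1          # exclude the end-entity certificate
        DepthOK          = (($elements.Count - 1) -le $MaxCaLayers)
        RootIsSelfSigned = ($root.Subject -eq $root.Issuer)
        ChainValid       = $valid
        RevocationOK     = (-not $revocationProblem)
        ChainStatus      = $status
        RevocationUrls   = ($urls -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateChain -Certificate $_ } |
    Format-Table Subject, CaLayers, DepthOK, RootIsSelfSigned, ChainValid, RevocationOK, ChainStatus -AutoSize
```

A RevocationOK of False with an otherwise valid chain usually means the CRL distribution point or Online Responder listed in RevocationUrls is unreachable from this client, which is exactly the condition the last guideline asks you to test for.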
