
Active Directory Certificate Services in Windows Server 2008: Step-by-Step Guide

Microsoft Corporation
Published: 2007
Author: Roland Winkler
Editor: Debbie Swanson


This guide describes how to set up a test environment for Active Directory Certificate Services (AD CS) and how to install and configure the AD CS role services in Windows Server 2008.

Copyright 2007 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Contents

Active Directory Certificate Services in Windows Server 2008
    AD CS role services
    AD CS requirements
    Setting up a basic AD CS test environment
        Step 1: Install an enterprise root CA
        Step 2: Install the Online Responder
        Step 3: Configure the OCSP Response Signing certificate template
        Step 4: Configure the Online Responder
        Step 5: Verify the AD CS installation
    Setting up an extended AD CS test environment
        Step 1: Install a standalone root CA
        Step 2: Install an enterprise subordinate CA
        Step 3: Install the Online Responder
        Step 4: Configure the OCSP Response Signing certificate template
        Step 5: Configure the CA for the Online Responder
        Step 6: Enable the OCSP Response Signing_2 template for issue
        Step 7: Grant the Online Responder access to the private key of its signing certificate
        Step 8: Create a revocation configuration
        Step 9: Install the Network Device Enrollment Service
        Step 10: Verify the AD CS installation


Active Directory Certificate Services in Windows Server 2008

This guide describes how to set up a test environment for Active Directory Certificate Services (AD CS) and how to install and configure the AD CS role services in Windows Server 2008. It covers:

- the AD CS role services;
- the requirements for installing AD CS;
- setting up a basic AD CS test environment with an enterprise root CA and an Online Responder;
- setting up an extended AD CS test environment with a standalone root CA, an enterprise subordinate CA, an Online Responder and the Network Device Enrollment Service.

AD CS role services

Active Directory Certificate Services (AD CS) consists of the following role services:

Certification authorities (CAs). Root and subordinate CAs issue certificates to users, computers and services and manage the validity of the certificates they issue.

CA Web enrollment. Web enrollment lets users connect to a CA with a web browser in order to:
- request certificates;
- retrieve certificate revocation lists (CRLs).

Online Responder. The Online Responder implements the Online Certificate Status Protocol (OCSP). It receives a status request for a specific certificate, decodes it, evaluates the revocation status of that certificate and returns a signed response that contains only the status information that was requested.

Note: An Online Responder can be deployed in addition to, or instead of, certificate revocation lists (CRLs).

The Online Responder implements OCSP as defined in RFC 2560. RFC 2560 is available on the IETF web site (http://go.microsoft.com/fwlink/?LinkID=67082) (this page may be in English).

Network Device Enrollment Service (NDES). NDES lets routers and other network devices that do not have domain accounts obtain certificates. It implements the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco Systems Inc. With SCEP, software running on a network device can request a certificate from a CA even though the device cannot authenticate to the domain; an administrator authorises each request with a one-time enrollment password issued by NDES.

AD CS requirements

AD CS can be installed in domains whose domain controllers run Windows 2000 Server, Windows Server 2003 or Windows Server 2008. Before deploying AD CS, plan the public key infrastructure: decide, among other things, on the CA hierarchy, the names and cryptographic settings of the CAs, the validity periods of the certificates they issue and how revocation information will be published.

AD CS cannot be installed on a Server Core installation of Windows Server 2008, and Windows Server 2008 for Itanium-based systems does not include AD CS.

The following table shows which AD CS role services are available in each edition of Windows Server 2008.

Role service                                Web   Standard   Enterprise   Datacenter
Certification Authority (CA)                no    yes        yes          yes
CA Web enrollment                           no    yes        yes          yes
Network Device Enrollment Service (NDES)    no    no         yes          yes
Online Responder                            no    no         yes          yes

The following table shows which AD CS features are available in each edition of Windows Server 2008.

Feature                                          Web   Standard   Enterprise   Datacenter
Version 2 and version 3 certificate templates    no    no         yes          yes


Setting up a basic AD CS test environment

This section describes how to set up a basic AD CS test environment. It uses a minimal set of computers and assumes that no PKI has been deployed before. It is meant for a test network, not for a production deployment; for production planning, see the Windows Server documentation.

Test environment

AD CS is installed on Windows Server 2008 and the client runs Windows Vista. The environment consists of three computers:

- LH_DC1: the domain controller.
- LH_PKI1: the enterprise root CA and the Online Responder. Because it hosts the Online Responder, LH_PKI1 must run Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.
- LH_CLI1: a Windows Vista client that obtains certificates from LH_PKI1 and checks their status with the Online Responder on LH_PKI1.

Before installing AD CS, complete the following tasks:
- Make LH_DC1 a domain controller for contoso.com and create an organizational unit (OU) that contains LH_CLI1 and the other test user and computer accounts that will enroll for certificates.
- Install Windows Server 2008 on LH_PKI1 and join LH_PKI1 to the domain.
- Install Windows Vista on LH_CLI1 and join LH_CLI1 to contoso.com.

Setting up the environment consists of five steps:
Step 1: Install an enterprise root CA.
Step 2: Install the Online Responder.
Step 3: Configure the OCSP Response Signing certificate template.
Step 4: Configure the Online Responder.
Step 5: Verify the AD CS installation.

Step 1: Install an enterprise root CA

An enterprise CA is integrated with Active Directory Domain Services (AD DS): it publishes its certificate and CRLs to AD DS and issues certificates based on certificate templates. Because LH_PKI1 will also host the Online Responder, it must run Windows Server 2008 Enterprise or Windows Server 2008 Datacenter.

To install an enterprise root CA
1. Log on to LH_PKI1 as an administrator.
2. Click Start, point to Administrative Tools and click Server Manager.
3. In Roles Summary, click Add Roles.
4. On the Select Server Roles page, select Active Directory Certificate Services and click Next twice.
5. On the Select Role Services page, select Certification Authority and click Next.
6. On the Specify Setup Type page, select Enterprise and click Next.
7. On the Specify CA Type page, select Root CA and click Next.
8. On the Set Up Private Key and Configure Cryptography for CA pages, you can choose the cryptographic service provider, key length and hash algorithm or accept the defaults. Click Next after each page.
9. In Common name for this CA, type RootCA1 and click Next.
10. On the Set the Certificate Validity Period page, accept the default validity period and click Next.
11. On the Configure Certificate Database page, accept the default locations of the certificate database and its log, and click Next.
12. On the Confirm Installation Options page, click Install.
13. When the installation completes, close the wizard.

Step 2: Install the Online Responder

The Online Responder role service is available only in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. It runs on Windows Server 2008 and can provide status information for certificates issued by CAs running Windows Server 2003 as well as Windows Server 2008.

Installing the Online Responder also installs Internet Information Services (IIS), which it requires.

To install the Online Responder
1. Log on to LH_PKI1 as an administrator.
2. Click Start, point to Administrative Tools and click Server Manager.
3. Under Manage Roles, right-click Active Directory Certificate Services and click Add role services.
4. On the Select Role Services page, select Online Responder. You are prompted to add the IIS role services and Windows features that the Online Responder depends on.
5. Click Add Required Role Services, and then click Next.
6. On the Confirm Installation Options page, click Install.
7. When the installation completes, close the wizard.
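Steps 1 and 2 are performed with the Server Manager wizards on Windows Server 2008, which has no cmdlets for AD CS. The following added example (not part of the original guide) shows the same two installations scripted with the ADCSDeployment module that exists on Windows Server 2012 and later; it assumes it is run elevated on a domain-joined LH_PKI1 by an Enterprise Admin, and it deliberately departs from the 2008-era wizard defaults by selecting SHA-256 and a 4096-bit key, because a root CA certificate outlives most of the hardware that will trust it and SHA-1 signatures are no longer accepted.

```powershell
# Added example: scripted equivalent of Step 1 (enterprise root CA RootCA1) and
# Step 2 (Online Responder on the same server). Windows Server 2012+ only.
Import-Module ServerManager
Import-Module ADCSDeployment

# ADCS-Cert-Authority = Certification Authority, ADCS-Online-Cert = Online Responder
# (the latter pulls in the IIS components it needs, as the wizard does in Step 2).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# Step 1: enterprise root CA. Key storage provider, key length, hash and validity are
# the choices the wizard offers on its "Set Up Private Key" / "Configure Cryptography" pages.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'RootCA1' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory "$env:SystemRoot\system32\CertLog" `
    -LogDirectory "$env:SystemRoot\system32\CertLog" `
    -Force

# Step 2: Online Responder on the same server.
Install-AdcsOnlineResponder -Force

# Sanity checks: the CA service is running, answers requests, and reports its name.
Get-Service CertSvc | Select-Object Status, StartType
certutil -ping
certutil -cainfo name
Get-Service OCSPSvc | Select-Object Status, StartType
```

The two -Directory parameters reproduce the wizard's default database location; point them at a dedicated volume on anything other than a lab CA, since the certificate database grows with every issued certificate and every request.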

Step 3: Configure the OCSP Response Signing certificate template

The Online Responder signs its responses with a certificate issued from the OCSP Response Signing certificate template. Before the Online Responder can obtain that certificate, the template must allow the computer that hosts the Online Responder to enroll for it, and the CA must be configured to issue the template and to include the Online Responder's URL in the certificates it issues.

To configure the OCSP Response Signing certificate template
1. On LH_PKI1, open the Certificate Templates snap-in.
2. Click Certificate Templates.
3. Right-click the OCSP Response Signing template and click Duplicate Template.
4. Give the new template a name, for example OCSP Response Signing_2.
5. Right-click OCSP Response Signing_2 and click Properties.
6. Click the Security tab. Under Group or user name, click Add and enter the name of the computer that hosts the Online Responder.
7. With that computer, LH_PKI1, selected, under Permissions select Read and Autoenroll.
8. Still in Certificate Templates, repeat steps 3, 4 and 7 for LH_CLI1.

Next, use the Certification Authority snap-in to:
- add the Online Responder's URL to the Authority Information Access (AIA) extension of the certificates the CA issues;
- make the OCSP Response Signing template available for issue.

To configure the CA
1. Open the Certification Authority snap-in.
2. Select the CA.
3. On the Action menu, click Properties.
4. Click the Extensions tab. In Select extension, select Authority Information Access (AIA).
5. Click Add, type the location from which clients will obtain status information, http://LH_PKI1/ocsp, and click OK.
6. With that location selected, select Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension. Click OK and restart Active Directory Certificate Services when prompted.
7. In the Certification Authority snap-in, right-click Certificate Templates and click New, Certificate Template to Issue.
8. In Enable Certificate Templates, select the OCSP Response Signing template that you configured in the previous procedure and click OK.
9. Click the Certificate Templates folder and verify that the template appears in the list of templates the CA issues.

Step 4: Configure the Online Responder

After the Online Responder has been installed and has obtained its signing certificate, a revocation configuration must be created for each CA whose certificates the Online Responder will answer for.

Important: The Online Responder runs as the Network Service account. Before a revocation configuration is created, Network Service must be granted access to the private key of the OCSP Response Signing certificate; otherwise the Online Responder cannot sign its responses and the revocation configuration reports an error.

To grant the Online Responder access to the private key of its signing certificate
1. On LH_PKI1, open the Certificates snap-in.
2. Select the computer account.
3. Expand Certificates, then Personal, and select the certificate issued from the OCSP Response Signing template.
4. On the Action menu, click All Tasks, Manage Private Keys.
5. Click the Security tab. Under Group or user name, click Add, enter Network Service, and click OK.
6. With Network Service selected, under Permissions select Full Control (Read is sufficient for signing responses).
7. Click OK.

A revocation configuration contains everything the Online Responder needs to answer status requests for the certificates of one CA:
- the CA certificate for which status information is provided;
- the location of the CRL that the Online Responder uses as the source of revocation information;
- the signing certificate the Online Responder uses to sign its responses;
- the revocation provider and its settings.

To create a revocation configuration
1. Open the Online Responder snap-in.
2. In the Actions pane, click Add Revocation Configuration. The Add Revocation Configuration wizard starts; click Next.
3. On the Name the Revocation Configuration page, type a name, for example LH_RC1, and click Next.
4. On the Select CA Certificate Location page, select Select a certificate from an existing enterprise CA and click Next.
5. Click Browse CA certificates published in Active Directory and select the certificate of the CA on LH_PKI1. If the certificate is found, the wizard shows it; click Next. Alternatively, click Browse for CA Computer, type LH_PKI1, click Browse, select the CA and click OK; then click Next.

(Figure 4)

6. Determine the URL of the CRL published by RootCA1; it is needed in step 9. To find it:
   a) open the Certification Authority snap-in and open the properties of the CA;
   b) view the CA certificate and click the Details tab;
   c) select CRL Distribution Points;
   d) note the HTTP URL of the CRL;
   e) close the dialog boxes.
7. On the Select Signing Certificate page, keep Automatically select signing certificate and click Next.
8. On the Revocation Provider page, click Provider.
9. In Revocation Provider Properties, click Add, enter the URL of the CRL noted in step 6, and click OK.
10. Click Finish.
11. In the Online Responder snap-in, check the status of the new revocation configuration. It should report that the configuration is working and that a signing certificate is available; if it reports a problem, verify the signing certificate, the private key permissions and the CRL URL.
Step 5: Verify the AD CS installation

To verify that the CA and the Online Responder work, a client obtains a certificate, the certificate is revoked on the CA, and the client checks the certificate's status through the Online Responder instead of a CRL.

To verify the AD CS installation
1. Log on to LH_CLI1.
2. To obtain a certificate through AD DS autoenrollment, open a command prompt and type:
certutil -pulse

3. On LH_CLI1, open the Certificates snap-in and verify that a certificate has been issued.
4. On the CA, open the Certification Authority snap-in, expand Certification Authority (Computer)/CA name/Issued Certificates and select the certificate that was issued to LH_CLI1. On the Action menu, click All Tasks, Revoke Certificate. Click Yes.
5. To publish a new CRL, select Certification Authority (Computer)/CA name/Revoked Certificates. On the Action menu, click All Tasks, Publish.
6. To make sure the client uses the Online Responder rather than the CRL, select the CA in the Certification Authority snap-in. On the Action menu, click Properties.
7. Click the Extensions tab. In Select extension, select CRL Distribution Point (CDP).
8. Select each CRL distribution point URL, click Remove, and click OK.
9. Restart Active Directory Certificate Services when prompted.
10. Repeat steps 1 and 2 to obtain a new certificate. In the Certificates snap-in, export the new certificate to a file (*.cer). Then open a command prompt and type:
certutil -url <exportedcert.cer>

11. In the Verify and Retrieve dialog box, retrieve the status once with From CDP and once with From OCSP selected, and compare the results: the CRL check no longer has a distribution point to use, while the OCSP check returns the certificate's status from the Online Responder.


Setting up an extended AD CS test environment

This section describes a larger AD CS test environment that adds a standalone root CA, an enterprise subordinate CA and the Network Device Enrollment Service to the basic environment.

Test environment

AD CS is installed on Windows Server 2008 and the client runs Windows Vista. The environment consists of the following computers:

- LH_DC1: the domain controller.
- LH_CA_ROOT1: a standalone root CA.
- LH_CA_ISSUE1: an enterprise subordinate CA whose certificate is issued by LH_CA_ROOT1 and which issues certificates to the users and computers in the domain. LH_CA_ISSUE1 must run Windows Server 2008 Enterprise or Windows Server 2008 Datacenter so that it can issue certificates based on version 2 and version 3 templates such as OCSP Response Signing.
- LH_ORS1: the Online Responder.
- LH_NDES: the Network Device Enrollment Service (NDES), which lets network devices obtain certificates.
- LH_CLI1: a Windows Vista client that obtains certificates from LH_CA_ISSUE1 and checks their status with LH_ORS1.

Before installing AD CS, complete the following tasks:
1. Make LH_DC1 a domain controller for contoso.com and create an organizational unit (OU) that contains LH_CLI1 and the other test user and computer accounts that will enroll for certificates.
2. Install Windows Server 2008 on each of the servers listed above.
3. Install Windows Vista on LH_CLI1 and join LH_CLI1 to contoso.com.

Setting up the environment consists of ten steps:
Step 1: Install a standalone root CA.
Step 2: Install an enterprise subordinate CA.
Step 3: Install the Online Responder.
Step 4: Configure the OCSP Response Signing certificate template.
Step 5: Configure the CA for the Online Responder.
Step 6: Enable the OCSP Response Signing_2 template for issue.
Step 7: Grant the Online Responder access to the private key of its signing certificate.
Step 8: Create a revocation configuration.
Step 9: Install the Network Device Enrollment Service.
Step 10: Verify the AD CS installation.

Step 1: Install a standalone root CA

The root CA is the top of the public key infrastructure (PKI): every certificate in the PKI chains to it. A standalone root CA does not depend on AD DS, so after it has issued the subordinate CA's certificate it can be taken offline, which protects the key on which the whole PKI depends.

To install a standalone root CA
1. Log on to LH_CA_ROOT1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select Active Directory Certificate Services and click Next twice.
3. On the Select Role Services page, select Certification Authority and click Next.
4. On the Specify Setup Type page, select Standalone and click Next.
5. On the Specify CA Type page, select Root CA and click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can choose the cryptographic service provider, key length and hash algorithm or accept the defaults. Click Next after each page.
7. In Common name for this CA, type RootCA1 and click Next.
8. On the Set the Certificate Validity Period page, accept the default validity period and click Next.
9. On the Configure Certificate Database page, accept the default locations of the certificate database and its log, and click Next.
10. On the Confirm Installation Options page, click Install.
Step 2: Install an enterprise subordinate CA

The subordinate CA issues certificates to the users and computers in the domain; its own certificate is issued by the root CA. As an enterprise CA it is integrated with AD DS.

To install an enterprise subordinate CA
1. Log on to LH_CA_ISSUE1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select Active Directory Certificate Services and click Next twice.
3. On the Select Role Services page, select Certification Authority and click Next.
4. On the Specify Setup Type page, select Enterprise and click Next.
5. On the Specify CA Type page, select Subordinate CA and click Next.
6. On the Set Up Private Key and Configure Cryptography for CA pages, you can choose the cryptographic service provider, key length and hash algorithm or accept the defaults. Click Next after each page.
7. On the Request Certificate page, either send the certificate request directly to LH_CA_ROOT1 (the parent CA) or save it to a file, and click Next. If you save the request to a file, you must submit the file to the root CA, have the certificate issued there, and install the issued certificate on LH_CA_ISSUE1 before the subordinate CA can start.
8. In Common name for this CA, type LH_CA_ISSUE1 and click Next.
9. On the Set the Certificate Validity Period page, accept the default and click Next.
10. On the Configure Certificate Database page, accept the default locations of the certificate database and its log, and click Next.
11. On the Confirm Installation Options page, click Install.
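Steps 1 and 2 together form a two-tier hierarchy in which the root never talks to the domain, so the subordinate's request and certificate travel by file. The following added example (not part of the original guide) scripts that exchange with the ADCSDeployment module of Windows Server 2012 and later plus certutil/certreq, which also exist on Windows Server 2008. It assumes RootCA1 on a workgroup machine LH_CA_ROOT1, a domain-joined LH_CA_ISSUE1 that also hosts a web server exposing its CertEnroll folder as http://LH_CA_ISSUE1/CertEnroll/, an Enterprise Admin running the LH_CA_ISSUE1 part, and files moved between the two machines by hand; the RequestId printed by certreq is a placeholder.

```powershell
# Added example: offline standalone root + enterprise subordinate CA.

# ---------- On LH_CA_ROOT1 (standalone root; taken offline afterwards) ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA -CACommonName 'RootCA1' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# An offline root cannot publish anywhere itself. Put a long-lived CRL (flag 1 = publish here)
# and a CDP/AIA URL (flag 2 = write into issued certificates) that the online tier will host.
# No delta CRLs: nobody would be there to publish them.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://LH_CA_ISSUE1/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://LH_CA_ISSUE1/CertEnroll/%1_%3%4.crt"
Restart-Service CertSvc
certutil -crl      # writes RootCA1.crl into CertEnroll; copy it and LH_CA_ROOT1_RootCA1.crt to removable media

# ---------- On LH_CA_ISSUE1 (enterprise subordinate) ----------
# Make the domain trust the root and publish its CRL in AD before the subordinate exists.
certutil -dspublish -f .\LH_CA_ROOT1_RootCA1.crt RootCA
certutil -dspublish -f .\RootCA1.crl
# Also copy both files into this server's CertEnroll folder so the HTTP URLs above resolve.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# -OutputCertRequestFile is the scripted form of "save the request to a file" in Step 2, item 7.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'LH_CA_ISSUE1' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile 'C:\LH_CA_ISSUE1.req' -Force

# ---------- Back on LH_CA_ROOT1: submit, approve, retrieve ----------
certreq -submit -config 'LH_CA_ROOT1\RootCA1' C:\LH_CA_ISSUE1.req    # standalone CA: request goes pending
$requestId = 2                                                        # placeholder: use the RequestId certreq printed
certutil -resubmit $requestId                                         # approve the pending request
certreq -retrieve -config 'LH_CA_ROOT1\RootCA1' $requestId C:\LH_CA_ISSUE1.crt

# ---------- On LH_CA_ISSUE1: install the issued certificate and start the CA ----------
certutil -installcert C:\LH_CA_ISSUE1.crt
Start-Service CertSvc
certutil -verify -urlfetch C:\LH_CA_ISSUE1.crt    # chain and CDP/AIA of the new CA must check out
```

The last command is the test that matters: if the root's CRL is not reachable at the URL written into the subordinate's certificate, every certificate the subordinate issues will fail revocation checking, and the Online Responder configured later cannot help with that because it only answers for the subordinate's own issued certificates.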

Step 3: Install the Online Responder

The Online Responder role service is available only in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. It runs on Windows Server 2008 and can provide status information for certificates issued by CAs running Windows Server 2003 as well as Windows Server 2008. In this environment it is installed on a separate computer, LH_ORS1.

Installing the Online Responder also installs Internet Information Services (IIS), which it requires: the OCSP service runs in IIS as an Internet Server Application Programming Interface (ISAPI) extension.

To install the Online Responder
1. Log on to LH_ORS1 as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select Active Directory Certificate Services and click Next twice.
3. On the Select Role Services page, select Online Responder and click Next. A Certification Authority is not needed on LH_ORS1, so clear that check box if it is selected. You are prompted to add the IIS role services and Windows features that the Online Responder depends on.
4. Click Add Required Role Services, and then click Next.
5. On the Confirm Installation Options page, click Install.
6. When the installation completes, close the wizard.

Step 4: Configure the OCSP Response Signing certificate template

The OCSP Response Signing certificate template defines the Read, Enroll, Autoenroll and Write permissions. The computer that hosts the Online Responder needs Read and Autoenroll on a copy of the template so that it can obtain its signing certificate automatically.

To configure the OCSP Response Signing certificate template
1. Log on to LH_CA_ISSUE1 as an administrator.
2. Open the Certificate Templates snap-in.
3. Right-click the OCSP Response Signing template and click Duplicate Template.
4. Name the new template OCSP Response Signing_2.
5. Right-click OCSP Response Signing_2 and click Properties.
6. Click the Security tab. Under Group or user name, click Add and enter the name of the computer that hosts the Online Responder.
7. With LH_ORS1 selected, under Permissions select Read and Autoenroll.
8. Still in Certificate Templates, repeat steps 3, 4 and 7 for LH_CLI1.

Step 5: Configure the CA for the Online Responder

Clients need the URL of the Online Responder in order to check the status of a certificate, so the CA must include that URL in the Authority Information Access (AIA) extension of every certificate it issues. The CA must also be able to issue OCSP Response Signing certificates.

To configure the CA
1. Log on to LH_CA_ISSUE1 as an administrator.
2. Open the Certification Authority snap-in.
3. Select the CA.
4. On the Action menu, click Properties.
5. Click the Extensions tab. In Select extension, select Authority Information Access (AIA).
6. Click Add, type the location from which clients will obtain status information, http://LH_ORS1/ocsp, and click OK.
7. With that location selected, select Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension. Click OK and restart Active Directory Certificate Services when prompted.
8. In the Certification Authority snap-in, right-click Certificate Templates and click New, Certificate Template to Issue.
9. In Enable Certificate Templates, select the OCSP Response Signing template that you configured in Step 4 and click OK.
10. Click the Certificate Templates folder and verify that the template appears in the list of templates the CA issues.
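The CA-side part of this step (and of the equivalent procedure in Step 3 of the basic environment) is a change to two CA registry settings, so it can be scripted and audited instead of clicked. The following added example (not from the guide) does that with certutil, which is present on Windows Server 2008. It assumes it is run elevated on LH_CA_ISSUE1 with the Online Responder at http://LH_ORS1/ocsp (substitute http://LH_PKI1/ocsp on LH_PKI1 in the basic environment), that the CA's AIA locations are still the Windows defaults, and that the duplicated template kept the default internal name OCSPResponseSigning_2 (the display name without spaces); duplicating the template and setting its ACL remain GUI tasks here.

```powershell
# Added example: put the OCSP URL into the AIA extension and publish the signing template.
$ocspUrl = 'http://LH_ORS1/ocsp'   # assumption: Online Responder virtual directory on LH_ORS1

# CACertPublicationURLs holds "flags:URL" entries separated by \n. AD CS flag bits:
#   1  = publish the CA certificate to this location
#   2  = include the URL in the AIA extension of issued certificates (CA certificate access)
#   32 = include the URL in the OCSP access method of the AIA extension (id-ad-ocsp)
# The OCSP entry carries flag 32 only: it is not a place to fetch the CA certificate from.
$aia = @(
    "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt",
    '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    '2:http://%1/CertEnroll/%1_%3%4.crt',
    "32:$ocspUrl"
) -join '\n'   # literal backslash-n: certutil, not PowerShell, interprets it as the separator

certutil -setreg CA\CACertPublicationURLs $aia

# Add the signing templates to the CA's issue list (the "Certificate Template to Issue" dialog).
# OCSPResponseSigning is the built-in template; OCSPResponseSigning_2 is the assumed internal name
# of the duplicate created in Step 4.
certutil -SetCATemplates '+OCSPResponseSigning' '+OCSPResponseSigning_2'

# The AIA change applies only after the service restarts (the snap-in prompts for this).
Restart-Service CertSvc

# Verify: the 32: entry is present and both templates are listed.
certutil -getreg CA\CACertPublicationURLs
certutil -CATemplates
```

Anything with Read and Enroll on OCSPResponseSigning_2 can now obtain a certificate that signs authoritative "good" answers for this CA, so the template ACL set in Step 4 is the control that matters; audit it alongside the CA's own issue list.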

Step 6: Enable the OCSP Response Signing_2 template for issue

The duplicated template must be added to the list of templates the CA issues; otherwise LH_ORS1 cannot autoenroll for its signing certificate.

To enable the OCSP Response Signing_2 template
1. Open the Certification Authority snap-in.
2. Right-click Certificate Templates and click New, Certificate Template to Issue.
3. Select OCSP Response Signing_2 and click OK.

Step 7: Grant the Online Responder access to the private key of its signing certificate

The Online Responder runs as the Network Service account. Once LH_ORS1 has autoenrolled for a certificate from the OCSP Response Signing_2 template, Network Service must be granted access to that certificate's private key; otherwise the Online Responder cannot sign its responses and the revocation configuration created in the next step reports an error.

To grant access to the private key
1. Log on to LH_ORS1 as an administrator.
2. Open the Certificates snap-in for the computer account.
3. Expand Certificates, then Personal, and select the certificate issued from the OCSP Response Signing_2 template.
4. On the Action menu, click All Tasks, Manage Private Keys.
5. Click the Security tab. Under Group or user name, click Add, enter Network Service, and click OK.
6. With Network Service selected, under Permissions select Full Control (Read is sufficient for signing responses). Click OK.
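Manage Private Keys edits the ACL of the file that stores the key, so the same grant can be scripted and verified. The following added example (not from the guide) does this for Step 7 and for the identical procedure in Step 4 of the basic environment. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later (needed for GetRSAPrivateKey), that it is run elevated on the Online Responder machine, that the signing certificate in the machine Personal store is identifiable by its Certificate Template Information extension, and that the Microsoft software key storage provider or the legacy RSA CSP holds the key. It grants Read rather than Full Control, which is all the Online Responder needs to sign responses.

```powershell
# Added example: grant NETWORK SERVICE read access to the OCSP signing key.
$templateName = 'OCSP Response Signing_2'     # display name; use 'OCSP Response Signing' in the basic lab
$account      = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Find the newest certificate from that template. OID 1.3.6.1.4.1.311.21.7 is the
#    Certificate Template Information extension; Format() renders the template's display name.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and $ext.Format($false) -like "*$templateName*"
} | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate from template '$templateName' in LocalMachine\My" }

# 2. Locate the key file. CNG (KSP) machine keys live under Crypto\Keys,
#    legacy CSP machine keys under Crypto\RSA\MachineKeys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw 'Private key is not present, not exportable to this process, or not RSA'
}
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile (hardware or non-Microsoft provider?)" }

# 3. Add a Read ACE for the service account and write the ACL back.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify, then restart the Online Responder service so it re-opens the key.
(Get-Acl -Path $keyFile).Access | Where-Object IdentityReference -like '*NETWORK SERVICE*' |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
Restart-Service OCSPSvc
```

Run the verification part alone on a responder that is already working and you have a quick audit of who can read the key that vouches for every certificate the CA issued; any identity beyond SYSTEM, Administrators and Network Service deserves an explanation.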

Step 8: Create a revocation configuration

A revocation configuration contains everything the Online Responder needs to answer status requests for the certificates of one CA:
- the CA certificate for which status information is provided;
- the location of the CRL that the Online Responder uses as the source of revocation information;
- the signing certificate the Online Responder uses to sign its responses;
- the revocation provider and its settings.

To create a revocation configuration
1. Log on to LH_ORS1 as an administrator.
2. Open the Online Responder snap-in.
3. In the Actions pane, click Add Revocation Configuration. The Add Revocation Configuration wizard starts; click Next.
4. On the Name the Revocation Configuration page, type a name, for example LH_RC1, and click Next.
5. On the Select CA Certificate Location page, select Select a certificate for an existing enterprise CA and click Next.
6. To select the certificate of the CA on LH_CA_ISSUE1, click Browse CA certificates published in Active Directory. If the certificate is found, the wizard shows it; click Next. Alternatively, click Browse for CA Computer, type LH_CA_ISSUE1, click Browse, select the CA and click OK; then click Next.

(Figure 5)

7. Determine the URL of the CRL published by the CA; it is needed in step 10. To find it:
   a) open the Certification Authority snap-in and open the properties of the CA;
   b) view the CA certificate and click the Details tab;
   c) select CRL Distribution Points;
   d) note the HTTP URL of the CRL;
   e) close the dialog boxes.
8. On the Select Signing Certificate page, keep Automatically select signing certificate and click Next.
9. On the Revocation Provider page, click Provider.
10. In Revocation Provider Properties, click Add, enter the URL of the CRL noted in step 7, and click OK.
11. Click Finish.
12. In the Online Responder snap-in, check the status of the new revocation configuration. It should report that the configuration is working and that a signing certificate is available; if it reports a problem, verify the signing certificate, the private key permissions granted in Step 7 and the CRL URL.

Step 9: Install the Network Device Enrollment Service

The Network Device Enrollment Service (NDES) lets routers and other network devices that have no domain accounts obtain certificates from the CA. NDES is implemented as an ISAPI filter on IIS that:
- issues one-time enrollment passwords to administrators and accepts SCEP enrollment requests from devices;
- transports those requests over HTTP using the Simple Certificate Enrollment Protocol (SCEP), which is based on PKCS #10, PKCS #7 and RFC 2459 certificates.

The SCEP specification is available on the IETF web site (http://go.microsoft.com/fwlink/?LinkId=71055) (this page may be in English).

Before installing NDES, create a domain user account, ndes_user1, under which the service will run and make it a member of the IIS_IUSRS group on LH_NDES. In the Certificate Templates snap-in, grant this account the Read and Enroll permissions on the IPSEC (Offline request) template.

To install the Network Device Enrollment Service
1. Log on to LH_NDES as an administrator.
2. Start the Add Roles Wizard. On the Select Server Roles page, select Active Directory Certificate Services and click Next twice.
3. On the Select Role Services page, select Network Device Enrollment Service. A Certification Authority is not needed on LH_NDES, so clear that check box if it is selected. You are prompted to add the IIS role services and Windows features that NDES depends on.
4. Click Add Required Role Services, and then click Next.
5. On the Confirm Installation Options page, click Install.
6. When the role installation completes, close the wizard and continue with the NDES configuration pages.
7. If NDES had been installed on this computer before, the wizard offers to replace the existing Registration Authority (RA) certificates that sign and encrypt SCEP traffic. Select Replace existing Registration Authority (RA) certificates and click Next; the RA certificates are then requested anew from the CA. On a first installation this page does not appear.
8. On the Specify User Account page, click Select User, select ndes_user1 (the account that is a member of IIS_IUSRS), click OK, and click Next.
9. On the Specify CA page, select CA name or Computer name, click Browse, select the issuing CA on LH_CA_ISSUE1, and click Next.
10. On the Specify Registry Authority Information page, type ndes_1 in RA name. Optionally fill in Country/region and the other fields, and click Next.
11. On the Configure Cryptography page, accept the defaults for the RA signing and encryption keys or choose your own settings, and click Next.
12. Confirm the settings and click Install.
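NDES is the one AD CS role service that accepts certificate requests from unauthenticated callers, so how it is configured matters more than how it is installed. The following added example (not part of the original guide) scripts this step with the ADCSDeployment module of Windows Server 2012 and later and then sets the NDES registry values that control the one-time password, which exist on Windows Server 2008 as well. It assumes contoso\ndes_user1 already exists, is in the local IIS_IUSRS group on LH_NDES and has Read and Enroll on the IPSEC (Offline request) template, that the issuing CA is reachable as LH_CA_ISSUE1\LH_CA_ISSUE1, and that the script is run elevated on LH_NDES by an Enterprise Admin.

```powershell
# Added example: install NDES and harden its enrollment-password handling.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

$svcPwd = Read-Host -AsSecureString 'Password for contoso\ndes_user1'
Install-AdcsNetworkDeviceEnrollmentService `
    -RAName 'ndes_1' -RACountry 'US' `
    -CAConfig 'LH_CA_ISSUE1\LH_CA_ISSUE1' `
    -ServiceAccountName 'contoso\ndes_user1' -ServiceAccountPassword $svcPwd `
    -Force

# NDES settings live under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP; each password
# setting is a DWORD of the same name inside a subkey of that name.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$settings = @{
    EnforcePassword   = 1    # every SCEP request must carry a challenge password
    UseSinglePassword = 0    # a fresh password per device,,not one shared password for all
    PasswordMax       = 5    # how many unused passwords may be outstanding at once
    PasswordValidity  = 60   # minutes an unused password stays valid
}
foreach ($name in $settings.Keys) {
    $key = Join-Path $mscep $name
    New-Item -Path $key -Force | Out-Null                     # no-op if the subkey already exists
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Templates NDES requests on behalf of devices (default: IPSECIntermediateOffline,
# the internal name of "IPSEC (Offline request)"). Anything listed here is obtainable
# by whoever holds a challenge password, so keep these to device-only templates.
Get-ItemProperty -Path $mscep | Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate

iisreset   # the MSCEP ISAPI filter reads these values at start-up

# Where the two interfaces live (for firewall and IIS authentication rules):
#   http://LH_NDES/certsrv/mscep_admin/     admin page that hands out passwords; needs Windows auth
#   http://LH_NDES/certsrv/mscep/mscep.dll  device-facing SCEP endpoint; anonymous by design
```

With EnforcePassword set to 0 or UseSinglePassword set to 1 the SCEP endpoint becomes a certificate vending machine for anyone who can reach it, and the certificates it vends are accepted by every relying party that trusts LH_CA_ISSUE1; treat those two values as you would the CA's own issue list.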

Step 10: Verify the AD CS installation

To verify that the subordinate CA and the Online Responder work, a client obtains a certificate, the certificate is revoked on the CA, and the client checks the certificate's status through the Online Responder instead of a CRL.

To verify the AD CS installation
1. Log on to LH_CLI1.
2. To obtain a certificate through AD DS autoenrollment, open a command prompt and type:
certutil -pulse

3. Open the Certificates snap-in and verify that a certificate has been issued.
4. On the CA, open the Certification Authority snap-in, expand Certification Authority (Computer)/CA name/Issued Certificates and select the certificate that was issued to LH_CLI1. On the Action menu, click All Tasks, Revoke Certificate. Click Yes.
5. To publish a new CRL, select Certification Authority (Computer)/CA name/Revoked Certificates. On the Action menu, click All Tasks, Publish.
6. To make sure the client uses the Online Responder rather than the CRL, select the CA in the Certification Authority snap-in. On the Action menu, click Properties.
7. Click the Extensions tab. In Select extension, select CRL Distribution Point (CDP).
8. Select each CRL distribution point URL, click Remove, and click OK.
9. Restart Active Directory Certificate Services when prompted.
10. Repeat steps 1 and 2 to obtain a new certificate. In the Certificates snap-in, export the new certificate to a file (*.cer). Then open a command prompt and type:
certutil -url <exportedcert.cer>

11. In the Verify and Retrieve dialog box, retrieve the status once with From CDP and once with From OCSP selected, and compare the results: the CRL check no longer has a distribution point to use, while the OCSP check returns the certificate's status from the Online Responder.
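The verification in Step 5 of the basic environment and in Step 10 here is the same sequence, and it is worth having as a script that can be rerun after every change to the CA. The following added example (not from the guide) performs it with certutil and PowerShell; parts marked for the CA run on the CA, the rest on LH_CLI1. It assumes LH_CLI1 autoenrolls a machine certificate through Group Policy, that the CA is reachable as LH_CA_ISSUE1\LH_CA_ISSUE1 (use LH_PKI1\RootCA1 in the basic environment), that C:\temp exists on the client, and that the newest certificate in the machine Personal store is the one to test.

```powershell
# Added example: enroll, inspect, revoke, and re-check a certificate through OCSP.

# ---------- On LH_CLI1: autoenroll and export the newest machine certificate ----------
certutil -pulse
Start-Sleep -Seconds 10
$cert = Get-ChildItem Cert:\LocalMachine\My | Sort-Object NotBefore -Descending | Select-Object -First 1
$cert | Format-List Subject, Issuer, SerialNumber, NotBefore
$cerPath = 'C:\temp\lh_cli1.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# The certificate must carry the responder URL (id-ad-ocsp) in its AIA extension,
# otherwise Step 5 / Step 3 did not take effect and the client can only ever use a CRL.
certutil -dump $cerPath | Select-String -Pattern 'OCSP|CRL Distribution|Access Method'

# Status before revocation. -urlfetch forces live retrieval of AIA/CDP/OCSP data instead of the
# local cache; clearing the URL cache first prevents a stale answer.
certutil -urlcache * delete
certutil -verify -urlfetch $cerPath | Select-String -Pattern 'revocation|OCSP|CRL'

# ---------- On the CA: revoke by serial number and publish a fresh CRL ----------
$caConfig = 'LH_CA_ISSUE1\LH_CA_ISSUE1'
$serial   = '<serial number printed above>'   # placeholder: copy SerialNumber from the client output
certutil -config $caConfig -revoke $serial 1   # reason 1 = KeyCompromise (0 = Unspecified)
certutil -config $caConfig -crl                # publish, as "Revoked Certificates > Publish" does

# Optional, as in the guide's step 8: drop the CDP URLs so clients must use OCSP.
# Keep only the local publish location (flag 1 publish, 64 publish delta); no flag-2 entries.
certutil -config $caConfig -setreg CA\CRLPublicationURLs "65:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl"
Restart-Service CertSvc

# ---------- On LH_ORS1 (optional): make the responder re-read the CRL now ----------
Restart-Service OCSPSvc

# ---------- Back on LH_CLI1: the same certificate must now come back revoked ----------
certutil -urlcache * delete
certutil -verify -urlfetch $cerPath | Select-String -Pattern 'REVOKED|revocation|OCSP'
```

If the second check still says the revocation check passed, look at the output lines tagged OCSP: a response that was fetched but is older than the revocation means the responder is still serving from its previous CRL, while no OCSP line at all means the client never found the URL in the certificate's AIA extension.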