
IntroToADM03_high

Welcome back. We are off on our next module, Active Directory Certificate Services. After spending some time on Active Directory Domain Services we're going to dive right in and get an overview of Certificate Services: what it is, what it does and how it works.

A little bit about AD CS: what is it, what does it do for us or provide for us over and above Directory Services? As I mentioned before when I started off this course, AD CS is, in theory, relatively simple. All it does is manage certificates. That's it. However, to get to the point where you are managing certificates, with all of the things certificates do, how they can do it, how important they are, and the infrastructure possibilities for managing them, it is a complicated piece of technology in any environment.

Overview of Active Directory Certificate Services: what is a certification authority, how hierarchies work, options for implementing, options for integrating AD CS and the Domain Services that we just learned about, and a demonstration of some of the tools.

What is a certification authority? It's an entity entrusted to issue certificates. That's it. In this instance it is essentially a computer that we have said is going to be allowed to issue certificates to individuals or users, computers, servers, the organization, network devices in some cases if necessary or required or requested. These certificates verify the identity and other attributes of the certificate subject to other entities. Now a lot of this module is actually going to be spent on PKI as an idea and not so much on the technicalities behind Active Directory Certificate Services, only because that background is very necessary for understanding how the pieces of Certificate Services work. Once you have that background Certificate Services is much, much simpler. Not that it is simple overall, but it is simpler once you have an idea of PKI.

How CA hierarchies work: they include a root CA, or certification authority, and optionally one or more levels of subordinate CAs. You don't have to have subordinate CAs, but there are plenty of reasons for deploying more than one, all of them listed here.

Usage: certificates may be issued for a number of purposes, secure email, secure web servers, pure user verification, identity verification, and you may want to segregate your certification authorities to issue certificates just for those particular uses.

Organizational divisions: as we talked about earlier, you might have a number of different organizations or teams or groups within your overall organization that have different functions, different requirements, different teams even possibly, and you need those teams to independently manage certification services.

Geographic divisions: that one is very similar to organizational divisions, but by physical geographic location.

Load balancing: I might want to make sure that I don't overwhelm any one certification authority with requests, with revocation, with management, so I may have a number of different certification authorities, a number of different servers in the hierarchy, to provide for that load balancing.

High availability: there are key, crucial servers in Active Directory Certificate Services that have to be available; you have to have them for it to function correctly. Without that you lose the validity of the certificates that are attempting to be verified and your certification is essentially for naught.

Administrative access: just like everything in Microsoft software and tools, we have the ability to very, very granularly control delegation of administration. I can allow different users of different types, or different administrators of different types, to manage different aspects of the infrastructure, and that may be a reason to have different hierarchies within my certification authority.

When implementing a certification authority solution you can use an internal private CA or an external public CA. These are very different options. An external public CA I don't manage; I send a request for a certificate and that's pretty much it. I go to any major commercial service, I say I want a certificate for purpose X, here's the information that pertains to that certificate, and depending on what that certificate is or how important it is there may be independent verification provided by that third party that I am who I say I am, and then they're going to issue me a certificate. A very good example of this would be any public website secured with SSL, HTTPS at the beginning of a URL; those certificates are issued by third parties. The reason for that is that every computer is deployed with a preset list of trusted certification authorities in the world, and certificates issued by them will be valid. If I create my own internal private certification authority I don't have that trust built into the system. I can't create a website, attach a certificate to it that I've issued myself, have someone from outside of my organization go to that website and have them not get a certificate error; their computers don't have a store of my internal certification authority and
its trust to the world. That's our biggest difference between these two. Internal CAs are less expensive and provide broad administrative options, but the issued certificates are not trusted by external clients; the world at large doesn't know about them. I personally use a mix of both of these in my day-to-day operations. Even at home I host some websites for myself and for associates of mine; I've used external certificates for some, self-issued certificates for some.

Options for integrating Active Directory Certificate Services and Active Directory Domain Services: enterprise or standalone. These are the two types of certification authorities you can stand up in Active Directory Certificate Services. A standalone certification authority is a server you install the role on and you can issue certificates; it is that simple. What you lose out on is what's in the enterprise column.

You don't have group policy for trusted root propagation. I'll have to explain that for a moment. As I mentioned, every computer when built, when deployed (in this case we'll stick with Microsoft Windows operating systems) has a list of trusted certification authorities worldwide built into that operating system. My internal certification authority isn't on that list by default, so for me to be able to use certificates that I've issued internally without having trust issues I can use group policy. I can populate that trusted list on all of those workstations with my certification authority; it tells those clients that any certificates issued by me are to be trusted. That's our first advantage of an enterprise CA.

Publishes certificates and CRLs to AD DS: this is one we're going to learn more about as we go through this module. The simple explanation is that certification authorities maintain the lists of certificates that have been revoked, and clients check those lists to make sure that when they're getting a certificate as validation of identity it is still valid, that it is still a legitimate certificate. I can use Active Directory to store and distribute that list as opposed to other mechanisms built within certification.

Can force credential checks during enrollment: if I want to get a certificate I can make sure that I, Christopher Chapman, am the one getting that certificate and not someone else pretending to be me getting a certificate with my name on it.

Can have subject name generated automatically from logon credentials: this has to do with certificates matching. When issued a certificate, the name being verified has to match the subject name of the certificate for it to be valid.

Certificate templates: those are preset templates for preset purposes that I can either decide to issue or not issue, and control different options of, and we'll talk about that more in further slides.

Can be used to generate smart card Windows domain authentication certificates: I can't do this without Active Directory Domain Services; I have to have an AD DS integrated AD CS implementation to do smart card Windows authenticated logon.

And can use certificate autoenrollment: what this means is, as a user or as a computer, I can designate that when that computer comes online it automatically gets a certificate for whatever purpose I might want one for. We are
going to install this role. I'm going to jump into a demo real quick and install the role, and then we're going to take a look at the tools for managing it right off the bat.

And here we are in the demo environment. This is a server I've prepared ahead of time; it has the Domain Services role pre-installed but not Certificate Services. We're going to go ahead and run through that installation just so you can get a look at what it takes. We're going to click on Add Roles and Features in the Server Manager window. It brings up our prerequisite information box. It is again a role-based installation and it is on the local server. We're going to install Active Directory Certificate Services. As with other installations of Active Directory roles there are prerequisite features that have to be installed; Server Manager warns us about these features and lets us know what it's going to be installing. Next brings up the Features window again, with those features asked for in the prior step already pre-selected. Another information screen just letting us know a couple of things. There is a note right here that's relatively important: the name and domain settings of this computer cannot be changed after a certification authority has been installed. If you want to change the name, join a domain or promote the server to a domain controller, complete these changes before installing the certification authority role. We're going to go ahead and continue forward; we're not planning on making any changes to the name during this course.

These are the role services. I am going to install most of these. All of them come with additional features, so we're going to click this a couple of times, and if I remember correctly I can't actually install, or can't configure, all of these right away after this installation is done. We'll look at that once they're installed. Another information screen; this has been put here as a requirement of the features that we just got selected. As I selected the roles it gave me prerequisites, IIS was on that list of prerequisites, so a step has been added to the Add Roles and Features wizard. In that process I can once again make changes, but the options that I absolutely need for Certificate Services have already been selected. I can restart automatically if required; I'm not going to select that, I'm just going to install. This wizard, again as mentioned in prior modules, can be closed without interrupting any tasks; once it's gotten started I can close this and the installation is going to continue in the background independently of anything I'm doing. I am going to switch over to another computer that already has the role installed because we don't need to wait for this portion.
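As an added example that is not part of the course, the same role installation the wizard performs above, scripted in PowerShell, with a pre-flight check for the warning about the computer name and domain membership. The CA common name and validity period are assumed placeholder values.

```powershell
# Added example: scripted equivalent of the "Add Roles and Features" walkthrough above.
# Assumed values (not from the course): the CA common name and the validity period.
$CACommonName  = 'CONTOSO-ROOT-CA'   # placeholder, choose your own
$ValidityYears = 10

# Pre-flight: the wizard warns that the computer name and domain membership cannot be
# changed once the CA role is installed, so confirm both before going any further.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Server '$($cs.Name)' is not domain-joined; an enterprise CA needs AD DS first."
}
Write-Host "Installing on $($cs.Name) in domain $($cs.Domain); rename or rejoin is not possible afterwards."

# Install the CA role service plus Web Enrollment (which pulls in IIS as a prerequisite,
# exactly as the wizard added the IIS step), including the management tools.
$result = Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
if (-not $result.Success) { throw "Role installation failed, exit code: $($result.ExitCode)" }

# Configure the CA itself. This is the post-installation step mentioned above: the binaries
# are on disk, but nothing issues certificates until the CA is configured.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName $CACommonName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits $ValidityYears `
    -Force

# Configure the Web Enrollment pages. They must be served over HTTPS before a user can
# submit a request, as the later demo shows; bind a server certificate in IIS before use.
Install-AdcsWebEnrollment -Force

# Report which AD CS role services are now installed so the result can be verified.
Get-WindowsFeature -Name 'ADCS-*' | Where-Object Installed |
    Select-Object Name, DisplayName
```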
So here I have a server up and running, Server Manager open, that has AD CS already installed on it. Same dashboard window; it's going to give us servers with this role installed (in this case there's just one) and any events that have happened in regards to this particular role or service. Unlike Active Directory, where we had the Active Directory Administrative Center, a new tool that Microsoft has provided to centralize management of the Active Directory tools, for Certificate Services we still have a number of different tools to use. The complication with these tools, or with talking about these tools, is that they're actually very dependent upon each other.

The first one I've opened is the Certification Authority tool. It's connected to the local machine right here and this is all it gives us: certificates that have been revoked, certificates that have been issued, requests for certificates, failed requests, and the templates that this certification authority is currently authorized to provide. It is relatively basic. This is our main source of information about our certification authority.

So from here, we've seen what these options are. The next level of management actually stems from this console: on Certificate Templates, right-click, and there is a Manage option. What that's going to do is open up another console in a new window for managing our certificate templates. It's in this console that I can modify the certificate templates that can be issued by my certification authority. This is another slightly complicated step in that I don't select which templates to issue from here. This, for instance, is where I would modify a web server certificate template's properties, and I could make changes to some options in here. For instance, there are no computers in here, so I can't issue a web server certificate to a web server directly. I could modify that: I could add computers and I could select a computer to issue a certificate to. So server DC is in that list, I enroll it, or I add a server "web" or whatever the name of my web server is, select the Enroll option, click OK. All I've done is change the template; I still can't issue that certificate to a web server. I then have to return to my certification authority, right-click on Certificate Templates again, New, Certificate Template to Issue. This lets me select from those templates which one I want to issue. Now in this case I already have a web server certificate here, so I would actually have to remove the one that exists and then reselect it with the changes and issue that certificate template. I'm not going to go deep into this; this is a topic that we could spend days and days on if we wanted to.

So our tools so far: we've looked at the Certification Authority tool, we looked at the Certificate Templates tool, now we want to look really quickly at certificates themselves. If I'm a user, or I want to look at the certificates issued to a server, a domain controller, whatever the case may be, how do I find that information? The quickest way is to open up the Microsoft Management Console. From the Run window, a command prompt, or just the Start button, type mmc. It's going to give you your MMC option, your Microsoft Management Console option, and you can launch it. Now it's empty; there is no out-of-the-box button, icon or option for opening just a Certificates snap-in. You have to open the MMC and add the snap-in, and the reason for that is that when you add the Certificates snap-in to a management console you get to select your scope: what do you want to manage certificates for, yourself, a selected service, or a computer? I'm going to say my user account in this instance just for the sake of the demo, and now I get a view of the certificates that have been issued to me as a user. In this case, File Recovery; that's all I have. The list I mentioned earlier of third-party certification authorities out in the world that issue certificates that my computer or my account trusts automatically exists right here: Trusted Root Certification Authorities. Certificates issued by any of these organizations that are used to verify identity, or for encryption, or whatever the case may be, I'm going to trust those certificates if they're issued by these issuing certification authorities in the world.
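As an added example that is not part of the course, the stores the Certificates snap-in shows above, inspected from PowerShell: the user's Personal store with each certificate's template name and intended purposes, the Trusted Root store to confirm the enterprise CA was propagated, and the computer's own Personal store. The CA common name is an assumed placeholder.

```powershell
# Added example: a scripted look at the stores the Certificates snap-in shows above.
# Assumed: the enterprise CA's common name (placeholder, not from the course).
$CACommonName = 'CONTOSO-ROOT-CA'

# The template name lives in one of two extensions: v1 templates use "Certificate Template
# Name" (OID 1.3.6.1.4.1.311.20.2), v2 and later use "Certificate Template Information"
# (OID 1.3.6.1.4.1.311.21.7), which Windows formats as "Template=<name>(<oid>), ...".
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $v1 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($v1) { return $v1.Format($false) }
    $v2 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($v2 -and $v2.Format($false) -match 'Template=([^(,]+)') { return $Matches[1] }
    return '(no template: not issued from an AD CS template)'
}

# Personal store for the current user: the File Recovery, Basic EFS and User certificates
# from the demo show up here, together with their intended purposes (EKUs).
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject  = $_.Subject
        Issuer   = $_.Issuer
        Expires  = $_.NotAfter
        Template = Get-CertTemplateName -Cert $_
        Purposes = ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', '
    }
} | Format-Table -AutoSize

# Trusted Root store: the built-in third-party roots plus the enterprise CA that group policy
# pushed out. If the CA is missing here, clients get certificate errors on internally issued certs.
$root = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -like "CN=$CACommonName*" }
if ($root) {
    "Enterprise CA '$CACommonName' is trusted (thumbprint $($root.Thumbprint))"
} else {
    "Enterprise CA '$CACommonName' is NOT in Trusted Root; check group policy / AD publication"
}

# The computer's Personal store, as seen when the snap-in is added for the computer account.
# On the CA server this holds the CA's own certificate, the domain controller and web server ones.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, @{ n = 'Template'; e = { Get-CertTemplateName -Cert $_ } } |
    Format-Table -AutoSize
```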
Now in this case I have an addition: this is my certification authority. It's been added here automatically because it's an enterprise certification authority; my domain, as soon as I installed it, issued out a policy to add this CA to this list for my internal users and computers. If I were to add the snap-in for the computer that I'm using you'd see the same list. In Personal you're going to see something a little bit different: because this server is a certification authority it's been issued a certificate, by itself, to issue certificates. If that makes sense: to issue a certificate you have to be issued a certificate by a certification authority, and in this case, because it's an internal certification authority, we've issued that ourselves. We also have client authentication as a domain controller, and a web server certificate that I created and installed as part of the deployment of the Web Enrollment role, which we'll talk about in future slides. I'm not going to save this console, and we'll come back to that later.

The only other tool we have for managing Active Directory Certificate Services is the Online Responder snap-in. An online responder is an alternative to a certificate revocation list. I'm just going to show you the tool so you can take a look at it; we haven't covered what this topic is or what certificate revocation lists are yet, so we'll come back to this in a later demo and take another look.

And there's one more I did forget to mention. I'm going to open a console one more time and we're going to add one more snap-in. This is a tool, not left over, but one that's been in use by Microsoft for some time, since the server resource kit was issued back for Server 2000 I do believe. It used to be called PKIView and is now called Enterprise PKI. This is basically a monitor for your certification authority. All this tells you is information about your certification authority: it tells me that the certificate is good and hasn't expired, it tells me the locations for certificate revocation lists. These are all topics we're going to cover in subsequent lessons, but this is just a quick review of a tool that gives me a health check of my certification authority and of my entire PKI at this point, my whole public key infrastructure in my organization.

We're going to jump back into our presentation and continue on. So we covered the certification authority, certificate templates, the online responder (which we'll come back to), Enterprise PKI and certificates themselves.

Understanding Active Directory Certificate Services certificates: this is where we go more into the theory behind this technology, what these are, what they do, why we use them, and then at the end we'll tie these tools back together into how they manage these certificates and what they're used for.

Digital certificates: it's a file. It's a file that has two parts to it: basic information about the certificate and the holder (name, location, organizational information) and a key. This slide says public key; it's not always a public key, it may be a private key, but these are the two parts to any digital certificate, digital file. Public keys are distributed to all clients who request them; private keys are stored only on the computer from which the certificate was requested. If I happen to have a web server and I want that web server to provide SSL encrypted services to the world, I'm going to get a certificate for that server that contains basic certificate information as outlined on the slide and a private key. There's also going to be with that a file containing the same information and a public key. That is what goes out to the public when they access that web server, for the sake of making sure the data is encrypted before it's transmitted to my web server.

We're going to cover that in more detail actually right now. I set up a web server, I request a certificate, I'm issued a certificate, I install that certificate on the web server and it's available to the world. When a user requests (and this works both directions, requesting or submitting information) that information is in plain text. The private key, well, either the private or the public key depending on the direction you're flowing, is used to encrypt that information; it then, as you see here, is SSL encrypted. A good example of this is any website collecting personal information, which hopefully should be using SSL, and if it's not you probably shouldn't be submitting personal information. It should have SSL enabled, HTTPS at the top, the lock in the status bar, and what it's doing is encrypting this information with a key. I can decrypt that information on my end to read it, or I can use the public key to encrypt it if I'm submitting, and then the private key is used to decrypt it before it's actually sent on to the web server on the back end. But as it transits the public internet between these two sources it's encrypted and cannot be read by third parties. That's a very broad overview of the process, in this case of just a web server certificate.

I'm going to do a quick demo similar to the web server explanation I just gave, but a little
bit different in that it's going to allow me as a user to witness more readily encryption using digital certificates. So as the administrator on this computer I'm going to open up the MMC that I had opened before so that we can take a look at the certificates that have been issued to me as a user, my user account, and OK. And again, as before, it's always this File Recovery. I'm going to minimize this and we'll come back to it in just a minute. I'm going to create a text document, and in that document put some extraordinarily confidential information that no one else should ever be able to read except me and those that I designate. Save and close. One of the sort of basic functions of Windows, and it has been for a long time, is the ability to encrypt individual files. In Advanced on the General tab in the properties of my data: Encrypt contents to secure data. I click OK and OK again. You're encrypting a file that's in an encrypted folder; if this file is modified, the editing software might store a temporary unencrypted copy of the file. I'm not going to go into the technical details of that, but it is possible, if you're editing a document in an encrypted folder, that a temporary copy of that document is actually what's modified by the software and is accessible in the meantime. It gives me an option right here: encrypt the file and its parent folder. I've got this on the desktop so I'm not going to do that; this is a smaller demo, we don't have to worry about that in this case. And it's done. Nothing really appears any different; if I come into Advanced it is encrypted. What's different is I now have a new certificate. As soon as I encrypted that document I was issued an Encrypting File System certificate. The process by which EFS works in terms of encrypting the document, all of the algorithms used in the process, is a well documented process. We're not going to cover it in this course because again that is a much technically deeper level, knowing those steps and what they should be or what they are in this case, so we won't get into that. But this is a great demonstration that pretty much anybody can do of having a certificate issued and having it used to encrypt the contents of a file.

And on to our next topic, certificate templates. This is one that we talked about a few minutes ago; we saw the tool used to manage templates and very briefly looked at one of those templates and how to modify some of its settings. Certificate templates, and what they are: they define what certificates can be issued by a certification authority, they define what those certificates are used for and how they're used, and in some cases within those roles there are other options you can set. They define which security principals have permission to read, enroll and configure the templates themselves. There are a number of different templates; we saw one just now issued to the administrator, a Basic Encrypting File System certificate, and earlier we saw me modify a web server certificate. Those are just two examples of the number of templates that exist in that Certificate Templates snap-in of the types of certificates we can issue, modify, and decide to use or not use in our enterprise.

Implementing certificate enrollment and revocation: so once we've got our certification authority up and running, we've created our templates, we've modified our templates, we've published our templates to that certification authority, we now have to set up how we want users and computers to get those certificates, and how we want to make sure those computers and users know when other certificates have been revoked, or have been cancelled essentially. Certificate enrollment is the process of getting a certificate from a certification authority attached to your user account, a computer account or a service. There are multiple options for enrolling for a certificate; we're going to go through a couple of them here. Some of them we won't actually demonstrate, but we are going to take a look, so our next demo is just that.

So here we are back in our demo environment and we're going to use Web Enrollment to enroll for a certificate. One of your certification authorities you'll designate as a Web Enrollment certificate or Web Enrollment provider; in this case I'm using the same server, I have a single server instance in this case.
And that's going to bring up this interface. This is Web Enrollment: Request a certificate. As a user, I can only select the User certificate, and this website knows that I'm a user requesting one. I can submit an advanced request, which I could do on behalf of something else, but for now hold off on that and we'll come back to it in a minute. I want a User certificate. A little warning comes up that says that this website must be used over HTTPS in order to complete certificate enrollment; the website for the CA must be configured to use HTTPS. And that is actually for the whole purpose of what we're doing: they want to make sure, they being Microsoft in this case, that when I as a user am requesting a certificate, which is built for identity verification and encryption and other security factors, I'm getting that certificate and requesting that certificate in a secure manner. So I click OK, and right now there is no Submit option; I'm not using SSL. Let's go back and we will add SSL. Same screen, click the request: "This website is attempting to perform a digital certificate operation on your behalf" (me, the user), "you should only allow known websites to perform these operations." In this case this is my website, so yes. This time the Submit option exists. There are more options for the certificate; we're not going to get anywhere near those details today. I click Submit. Again, attempting to perform this operation on my behalf, and they've issued me a certificate.

Now this certificate does not exist in the certificate store that we looked at earlier, and I'll bring that back up real quick for my user account and open up Personal, Certificates. We have the Encrypting File System certificate from earlier, we have the original File Recovery certificate; the one I was just issued has not been attached to me as a user on this computer yet. I have to install it. I click the link, and it takes care of that for me. I now have, in this case, a User certificate: the prebuilt template that's called User. Here at the bottom where it says Certificate Template Name it will let me expand that out: User. Now User and Basic EFS are two different templates; in this case, if you look at Intended Purposes they're similar but not the same. Basic EFS is for Encrypting File System; the User certificate is for Encrypting File System and additional functions, and that's the one I now have. And that is the demo on enrolling for a certificate through the web for a user. We're going to jump back into the PowerPoint presentation and pick up where we left off.

So, administering certificate enrollment: to obtain a certificate using manual enrollment is a little bit different than the web enrollment we just saw, which was relatively automated. You create a request, submit the request, obtain approval, and retrieve it from the CA. What this would entail, and this is a process you may see with third-party certification authorities, is filling out a number of forms, a series of forms, creating a file; either the contents of that file get pasted into a box via a website, or the file gets sent off, and that is your request. That request gets put on a server waiting for an administrator to approve it. This can also be done in the methods we were just using: you submit it, an administrator has to approve it, once they've approved it you then go to that certification authority, pull that certificate down off of it and install it into your certificate store. There is a demo here for that as well, so we'll jump right into that.

So when I close this out, I go back home in our Web Enrollment form, Request a certificate, very similar to what we did before, or submit an advanced one. So here, this is where you'll see the option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". These are generated through other certificate request mechanisms. I'm going to once again open up our MMC for personal certificates issued to my user account: All Tasks, Request New Certificate. I also have Advanced Operations, Create Custom Request. Here I can select the policy that I want to apply to get the certificate; I only have one policy. From here I can go deep into certificate enrollment policy: what template do I want to use? And again, this is a user, so I'm going to use the User certificate template we used before, but in this instance instead of submitting this directly to the certification authority I'm going to put it into one of those formats just mentioned in the message. Click Next; all my details are here; click Next again. Where do I want to put my request file? We'll call this "certificate". Finish. No real feedback, but here's my request. This is now a file that can be used to request a certificate from a certification authority based on the criteria I entered; this is what a certificate request looks like. The reason I bring this up is because from time to time, depending on the configuration of the certification authority you're trying to get a certificate from, and this may pertain to third parties, you may have to actually copy and paste this text from the file into another window instead of submitting the file.

Now since we've done this and we have the file here, we're going to go back to Web Enrollment one more time, log in again, Request a certificate, Submit an advanced request, and in here we're going to use that second link, submit a certificate request using a file. It's going to ask me exactly what I just mentioned, which is not to attach the file but to put the request directly into this box. I want to cheat a little bit: open my desktop via the Run line, open that file back up, copy its contents, paste them into here. Again it's a User template, and Submit, and it's done. The CA has now issued me a new certificate based on a request generated externally and then copied and pasted into a request window in the Web Enrollment tool. At this step we have a couple of options. I can download the certificate from this page; if for some reason I don't, if I've got my certificate and I don't need it, I just close this, and I can still get that certificate from the Certification Authority snap-in, because all issued certificates are tracked here. As an end user I won't have access to this, but as an end user, if I've requested a certificate and then closed this window and am unable to download that certificate, I can have an administrator give me that information. And you can actually see the request I just submitted right here at the end: there's an ID, a serial number, time submitted, and I can export this if I need to. I'm going to download this for potential later use, and that is our demo on requesting a certificate from a file. We're on to the next slide.
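As an added example that is not part of the course, the manual enrollment walked through above scripted with certreq.exe, the command-line tool behind the custom request wizard: it builds a base-64 PKCS #10 request like the one the demo pasted into Web Enrollment, submits it to the CA, and handles both the auto-issued and the pending (administrator approval) outcomes. The CA config string and file paths are assumed placeholders; the template is the course's User template, which as noted above builds the subject from AD rather than from the request.

```powershell
# Added example: manual enrollment with certreq.exe, mirroring the demo above.
# Assumed placeholders (not from the course): the CA config string and the working paths.
$CAConfig = 'CAHOST\CONTOSO-ROOT-CA'            # format is "<CA server>\<CA common name>"
$Work     = Join-Path $env:USERPROFILE 'Desktop'
$InfPath  = Join-Path $Work 'user.inf'
$ReqPath  = Join-Path $Work 'certificate.req'   # base-64 PKCS #10, the text the demo pasted
$CerPath  = Join-Path $Work 'certificate.cer'

# Step 1: describe the request. CertificateTemplate names the template, as the wizard did.
# The User template ignores this Subject and generates it from the AD account instead.
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
HashAlgorithm = sha256
[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Step 2: create the request. The private key is generated and stays in the user's key store;
# only the public key and the attributes go into the .req file.
certreq -new -q $InfPath $ReqPath | Out-Null
if (-not (Test-Path $ReqPath)) { throw 'certreq did not produce a request file' }
Get-Content $ReqPath | Select-Object -First 2   # "-----BEGIN NEW CERTIFICATE REQUEST-----" ...

# Step 3: submit to the CA. certreq reports either "Certificate retrieved(Issued)" or
# "Certificate request is pending", depending on the template's issuance requirements.
$output = certreq -submit -q -config $CAConfig $ReqPath $CerPath 2>&1 | Out-String
$RequestId = if ($output -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { $null }

if ($output -match 'pending') {
    # Administrator approval is required, the step the demo skipped. On the CA an admin runs
    #   certutil -resubmit <RequestId>
    # which is the same as approving it from the Pending Requests folder in the snap-in.
    "Request $RequestId is pending. After an administrator approves it, run:"
    "  certreq -retrieve -q -config $CAConfig $RequestId $CerPath"
    "  certreq -accept $CerPath"
} elseif (Test-Path $CerPath) {
    # Step 4: install the issued certificate next to its private key (the "install" link in the demo).
    certreq -accept -q $CerPath | Out-Null
    $cert = Get-ChildItem Cert:\CurrentUser\My | Sort-Object NotBefore -Descending | Select-Object -First 1
    "Installed request ${RequestId}: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"
} else {
    throw "Submission failed:`n$output"
}
```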
Post demo, we did talk about administering certificate enrollment. This is what we just did: creating, submitting, obtaining approval and retrieving. In this case the step we skipped was approval; we don't have the certificate template set up so that when a request is submitted an administrator has to manually approve it. That is one difference. There is a demo here on how to administer requests; I'm going to skip this demo in the interest of time. We've seen all the steps required for requesting and enrolling for certificates. I can say that once a request has been made, in that Certification Authority window, when you open up that snap-in there's a Pending Requests folder. It's in that folder, as an administrator, that you would go to look at requests that have been submitted and not approved automatically or by another administrator, approve them, and issue those certificates to those users or devices.

Options for automating: so this relates to what we've just been talking about. I can select a number of, or have a number of, different options as an administrator. I can tell a certificate template to allow users to enroll and approve that enrollment, which we've seen; I can tell it an administrator's approval is required, which we haven't seen but we've talked about; or I can go a step beyond the first option and tell my network, my domain, to automatically issue certificates of given types to given objects, computers or users or network devices, automatically without them specifically enrolling for those certificates. Right here on the slide we talk about it: a group policy in my domain triggers an automatic request for a new computer or a new user, autoenroll is enabled on the template from which the requested certificate is created, and it's issued automatically.

Certificate revocation is what happens when I as an administrator decide that a certificate should no longer be valid. That could be for any number of reasons: a user no longer with the organization, a computer taken offline; there are various reasons for a certificate being revoked. Clients can ensure the certificate has not been revoked by using the following methods: the Online Certificate Status Protocol responder service, or online responder, or the certificate revocation list.
right into that demo real quick so we're back here in the demo environment and we're going to take
a look at certificate revocation as it applies to the tools we've already used. We have a certification
authority we've seen this tool a couple of times at this point we have our issues or to fit so this will
be a good starting point for me we have a number of shifts issued to administrator in this case a
number of certificates that are essentially the same and for whatever reason we'll say that user has
left the organization amicably not amicably under whatever circumstances we want to make sure
that this certificate is no longer honored for its purpose all tasks revoke Are you sure you want to
revoke it give us a reason and a date and time in this case we can see a change of affiliation that
user is no longer with this organization and yes the certificate vanishes from here and has now been
placed into revoke certificates what this means is that if that user were to attempt to log onto these
systems and access encrypted information decrypt an encrypted file because this was in the FS or to
fix it it would not work because as soon as that operation is attempted it's going to check with the
certification authority on the validity of the certificate being used to do that operation the
certification authority is going to look at this revocation and say that certificates no longer valid you
don't get to do that a good example of this where options are given to end users if you have a
website that is encrypted with S.S.L. or is using the S.S.L. protocol and does not have a valid
certificate you'll get a warning window saying this certificate is invalid and then maybe for any
number of reasons there are a number of possible reasons that that happens on a relatively regular
basis but in that instance you have an option to continue anyways using an invalid certificate or stop

the operation you're attempting to do. And that is the end of the revocation demo; that's how you revoke a certificate and how the server stores information about those revoked certificates. We're going to go into further details in just a little while. So now you've seen how to revoke certificates and how to monitor and manage revoked certificates.

That actually wraps up the module on Active Directory Certificate Services. We've covered the various different tools used to manage it, we've covered the installation, again very high level: what it is, what it does, how it works. So that concludes Active Directory Certificate Services. We've seen the tools to glean some ideas on what they're for, how they're used, how they're managed, again as an overview. There are many, many, many further details in Active Directory Certificate Services; like Domain Services, it is a very deep topic, full of days of its own content, and hopefully you keep monitoring Microsoft Virtual Academy right here and we will be providing more content on this topic in the future.
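The enrollment, approval and revocation workflow from the two demos above, as an added example that is not part of the course: the same steps done with the built-in certutil tool instead of the Web Enrollment pages and the Certification Authority snap-in, so they can be scripted and audited. The CA config string, file paths, request ID and serial number are placeholders.

```powershell
# Added example (not from the course): the demo's enrollment and revocation
# steps done with certutil.exe. Assumptions: run as a CA administrator on a
# domain-joined host; the CA config string, request file, request ID and
# serial number below are placeholders.
$CaConfig = 'CA01.contoso.local\Contoso-Issuing-CA'   # placeholder "host\CA name"
$Req      = 'C:\Temp\user.req'                         # placeholder request file

# 1. Submit an externally generated request (the "submit a request using a
#    file" link). A template that requires approval leaves it pending.
certutil -config $CaConfig -submit $Req 'C:\Temp\user.cer'

# 2. Review pending requests: the equivalent of the Pending Requests folder
#    (Disposition 9 = pending).
certutil -config $CaConfig -view -restrict 'Disposition=9' `
    -out 'RequestID,Request.RequesterName,CertificateTemplate,Request.SubmittedWhen'

# 3. Approve (or deny) a specific pending request by its RequestID.
$RequestId = 42                                        # placeholder
certutil -config $CaConfig -resubmit $RequestId         # approve and issue
# certutil -config $CaConfig -deny $RequestId           # or refuse it

# 4. Retrieve the issued certificate later, as the demo does from the snap-in.
certutil -config $CaConfig -retrieve $RequestId 'C:\Temp\user.cer'

# 5. Revoke when the user leaves. Reason 3 = AffiliationChanged, the
#    "Change of Affiliation" chosen in the demo. Other codes: 0 Unspecified,
#    1 KeyCompromise, 2 CACompromise, 4 Superseded, 5 CessationOfOperation,
#    6 CertificateHold (the only reversible one).
$Serial = '1a2b3c4d000000000005'                       # placeholder serial (hex)
certutil -config $CaConfig -revoke $Serial 3

# 6. Publish a fresh CRL. Until a client fetches this CRL (or a fresh OCSP
#    response) it may still trust the revoked certificate.
certutil -config $CaConfig -crl

# 7. Confirm the revocation the way a relying party would: fetch the CRL/OCSP
#    data from the certificate's CDP/AIA URLs and check its status.
certutil -verify -urlfetch 'C:\Temp\user.cer'

# 8. Audit: list the Revoked Certificates folder (Disposition 21 = revoked).
certutil -config $CaConfig -view -restrict 'Disposition=21' `
    -out 'RequestID,SerialNumber,Request.RevokedWhen,Request.RevokedReason'
```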
