Designing and Managing a Windows® Public Key Infrastructure
Delivery Guide
Course Number: 2821A
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, ActiveX,
MSDN, PowerPoint, and Windows Media are either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents

Introduction
    Course Materials
    Additional Reading from Microsoft Press
    Prerequisites
    Course Outline
    Initial Logon Procedure
    Microsoft Official Curriculum
    Microsoft Certified Professional Program
    Facilities

Module 1: Overview of Public Key Infrastructure
    Overview
    Lesson: Introduction to PKI
    Lesson: Introduction to Cryptography
    Lesson: Certificates and Certification Authorities
    Lab A: Identifying Trusted Root CAs

Module 2: Designing a Certification Authority Hierarchy
    Overview
    Lesson: Identifying CA Hierarchy Design Requirements
    Lesson: Common CA Hierarchy Designs
    Lesson: Documenting Legal Requirements
    Lesson: Analyzing Design Requirements
    Lesson: Designing a CA Hierarchy Structure
    Lab A: Designing a CA Hierarchy

Module 3: Creating a Certification Authority Hierarchy
    Overview
    Lesson: Creating an Offline Root CA
    Lab A: Installing an Offline CA
    Lesson: Validating Certificates
    Lesson: Planning CRL Publication
    Lab B: Publishing CRLs and AIAs
    Lesson: Installing a Subordinate CA
    Lab C: Implementing a Subordinate Enterprise CA

Module 4: Managing a Public Key Infrastructure
    Overview
    Lesson: Introduction to PKI Management
    Lesson: Managing Certificates
    Lesson: Managing Certification Authorities
    Lab A: Enabling Role Separation
    Lesson: Planning for Disaster Recovery
    Lab B: Backing Up and Restoring a Certification Authority
iv Designing and Managing a Windows® Public Key Infrastructure
Course objectives

After completing this course, the student will be able to:

• Describe PKI and the major components of a PKI.
• Design a certification authority (CA) hierarchy to meet business requirements.
• Install Certificate Services to create a CA hierarchy.
• Perform certificate management tasks, CA management tasks, and plan for disaster recovery of Certificate Services.
• Create and publish a certificate template, and replace an existing certificate template.
• Enroll a certificate manually, autoenroll a certificate, and enroll a smart card certificate.
• Implement manual and automatic key archival and recovery in a Windows Server 2003 PKI.
• Configure trust between organizations by configuring and implementing qualified subordination.
• Deploy smart cards in a Windows environment.
• Secure a Web environment by implementing SSL security and certificate-based authentication for Web applications.
• Implement secure e-mail messages by using Microsoft Exchange Server in a Windows 2000 or Windows 2003 environment.
Course Timing
The following schedule is an estimate of the course timing. Your timing may
vary.
Day 1
Start End Module
9:00 9:30 Introduction
9:30 10:30 Module 1: Overview of Public Key Infrastructure
10:30 10:45 Break
10:45 11:15 Lab A: Identifying Trusted Root CAs
11:15 12:15 Module 2: Designing a Certification Authority Hierarchy
12:15 1:15 Lunch
1:15 2:00 Lab A: Designing a CA Hierarchy
2:00 2:30 Module 3: Creating a Certification Authority Hierarchy
2:30 2:45 Break
2:45 3:45 Module 3: Creating a Certification Authority Hierarchy (continued)
3:45 4:15 Lab A: Installing an Offline CA
4:15 5:00 Lab B: Publishing CRLs and AIAs
Day 2
Start End Module
9:00 9:30 Day 1 review
9:30 10:15 Lab C: Implementing a Subordinate Enterprise CA
10:15 11:15 Module 4: Managing a Public Key Infrastructure
11:15 11:30 Break
11:30 12:15 Lab A: Enabling Role Separation
12:15 1:15 Lunch
1:15 2:15 Lab B: Backing Up and Restoring a Certification Authority
2:15 3:15 Module 5: Configuring Certificate Templates
3:15 3:30 Break
3:30 3:45 Lab A: Delegating Certificate Template Management
3:45 4:15 Lab B: Designing a Certificate Template
4:15 4:45 Lab C: Configuring Certificate Templates
Day 3
Start End Module
9:00 9:30 Day 2 review
9:30 10:30 Module 6: Configuring Certificate Enrollment
10:30 10:45 Break
10:45 11:30 Lab A: Enrolling Certificates
11:30 12:30 Module 7: Configuring Key Archival and Recovery
12:30 1:30 Lunch
1:30 2:15 Lab A: Configuring Key Recovery
2:15 2:30 Break
2:30 3:30 Module 8: Configuring Trust Between Organizations
3:30 5:00 Lab A: Implementing a Bridge CA
Day 4
Start End Module
9:00 9:30 Day 3 review
9:30 10:30 Module 9: Deploying Smart Cards
10:30 10:45 Break
10:45 12:15 Lab A: Deploying Smart Cards
12:15 1:15 Lunch
1:15 2:15 Module 10: Securing Web Traffic by Using SSL
2:15 3:00 Lab A: Deploying SSL Encryption on a Web Server
3:00 3:15 Break
3:15 4:15 Module 11: Configuring E-mail Security
4:15 5:00 Lab A: Configuring Secure E-mail in Exchange Server 2003
Document Conventions
The following conventions are used in course materials to distinguish elements
of the text.
Convention Use
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Instructor Notes
Presentation: 30 minutes

The Introduction module provides students with an overview of the course content, materials, and logistics for Course 2821, Designing and Managing a Windows® Public Key Infrastructure.

Required materials: To teach this course, you need the following materials:

• Delivery Guide
• Trainer Materials compact disc
Important This course has assessment items for each lesson, located on the
Student Materials compact disc. You can use them as pre-assessments to help
students identify areas of difficulty, or you can use them as post-assessments to
validate learning.
Consider using them to reinforce learning at the end of the day. You can also
use them at the beginning of the day as a review for the content that was taught
on the previous day.
Tell students where they can send comments and feedback on this course.
Demonstrate how to open the Web page that is provided on the Student
Materials compact disc by double-clicking Autorun.exe or Default.htm in the
Student folder on the Trainer Materials compact disc.
Prerequisites: Describe the prerequisites for this course. This is an opportunity for you to identify students who may not have the appropriate background or experience to attend this course.

Course outline: Briefly describe each module and what students will learn. Be careful not to go into too much detail because the course is introduced in detail in Module 1.

Explain how this course will meet students' expectations by relating the information that is covered in individual modules to their expectations.

Microsoft Official Curriculum: Explain the Microsoft® Official Curriculum (MOC) program and present the list of additional recommended courses.

Refer students to the Microsoft Official Curriculum Web page at http://www.microsoft.com/traincert/training/ for information about curriculum paths.
Microsoft Certified Professional program: Inform students about the Microsoft Certified Professional (MCP) program, any certification exams that are related to this course, and the various certification options.

Facilities: Explain the class hours, extended building hours for labs, parking, restroom location, meals, phones, message posting, and where smoking is or is not allowed.

Let students know if your facility has Internet access that is available for them to use during class breaks.

Also, make sure that the students are aware of the recycling program if one is available.
Introduction
Course Materials
Note To open the Web page, insert the Student Materials compact disc into
the CD-ROM drive, and then in the root directory of the compact disc,
double-click Autorun.exe or Default.htm.
• Assessments. There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to identify areas of difficulty, or you can use them as post-assessments to validate learning.
• Course evaluation. To provide feedback on the course, training facility, and instructor, you will have the opportunity to complete an online evaluation near the end of the course.
To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certified
Professional program, send e-mail to mcphelp@microsoft.com.
Prerequisites

Course Outline

Initial Logon Procedure

To create the password that you will use in this course, you must log on either as Student1 on the domain controller, or Student2 on the member server.

Note You change your default password in Lab A, "Identifying Trusted Root CAs," in Module 1 of this course.
Microsoft Certified Professional Program

Exam 70-220 is a core choice or an elective choice for the MCSE on Microsoft Windows 2000, and exam 70-298 is a core choice or an elective choice for the MCSE on Microsoft Windows Server 2003.

MCP certifications: The Microsoft Certified Professional program includes the following certifications.

• MCSA on Microsoft Windows 2000
  The Microsoft Certified Systems Administrator (MCSA) certification is designed for professionals who implement, manage, and troubleshoot existing network and system environments based on Microsoft Windows 2000 platforms, including the Windows Server 2003 family. Implementation responsibilities include installing and configuring parts of the systems. Management responsibilities include administering and supporting the systems.
Certification requirements: The certification requirements differ for each certification category and are specific to the products and job functions addressed by the certification. To become a Microsoft Certified Professional, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise.

For More Information: See the Microsoft Training and Certification Web site at http://www.microsoft.com/traincert/.

You can also send e-mail to mcphelp@microsoft.com if you have specific certification questions.

Acquiring the skills tested by an MCP exam: Microsoft Official Curriculum (MOC) and MSDN Training can help you develop the skills that you need to do your job. They also complement the experience that you gain while working with Microsoft products and technologies. However, no one-to-one correlation exists between MOC and MSDN Training courses and MCP exams. Microsoft does not expect or intend for the courses to be the sole preparation method for passing MCP exams. Practical product knowledge and experience are also necessary to pass the MCP exams.

To help prepare for the MCP exams, use the preparation guides that are available for each exam. Each Exam Preparation Guide contains exam-specific information, such as a list of the topics on which you will be tested. These guides are available on the Microsoft Training and Certification Web site at http://www.microsoft.com/traincert/.
Facilities
Instructor Notes
Presentation: 60 minutes
Lab: 30 minutes

This module introduces students to a public key infrastructure (PKI) and its components. It also provides an overview of the topics that will be explained in the rest of the course.

After completing this module, students will be able to:

• Describe PKI and its basic components.
• Describe how symmetric and public key encryption works.
• Define the role of certificates and certification authorities (CAs) in a PKI.

Required materials: To teach this module, you need Microsoft® PowerPoint® file 2821A_01.ppt.

Preparation tasks: To prepare for this module:

• Read all of the materials for this module.
• Complete the lab.
• Read the Microsoft Knowledge Base article 293781, "Trusted Root Certificates That Are Required By Windows 2000," under Additional Reading on the Web page on the Student Materials compact disc.
• Read the white paper, PKI Enhancements in Windows XP Professional and Windows Server 2003, under Additional Reading on the Web page on the Student Materials compact disc for details about PKI functionality in Microsoft Windows Server™ 2003.
Note Each lesson in a module has assessment items, which are located on the
Student Materials compact disc. You can use them as pre-assessments to help
students identify areas of difficulty, or you can use them as post-assessments to
validate learning.
Consider using them to reinforce learning at the end of the day. You can also
use them at the beginning of the day as a review of the content that you taught
on the previous day.
How Does Symmetric Encryption Work?

When you present this topic, consider discussing simple encryption algorithms, such as replacing a letter with the next letter in the alphabet. For example, replace the letter A with the letter B, replace the letter B with the letter C, and so on. If the sender and recipient of a message know the key, they can both encrypt and decrypt the message.

Explain to students that this lesson does not compare and contrast the various symmetric encryption algorithms.
How Does Public Key Encryption Work?

When you discuss this topic, use the example of two students in a classroom exchanging secure e-mail messages. Explain each step in the process and answer any questions about the process.

You may discover that students are unaware that public key encryption also uses symmetric encryption in the process. Many books have incorrectly stated that all data is encrypted with the recipient's public key.
How Does Public Key Digital Signing Work?

Discuss each step in the digital signing process and answer any questions.
Roles in a Certification Authority Hierarchy

This topic introduces terminology that is used in the remainder of the course. Spend extra time explaining the purpose of policy CAs in a CA hierarchy. Many students do not understand why a policy CA is required.

The topic compares internal and external policies. Use the example of two divisions in a corporation that have very different security requirements for certificate issuance. For example, a power company may have different issuance requirements for employees at a nuclear plant than for employees at the organization's corporate office. In this example, explain that the organization may require two policy CAs to define and enforce the different issuance requirements.
What Are Trusted Root Certificates?

The topic presents different methods for adding root CAs to a trusted root CA store. Emphasize that the client operating system determines which deployment methods for trusted root CA certificates are available. For example, tell students that they cannot use Group Policy to deploy trusted root CA certificates to client computers running Microsoft Windows NT® or Windows® 98.
Lab A

Ensure that students perform all steps in Exercise 0, Lab Setup.

The steps in Exercise 0 add the Administrative Tools menu to the Start menu for the PKI management user accounts that students use in the rest of the labs in the course. Later in the course, if the Administrative Tools menu is missing for a specific user account, have the students perform the steps in Exercise 0.

The remainder of the lab inspects the trusted root certificate stores. At the end of the lab, review the importance of trusted root CA certificates and discuss which root certificates the students may consider deleting from the trusted root store.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: Complete the automated setup or manual setup for Course 2821, Designing and Managing a Windows Public Key Infrastructure.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
• Students define a custom password for the Student1 account (on the domain controller) or Student2 account (on the member server).
• Administrative Tools is added to the Start menu for the following administrative user accounts:
    • Student1 (on the domain controller) or Student2 (on the member server)
    • CAadmin1 (on the domain controller) or CAadmin2 (on the member server)
    • CertAdmin1 (on the domain controller) or CertAdmin2 (on the member server)
    • KRA1 (on the domain controller) or KRA2 (on the member server)
• Students create a custom console named Certificate Management for the Student1 or Student2 account and place it on the desktop. The console contains the Certificates console viewing the current user store and the Certificates console viewing the local computer store.
Overview
What Is a PKI?
Components of a PKI
PKI Tools
Command-line tools: Windows Server 2003 provides the following command-line tools for managing CAs and requesting certificates from a CA:

• Certutil.exe. Allows you to script CA and certificate management tasks, including management of the CA, publication of CRL and CA certificates, revocation of certificates, and recovery of archived private keys.
• Certreq.exe. Allows you to script certificate requests from a CA and generate Cross Certification Authority certificate requests.
Resource Kit tools: The Windows Server 2003 Resource Kit includes the following management tools for managing a PKI:

• Key Recovery Tool (Krt.exe). Determines key recovery agents (KRAs) and recovers archived private key material from the CA database.
• PKI Health Tool (Pkiview.msc). Validates the CRL distribution point (CDP) and Authority Information Access (AIA) URLs for every CA in an organization's CA hierarchy.
• Chkcdp.exe. Validates CDP and AIA extensions for a selected certificate.
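As an added example that is not part of the course materials, the following PowerShell script drives certreq.exe and certutil.exe through one complete cycle: enroll a machine certificate from an enterprise CA, then revoke it and publish a fresh CRL. The CA configuration string CA01.contoso.com\Contoso Issuing CA, the WebServer template and the subject name web01.contoso.com are assumed names; run it in an elevated PowerShell on a domain member that is permitted to enroll from that template.

```powershell
# Added example (not from the course materials). Assumed: a domain member,
# elevated PowerShell, an enterprise CA reachable as "CA01.contoso.com\Contoso
# Issuing CA" that offers the WebServer template to this computer.
$CaConfig = 'CA01.contoso.com\Contoso Issuing CA'

# 1. Describe the request. MachineKeySet puts the key in the computer's store;
#    Exportable = FALSE keeps it there. KeySpec = 1 means exchange (encryption) key.
@'
[NewRequest]
Subject = "CN=web01.contoso.com"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path .\request.inf -Encoding ASCII

# 2. Generate the key pair and write a PKCS #10 request.
certreq -new .\request.inf .\request.req

# 3. Submit it. If the template requires CA manager approval, certreq reports a
#    RequestId and "pending"; fetch the certificate later with
#    certreq -retrieve -config $CaConfig <RequestId> .\issued.cer
certreq -submit -config $CaConfig .\request.req .\issued.cer

# 4. Bind the issued certificate to its private key in the machine store.
certreq -accept .\issued.cer

# 5. Later: read the serial number, revoke with reason 1 (key compromise),
#    and publish a new CRL so relying parties see the revocation.
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 `
    ((Resolve-Path .\issued.cer).Path)
certutil -config $CaConfig -revoke $cert.SerialNumber 1
certutil -config $CaConfig -CRL
```

The INF file is the scriptable equivalent of the Certificate Request Wizard; everything the wizard asks for (subject, key size, key storage, template) is a line in it, which is what makes certreq suitable for unattended server builds.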
Encryption Keys
Warning Because the symmetric key is used for both encrypting and
decrypting the data, you must protect it from interception. If the symmetric
key is intercepted, all data that is encrypted with the symmetric key is
susceptible to inspection.
Note A single character change in the original data changes, on average, about half of the bits of the resulting hash value, and therefore nearly every hexadecimal digit of it. Because the change cannot be predicted or confined, the hash protects data from simple modifications, such as inflating a dollar value in a contract.
2. The resulting hash value is encrypted by using the sender’s private key. The
encryption protects the hash value from modification during the
transmission of the hash value to the recipient.
3. The sender sends the certificate, the encrypted hash value, and the original
data to the recipient. The certificate includes the sender’s public key as one
of the attributes of the certificate.
4. The recipient retrieves the sender's public key from the received certificate and uses it to decrypt the encrypted hash value. Successful decryption, together with validation of the sender's certificate, shows that the hash value was produced by the holder of the private key that matches the certificate, that is, by the sender.
5. The recipient passes the original data through the same hash algorithm and compares the resulting hash value with the decrypted hash value received from the sender. If the two hash values are identical, the data was not modified during transmission from sender to recipient.
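The following PowerShell script is an added example, not taken from the course, that carries out steps 1 through 5 with SHA-256 and a freshly generated RSA key pair, and also counts how many hexadecimal digits of the hash a one-character change flips (the claim in the note above). .NET's SignHash with PKCS #1 padding is the "encrypt the hash with the private key" step; the contract strings are constructed sample data, and the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (.NET 4.6 or later for RSACng). In a Windows PKI the private key would come from a CA-issued certificate rather than being generated inline.

```powershell
# Added example (not from the course materials). Sample data is constructed here.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (.NET 4.6+).
$original = [Text.Encoding]::UTF8.GetBytes('Pay Contoso $1,000 by 2004-01-15')
$tampered = [Text.Encoding]::UTF8.GetBytes('Pay Contoso $9,000 by 2004-01-15')

function Get-Sha256Hex([byte[]]$Data) {
    $sha = [Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash($Data)) -replace '-').ToLower() }
    finally { $sha.Dispose() }
}

# Avalanche check: one digit of the amount changed; count differing hex digits.
$h1 = Get-Sha256Hex $original
$h2 = Get-Sha256Hex $tampered
$changed = 0
for ($i = 0; $i -lt $h1.Length; $i++) { if ($h1[$i] -ne $h2[$i]) { $changed++ } }
'{0} of {1} hex digits of the hash changed' -f $changed, $h1.Length

# Sender side. Step 1: hash the data. Step 2: sign (encrypt) the hash with the
# private key. CNG keys support SHA-256 signatures; PKCS #1 v1.5 is what
# CryptoAPI-based signing in Windows Server 2003 produced.
$sender  = [Security.Cryptography.RSACng]::new(2048)
$sha256  = [Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1   = [Security.Cryptography.RSASignaturePadding]::Pkcs1
$hashSha = [Security.Cryptography.SHA256]::Create()
$hash    = $hashSha.ComputeHash($original)
$signature = $sender.SignHash($hash, $sha256, $pkcs1)

# Step 3: what travels to the recipient is the data, the signature, and the
# public key (carried in the certificate in a real PKI).
$publicKey = $sender.ExportParameters($false)   # $false = public part only

# Recipient side. Step 4: load the public key and "decrypt" the signature.
# Step 5: rehash the received data and compare; VerifyData does both.
$recipient = [Security.Cryptography.RSACng]::new()
$recipient.ImportParameters($publicKey)
'Original verifies: ' + $recipient.VerifyData($original, $signature, $sha256, $pkcs1)
'Tampered verifies: ' + $recipient.VerifyData($tampered, $signature, $sha256, $pkcs1)
```

The tampered contract fails verification not because the signature bytes were touched but because the recipient's recomputed hash no longer matches the hash recovered from the signature, which is exactly the step 5 comparison. Only the public half of the key leaves the sender; ExportParameters($false) is what makes that explicit.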
Note The date when an application or service evaluates the certificate must fall
between the Valid From and Valid To fields of the certificate for the certificate
to be considered time valid.
• Public Key. Contains the public key of the key pair that is associated with the certificate.
X.509 version 3 extensions: X.509 version 3 certificates are the current certificate format in a Windows Server 2003 PKI. In addition to the version 1 fields, an X.509 version 3 certificate includes extensions that provide additional functionality and features to the certificate. These extensions are optional and are not necessarily included in each certificate that the CA issues:

• Subject alternative name. A subject may be presented in many different formats. For example, if the certificate must include a user's account name as an LDAP distinguished name, an e-mail name, and a user principal name (UPN), you can carry the e-mail name and UPN in a subject alternative name extension alongside the distinguished name in the Subject field.
• CRL distribution points (CDP). When a user, service, or computer presents a certificate, an application or service must determine whether the certificate has been revoked before its validity period has expired. The CDP extension provides one or more URLs from which the application or service can retrieve the CRL.
• Authority Information Access (AIA). After an application or service validates a certificate, the certificate of the CA that issued it, also referred to as the parent CA, must also be evaluated for revocation and validity. The AIA extension provides one or more URLs from which an application or service can retrieve the issuing CA certificate.
• Enhanced key usage. Describes the applications or services a certificate may be used for by listing an object identifier (OID) for each one. An OID is a dotted sequence of numbers assigned through a worldwide registry, so each OID is globally unique.
• Application policies. Also describes the applications or services a certificate may be used for by listing an OID for each one. When both are present, the contents of the Enhanced Key Usage field must match the contents of the Application Policies extension.
• Certificate policies. Describes the measures an organization takes to validate the identity of a certificate requestor before a certificate is issued. An OID represents the validation process and may be accompanied by a policy qualifier URL that fully describes the measures taken to validate the identity.
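As an added example that is not in the course materials, the following PowerShell snippet reads these extensions from an issued certificate and then has certutil.exe fetch every CDP and AIA URL the certificate advertises, which is the check Pkiview.msc and Chkcdp.exe perform. The file name issued.cer is an assumption; any certificate exported from the Certificates console will do.

```powershell
# Added example (not from the course materials). Assumed: .\issued.cer holds a
# certificate issued by your CA. Windows PowerShell 5.1 or PowerShell 7 on Windows.
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 `
    ((Resolve-Path .\issued.cer).Path)

# Walk every version 3 extension. Format($true) decodes the ASN.1 value into
# the same text certutil -dump shows: URLs for CDP and AIA, names for the
# subject alternative name, OIDs for enhanced key usage and certificate policies.
foreach ($ext in $cert.Extensions) {
    $flag = if ($ext.Critical) { ' [critical]' } else { '' }
    '{0} ({1}){2}' -f $ext.Oid.FriendlyName, $ext.Oid.Value, $flag
    $ext.Format($true)
}

# Enhanced Key Usage as a list of OIDs. The certificate parser returns an
# X509EnhancedKeyUsageExtension object for OID 2.5.29.37, so the OIDs are
# already decoded.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $eku.EnhancedKeyUsages | ForEach-Object { '{0}  {1}' -f $_.Value, $_.FriendlyName }
}

# Build the chain and actually retrieve every CDP and AIA URL listed in the
# extensions. A URL that cannot be fetched, a missing parent certificate, or a
# revoked or expired certificate in the chain is reported in the output.
certutil -verify -urlfetch .\issued.cer
```

Run the last command from a client on the network segment you care about: a CDP that is only reachable inside the data centre passes on the CA but fails for the laptop that will present the certificate.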
Note Root hierarchies are preferred over cross certification hierarchies because
they are easier to deploy, maintain, and troubleshoot.
Note Typically, you remove root CAs and policy CAs from the network to
provide additional physical security and to protect the CAs from network
attacks.
Issuing CAs: An issuing CA is typically located on the third tier or lower in a CA hierarchy. An issuing CA issues certificates to other computers, users, network devices, services, or other issuing CAs. An issuing CA is always online.

The parent CA for an issuing CA can be a policy CA or another issuing CA. The issuing CA must enforce the policies and procedures that are described in the policy CA above the issuing CA in the CA hierarchy.
• A user can add a root certificate to his or her trusted root store by using the Certificates console. Certificates in a user's trusted root store are trusted only by that user.
• A domain administrator, or any user with permission to modify Group Policy, can designate trusted root certificates for all computers in the site, domain, or organizational unit where the Group Policy object applies.
• A member of the Enterprise Admins group can publish trusted root CA certificates to the NTAuth store in the configuration naming context (NC), that is, to the CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container, by using the certutil.exe command.
• A member of the Enterprise Admins group can publish trusted root CA certificates to the AIA container in the configuration naming context, CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain, by using the certutil.exe command.
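The same four distribution methods as commands, added here as an example rather than taken from the course. ContosoRootCA.cer is an assumed file name for the root CA certificate; the certutil -dspublish commands must be run as a member of Enterprise Admins on a domain member, the store commands in an elevated prompt.

```powershell
# Added example (not from the course materials). Assumed: .\ContosoRootCA.cer
# is the root CA certificate; you are Enterprise Admin for the -dspublish lines.

# 1. One user only. Windows asks for confirmation before adding a root to the
#    user store; the root is trusted in this profile and nowhere else.
certutil -user -addstore Root .\ContosoRootCA.cer

# 2. This computer only: the local machine Root store. Group Policy
#    (Computer Configuration > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities) delivers the
#    same certificate to every computer in the GPO's scope; gpupdate pulls it.
certutil -addstore Root .\ContosoRootCA.cer
gpupdate /target:computer /force

# 3. Forest-wide, NTAuth store (CN=NTAuthCertificates,CN=Public Key Services,...).
#    Only CAs listed here may issue certificates used for domain logon, such as
#    smart card logon certificates, so keep this list short.
certutil -dspublish -f .\ContosoRootCA.cer NTAuthCA

# 4. Forest-wide, AIA and Certification Authorities containers. Every domain
#    member picks the root up from the directory at its next policy refresh.
certutil -dspublish -f .\ContosoRootCA.cer RootCA

# Check what the directory-backed enterprise stores now contain.
certutil -store -enterprise NTAuth
certutil -store -enterprise Root
```

Methods 3 and 4 are separate decisions: a root that should be trusted for SSL or e-mail but that must never vouch for domain logon belongs in the Certification Authorities container but not in NTAuth.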
Not all operating systems support the preceding methods. The following table
defines the minimum requirements for an operating system to recognize a root
CA certificate.
Method Minimum operating system required
Note This lab focuses on the concepts that are explained in this module and may not comply with Microsoft security recommendations.

Prerequisites: Before working on this lab, you must have completed the course setup.

Additional information: For more information about trusted root CAs, see article Q293781, "Trusted Root Certificates That Are Required By Windows 2000," in the Microsoft Knowledge Base at http://support.microsoft.com/?kbid=293781.

Estimated time to complete this lab: 30 minutes
Exercise 0
Lab Setup

You must change the password for your network administrative account before you start the lab. This user account is referred to as your domain administrative account in all subsequent labs. In addition, you must add the Administrative Tools menu to the Start menu for the PKI administration accounts.

2. Change your password to your own personal password.
   a. In the Logon Message message box, click OK.
   b. In the Change Password dialog box, in the New Password and Confirm New Password boxes, type Password (where Password is a new password for your administrative account), and then click OK.
   c. In the Change Password message box, click OK.
   d. In the Manage Your Server window, click Don't display this page at logon, and then close the window.

3. Open the Start menu and verify that the Administrative Tools menu appears.
   Click Start, and then verify that the Administrative Tools menu is available on the Start menu.
   If Administrative Tools is not available, perform the tasks in Step 4. If Administrative Tools is available, proceed to Step 5.
5. Log on as a member of the CA administrators.
   a. Close all open windows and then log off.
   b. Log on to your computer by using the following information:
      • User name: CAadmin1 (on the domain controller) or CAadmin2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
6. Open the Start menu and verify that the Administrative Tools menu appears.
   " Click Start, and then verify that the Administrative Tools menu is available on the
     Start menu. If Administrative Tools is not available, perform the tasks in Step 7. If
     Administrative Tools is available, proceed to Step 8.
8. Log on as a member of the certificate administrators.
   a. Close all open windows and then log off.
   b. Log on to your computer with the following information:
      • User name: CertAdmin1 (on the domain controller) or CertAdmin2 (on the member
        server)
      • Password: P@ssw0rd
      • Domain: Domain
9. Open the Start menu and verify that the Administrative Tools menu appears.
   " Click Start, and then verify that the Administrative Tools menu is available on the
     Start menu. If Administrative Tools is not available, perform the tasks in Step 10. If
     Administrative Tools is available, proceed to Step 11.
10. Add Administrative Tools to the Start menu.
   a. Right-click Start, and then click Properties.
   b. In the Taskbar and Start Menu Properties dialog box, click Start menu, and then click
      Customize.
   c. In the Customize Start Menu dialog box, on the Advanced Tab, in the Start menu items
      list, under System Administrative Tools, click Display on the All Programs and the
      Start menu, and then click OK.
   d. In the Taskbar and Start Menu Properties dialog box, click OK.
11. Log on as a member of the auditors.
   a. Close all open windows and then log off.
   b. Log on to your computer by using the following information:
      • User name: Auditor1 (on the domain controller) or Auditor2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain
12. Open the Start menu and verify that the Administrative Tools menu appears.
   " Click Start, and then verify that the Administrative Tools menu is available on the
     Start menu. If Administrative Tools is not available, perform the tasks in Step 13. If
     Administrative Tools is available, proceed to Step 14.
13. Add Administrative Tools to the Start menu.
   a. Right-click Start, and then click Properties.
   b. In the Taskbar and Start Menu Properties dialog box, click Start menu, and then click
      Customize.
   c. In the Customize Start Menu dialog box, on the Advanced Tab, in the Start menu items
      list, under System Administrative Tools, click Display on the All Programs and the
      Start menu, and then click OK.
   d. In the Taskbar and Start Menu Properties dialog box, click OK.
14. Log on as a member of the key recovery agents.
   a. Close all open windows and then log off.
   b. Log on to your computer by using the following information:
      • User name: KRA1 (on the domain controller) or KRA2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain
15. Open the Start menu and verify that the Administrative Tools menu appears.
   " Click Start, and then verify that the Administrative Tools menu is available on the
     Start menu. If Administrative Tools is not available, perform the tasks in Step 16. If
     Administrative Tools is available, proceed to Step 17.
16. Add Administrative Tools to the Start menu.
   a. Right-click Start, and then click Properties.
   b. In the Taskbar and Start Menu Properties dialog box, click Start menu, and then click
      Customize.
   c. In the Customize Start Menu dialog box, on the Advanced Tab, in the Start menu items
      list, under System Administrative Tools, click Display on the All Programs and the
      Start menu, and then click OK.
   d. In the Taskbar and Start Menu Properties dialog box, click OK.
17. Close all open windows and then log off the network.
   " Close all open windows and log off.
Exercise 1
Creating a Custom MMC
In this exercise, you will create a custom MMC by using the Certificates snap-in for the current
user and the local computer.
Scenario
Your manager has asked you to create a custom MMC that includes the Certificates MMC snap-in
for the current user and the local computer so that you can investigate the default trusted root CAs.
1. Log on with your administrative account for your domain.
   " Ensure that you are logged on with the following account information:
      • User name: Student1 (at the domain controller) or Student2 (at the member server)
      • Password: Password (where Password is the password for your administrative
        account)
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create an MMC and then add the following snap-ins:
   • Certificates – Current User
   • Certificates – Local Computer
   a. Click Start, click Run, type MMC and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add/Remove Snap-in dialog box, click Add.
   d. In the Add Standalone Snap-in dialog box, in the Available Standalone Snap-ins list,
      select Certificates, and then click Add.
   e. In the Certificates snap-in dialog box, click My user account, and then click Finish.
   f. In the Add Standalone Snap-in dialog box, in the Available Standalone Snap-ins list,
      select Certificates, and then click Add.
   g. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   h. In the Select Computer dialog box, click Local computer (the computer this console is
      running on), and then click Finish.
   i. In the Add Standalone Snap-in dialog box, click Close.
   j. In the Add/Remove Snap-in dialog box, click OK.
3. Save the MMC on the desktop as Certificate Management.
   a. In the Console1 – [Console Root] window, on the File menu, click Save As.
   b. In the Save As dialog box, click Desktop.
   c. In the Save As dialog box, in the File name box, type Certificate Management and then
      click Save.
Exercise 2
Viewing CA Certificates in Certificates MMC
In this exercise, you will investigate the trusted root CA certificates that are loaded in the
Certificates MMC snap-in.
Scenario
Your manager has asked you to enumerate the root certificates trusted by your organization. You
must determine how many certificates are listed in Certificates MMC for the current user and the
local computer.
1. View the trusted root CAs for both the current user and the local computer in the
   Certificates MMC snap-in.
   a. In the Certificate Management console, in the console tree, expand Certificates –
      Current User, expand Trusted Root Certification Authorities, and then click
      Certificates.
How many CAs are listed in the Certificates container?
Why are the same number of CAs shown in the local computer and the current user account?
Both containers display all root certificates that are trusted by the computer for that user. The
containers do not differentiate between root certificates trusted by the user and root certificates
trusted by the local computer.
How does the addition of a trusted root CA certificate differ in the Certificates (Local Computer) snap-in and
the Certificates - Current User snap-in?
A trusted root CA certificate that is added to the Certificates (Local Computer) snap-in is trusted by
all users of the computer, whereas a trusted root CA certificate that is added to the Certificates –
Current User snap-in is trusted only by the current user.
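The two questions above can also be answered from the command line. The following PowerShell script is an added example, not part of the course lab; it assumes a Windows host where the Cert: drive is available, counts the Trusted Root Certification Authorities stores of the local computer and the current user, and lists any root that only the current user trusts, which is the case the answer above describes.

```powershell
# Added example (not from the course): compare the Trusted Root Certification
# Authorities stores of the local computer and the current user.
# Assumes a Windows host with the Cert: PowerShell drive available.

function Get-RootStoreComparison {
    # Index each store by thumbprint so the comparison ignores ordering and
    # duplicate friendly names.
    $machineRoots = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $machineRoots[$_.Thumbprint] = $_
    }
    $userRoots = @{}
    Get-ChildItem -Path Cert:\CurrentUser\Root | ForEach-Object {
        $userRoots[$_.Thumbprint] = $_
    }

    # Roots present only in the user store are trusted by this user alone
    # (the Certificates - Current User case in the answer above). A root that
    # no administrator placed in the machine store deserves a second look.
    $userOnly = $userRoots.Keys | Where-Object { -not $machineRoots.ContainsKey($_) }

    [pscustomobject]@{
        MachineRootCount = $machineRoots.Count
        UserRootCount    = $userRoots.Count
        UserOnlyRoots    = @($userOnly | ForEach-Object {
            $c = $userRoots[$_]
            [pscustomobject]@{
                Subject    = $c.Subject
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
                # A root CA certificate is self-issued: issuer equals subject.
                # Anything else in a Root store is misplaced and worth investigating.
                SelfSigned = ($c.Subject -eq $c.Issuer)
            }
        })
    }
}

$report = Get-RootStoreComparison
'Local computer trusted roots : {0}' -f $report.MachineRootCount
'Current user trusted roots   : {0}' -f $report.UserRootCount
if ($report.UserOnlyRoots.Count -eq 0) {
    'No root CA certificates are trusted only by the current user.'
} else {
    'Root CA certificates trusted only by the current user:'
    $report.UserOnlyRoots | Format-Table Subject, Thumbprint, NotAfter, SelfSigned -AutoSize
}
```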
Exercise 3
Analyzing CA Certificate Distribution Methods
In this exercise, you will examine methods of distributing trusted root CA certificates to users and
computers in your organization.
Scenario
Your organization wishes to deploy a private PKI. You must determine the best way to distribute
trusted root CA certificates from the private PKI to users and computers in your organization.
1. View the list of Windows Components that are available in the Add/Remove Windows
   Components list.
   a. Click Start, point to Control Panel, and then click Add or Remove Programs.
   b. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
   c. On the Windows Components page, scroll to the bottom of the Components list.
What does the Update Root Certificates component provide when it is enabled?
When Microsoft adds CAs to the trusted root CA program, they are automatically downloaded to the
computer.
2. Create an MMC and then add the Group Policy object Default Domain Policy.
   a. Click Start, click Run, type MMC and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add/Remove Snap-in dialog box, click Add.
   d. In the Add Standalone Snap-in dialog box, in the Available Standalone Snap-ins list,
      select Group Policy Object Editor, and then click Add.
   e. In the Select Group Policy Object dialog box, click Browse.
   f. In the Browse for a Group Policy Object dialog box, select Default Domain Policy, and
      then click OK.
   g. In the Select Group Policy Object dialog box, click Finish.
   h. In the Add Standalone Snap-in dialog box, click Close.
   i. In the Add/Remove Snap-in dialog box, click OK.
3. View the Trusted Root Certification Authorities container in Default Domain Policy.
   a. In the console tree, expand Default Domain Policy, expand Computer Configuration,
      expand Windows Settings, expand Security Settings, expand Public Key Policies, and
      then click Trusted Root Certification Authorities.
Are there any certificates included in the Trusted Root Certification Authorities details pane?
If certificates are included in the details pane, where are they applied?
To all computers in the domain or organizational unit where the Group Policy object is applied.
4. Open the ADSI Edit console and inspect CA certificate publication points in the
   Configuration naming context.
   a. Click Start, click Run, type Adsiedit.msc and then click OK.
   b. In the console tree, expand Configuration, expand CN=Configuration,DC=ForestName
      (where ForestName is the LDAP distinguished name of your forest), expand
      CN=Services, expand CN=Public Key Services, and then click CN=AIA.
Are there any certificates in the AIA container? What types of certificates are added to this store?
No. The AIA container holds the certificates of private CAs, which you must add to it manually.
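The same publication points can be inspected without ADSI Edit. The following PowerShell script is an added example, not the course's own code; it assumes a domain-joined Windows host that can reach a domain controller over LDAP, reads the AIA, Certification Authorities, and NTAuthCertificates containers under CN=Public Key Services (the containers the publication methods earlier in this module and step 4 above refer to), and decodes every published CA certificate.

```powershell
# Added example (not from the course): enumerate CA certificates published in
# the Public Key Services containers of the Configuration naming context.
# Assumes a domain-joined Windows host with LDAP access to a domain controller.

function Get-PublishedCaCertificates {
    # RootDSE reports the forest's Configuration naming context, so the
    # DC=ForestRootDomain part of the distinguished name is not hard-coded.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
    $results  = New-Object System.Collections.Generic.List[object]

    # Decodes one cACertificate value and records where it was found.
    $record = {
        param($container, $objectName, $raw)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{
            Container  = $container
            Object     = $objectName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

    # CN=AIA and CN=Certification Authorities hold one object per CA; each
    # object carries its certificates in the multi-valued cACertificate attribute.
    foreach ($container in 'AIA', 'Certification Authorities') {
        $node = [ADSI]"LDAP://CN=$container,$pkiBase"
        foreach ($child in $node.Children) {
            $name = [string]$child.Properties['cn'].Value
            foreach ($raw in @($child.Properties['cACertificate'])) {
                if ($null -ne $raw) { $results.Add((& $record $container $name $raw)) }
            }
        }
    }

    # CN=NTAuthCertificates is a single object; its cACertificate values are the
    # CAs that domain controllers accept for certificate-based logon, so an
    # unexpected entry here matters most.
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    foreach ($raw in @($ntAuth.Properties['cACertificate'])) {
        if ($null -ne $raw) { $results.Add((& $record 'NTAuthCertificates' 'NTAuthCertificates' $raw)) }
    }
    return $results
}

$published = Get-PublishedCaCertificates
$published | Sort-Object Container, Subject |
    Format-Table Container, Object, Subject, NotAfter -AutoSize

# Expired CA certificates left in the directory are a common cleanup item.
$expired = $published | Where-Object { $_.NotAfter -lt (Get-Date) }
if ($expired) { 'Expired published CA certificates:'; $expired | Format-Table Container, Subject, NotAfter }
```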
Overview 1
Lesson: Identifying CA Hierarchy Design Requirements 2
Lesson: Common CA Hierarchy Designs 10
Lesson: Documenting Legal Requirements 15
Lesson: Analyzing Design Requirements 23
Lesson: Designing a CA Hierarchy Structure 33
Lab A: Designing a CA Hierarchy 42
Module 2: Designing a Certification Authority Hierarchy iii
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes
This module introduces the students to designing a Certification Authority (CA)
hierarchy. The major tasks involved in designing a PKI are the design of the
CA hierarchy and the configuration of the CAs in that hierarchy.
After completing this module, students will be able to:
! Identify requirements for designing a CA hierarchy.
! Describe common CA hierarchy designs.
! Describe policies and documents for specifying the legal requirements of a
CA hierarchy design.
! Identify the impact of design requirements and determine design changes to
a CA hierarchy design.
! Design a CA hierarchy to meet business requirements.
Required materials
To teach this module, you need Microsoft® PowerPoint® file 2821A_02.ppt.
Guidelines for Designing a CA Hierarchy
Emphasize that because there are many factors to consider before students
create a CA design, they must collect all the required information, verify the
information, identify how to meet those requirements, and study the impact on
the CA hierarchy design before finalizing the design.
Lab A
Lab A is a design lab. Consider dividing the class into groups of three to four
students to discuss the lab contents. At the end of the lab, have each group
present their answers. Spend extra time reviewing each of the proposed CA
hierarchies. Remember that any answer can be correct, as long as the students
back up the design with appropriate business, technical, or security criteria.
If you divide the classroom into groups of three or four students, ensure that
you do not allow the lab to take longer than the prescribed 60 minutes. Leave
sufficient time to discuss each group’s answers to the lab questions.
If autoenrollment fails, verify the following:
! That the AutoenrollUsers group is assigned Read, Enroll, and Autoenroll
permissions.
! That there are two AutoComputer certificate templates published at the
enterprise subordinate CA.
! That the Autoenrollment GPO exists.
! That the Autoenrollment GPO is correctly defined to enable all
autoenrollment options for users, not computers.
! That the Autoenrollment GPO is linked to the Module06 organizational unit
(OU).
Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.
Overview
Project Scope
! 802.1x. Allows only authenticated users to access a network and protects the
data that is transmitted across a network. An Institute of Electrical and
Electronics Engineers, Inc. (IEEE) standard, 802.1x in PKI provides
centralized user identification, authentication, dynamic key management,
and accounting to grant authenticated network access to 802.11 wireless
networks and wired Ethernet networks.
! Software restriction policy. Enables you to identify the programs that can
run on a computer by performing a digital hash function on the binary code
of applications.
! Internet authentication. Authenticates the client and server for transactions
in a client-server transmission. For example, when you use SSL, or Secure
Sockets Layer encryption, a client authenticates the Web server by
validating the certificates that the server presents.
! Encrypting File System. Encrypts data. To recover EFS-encrypted data, you
can implement key recovery or data recovery, or both. To perform key
recovery, you recover the user’s private key from a Windows 2003
enterprise CA database and import it into any user’s certificate store that
allows the decryption of all encrypted files. To perform data recovery, you
implement EFS recovery agents, which cannot access a user’s private key.
They can only access the randomly-generated file encryption key.
Note For more information about certificate validation, see the white paper,
Troubleshooting Certificate Status and Revocation, under Additional Reading
on the Web page on the Student Materials compact disc.
Legal requirements
Certification authorities must inform certificate holders and requestors about
any legal requirements and obligations for the use of issued certificates.
By defining certification practice statements, an organization can define legal
requirements for certificate enrollment, use, and revocation.
You can also use a certification practice statement (CPS) to define the liability
of an organization in the event of a breach of security. A CPS defines the
maximum liability of host organizations.
Note Your organization’s legal department must review all three documents
produced in this process: the security policy, the certificate policy, and the
certification practice statement.
Note A CPS can support one or more certificate policies. For each
certificate policy, the CPS must define how it supports the certificate policy
and provide any details that are not in the certificate policy.
4. Publish the CPS on a CA. The CPS must be available to all users and
computers that acquire certificates from your PKI. To make the CPS
available, publish it on one or more CAs in the CA hierarchy. Based on the
types of certificates that the CA issues and to whom, different certification
practice statements may exist on each CA in the hierarchy.
Note A CPS that is published on a policy CA affects the policy CA and any
subordinate CAs. If the same CPS is effective for all of the CAs, deploy the
CPS only on the policy CA.
Security Policy
The security policy document must also answer high-level PKI questions, such
as:
! What applications must be secured by using certificates?
! What kind of security services will be offered by using certificates?
Note For more information about security policies and procedures, see RFC
2196, Site Security Handbook, at http://www.ietf.org/rfc/rfc2196.txt.
Certificate Policy
Note The United States Department of Defense (DoD) defines its required
certificate policies in the report, X.509 Security Policy for the U.S. Department
of Defense, at http://www.c3i.osd.mil/org/sio/ia/pki/DoD_CP_V60_31May2002.pdf.
Each certificate policy describes the identification methods that DoD uses to
validate the identity of the certificate requestor, the types of transactions that it
allows, and the storage requirements for each certificate policy.
Note Do not provide too much information about security controls in this
section, so that the CA is not exposed to attack or compromise.
! Certificate and CRL Profile. Identifies the versions of certificates and CRLs
that the PKI supports. This section also details what extensions are
implemented by the CA, and whether the extensions are marked as critical.
! Specification Administration. Describes how the organization will maintain
the CPS. It includes change procedures, publication procedures, and
approval procedures.
Note For more information about each recommended section of the CPS, see
RFC 2527 “Internet X.509 Public Key Infrastructure Certificate Policy and
Certification Practices Framework,” under Additional Reading on the Web
page on the Student Materials compact disc.
Publish the CPS publicly on the Internet or to a location that is accessible to all
certificate holders. Every certificate that a CA issues that implements the
issuance procedures that are described in a CPS should include a URL in the
certificate that directs people to the public document. You can publish the CPS
at a higher level of the CA hierarchy, such as on the Policy CA. The CPS is still
effective for the subordinate CAs and their issued certificates.
Note You designate the location of your CPSs by creating a CAPolicy.inf file
and copying it to the CA’s system directory before the CA is installed or
renewed. For more information about a CAPolicy.inf file, see Module 3,
“Creating a Certification Authority Hierarchy,” in Course 2821, Designing and
Managing a Windows Public Key Infrastructure.
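A CAPolicy.inf that declares the CPS location, written with PowerShell as an added example (not the course's or Microsoft's own file): the policy OID and CPS URL are placeholders to be replaced with your organization's values, and the file must be in the system directory before the CA is installed or renewed, as the note above says.

```powershell
# Added example (not from the course): generate a CAPolicy.inf that attaches a
# certificate policy and the CPS location to every certificate the CA issues.
# The OID and URL passed at the bottom are placeholders for your own values.

function Write-CaPolicyInf {
    param(
        [Parameter(Mandatory)] [string] $PolicyOid,   # OID from your organization's own arc
        [Parameter(Mandatory)] [string] $CpsUrl,      # public location of the CPS document
        [string] $Notice = 'Use of this certificate is governed by the published CPS.',
        [string] $Path = (Join-Path $env:SystemRoot 'CAPolicy.inf'),
        [switch] $Force
    )

    # Certificate Services reads this file only at installation or CA renewal,
    # so overwriting an existing one silently would hide a configuration change.
    if ((Test-Path $Path) -and -not $Force) {
        throw "$Path already exists; use -Force to overwrite it."
    }

    # One certificate policy section is declared here. When the CPS supports
    # several certificate policies, add a section per policy and list them all,
    # comma-separated, in Policies=.
    $content = @"
[Version]
Signature="`$Windows NT`$"

[PolicyStatementExtension]
Policies=CompanyCps
Critical=FALSE

[CompanyCps]
OID=$PolicyOid
Notice="$Notice"
URL=$CpsUrl
"@

    Set-Content -Path $Path -Value $content -Encoding Ascii
    return $Path
}

# Placeholder values: replace with your organization's OID and CPS URL.
$written = Write-CaPolicyInf -PolicyOid '1.3.6.1.4.1.99999.1.1' `
                             -CpsUrl 'http://pki.example.com/cps.html'
Get-Content -Path $written
```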
Issuing CA security
To secure issuing CAs, place the CA in a secured server room, preferably one
that requires security card access to enter the room. Further enhance their
security by taking the following actions:
! Limit the number of services that are installed on the issuing CA and disable
any unused services on the issuing CA. These measures will reduce
additional connections to the CA for other services that are installed on it
and prevent attackers from exploiting known vulnerabilities in those
services.
! Dedicate a server running Windows 2003 Server, Enterprise Edition to
function as the issuing CA. This way, improperly configured applications or
services will not compromise the security of the CA. The only security
configuration that you must implement is that of the CA.
Private key protection
Depending on the security requirements of your organization, you can protect
the private keys of computers, users, and CAs by implementing any of the
following cryptographic service providers (CSPs):
! Software CSPs. Key pairs are stored in the protected store of the local
computer. You can strengthen the key pair by using a longer key length for
the root CA, such as 4096 bytes.
! Smart cards or PC card tokens. Key pairs are generated and stored on a
smart card or a PC card token. This storage protects the private key by
providing two-factor authentication. You must have access to the physical
smart card and know the smart card’s PIN to unlock the private key.
! Hardware Security Modules (HSM). Hardware CSPs support a wide range
of cryptographic operations and technologies. Keys that are stored in
hardware cryptographic devices can have longer lifetimes than keys that are
stored on hard disks by software CSPs because the tamper-resistant
hardware crypto-devices are more secure.
Another advantage of using hardware CSPs is that the key material is kept
outside of the computer’s memory and within the hardware device. This makes
it impossible to access the CA’s key by causing a memory dump.
Different issuance requirements
If different issuance requirements exist for similar certificates, you must create
individual certificate templates for each issuance requirement. For example, you
can have different issuance requirements for fulltime employees and
contractors. If you issue a smart card to fulltime employees when they join the
organization, all other certificates that they request require that they sign the
request by using their smart card. For contractors, the certificate will be issued
only after a meeting in person. Implementing different issuance requirements
requires separate certificate templates, which can be issued from different CAs
in the hierarchy.
Management of certificates issued to external users
You can manage certificates that are issued by private CAs more easily than
certificates that are issued by external CAs. Even if you issue certificates from a
private PKI, you must still publish the CA certificates and CRLs to a
publication point that is available to the external network if you want external
computers to be able to access them. You must add external Authority
Information Access (AIA) and CRL distribution point (CDP) locations that are
accessible from the public network, and manually publish the CA certificate
and CRLs to those locations. This is true for all CAs in the CA hierarchy—from
the CA that issues the certificates to the root CA.
You can have total control of the certificates that are issued by private CAs.
These CAs offer you the advantage of immediately revoking a certificate if a
user or computer does not follow the revocation policy that is included in your
CPS. In contrast, a commercial CA may not be responsive to a request to
revoke an external user’s certificate.
Trust certificates from another organization
External clients can only trust certificates that are issued from your PKI
hierarchy if the external organization trusts your root CA. You can trust
externally issued certificates by implementing:
! Certificate trust lists. Defines which certification authorities you trust in
another organization, what purposes you can use certificates for, and how
long you will trust the certificates.
! Cross certification. Enables two CA hierarchies to trust certificates that are
issued by the other CA hierarchy.
! Qualified subordination between the two organizations. Like cross
certification, qualified subordination enables two CA hierarchies to trust
certificates that are issued by the other CA hierarchy. The difference is that
you can apply constraints to the relationship when you use qualified
subordination.
Note The second and third requirements may cause actions that are in conflict.
If you arrive at conflicting design decisions, refer to your organization’s
security policy to determine which action to take.
Centralized administration
You may make some of the following design decisions to support centralized
administration:
! Prohibit remote administration of the CAs. You can modify the user rights
on the CA to prevent CA administrators or certificate managers from
connecting remotely. Likewise, you can configure terminal services to
prevent remote connections by CA administrators or certificate managers.
! Place CAs in secure physical locations. Place the CAs in a centralized and
secure location, such as a server room with key card access, that limits
access by CA administrators and certificate managers.
! Deploy fewer CAs and place them at major hubs of the network. It is not
necessary to deploy additional CAs to remote sites to enable remote
administration. Instead, your design can have fewer CAs, located at major
hubs of the network.
Minimize CA failure
To determine the best configuration for your CA infrastructure, evaluate the
following factors in your organization that affect CA capacity, performance,
and scalability:
! The number of certificates that you must issue and renew
! The key lengths of the issuing CA certificates
! The type of hardware that your CAs require
! The number and configuration of the client computers
! The quality of your network connections
Note Use hardware RAID solutions for CAs. Do not use the software RAID
services that Windows 2003 Server provides.
Medium security requirements
The following characteristics describe an organization that has medium security
requirements:
! It has a 2-level CA hierarchy with an offline root CA and online
subordinates.
! It must remove only the root CA from the network.
! It requires the availability of multiple issuing CAs on the network, because
of the large number of users.
! Two or more CAs issue each certificate template because of fault tolerance
requirements.
High security requirements
The following characteristics describe an organization that has high security
requirements:
! It has a 3-level or 4-level CA hierarchy with an offline root CA, an offline
subordinate or policy CA, and online issuing subordinates.
! Its employees or external vendors work in several geographic regions.
Security characteristics of a root CA
The following characteristics describe the security of a root CA:
! A root CA is permanently offline.
! A root CA provides a high level of physical and cryptographic security.
! A root CA supports the largest key size, hardware tokens, and levels two
and three of Federal Information Processing Standards (FIPS) 140-1.
Note FIPS are defined by the Computer Security Resource Center at the
National Institute of Standards and Technology (NIST). The FIPS 140
standards define security requirements for cryptographic modules. You can
view the standards on Computer Security Resource Center Web site at
http://csrc.nist.gov/publications/fips.
As the distance from the root CA increases, the physical and configuration
security requirements decrease for policy CAs and issuing CAs.
Security characteristics of a policy CA
The following characteristics describe the security of a policy CA:
! A policy CA is permanently offline.
! A policy CA may require a hardware storage module for private key
storage, but it may implement a lower FIPS 140-1 level of security, if the
security policy of the organization allows it.
! More than one Policy CA may be required if the organization must
implement different issuance requirements. For example, some countries
may require specific issuance requirements that are not required by other
countries in which the organization operates.
Security characteristics of an issuing CA
The following characteristics describe the security of an issuing CA:
! An issuing CA is a member of the domain.
! An issuing CA is always online, and responds to certificate requests over the
network.
! An issuing CA requires physical security, such as a server room that
requires card key access.
Note To avoid an oversized PKI for smaller environments, you can combine
the first two levels of the hierarchy—the root and policy CAs—into one level.
You can design a single level PKI hierarchy for basic PKI services. If you
remove the root and the policy tiers from the CA hierarchy, the result is a single
point of failure. One CA serves as the root CA, the policy CA, and the issuing
CA. Because the CA must issue certificates, it cannot be taken offline. Security
and flexibility is limited with this type of design.
Standalone CA
! Is typically used for offline CAs, but can also be used as an online CA
! Does not depend on Active Directory and can be deployed in other environments or in
network segments where Active Directory cannot be contacted
! Supports requests for standard user and computer certificates, such as user-authentication
certificates and Web-server certificates
! Requires that, by default, all certificate requests received by the standalone CA must be
issued or denied by a certificate manager
Enterprise CA
! Is typically deployed as an issuing CA that issues certificates to users, computers, and
services
! Requires Active Directory as a configuration and registration database and as a publication
point for certificates that are issued to users and computers
! Defines certificate formats in certificate templates that it issues
! Issues or denies certificate requests based on the discretionary access control list (DACL)
of the requested certificate template
Warning If you decide to change the CA type after you install a CA, you must
first back up the entire database and the key pair, reinstall the CA with the new
CA type by using the same key pair, and then restore the CA database.
What is the Common Criteria specification?
To help determine role separation, you can use the Common Criteria
specification, which defines security standards for all forms of network security
and includes specifications for managing PKIs.
Note For more information about Common Criteria, see the Common Criteria
Web site at http://www.commoncriteria.org.
Role Separation using Common Criteria The specification identifies four roles for PKI management:
! CA administrator. Configures and manages Certificate Services, designates
certificate managers, and renews CA certificates.
! Certificate manager. Issues and revokes certificates.
! Auditor. Reviews the security event log for success and failure audit events
that are related to Certificate Services.
! Backup Operator. Performs backups of the CA database, the CA
configuration, and the CA’s key pair.
Warning When you implement role separation, the user can be in only one of
the Common Criteria roles. If the user is assigned more than one role, that user
is blocked from performing any Certificate Services management activities.
Prerequisites Before working on this lab, you must have completed the course setup.
Additional information For more information about designing a CA hierarchy, see the white paper, Best
Practices for Implementing a Microsoft Windows Server 2003 Public Key
Infrastructure, under Additional Reading on the Web page on the Student
Materials compact disc.
Scenario Northwind Traders recently hired you as its PKI administrator. You must
analyze the organization’s business and technical requirements to design a CA
hierarchy for the organization. The CA hierarchy must also enforce the security
policy of Northwind Traders.
Estimated time to complete this lab: 45 minutes
Exercise 1
Identifying Applications and Certificate Holders
Introduction In this exercise, you will determine whether the certificates that support each
PKI-enabled application are issued to users or to computers.
Scenario The organization is planning the following projects that require digital
certificates.
! IPSec with certificate-based authentication. The Human Resources (HR)
department wants to protect all network transmissions to the HR data server
by using IPSec. The server runs Windows Server 2003. The HR department
client computers run either Windows 2000 Professional or Windows XP
Professional.
! EFS. The Consulting department wants to implement EFS on the portable
computers of all consultants. The portable computers run Windows XP
Professional and are members of one of the organization’s Active Directory
domains.
! Web-based time tracking system. The Payroll department has created a
Web-based time tracking system on the corporate intranet. The Web site
authenticates all employees by using certificate-based authentication. Client
computers in the organization run Windows ME, Windows NT® 4.0
Workstation, Windows 2000 Professional, and Windows XP Professional.
All communications with the time tracking system must be protected against
inspection.
! Customer extranet Web site. Customers will connect to an extranet Web
site that is protected by SSL. User accounts will be stored in a SQL database
for authentication to the Web site.
! Smart card authentication. A staged rollout will implement smart cards
for employees. Initially, the smart cards will be optional for interactive
logons, but mandatory for L2TP/IPSec VPN connections. The organization
will issue a Windows XP computer to each employee before it issues a
smart card.
Questions Complete the following table based on the information in the scenario. For each
application, identify whether the certificates that the application implements are
required for users or computers.
Application | User certificate | Computer certificate
IPSec | No | Yes
EFS | Yes | No
Web-based time tracking system | Yes | Yes
Customer extranet Web site | No | Yes
Smart card authentication | Yes | Yes
Exercise 2
Identifying Technical and Business Requirements
In this exercise, you will identify the technical and business requirements of
Northwind Traders. These requirements will determine the design of your CA
hierarchy.
Scenario Northwind Traders is in the process of planning several IT projects that require
digital certificates. When researching the design of the organization’s CA
hierarchy, you identify the following technical and business requirements for
PKI-enabled applications.
! The corporate headquarters is located in Hong Kong. All centralized
network services are managed out of Hong Kong.
! Northwind Traders has regional offices in Lisbon and Mexico City. The
organization delegates all network administration to the remote offices,
where local administration teams manage all aspects of the network.
! The organization implements three domains, one at each network location.
! The network implements a Service Level Agreement (SLA) that requires all
critical network services to be available at all times. The PKI is a critical
network service and must honor the SLA.
! Northwind Traders places a high value on security. A written security policy
exists for the organization. The following sections in the security policy will
influence the design of your CA hierarchy. The security policy requires that:
• Enterprise servers are stored in secure network locations.
• Additional hardware security measures (if available) are implemented to
increase security beyond what the operating system offers.
• Any network identification and encryption technology is protected
against interception and theft. Protection measures include removal from
the network, advanced cryptography devices, and physical security.
! Northwind Traders plans to deploy Microsoft Exchange Server 2003 for all
e-mail services. In addition, the organization will require the
implementation of S/MIME security for selected users in the organization.
These users must be able to exchange secure e-mail with specific partner
organizations.
! The Web-based time tracking system and the customer extranet Web sites
require SSL encryption.
! The organization uses separate administration teams to manage user
accounts and computer accounts. Therefore, the CA hierarchy must support
separate management of user and computer certificates.
! The European Union requires that companies that operate in Europe
implement specific issuance processes for certificates that are used to sign
e-mail messages that are sent between companies. Only users in the Lisbon
office must implement these policies.
2. What additional security measures are required for the offline CAs?
All CAs must implement hardware storage modules to protect each
CA’s key pair.
Exercise 3
Designing a CA Hierarchy
In this exercise, you will design a CA hierarchy for Northwind Traders, based
on the requirements that are presented in Exercises 1 and 2 of this lab.
Scenario The organization is in the process of planning several projects that require
digital certificates. Now that you have gathered and analyzed all technical and
business requirements, you must design the CA hierarchy.
Questions 1. What CA hierarchy design best fits the requirements of the organization?
a. CA hierarchy based on certificate use
b. CA hierarchy based on geography
c. CA hierarchy based on departments
d. Combination of certificate use and geography
d. The CA hierarchy must be based on certificate use, to allow separate
CAs to issue computer and user certificates, and geography, to allow
decentralized administration.
2. If offline CAs are implemented at the first and second levels of the CA
hierarchy, where will you locate the offline CAs?
Locate the offline root and offline subordinate CAs at the Hong Kong
office, because all centralized network services are performed there.
3. Based on the requirements that are presented in this lab, draw your proposed
CA hierarchy for Northwind Traders.
Module 3: Creating a Certification Authority Hierarchy
Contents
Overview 1
Lesson: Creating an Offline Root CA 2
Lab A: Installing an Offline CA 14
Lesson: Validating Certificates 20
Lesson: Planning CRL Publication 30
Lab B: Publishing CRLs and AIAs 39
Lesson: Installing a Subordinate CA 49
Lab C: Implementing a Subordinate Enterprise CA 59
Module 3: Creating a Certification Authority Hierarchy iii
Instructor Notes
Presentation: 90 minutes
Labs: 120 minutes
This module introduces students to the process of creating a certification
authority (CA) hierarchy based on a CA hierarchy design. Students will learn
how to determine the correct settings and configuration for installing Certificate
Services, validating certificates, and publishing certificate revocation lists
(CRLs).
After completing this module, students will be able to:
! Create an offline root CA.
! Design an infrastructure to validate certificates.
! Design an infrastructure to publish certificate revocation lists.
! Install a subordinate CA.
Required materials To teach this module, you need the following materials:
! Microsoft® PowerPoint® file 2821A_03.ppt
! The multimedia presentation The Certificate Chaining Engine
Guidelines for Deploying an Offline Root CA Spend time reviewing each of the guidelines. Emphasize to students that an
incorrect decision during the installation of the root CA may require that they
redeploy the entire PKI.
Lab A In this lab, ensure that the students use the correct naming scheme for the
offline root CA. Also ensure that the students select Offline CA on the Boot
menu, and that they do not perform the lab procedure on the Member Server
partition.
Practice: Identifying Matching Rules The five certificates for the practice are provided in the
C:\moc\2821\practices\Module3 folder. Ask students to open the five
certificates and record the required information in the appropriate tables.
Students will require up to 30 minutes to complete the practice. Be sure to
review the answers and discuss what matching rules the certificate chaining
engine used for the two certificate chains.
Certificate Validation Tests The certificate chaining engine performs multiple validation tests to ensure that
a presented certificate is valid. Tell the students that any test failure will result
in the certificate chaining engine assigning a penalty to the chain, which could
result in the certificate chaining engine not selecting the chain.
Reasons for Revoking Certificates Explain the various reasons for revoking a certificate. Emphasize that although
CertificateHold enables a certificate to be unrevoked, placing a hold on a
certificate is not recommended, because it becomes difficult to determine if a
certificate was valid at a specific time.
Read RFC 3280 for more information about reasons to revoke a certificate.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1 The labs in this module require the creation of a custom MMC console named
Certificate Management, which is saved on the desktop. To prepare student
computers to meet this requirement, complete Module 1, “Overview of Public
Key Infrastructure,” in Course 2821, Designing and Managing a Windows
Public Key Infrastructure.
Setup requirement 2 The procedures in the three labs in this module are divided between two partner
computers. Ensure that the students perform each procedure on the correct
computer, as designated in the lab manual.
Important The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for this course.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A At the completion of Lab A:
! CAPolicy.inf is configured as required and saved in the %Windir% folder.
! The dual-boot computer is configured as an offline root CA for the student
pair’s CA hierarchy.
Overview
Before you install the offline root CA, modify the CAPolicy.inf file and then
save it in the %Windir% folder of the root or subordinate CA. For a sample of
the CAPolicy.inf file, see the white paper, Planning and Implementing Cross-
Certification and Qualified Subordination Using Windows Server 2003, under
Additional Reading on the Web page on the Student Materials compact disc.
Important If you use the CAPolicy.inf file to install a CA, also use it for CA
renewal. Otherwise, the previously defined settings may be lost.
Note You do not define the validity period for subordinate CAs in the
CAPolicy.inf file. The CA that issues the subordinate CA certificate defines
the validity period.
[AuthorityInformationAccess]
Empty=True
You must use a CAPolicy.inf file to define the following settings for a non-root
CA:
! Certification practice statement
! CRL publication intervals
! CA renewal settings
! Renewal key size
Note The format of a CPS is defined in RFC 2527, “Internet X.509 Public Key
Infrastructure Certificate Policy and Certification Practices Framework,” under
Additional Reading on the Web page on the Student Materials compact disc.
You can configure a CAPolicy.inf file to point to a CA’s CPS by using a URL
pointer. You see this CPS when you view the CA certificate and click Issuer
Statement.
Defining certificate policies In a CAPolicy.inf file, you can define a certification practice statement. The
CPS can be valid for one or more certificate policies that are enforced by the
CA and subordinate CAs in the CA hierarchy. Each CPS requires a unique
object identifier (OID), and a policy statement. A policy statement can be a
URL pointer to the policy statement.
Note It is not mandatory that you implement a CPS in the CAPolicy.inf file on
every CA in the CA hierarchy. Typically, you define the CPS at the policy CA
level of the CA hierarchy. If an organization requires different certification
practice statements, you must implement separate policy CAs—one for each
CPS.
What is an OID? An OID is a sequence of numbers that identifies a specific object, such as an
algorithm or attribute type, or a specific policy. When you define the OID for a
policy, you can use either a public OID or a private OID. You can obtain a
public OID from the OID registry. You can obtain publicly recognized OIDs
from the following sources:
! Internet Assigned Numbers Authority (IANA). Issues OIDs for free under the
Private Enterprises branch.
! American National Standards Institute (ANSI). Issues OIDs under the U.S.
Organizations branch. Each OID must be purchased.
! British Standards Institute (BSI). Issues OIDs under the UK Organizations
branch. Each OID must be purchased.
! Other agencies that are on the Internet.
You can generate a private OID after you install Certificate Services on your
network. The Certificate Templates console can issue private OIDs that exist in
the Microsoft OID space. Each forest generates a unique OID within the
Microsoft OID space.
CA Policy format Use the following syntax to define a certificate policy and CPS in the
CAPolicy.inf file:
[PolicyStatementExtension]
Policies = InternalPolicy
[InternalPolicy]
OID = 1.3.3.4.6.6.7.8.9.10
Text = "The internal employees CPS"
URL = "http://www.nwtraders.msft/LegalPolicy/internal.htm"
Note Each space in the name uses three characters due to the escape character
sequence (%20). For example, the name My CA is seven characters in length
and is represented as My%20CA.
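The following is an added example, not part of the course materials: a small checker that parses a CAPolicy.inf file before it is placed in %Windir%, verifies that every policy named in [PolicyStatementExtension] has a section with a well-formed dotted-decimal OID and a Text or URL statement, and (as an assumption about offline root CAs, following the lab's use of Empty=True) that the [AuthorityInformationAccess] and [CRLDistributionPoint] sections are set to Empty=True. The sample INF, the second policy, and the [Version] header are constructed for the example.

```python
"""Lint a CAPolicy.inf before installing an offline root CA (added example).

Checks: policy sections referenced from [PolicyStatementExtension] exist,
each has a dotted-decimal OID and a Text or URL statement, and, for an
offline root CA (assumption), AIA and CDP are declared Empty=True.
"""
import configparser
import re
from typing import List
from urllib.parse import quote

OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample; the PartnerPolicy section carries a deliberately bad OID.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies = InternalPolicy, PartnerPolicy

[InternalPolicy]
OID = 1.3.3.4.6.6.7.8.9.10
Text = "The internal employees CPS"
URL = "http://www.nwtraders.msft/LegalPolicy/internal.htm"

[PartnerPolicy]
OID = 1.3.3.4.6.6.7.8.9.x
URL = "http://www.nwtraders.msft/LegalPolicy/partner.htm"

[AuthorityInformationAccess]
Empty=True

[CRLDistributionPoint]
Empty=True
"""


def parse_capolicy(text: str) -> configparser.ConfigParser:
    """Parse INF text; keep key case and disable % interpolation (URLs use %20)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint_capolicy(text: str, offline_root: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the INF passed every check."""
    cp = parse_capolicy(text)
    findings = []

    # A CPS is optional, so only check the policy sections if the extension is present.
    if cp.has_section("PolicyStatementExtension"):
        raw = cp.get("PolicyStatementExtension", "Policies", fallback="")
        names = [n.strip() for n in raw.split(",") if n.strip()]
        if not names:
            findings.append("[PolicyStatementExtension] has no Policies entry")
        for name in names:
            if not cp.has_section(name):
                findings.append(f"policy section [{name}] is missing")
                continue
            oid = cp.get(name, "OID", fallback="").strip()
            if not OID_RE.match(oid):
                findings.append(f"[{name}] OID '{oid}' is not a dotted-decimal OID")
            if not (cp.has_option(name, "Text") or cp.has_option(name, "URL")):
                findings.append(f"[{name}] has neither a Text nor a URL statement")

    # Assumption: an offline root should not carry CDP/AIA URLs in its own certificate.
    if offline_root:
        for section in ("AuthorityInformationAccess", "CRLDistributionPoint"):
            value = cp.get(section, "Empty", fallback="") if cp.has_section(section) else ""
            if value.strip().lower() != "true":
                findings.append(f"[{section}] should be Empty=True on an offline root CA")
    return findings


def escaped_name_length(ca_name: str) -> int:
    """Length of a CA name once spaces are URL-escaped as %20 (e.g. 'My CA' -> 7)."""
    return len(quote(ca_name))


if __name__ == "__main__":
    for finding in lint_capolicy(SAMPLE_INF):
        print("FINDING:", finding)
    print("My CA escapes to", quote("My CA"), "length", escaped_name_length("My CA"))
```

Run against the constructed sample, the checker reports only the malformed PartnerPolicy OID; fixing that OID yields an empty findings list.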
Key length. For most root CAs, the largest interoperable key length is 4096 bits.
Exceptions may apply if you use a hardware CSP or smart card to store the CA
key. The longer the signature key length, the greater the CPU utilization during
certificate generation.
Note For more information about defining the validity period for issued
certificates, see the section titled “Set the validity period for issued certificates
on the offline root CA” in the white paper, Best Practices for Implementing a
Windows Server 2003 PKI, under Additional Reading on the Web page on the
Student Materials compact disc.
Database and log settings. You can improve the performance of the CA
hierarchy by using separate disks for the database and log files. Using more
physical drives in a redundant array of independent disks (RAID) set also
improves disk write performance.
Store the database on a RAID 5 or RAID 0+1 volume and store the database log
files on a RAID 1 mirror set. Ensure that the database and logs are stored on a
different volume from the operating system.
Features of an HSM An HSM can provide highly secure operations by using multilayered hardware
and software tokens and other key features, including:
! Hardware-based, cryptographic operations. Examples include random
number generation, key generation, digital signatures, and key archival and
recovery.
! Hardware protection of private keys. The private keys are stored on the
HSM device, rather than on the local disk subsystem of the CA, which
separates the keys from the physical computer that hosts the CA.
! Secure management of private keys. All management tasks of the private
keys use the HSM’s CSP. The management occurs in the HSM, which
separates the management tasks from the computer that hosts the HSM.
! Acceleration of cryptographic operations. This feature offloads key
generation from the host server.
! Load balancing and failover in hardware modules. You can provide load
balancing and failover protection by using multiple HSMs that are linked
together.
! Split-key functions. By using an HSM, you can define a pool of certificate
operators, and specify that more than one operator is required for all signing
operations. For example, you can define three certificate operators, and
require two operators to perform all signing operations. This split-key
functionality ensures that a single person cannot perform CA management
tasks.
Secure private keys Consider securing high-value private keys by using an HSM. If you store the
private key on the host server’s hard drive or in system memory, an attacker can
copy, delete, or compromise the hard drive if he gains physical control of the
host system. If a key is compromised, you must generate a new private key and
replace all certificates that were signed by using the compromised key. Such a
security breach can cause significant downtime and replacement costs.
To secure your private keys in Windows Server 2003:
! Permit key generation, storage, and management by using HSMs. All
certificate signing operations are performed exclusively at the HSM.
! Enable all cryptographic functions to be performed within the CSP module
that generated the CA’s private keys.
! Use hardware-based CSPs to move cryptographic operations from host
processors to specialized hardware.
Using secure business practices If you maintain the root CA in a secure data center or vault, perform the offline
CRL publication and transfer the CRL by using multiple trusted personnel.
After you obtain the CRL, you must manually transfer it from the security area
to a location where you can propagate the CRL to the CRL distribution points
(CDPs).
Place the offline root CA server in secured storage until you must do one of the
following:
! Issue or renew a new subordinate CA certificate.
! Issue an updated CRL.
Perform the offline CRL publication several days before the previously issued
CRL expires in case the offline root CA has a hardware or publication failure.
Allow adequate time to publish and replicate the CRL to all CDP locations and
to ensure that you identify and correct any errors or failures.
! Use a unique distinguished name for the CA. The distinguished name should
identify the purpose of the CA so that your users can easily recognize it.
Make it unique in the PKI community—all computers, users, and services
that will evaluate the certificates that the CA issues. The PKI community
can also include external computers, users, and services, if the certificates
are used on the Internet or between organizations.
! Implement a long validity period. Configure root CAs to have a longer
lifecycle than an online issuing CA, which is typically 10-20 years. A long
validity period reduces the administrative burden of being required to renew
the root CA frequently. Renew the CA certificate every 10 years, and use a
new key pair for every other renewal.
Note Consider these guidelines when deploying any offline CAs, whether the
CA is an offline root CA or an offline subordinate CA.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations. For instance, this
lab does not implement HSM storage of the private key material for the offline
CA.
Exercise 1
Configuring CAPolicy.inf for installing the Offline Root CA
In this exercise, you will modify CAPolicy.inf to support the installation of the offline root CA for
your forest. You will also publish the Certificate Practice Statement at a predefined location on
your organization’s domain controller.
Scenario
Your organization requires the implementation of a private PKI. You must install an offline CA to
secure the CA hierarchy.
Why are the CDP and AIA URLs defined as Empty in CAPolicy.inf for an offline root CA?
The CDP and AIA locations are not required for root CA certificates. By defining the CDP and AIA
URLs as empty, you ensure that applications do not check the root CA certificate for revocation.
The operating system reads the CAPolicy.inf file during the initial installation of the offline root CA
and during the renewal of the CA certificate.
4. Save all changes and close CAPolicy.inf.
a. Save all changes, and then close CAPolicy.inf.
b. Close all open windows.
Exercise 2
Installing the Offline Root CA
In this exercise, you will install the offline root CA by using the settings in CAPolicy.inf.
Scenario
After you create CAPolicy.inf, you must install Certificate Services on the offline root CA as a
standalone root CA.
1. Open Add or Remove Programs in Control Panel.
a. Ensure that you are logged on as Administrator with a password of
P@ssw0rd at the offline root CA.
b. On the Start menu, click Control Panel, and then click Add or
Remove Programs.
2. Install Certificate Services with the following options:
• Stand-alone root CA
• CSP: Microsoft Strong Cryptographic Provider
• Hash algorithm: SHA-1
• Key length: 4096
• Common Name: Computer
• Distinguished name suffix: ForestName
• Validity Period: 20 Years
a. In the Add or Remove Programs dialog box, click Add/Remove
Windows Components.
b. In the Windows Components Wizard, in the Components list, select
the Certificate Services check box.
c. In the Microsoft Certificate Services dialog box, click Yes.
d. On the Windows Components page, click Next.
e. On the CA Type page, click Stand-alone root CA, enable the Use
custom settings to generate the key pair and CA certificate check
box, and then click Next.
f. On the Public and Private Key Pair page, set the following options:
• CSP: Microsoft Strong Cryptographic Provider
• Hash algorithm: SHA-1
• Key length: 4096
g. On the Public and Private Key Pair page, click Next.
h. On the CA Identifying Information page, enter the following
information:
• Common Name for this CA: Computer (where Computer is the
NetBIOS name of the offline CA from the table at the beginning of
the lab)
• Distinguished name suffix: ForestName (where ForestName is the
LDAP distinguished name of your forest from the table at the
beginning of the lab)
• Validity Period: 20 Years
i. On the CA Identifying Information page, click Next.
j. On the Certificate Database Settings page, accept the default settings,
and then click Next.
k. In the Microsoft Certificate Services dialog box, click OK.
l. Insert the Windows Server 2003 Enterprise Edition disk into the
CD-ROM drive, if you have not already done so.
m. On the Completing the Windows Components Wizard page, click
Finish.
n. Close the Add or Remove Programs dialog box.
o. Close all open windows.
Path validation Path validation is the validation of all certificates in a certificate chain until the
certificate chain terminates at a trusted, self-signed certificate.
The path validation process ensures that a valid certification path is established
for a given end certificate. A valid certification path is one in which the end-entity
certificate chains, through its issuers, to a trusted root CA.
Note For more information about path validation, see the white paper,
Troubleshooting Certificate Status and Revocation, under Additional Reading
on the Web page on the Student Materials compact disc.
Revocation checking Each certificate in the certificate chain is checked to verify that none of the
certificates were revoked. Revocation checking can occur either in conjunction
with the chain building process or after the chain is built.
In Windows XP and Windows Server 2003, the certificate chaining engine
checks revocation as the certificate chain is built. In contrast, in Windows 2000,
the certificate chaining engine does not perform revocation checking until the
complete chain is built.
Note This practice focuses on the concepts in this lesson and as a result may
not comply with Microsoft security recommendations.
Serial number  19 8b 11 d1 3f 9a 8f fe 69 a0
AKI            Certificate Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
               Certificate SerialNumber=00 c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40
SKI            n/a
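To make the practice's matching step concrete, the following added example (not part of the course materials) models how a chaining engine picks the issuer of each certificate from a store. It applies the three matching rules in order of preference: an exact match (the AKI names the issuer and its serial number, as in the record above), a key match (the AKI key identifier equals a candidate's SKI), and a name match (the Issuer field equals a candidate's Subject). It only performs matching, not the penalty scoring that the lesson also mentions. All certificate records, names, and identifiers below are constructed; the renewed root with a new key pair shows why key match ranks above name match.

```python
"""Issuer matching as a certificate chaining engine performs it (added example).

Rules, in order of preference: exact match (AKI issuer name + serial),
key match (AKI key identifier == candidate SKI), name match (Issuer == Subject).
All records below are constructed, not real certificates.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    label: str
    subject: str
    issuer: str
    serial: str
    ski: Optional[str] = None          # Subject Key Identifier
    aki_keyid: Optional[str] = None    # AKI, key identifier form
    aki_issuer: Optional[str] = None   # AKI, certificate issuer form
    aki_serial: Optional[str] = None   # AKI, certificate serial number form

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def match_issuer(cert: Cert, store: List[Cert]) -> Tuple[Optional[Cert], Optional[str]]:
    """Return (issuer, rule) for the best-ranked candidate, or (None, None)."""
    rules = (
        ("exact match", lambda c: cert.aki_issuer is not None
                                  and c.subject == cert.aki_issuer
                                  and c.serial == cert.aki_serial),
        ("key match", lambda c: cert.aki_keyid is not None and c.ski == cert.aki_keyid),
        ("name match", lambda c: c.subject == cert.issuer),
    )
    for rule, predicate in rules:           # higher-ranked rules win outright
        for candidate in store:
            if candidate is not cert and predicate(candidate):
                return candidate, rule
    return None, None


def build_chain(leaf: Cert, store: List[Cert], max_depth: int = 10) -> Tuple[List[str], List[str]]:
    """Walk from the leaf to a self-signed root; return (labels, rule used per hop)."""
    labels, rules = [leaf.label], []
    current = leaf
    while not current.is_self_signed():
        if len(labels) > max_depth:
            raise ValueError("chain too long; possible issuer loop")
        issuer, rule = match_issuer(current, store)
        if issuer is None:
            raise ValueError(f"no issuer found for {current.label}")
        labels.append(issuer.label)
        rules.append(rule)
        current = issuer
    return labels, rules


ROOT = "CN=NWTraders Root CA"
POLICY = "CN=NWTraders Policy CA"

# Constructed store: original root, policy CA, renewed root with a new key, three leaves.
CERT1 = Cert("Certificate 1", ROOT, ROOT, serial="01")
CERT2 = Cert("Certificate 2", POLICY, ROOT, serial="1a", ski="aa11",
             aki_issuer=ROOT, aki_serial="01")
CERT3 = Cert("Certificate 3", "CN=hr-data.nwtraders.msft", POLICY, serial="2b",
             aki_keyid="aa11")
CERT4 = Cert("Certificate 4", ROOT, ROOT, serial="02", ski="ff02")
CERT5 = Cert("Certificate 5", "CN=vpn.nwtraders.msft", ROOT, serial="3c",
             aki_keyid="ff02")
CERT6 = Cert("Certificate 6", "CN=legacy.nwtraders.msft", POLICY, serial="4d")
STORE = [CERT1, CERT2, CERT3, CERT4, CERT5, CERT6]


if __name__ == "__main__":
    for leaf in (CERT3, CERT5, CERT6):
        labels, rules = build_chain(leaf, STORE)
        print(" -> ".join(labels), "|", ", ".join(rules))
```

Certificate 5 names the same issuer as Certificates 1 and 4, so a name match alone would be ambiguous; the key match selects the renewed root unambiguously, which is why AKI/SKI data matters when a root is renewed with a new key pair.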
Analysis Based on the information in the preceding tables, complete the following
graphic for the two certificate chains and then identify the certificate matching
method that was used to build the chains.
[Graphic: five boxes labeled Certificate 1 through Certificate 5, to be arranged into the two chains]
! Revocation check. The operating system compares the serial number of the
certificate with all entries in the CA’s CRL to determine if the certificate
was revoked before its validity period expired.
! Root check. The certificate of the issuing CA must be chained to either a
trusted root or be included in a signed certificate trust list (CTL). The
certificate is considered chained to a nontrusted root if neither of these
conditions is met.
! Policy validation. The application may require that a certificate contain
specific certificate policies or application policies. If the certificate does not
include these policies, the certificate cannot be used by the application.
! Critical extensions. If the certificate contains an extension that is marked as
critical, but the application does not know how to implement or use the
extension, the operating system rejects the certificate.
Note For more information about certificate revocation reason codes, see RFC
3280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, under Additional Reading on the Web page on
the Student Materials compact disc.
Types of CRLs
Note You must download the base CRL initially and when the previous base
CRL expires. You can force the client computer to retrieve a more recent base
CRL even though the current base CRL is still valid by having the delta CRL
point to a higher number base CRL.
Any new delta CRLs will now include only certificates that have been revoked
since base CRL CRL#4 was issued.
! Registry settings. You can change three default registry settings to define CRL publication intervals. A CRL is valid for a period that differs from its publication period: the validity period is extended beyond the publication period so that Active Directory replication can occur. You can adjust the overlap period for CRL publication by modifying the following registry settings (they follow the same pattern as ValidityPeriodUnits and ValidityPeriod: the Units value is the number and the Period value is the unit of measurement):
• CRLOverlapUnits. The number of units by which a CRL's lifetime is extended so that a client can obtain the updated CRL before the previous CRL expires. When this value is 0 (the default), the CA uses ten percent of the CRL validity period, up to a maximum of 12 hours. For example, if the CRL publication interval is two days, the default overlap is about five hours; if the interval is ten days, ten percent would be one day, so the 12-hour maximum applies instead.
• CRLOverlapPeriod. The unit of measurement (for example, Hours or Days) for the CRLOverlapUnits registry setting.
• ClockSkewMinutes. The value that is added to the overlap period to allow for time differences between clients and the CA. The default value is ten minutes.
The combination of these three registry settings ensures that a newly published CRL is distributed to all CRL distribution points before the previous CRL expires. They prevent a situation in which the previous CRL expires while replication latency is still preventing the new CRL from reaching the CRL distribution points.
Note The order in which the CDP and AIA extensions are listed is important
because the certificate chaining engine searches the URLs sequentially. Place
the LDAP URL first in the list.
Note This demonstration focuses on the concepts in this lesson and as a result
may not comply with Microsoft security recommendations.
What is the ModifyAIAandCDP.cmd?
ModifyAIAandCDP.cmd is a custom batch file that modifies the registry entries that store the CDP and AIA extensions. Modify the following settings for the file:
! The LDAP distinguished name of the forest root domain. This name is used in the LDAP URLs contained in the configuration naming context.
! The DNS name of the Web server. If you implement HTTP URLs, you must type the correct DNS name of the Web server that hosts the CRL and AIA.
5. Search for and replace all occurrences of WebServer with the DNS name of the Web server where the CDP and AIA are published.
6. Save all changes, and then close ModifyAIAandCDP.cmd.
7. Double-click C:\moc\2821\Labfiles\Module3\ModifyAIAandCDP.cmd.
Procedure for Publishing the CRL
You must publish the CRL to all configured LDAP and HTTP URLs for the CDP. To publish the CRL to the LDAP URL for the CDP:
1. Log on as a member of the Enterprise Admins group.
2. Type the following command:
certutil -dspublish -f CRLName.crl
To publish the CRL to the HTTP URL for the CDP, copy the CRLName.crl file to the virtual directory that the HTTP URL for the CDP refers to.
Warning If you receive an error message when you run the certutil command to publish the CRL, fix the CDP LDAP URL in the ModifyAIAandCDP.cmd command file, and then run the command file again.
Procedure for Publishing the CA Certificate
The CA certificate is published to the AIA URLs. To publish the CA certificate to the LDAP URL for the AIA:
1. Log on as a member of the Enterprise Admins group.
2. Type the following command:
certutil -dspublish -f CertName.crt [RootCA|SubCA]
If you are publishing the root CA certificate, type RootCA at the end of the command line. If you are publishing a policy CA or issuing CA certificate, type SubCA at the end of the command line.
To publish the CA certificate to the configured HTTP URL for the AIA, copy the CertName.crt file to the virtual directory that the HTTP URL for the AIA refers to.
Warning If you receive an error message when you run the certutil command to publish the CA certificate, fix the AIA LDAP URL in the ModifyAIAandCDP.cmd command file, and then run the command file again.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations. For instance, this
lab does not comply with the recommendation to implement an HSM storage
device for the protection of the private key material of the offline CA.
Estimated time to complete this lab: 45 minutes
Exercise 1
Defining CRL and AIA Publication Settings
In this exercise, you will complete the configuration of the offline root CA by defining the CRL
publication interval, ensuring that the CA certificate and CRL are available when the CA is offline,
and configuring the correct CRL and AIA publication URLs for all issued certificates.
Scenario
After you install the standalone root CA, you must modify the CDP and AIA extensions at the root
CA to refer to locations that are available when the standalone root CA is removed from the
network.
1. In the Certification Authority MMC, ensure that the CRL publication interval is set to 26 weeks for the root CA.
   a. Click Start, point to Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand Computer (where Computer is the NetBIOS name of the offline CA).
   c. In the console tree, right-click Revoked Certificates, and then click Properties.
   d. In the Revoked Certificates Properties dialog box, ensure that the CRL publication interval is 26 weeks.
   e. In the Revoked Certificates Properties dialog box, ensure that the Publish Delta CRLs check box is cleared, and then click OK.
Do not implement delta CRLs, because the publication of each delta CRL would require access to the
offline root CA in order to copy the delta CRL to an online publication location.
2. Review the default ldap:///, http://, and file://\\ URLs in the CRL distribution points (CDP) list on the Extensions tab of the Computer Properties dialog box.
   a. In the console tree, right-click Computer, and then click Properties.
   b. In the Computer Properties dialog box, on the Extensions tab, in the Select extension drop-down list, ensure that the box reads CRL Distribution Point (CDP).
   c. Review the default ldap:///, http://, and file://\\ URLs in the CRL distribution points (CDP) list.
What are the default CDP URLs?
D:\WINDOWS\system32\Certsrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Why should you not delete the URL that begins with D:\WINDOWS\system32\certsrv\certenroll?
The URL that begins with D:\WINDOWS\system32\certsrv\certenroll is where the updated CRL is
posted when you manually publish a CRL or when Certificate Services publishes the CRL at the CRL
publication interval.
3. Review the default ldap:///, http://, and file://\\ URLs in the Authority Information Access (AIA) list on the Extensions tab of the Computer Properties dialog box.
   a. On the Extensions tab, in the Select extension drop-down list, select Authority Information Access (AIA).
   b. Review the default ldap:///, http://, and file://\\ URLs.
What are the default AIA URLs?
D:\WINDOWS\system32\Certsrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
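The token substitution that the CA performs on these CDP and AIA templates, as an added worked example in Python (this is not code from the course or from Microsoft). The token names are the ones listed above; the values substituted for them ("+" for a delta CRL, "(n)" after a renewal, the LDAP ?objectClass suffixes), the sample CA rootca.nwtraders.msft / NWTradersRootCA and the Web host webserver.nwtraders.msft are assumptions, and long CA names, where the CA truncates and hashes <CATruncatedName>, are not modelled. The example also flags which expanded URLs a client can still reach once the root CA is unplugged, which is what Exercise 1 is about.

```python
"""Expand the CDP/AIA URL templates Certificate Services stores. Added example,
not course or Microsoft code; substituted values are assumptions about the
Windows Server 2003 CA (compare with the CA's CRLPublicationURLs registry value)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class CaInfo:
    server_dns_name: str          # <ServerDNSName>
    ca_name: str                  # <CaName>: sanitized CA common name
    configuration_container: str  # <ConfigurationContainer>, e.g. CN=Configuration,DC=...
    key_index: int = 0            # renewals with a NEW key; drives <CRLNameSuffix>
    cert_index: int = 0           # all renewals; drives <CertificateName>

    @property
    def server_short_name(self) -> str:   # <ServerShortName>: host part of the DNS name
        return self.server_dns_name.split(".")[0]

    @property
    def ca_truncated_name(self) -> str:   # <CATruncatedName>
        # Assumption: names of 32 characters or fewer are used as-is; the CA
        # truncates longer names and appends a hash, which is not modelled here.
        if len(self.ca_name) > 32:
            raise ValueError("CATruncatedName for long CA names is not modelled")
        return self.ca_name

def _suffix(index: int) -> str:
    return f"({index})" if index else ""

def tokens(ca: CaInfo, kind: str) -> dict:
    """Token values for a base CRL, a delta CRL or a CA certificate URL."""
    if kind not in ("base", "delta", "cert"):
        raise ValueError(f"unknown kind {kind!r}")
    delta = kind == "delta"
    crl_attr = "deltaRevocationList" if delta else "certificateRevocationList"
    return {
        "ServerDNSName": ca.server_dns_name,
        "ServerShortName": ca.server_short_name,
        "CaName": ca.ca_name,
        "CATruncatedName": ca.ca_truncated_name,
        "CertificateName": _suffix(ca.cert_index),
        "CRLNameSuffix": _suffix(ca.key_index),
        "DeltaCRLAllowed": "+" if delta else "",
        "ConfigurationContainer": ca.configuration_container,
        "CDPObjectClass": f"?{crl_attr}?base?objectClass=cRLDistributionPoint",
        "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
    }

TOKEN = re.compile(r"<(\w+)>")

def expand(template: str, ca: CaInfo, kind: str = "base") -> str:
    """Replace every <Token>; an unknown token is an error rather than left in place."""
    values = tokens(ca, kind)
    def sub(m):
        if m.group(1) not in values:
            raise ValueError(f"unknown token <{m.group(1)}> in {template!r}")
        return values[m.group(1)]
    return TOKEN.sub(sub, template)

def url_host(url: str) -> str:
    """Host a client would contact, or "" for serverless LDAP URLs and local paths."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return ""                                # local path such as D:\WINDOWS\...
    if scheme.lower() == "file":                 # file://\\host\share\name.crl
        return rest.lstrip("\\/").split("\\")[0].split("/")[0].lower()
    return (urlparse(url).hostname or "").lower()

def available_when_offline(url: str, ca: CaInfo) -> bool:
    """Can a client fetch this location while the CA host is off the network?
    Serverless ldap:/// URLs are answered by any domain controller; HTTP and
    file URLs only help if they point at a host other than the CA itself."""
    if url.lower().startswith("ldap:///"):
        return True
    host = url_host(url)
    return bool(host) and host not in (ca.server_dns_name.lower(), ca.server_short_name.lower())

def report(templates, ca: CaInfo, kind: str = "base") -> list:
    """[(expanded URL, usable while the CA is offline), ...]"""
    return [(u, available_when_offline(u, ca)) for u in (expand(t, ca, kind) for t in templates)]

DEFAULT_CDP = [  # the lab's default CDP list, with the LDAP entry on one line
    r"D:\WINDOWS\system32\Certsrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl",
    "ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,"
    "CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>",
    "http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl",
    r"file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl",
]
OFFLINE_ROOT_CDP = [  # what Exercise 1 works towards; webserver.nwtraders.msft is an assumed name
    DEFAULT_CDP[1],
    "http://webserver.nwtraders.msft/CertData/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl",
]

if __name__ == "__main__":
    # Constructed sample CA in the course's fictitious nwtraders.msft forest.
    root = CaInfo("rootca.nwtraders.msft", "NWTradersRootCA", "CN=Configuration,DC=nwtraders,DC=msft")
    for url, ok in report(DEFAULT_CDP, root) + report(OFFLINE_ROOT_CDP, root):
        print("usable offline" if ok else "NOT reachable ", url)
```

Run it and the three default URLs that name the root CA's own host come back as not reachable, while the serverless LDAP URL and the HTTP URL on a separate Web server pass; that is exactly the split the exercise asks you to produce before the root CA is taken off the network.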
8. Restart Certificate Services from the Certification Authority console and then close the console.
   a. Ensure that the Certification Authority console is the active window.
   b. In the console tree, right-click Computer, click All Tasks, and then click Stop Service.
   c. In the console tree, right-click Computer, click All Tasks, and then click Start Service.
   d. Close the Certification Authority console.
   e. Close all open windows.
Exercise 2
Publishing the CRL and AIA Information
In this exercise, you will publish the CA certificate and CRL information to the locations that are
referred to in the AIA and CDP extensions of issued certificates. By publishing the CRL and CA
certificate to these locations, you ensure that the certificate chaining engine can validate issued
certificates.
Scenario
After you modify the CDP and AIA extensions for issued certificates, you must publish the CRL
and CA certificate for the offline root CA to the LDAP and HTTP locations.
Important: Perform this procedure on the domain controller for your domain.
2. Install the Application Server component with the following subcomponents:
   • Enable network COM+ access
   • Internet Information Services (IIS)
      • Common Files
      • Internet Information Services Manager
      • World Wide Web Service
         • Active Server Pages
         • World Wide Web Service
   a. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
   b. On the Windows Components page, in the Components list, click the phrase Application Server (not the check box), and then click Details.
   c. In the Application Server dialog box, in the Subcomponents of Application Server list, select the Enable network COM+ access check box, click the phrase Internet Information Services (IIS) (not the check box), and then click Details.
   d. In the Internet Information Services (IIS) dialog box, in the Subcomponents of Internet Information Services (IIS) list, select the following subcomponent check boxes:
      • Common Files
      • Internet Information Services Manager
   e. In the Subcomponents of Internet Information Services (IIS) list, click the phrase World Wide Web Service (not the check box), and then click Details.
   f. In the World Wide Web Service dialog box, in the Subcomponents of World Wide Web Service list, select the following subcomponent check boxes:
      • Active Server Pages
      • World Wide Web Service
   g. In the World Wide Web Service dialog box, click OK.
   h. In the Internet Information Services (IIS) dialog box, click OK.
   i. In the Application Server dialog box, click OK.
   j. On the Windows Components page, click Next.
   k. Insert the Windows Server 2003 Enterprise Edition disk into the CD-ROM drive, if you have not already done so.
   l. If the Files Needed dialog box appears, in the Files Needed dialog box, in the Copy files from box, type x:\i386 (where x is the drive letter of your CD-ROM drive), and then click OK.
   m. On the Completing the Windows Components Wizard page, click Finish.
   n. Close the Add or Remove Programs dialog box.
   o. Close all open windows.
6. Open the URL http://WebServer/Legalpolicy/rootcps.htm in Internet Explorer.
   • In Internet Explorer, in the Address bar, type http://WebServer/Legalpolicy/rootcps.htm (where WebServer is the fully qualified domain name of your domain controller), and then press ENTER.
Yes. If correctly configured, the Certificate Practice Statement is now available from the http://WebServer/legalpolicy/rootcps.htm URL.
Yes. If correctly configured, the certificate revocation list is now available from the http://WebServer/CertData/Computer.crl URL.
8. Open the URL http://WebServer/CertData/Computer_Computer.crt.
   a. In the Certificate Revocation List dialog box, click OK.
   b. In Internet Explorer, in the Address bar, type http://WebServer/CertData/Computer_Computer.crt (where WebServer is the fully qualified domain name of your domain controller and Computer is the NetBIOS name of the CA server), and then press ENTER.
   c. In the File download dialog box, click Open.
No. Currently the CA certificate is trusted only by the offline root CA itself. The two computers that are members of the domain do not know or trust the offline root CA certificate, because the certificate does not chain to a root that they trust.
10. Log on as a member of the Enterprise Admins group and publish the CRL and CA certificate to Active Directory by using the following commands:
   • certutil -dspublish -f Computer.crl
   • certutil -dspublish -f Computer_Computer.crt RootCA
   a. At a command prompt, type cd \inetpub\wwwroot\Certdata and then press ENTER.
   b. To publish the latest CRL to Active Directory, at the command prompt, type certutil -dspublish -f Computer.crl (where Computer is the NetBIOS name of your offline root CA), and then press ENTER.
      Verify that the response to the certutil command states that the certutil -dspublish command was completed successfully.
   c. To publish the CA certificate to Active Directory, at the command prompt, type certutil -dspublish -f Computer_Computer.crt RootCA (where Computer is the NetBIOS name of your offline root CA), and then press ENTER.
      Verify that the response to the certutil command states that the certutil -dspublish command was completed successfully.
11. Force Group Policy application by running gpupdate /force.
   a. At the command prompt, type gpupdate /force and then press ENTER.
   b. Close the command prompt.
Yes. Publishing the root CA certificate with certutil -dspublish and the RootCA option places it in the Certification Authorities container (the forest's trusted root store) and in the AIA container of the configuration naming context. Domain members download it into their Trusted Root Certification Authorities store when Group Policy is applied, so the root CA certificate is now trusted by all domain members. The gpupdate /force command forced the application of Group Policy on the domain controller.
13. View the Issuer Statement for the CA certificate.
   a. In the Certificate dialog box, click Issuer Statement.
   b. In the Disclaimer dialog box, click More Info.
What appears in Internet Explorer? What is the benefit of using a Web-based URL for the issuer statement?
The Certificate Practice Statement appears in Internet Explorer. Because the certificate carries only the URL, you can update the CPS at that URL without reissuing the root CA certificate.
After you define the registry values, you must restart Certificate Services.
3. Configure the validity period of the Subordinate Certification Authority
certificate template. If the issuing CA is an enterprise CA, you can define
the validity period in the properties of the certificate template. The validity
period for a Subordinate Certification Authority certificate that is issued by
an enterprise CA is the lesser value of the validity period that is configured
in the certificate template or in the ValidityPeriodUnits and
ValidityPeriod registry settings.
For a standalone CA, you can define the certificate validity period for issued
certificates only by using the definition of ValidityPeriodUnits and
ValidityPeriod.
Submit the subordinate CA certificate request
When the installation is near completion, the submission of the CA certificate request varies depending on whether the parent CA in the CA hierarchy is an online or an offline CA.
! For an online parent CA, submit the request directly to the CA. In the drop-down list on the CA Certificate Request page, you can select any enterprise CA that is published in Active Directory. The requesting CA sends the certificate request directly to the parent CA, and the parent CA issues the Subordinate Certification Authority certificate immediately.
! For an offline parent CA:
a. Save the request to a .req file.
The .req file uses the PKCS #10 format. The subordinate CA request is generated with the key length that you designate in the Certificate Services wizard and includes only the public key of the CA's key pair; the private key never leaves the subordinate CA.
b. Submit the .req file on the offline CA.
c. Ensure that a certificate manager issues the pended certificate request.
d. Export the entire certificate path in PKCS #7 format.
Install the certificate on the enterprise CA
The final step in installing an enterprise CA is to install the CA certificate and start Certificate Services. The process varies depending on whether the subordinate CA submitted its certificate request to an enterprise CA or a standalone CA.
! When a subordinate CA sends a Subordinate Certification Authority certificate request to an enterprise CA, the parent CA returns the certificate immediately. Certificate Services automatically restarts after the certificate is installed.
! When a subordinate CA sends a Subordinate Certification Authority certificate request to a standalone CA, the PKCS #7 file that the standalone CA issued must be loaded on the subordinate CA. Certificate Services restarts after the PKCS #7 file is installed.
Note You must manually publish the CA certificate and CRL to the externally
accessible locations from the enterprise CA.
Internal users
The CDP and AIA extensions do not require modification if the certificate is validated only by internal accounts. By default, the CA certificate and CRL are published to:
! Active Directory. The CA certificate and CRL are published in the configuration naming context and are available for retrieval from any domain controller in the forest.
! Web service. The CA certificate and CRL are available from the Web service that is installed on the enterprise CA. Because the enterprise CA is online, any client can connect to the Web page URLs to download the latest CA certificate and CRLs to validate the path.
! The local path. The CA publishes the CA certificates and CRLs to the local \\CAName\CertEnroll share (where CAName is the NetBIOS name of the CA computer). You can copy the CRLs and CA certificate from this share to external locations.
Note This demonstration focuses on the concepts in this lesson and as a result
may not comply with Microsoft security recommendations.
Publication points that are correctly configured appear with an OK status. The
status column also indicates any problems the PKI Health Tool identifies for the
AIA or CDP extensions.
For example, if you type an incorrect URL for a CDP or AIA extension, the
status column reports that the CDP or AIA extension’s status as Unable to
Download. The status column also provides information if a CDP or AIA
extension is near expiration, or has already expired.
Procedure for resetting warning periods
To reset the warning periods for CA certificates, CRLs, and delta CRLs:
1. In the PKI Health Tool, in the console tree, right-click Enterprise PKI, and then click Options.
2. In the Options dialog box, change the CRL status to 7 days, and then click OK.
3. In the console tree, right-click BridgeCA, and then click Refresh.
The status column for the CDP locations changes to Expiring.
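A worked example in Python, added here and not code from the course or from Microsoft, that ties two passages of this module together: the CRLPeriod/CRLPeriodUnits, CRLOverlapPeriod/CRLOverlapUnits and ClockSkewMinutes registry settings described under CRL publication intervals, and the OK / Expiring / Expired status that the PKI Health Tool reports for a CDP location as shown in the procedure above. The formulas for ThisUpdate, Next CRL Publish and NextUpdate are assumptions stated in the docstring, and the publication time and registry values are constructed.

```python
"""CRL validity windows and CDP status. Added worked example, not course or
Microsoft code. Assumed formulas (compare with certutil -dump on a CRL from your CA):
    ThisUpdate       = publication time - ClockSkewMinutes
    Next CRL Publish = publication time + CRL period
    NextUpdate       = Next CRL Publish + overlap + ClockSkewMinutes
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UNIT = {"Minutes": timedelta(minutes=1), "Hours": timedelta(hours=1),
        "Days": timedelta(days=1), "Weeks": timedelta(weeks=1)}
MAX_DEFAULT_OVERLAP = timedelta(hours=12)


@dataclass(frozen=True)
class CrlRegistry:
    crl_period: str = "Weeks"        # CRLPeriod: unit of measurement
    crl_period_units: int = 1        # CRLPeriodUnits: number of units
    overlap_period: str = "Hours"    # CRLOverlapPeriod: unit of measurement
    overlap_units: int = 0           # CRLOverlapUnits: 0 = let the CA compute the default
    clock_skew_minutes: int = 10     # ClockSkewMinutes

    def period(self) -> timedelta:
        return self.crl_period_units * UNIT[self.crl_period]

    def overlap(self) -> timedelta:
        """Configured overlap, or ten percent of the CRL period capped at 12 hours."""
        if self.overlap_units:
            return self.overlap_units * UNIT[self.overlap_period]
        return min(self.period() / 10, MAX_DEFAULT_OVERLAP)

    def skew(self) -> timedelta:
        return timedelta(minutes=self.clock_skew_minutes)


@dataclass(frozen=True)
class CrlWindow:
    this_update: datetime
    next_crl_publish: datetime   # when the CA writes the successor CRL
    next_update: datetime        # when clients stop accepting this CRL


def plan_crl(reg: CrlRegistry, published_at: datetime) -> CrlWindow:
    """Compute the CRL fields the CA would write for a CRL published at published_at."""
    next_publish = published_at + reg.period()
    return CrlWindow(
        this_update=published_at - reg.skew(),
        next_crl_publish=next_publish,
        next_update=next_publish + reg.overlap() + reg.skew(),
    )


def covers_replication(win: CrlWindow, replication_latency: timedelta) -> bool:
    """True if the successor CRL, published at next_crl_publish, reaches every
    CDP (after Active Directory replication) before this CRL expires."""
    return win.next_crl_publish + replication_latency <= win.next_update


def cdp_status(win: CrlWindow, now: datetime,
               warn_before: timedelta = timedelta(days=7)) -> str:
    """Status as the PKI Health Tool reports it; warn_before mirrors its CRL
    warning-period option (set to 7 days in the procedure above)."""
    if now > win.next_update:
        return "Expired"
    if now > win.next_update - warn_before:
        return "Expiring"
    return "OK"


if __name__ == "__main__":
    published = datetime(2003, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample time
    for reg in (CrlRegistry(),                              # CA defaults: 1 week
                CrlRegistry("Days", 10),                    # 10% would be 1 day -> capped at 12 h
                CrlRegistry("Weeks", 26, "Days", 2)):       # offline root with explicit 2-day overlap
        win = plan_crl(reg, published)
        print(f"{reg.crl_period_units} {reg.crl_period}: overlap={reg.overlap()}, "
              f"NextUpdate={win.next_update:%Y-%m-%d %H:%M}, "
              f"8h replication covered={covers_replication(win, timedelta(hours=8))}, "
              f"status on 5 June={cdp_status(win, datetime(2003, 6, 5, tzinfo=timezone.utc))}")
```

The covers_replication check is the practical test behind the overlap setting: if your slowest replication path (or the time it takes to hand-carry a CRL from an offline root to the Web server) is longer than the overlap plus clock skew, clients will see an expired CRL and fail validation even though a fresh one exists.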
Procedure for deploying Windows Server 2003 enterprise CAs in a Windows 2000 forest
To deploy Windows Server 2003 enterprise CAs in a Windows 2000 forest:
1. Upgrade all Windows 2000 domain controllers to Service Pack (SP) 3 or later.
Windows 2000 SP3 applies modifications to the Windows 2000 operating system that Windows Server 2003 Certificate Services requires. These modifications are also required to run the adprep command to update the forest schema.
2. If you are running Exchange Server 2000, ensure that the Secretary and
LabeledURI attributes are protected against corruption by the
Windows Server 2003 schema extensions.
These attributes are also attributes of the InetOrgPerson class. They do not
match the RFC 2798 defined formats.
Note For information about how to modify the Secretary and LabeledURI
attributes to match the RFC 2798 defined formats see article Q314649,
“Windows Server 2003 ADPREP Command Causes Mangled Attributes in
Windows 2000 Forests That Contain Exchange 2000 Servers,” in the
Microsoft Knowledge Base at http://support.microsoft.com/
default.aspx?scid=kb;[LN];314649.
3. Run adprep /forestprep on the schema master for the forest by using the
Windows Server 2003 installation CD-ROM.
The adprep /forestprep command updates the schema of the
Windows 2000 forest with the schema modifications that Windows 2003
Certificate Services requires.
5. If there are multiple domains in your forest, create a custom universal group
that contains each domain’s Cert Publishers group. Assign the custom
universal group read and write permissions to the userCertificate attribute
for all user objects in each domain in the forest.
Note For more information about the procedures to assign these permissions, see article Q281271, "Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain," in the Microsoft Knowledge Base at http://support.microsoft.com/default.aspx?scid=kb;[LN];281271.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations. For instance, this
lab does not comply with the recommendation that the top two levels of the CA
hierarchy be offline.
Additional information
For more information about implementing a subordinate enterprise CA, see the white paper, Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure, under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 45 minutes
Exercise 1
Installing the Subordinate Enterprise CA
In this exercise, you will install an enterprise CA as a subordinate to the offline root CA that you
previously created. To simulate an offline CA, you will remove the root CA from the network by
unplugging its network cable.
Scenario
Northwind Traders requires an enterprise subordinate CA so that it can deploy certificates that are
based on Windows Server 2003 certificate templates.
Important: Perform this procedure on the offline CA computer for your organization.
1. Unplug the offline root CA computer from the classroom network.
   a. Remove the offline root CA computer from the network by unplugging the network cable.
   b. Leave the offline root CA computer turned on.
Important: Perform this procedure on the domain controller for your domain. You will require a
floppy disk for transporting the CA certificate request file between the offline root CA and the
subordinate enterprise CA that you are installing.
2. Install Certificate Services with the following options, and then save the request to a file named a:\request.req.
   • Enterprise subordinate CA
   • CSP: Microsoft Strong Cryptographic Provider
   • Hash algorithm: SHA-1
   • Key length: 2048
   • Common name: DomainCA
   a. Ensure you are logged on with the following credentials:
      • User name: Student1
      • Password: Password (where Password is the password for your administrative account)
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
   b. Insert a newly formatted floppy disk into the floppy disk drive.
   c. Insert the Windows Server 2003 Enterprise Edition disk into the CD-ROM drive, if you have not already done so.
   d. Click Start, click Control Panel, and then click Add or Remove Programs.
   e. In the Add or Remove Programs window, click Add/Remove Windows Components.
   f. On the Windows Components page, select the Certificate Services check box.
   g. In the Microsoft Certificate Services dialog box, click Yes.
   h. On the Windows Components page, click Next.
   i. On the CA Type page, click Enterprise subordinate CA, select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.
   j. On the Public and Private Key Pair page, set the following options:
      • CSP: Microsoft Strong Cryptographic Provider
      • Hash algorithm: SHA-1
      • Key length: 2048
   k. On the Public and Private Key Pair page, click Next.
   l. On the CA Identifying Information page, enter the following information:
      • Common Name for this CA: DomainCA (where Domain is the NetBIOS name of your domain from the table at the beginning of the lab)
      • Distinguished name suffix: ForestName (where ForestName is the LDAP distinguished name of your forest from the table at the beginning of the lab)
      Verify that the forest LDAP name that appears is the name of your forest.
   m. On the CA Identifying Information page, click Next.
   n. On the Certificate Database Settings page, accept the default settings, and then click Next.
   o. On the CA Certificate Request page, click Save the request to a file.
   p. In the Request file box, type a:\request.req and then click Next.
   q. In the Microsoft Certificate Services dialog box, click Yes to temporarily stop Internet Information Services.
   r. If the Files Needed dialog box appears, in the Files Needed dialog box, in the Copy files from box, type x:\i386 (where x is the drive letter of your CD-ROM drive), and then click OK.
   s. In the Microsoft Certificate Services message box, acknowledge that the CA installation is incomplete, and then click OK.
   t. On the Completing the Windows Components Wizard page, click Finish.
   u. Close the Add or Remove Programs dialog box.
   v. Remove the floppy disk that contains the certificate request file from the floppy drive.
Note SHA-1 is the hash algorithm this course was written around; it is no longer acceptable for CA signatures, and a CA deployed today should use SHA-256 or stronger.
Important: Perform this procedure only on the offline CA for your organization. You must use the
floppy disk that contains the certificate request file from the enterprise subordinate CA.
3. Ensure you are logged on as a local administrator of the root CA computer and then insert the floppy disk that contains the request.req file in the floppy drive.
   a. Ensure that you are logged on with the following credentials:
      • User name: Administrator
      • Password: P@ssw0rd
   b. Insert the floppy disk containing the certificate request file in the floppy disk drive.
4. In the Certification Authority console, request a new certificate by using the A:\request.req request file.
   a. Click Start, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, right-click Computer, point to All Tasks, and then click Submit new request.
   c. In the Open Request File dialog box, in the File name box, type A:\Request.req and then click Open.
5. In the Certification Authority console, issue the pending certificate request.
   a. In the console tree, expand Computer, and then click Pending Requests.
   b. In the details pane, right-click the pending certificate, point to All Tasks, and then click Issue.
6. Export the issued certificate to a PKCS #7 file named subca.p7b that includes all of the certificates in the certification path.
   a. In the console tree, click Issued Certificates.
   b. In the details pane, double-click the issued certificate.
   c. In the Certificate dialog box, on the Details tab, click Copy to File.
   d. On the Welcome to the Certificate Export Wizard page, click Next.
   e. On the Export File Format page, click Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), select the Include all certificates in the certification path if possible check box, and then click Next.
   f. On the File to Export page, in the File name box, type a:\subca.p7b and then click Next.
   g. On the Completing the Certificate Export Wizard page, click Finish.
   h. In the Certificate Export Wizard message box, click OK.
   i. In the Certificate dialog box, click OK.
   j. Close the Certification Authority console.
   k. Close all open windows.
   l. Remove the floppy disk that contains the certificate request file and the exported certificate from the floppy drive.
Important: Perform this procedure on the domain controller for your domain. Use the floppy disk that
contains the issued certificate from the offline root CA.
7. Install the CA certificate in the Certification Authority console by using the a:\subca.p7b file.
   a. Insert the floppy disk that contains the PKCS #7 file in the floppy drive.
   b. Click Start, click Administrative Tools, and then click Certification Authority.
   c. In the console tree, right-click DomainCA, point to All Tasks, and then click Install CA Certificate.
   d. In the Select file to complete CA installation dialog box, in the File name box, type a:\subca.p7b and then click Open.
   e. In the console tree, right-click DomainCA, point to All Tasks, and then click Start Service.
8. View the CA certificate for the DomainCA CA.
   a. In the Certification Authority console, in the console tree, expand DomainCA, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, click View Certificate.
The validity period is ten years, as defined in the ValidityPeriodUnits and ValidityPeriod registry entries of the root CA.
9. View the Certification Path tab.
   • In the Certificate dialog box, click the Certification Path tab.
What is the CA hierarchy path for your enterprise subordinate CA?
10. Close the Certificate dialog box and the DomainCA Properties dialog box.
   a. In the Certificate dialog box, click OK.
   b. In the DomainCA Properties dialog box, click OK.
11. Increase the validity period of issued certificates to 5 years by using certutil -setreg.
   a. Open a command prompt.
   b. At the command prompt, type certutil -setreg ca\ValidityPeriodUnits 5 and then press ENTER.
   c. At the command prompt, type certutil -setreg ca\ValidityPeriod "Years" and then press ENTER.
   d. Close the command prompt.
   The new values take effect only after Certificate Services is restarted, as noted earlier in this module. On an enterprise CA they set the upper limit; a certificate template that specifies a shorter validity period still wins.
Contents
Overview 1
Lesson: Introduction to PKI Management 2
Lesson: Managing Certificates 8
Lesson: Managing Certification Authorities 16
Lab A: Enabling Role Separation 24
Lesson: Planning for Disaster Recovery 40
Lab B: Backing Up and Restoring a Certification Authority 51
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Module 4: Managing a Public Key Infrastructure iii
Instructor Notes
Presentation: 60 minutes
Labs: 115 minutes
Managing a Public Key Infrastructure (PKI) means managing certificates and certification authorities (CAs) so that the PKI continues to function properly, including in the event of a disaster. Students learn to identify the PKI management roles that are required to perform typical CA and certificate management tasks, and how to recover a PKI in the event of a failure.
After completing this module, students will be able to:
! Describe the use of Common Criteria roles in PKI management.
! Perform certificate management tasks.
! Perform CA management tasks.
! Plan for disaster recovery of Certificate Services.
Required materials
To teach this module, you need Microsoft® PowerPoint® file 2821A_04.ppt.
Other Certificate Management Tasks
The Common Criteria Certificate Manager role does not perform all certificate management tasks. Ask students if they can identify other certificate management tasks, beyond those that are discussed in this topic.
When you describe these tasks, clarify that an individual who performs a
Common Criteria role can also perform the tasks that are described on this
page. The actual design decision is based on the security policy of the
organization—specifically, whether the organization allows one person to
perform two or more tasks.
Guidelines for Certificate Management: Discuss these guidelines with the class. Ask students for feedback about the guidelines to see if they recommend different practices for their organization.
If a student assigns two roles to the same security group in this lab (typically the CAAdmins or CertAdmins global groups), ask them to disable role separation (certutil -delreg ca\RoleSeparationEnabled) and remove the extra permission assignment. Be sure to remind the student to enable role separation afterwards (certutil -setreg ca\RoleSeparationEnabled 1).
This lab will take about one hour to complete. If the system state restoration
fails, students can restore Certificate Services from the manual backup files that
they created in the lab.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: The labs in this module require the creation of a custom MMC named Certificate Management to be saved on the desktop. To prepare student computers to meet this requirement, complete Module 1, “Overview of Public Key Infrastructure,” in Course 2821, Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2: The student in each student pair whose computer is the domain controller for their domain will perform the manual backup and System State backup. The other student in each student pair will observe the lab results.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A: At the completion of Lab A:
! The CAAdmins group is assigned Manage CA permission.
! The CertAdmins group is assigned Issue and Manage Certificates
permission.
! Role separation is enforced.
! Auditing is enabled on the enterprise subordinate CA.
Overview
Procedure for disabling role separation: To disable role separation, at the command prompt, type:
certutil -delreg ca\RoleSeparationEnabled
Important The change that the certutil command makes takes effect only after you restart Certificate Services on the CA.
3. On the Security tab, click Add, and then type the names of any domain
local groups that will be CA administrators.
4. Assign the users or groups Issue and Manage Certificates permission, and
then click OK.
Note For more information about key archival and recovery, see Module 7,
“Configuring Key Archival and Recovery,” in Course 2821, Designing and
Managing a Windows Public Key Infrastructure.
3. On the Security tab, click Add, and then type the names of the domain local
groups that will be CA administrators.
4. Assign the users or groups Manage CA permission, and then click OK.
Note For more information about how renewing a CA with a new key affects
certificate revocation and the names of CRLs, see the white paper,
Troubleshooting Certificate Status and Revocation, under Additional Reading
on the Web page on the Student Materials compact disc.
When you choose a key length for the CA’s key pair, ensure that the key length
is neither too short nor too long. Short key lengths can compromise the CA’s
private key. If you implement a long key length, it can take too much time for
the Cryptographic Service Provider (CSP) to generate key pairs. When you
renew a CA certificate, you can implement a longer key length if the previous
key length was too short. To protect a CA against attackers who attempt to
determine the private key based on the public key, always implement a key
length between 1024 and 4096 bits.
Although a CA that is approaching the end of its validity period issues
certificates that are valid for shorter periods of time, you must have a plan to
renew the CA certificate before it expires.
Note To ensure that you maintain role separation, do not assign the Manage
auditing and security log user right to members of the CA Administrators and
Certificate Managers groups on a CA.
Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations. For instance, the Issue and
Manage Certificates permission is assigned to a user account rather than to a
security group.
Additional information: For more information about enabling role separation in a Windows Server 2003 PKI, see the white paper, Windows Server 2003 PKI Operations Guide, under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 45 minutes
Exercise 1
Defining CA Administrators and Certificate Managers
In this exercise, you will modify the default permissions for the DomainCA (where Domain is the
NetBIOS name of your Active Directory domain) to enable role separation. You will designate the
CAadmins group as CA administrators and the CertAdmins group as certificate managers for your
enterprise subordinate CA and then enforce role separation.
Scenario
The security policy and the certificate policy for your organization require that you enable role
separation in your PKI. You must configure the enterprise subordinate CA to implement role
separation so that you can designate groups as CA administrators and certificate managers.
Important: Perform this procedure at the domain controller for your domain.
1. Log on by using your administrative account for your domain, and then open the Certification Authority console.
   a. Log on to the domain controller by using the following account information:
      • User name: Student1
      • Password: Password (where Password is the password assigned to your administrative account)
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
   b. Click Start, click Administrative Tools, and then click Certification Authority.
2. Display the current permission assignments for DomainCA.
   a. In the Certification Authority console, in the console tree, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, click the Security tab.
Which groups are designated as CA administrators and certificate managers? What permissions are the groups assigned?
The Administrators, Domain Admins and Enterprise Admins groups are designated as both CA
administrators and certificate managers. CA administrators are assigned the Manage CA permission
and certificate managers are assigned the Issue and Manage Certificates permission.
3. Assign the CAadmins group the Manage CA permission.
   a. In the DomainCA Properties dialog box, click Add.
   b. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type CA and then click Check Names.
   c. In the Multiple Names Found dialog box, in the Matching names list, select CAadmins, and then click OK.
   d. In the Select Users, Computers, or Groups dialog box, ensure that CAadmins appears in the Enter the object names to select box, and then click OK.
   e. In the DomainCA Properties dialog box, in the Group or user names list, select CAadmins, and then in the Permissions for CAadmins list, select the Allow check box for the Manage CA permission.
      The Request Certificates permission is automatically assigned to any security principals that were added to the discretionary access control list (DACL). You can leave this default permission assignment.
   f. In the DomainCA Properties dialog box, click Apply.
4. Assign the CertAdmins group the Issue and Manage Certificates permission.
   a. In the DomainCA Properties dialog box, click Add.
   b. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Cert and then click Check Names.
   c. In the Multiple Names Found dialog box, in the Matching names list, select CertAdmins, and then click OK.
   d. In the Select Users, Computers, or Groups dialog box, ensure that CertAdmins appears in the Enter the object names to select box, and then click OK.
   e. In the DomainCA Properties dialog box, in the Group or user names list, select CertAdmins, and then in the Permissions for CertAdmins list, select the Allow check box for the Issue and Manage Certificates permission.
   f. In the DomainCA Properties dialog box, click Apply.
5. Remove all permissions that are assigned to the Administrators, Domain Admins, and Enterprise Admins groups.
   a. In the DomainCA Properties dialog box, in the Group or user names list, select Administrators, and then click Remove.
   b. In the DomainCA Properties dialog box, in the Group or user names list, select Domain Admins, and then click Remove.
   c. In the DomainCA Properties dialog box, in the Group or user names list, select Enterprise Admins, and then click Remove.
   d. In the DomainCA Properties dialog box, click OK.
6. Enforce role separation by running C:\moc\2821\labfiles\module4\rolesep.cmd and then log off the network.
   a. At a command prompt, type C: and then press ENTER.
   b. At the command prompt, type cd \moc\2821\labfiles\module4 and then press ENTER.
   c. At the command prompt, type rolesep.cmd and then press ENTER.
   d. Close the command prompt.
   e. Close all open windows and then log off.
Exercise 2
Restricting Certificate Managers
In this exercise, you will implement restrictions that limit the groups that the CertAdmins group can
manage certificates for.
Scenario
The security policy of your organization requires that only a specific user account, Finance1, may
manage the certificates that are issued to members of the Finance department. You must enforce
this policy by implementing certificate manager restrictions.
Important: Perform this procedure only on the member server for your domain.
1. Log on as a CA administrator for your enterprise CA.
   Log on to the member server by using the following account information:
      • User name: CAAdmin2
      • Password: P@ssw0rd
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console focused on the enterprise CA for your domain.
   a. Click Start, click Administrative Tools, and then click Certification Authority.
   b. In the Microsoft Certificate Services message box, click OK.
   c. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   d. In the Certification Authority dialog box, click Another computer, and then click Browse.
   e. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   f. In the Certification Authority dialog box, click Finish.
3. Assign the Finance1 user account the Issue and Manage Certificates permission for the enterprise CA.
   a. In the console tree, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, on the Security tab, click Add.
   c. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type Fin and then click Check Names.
   d. In the Multiple Names Found dialog box, in the Matching names list, select Finance1, and then click OK.
   e. In the Select User, Computer, or Group dialog box, ensure that Finance1 appears in the Enter the object name to select box, and then click OK.
   f. In the DomainCA Properties dialog box, in the Group or user names list, select Finance1, and then in the Permissions for Finance1 list, select the Allow check box for the Issue and Manage Certificates permission.
   g. In the DomainCA Properties dialog box, click Apply.
4. Enable certificate manager restrictions so that the CertAdmins group cannot manage certificates for the FinanceDept global group.
   a. In the DomainCA Properties dialog box, on the Certificate Managers Restrictions tab, click Restrict certificate managers.
   b. In the Available certificate managers drop-down list, select Domain\CertAdmins.
   c. On the Certificate Managers Restrictions tab, click Add.
   d. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Fin and then click Check Names.
   e. In the Multiple Names Found dialog box, in the Matching names list, select FinanceDept, and then click OK.
   f. In the Select Users, Computers, or Groups dialog box, ensure that FinanceDept appears in the Enter the object names to select box, and then click OK.
   g. On the Certificate Managers Restrictions tab, in the Groups, users, or computers to manage list, select Domain\FinanceDept, and then click Deny.
5. Define certificate manager restrictions so that the Finance1 user account can only manage certificates that are issued to the FinanceDept group.
   a. In the Available certificate managers drop-down list, select Domain\Finance1.
   b. On the Certificate Managers Restrictions tab, in the Groups, users, or computers to manage list, select Everyone, and then click Remove.
   c. On the Certificate Managers Restrictions tab, click Add.
   d. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type Fin and then click Check Names.
   e. In the Multiple Names Found dialog box, in the Matching names list, select FinanceDept, and then click OK.
   f. In the Select User, Computer, or Group dialog box, ensure that FinanceDept appears in the Enter the object name to select box, and then click OK.
   g. In the DomainCA Properties dialog box, click OK.
   h. Close all open windows and then log off.
Exercise 3
Generating Certificate Requests
In this exercise, you will log on as different users in the domain and generate certificate requests by
using a batch file that uses the CertReq.exe certificate request command file.
Scenario
To simulate a network where several certificates are issued, you must log on to the network by
using different user accounts and execute a command file that requests user certificates from the
enterprise CA in your organization.
1. Log on as a member of the Finance department.
   Log on to your computer by using the following credentials:
      • User name: Finance1 (on the domain controller) or Finance2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
4. Log on as a member of the Accounting department.
   Log on to your computer by using the following credentials:
      • User name: Accounting1 (on the domain controller) or Accounting2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain
Exercise 4
Testing CA Administrator Tasks
In this exercise, you will log on as a user that has the Manage CA permission and attempt to
perform several CA and certificate management tasks.
Scenario
After enabling role separation for the issuing CA in your organization, you must determine what
tasks the CA administrators can perform for CA management and certificate management.
1. Log on as a member of the CAAdmins group.
   Log on to your computer by using the following credentials:
      • User name: CAAdmin1 (at the domain controller) or CAAdmin2 (at the member server)
      • Password: P@ssw0rd
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console.
   Click Start, click Administrative Tools, and then click Certification Authority.
   When you work on the member server in your domain, an error will appear, informing you that Certificate Services is not an installed service. You must retarget the console to the domain controller.
3. Retarget the Certification Authority console to manage the enterprise CA on the domain controller.
   a. In the Microsoft Certificate Services message box, click OK.
   b. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   c. In the Certification Authority dialog box, click Another computer, and then click Browse.
   d. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   e. In the Certification Authority dialog box, click Finish.
4. View the Security tab of the DomainCA Properties dialog box.
   a. In the console tree, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, click the Security tab.
5. View the Auditing tab of the DomainCA Properties dialog box.
   In the DomainCA Properties dialog box, click the Auditing tab.
Can you modify the audit settings for the CA?
No, only accounts that are assigned the Manage Audit and Security log user right can modify the
auditing properties of a CA.
6. View the CRL Publication properties.
   a. In the DomainCA Properties dialog box, click Cancel.
   b. In the console tree, expand DomainCA.
   c. In the console tree, right-click Revoked Certificates, and then click Properties.
Can you modify the CRL and delta CRL publication intervals?
Yes, a CA administrator can modify CRL and delta CRL publication intervals.
7. Attempt to publish an updated CRL or delta CRL.
   a. In the Revoked Certificates Properties dialog box, click Cancel.
   b. In the console tree, right-click Revoked Certificates, point to All Tasks, and then click Publish.
Yes, a CA administrator can publish CRLs and delta CRLs.
8. Attempt to revoke the certificate issued to Domain\Finance1.
   a. In the Publish CRL dialog box, click Cancel.
   b. In the console tree, click Issued Certificates.
   c. In the details pane, expand Requester Name, right-click the certificate with a requester name of Domain\Finance1, and then point to All Tasks.
No. Only users that are assigned the Issue and Manage Certificates permission for a CA can issue and
revoke certificates.
Exercise 5
Testing Certificate Manager Tasks
In this exercise, you will log on as a user with the Issue and Manage Certificates permission and
attempt various CA and certificate management tasks.
Scenario
After enabling role separation for the issuing CA in your organization, you must determine what
tasks the certificate managers can perform to manage CAs and certificates.
1. Log on as a member of the CertAdmins group.
   Log on to your computer with the following credentials:
      • User name: CertAdmin1 (on the domain controller) or CertAdmin2 (on the member server)
      • Password: P@ssw0rd
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console.
   Click Start, click Administrative Tools, and then click Certification Authority.
   When you work on the member server in your domain, an error will appear, informing you that Certificate Services is not an installed service. You must retarget the console to the domain controller.
3. Retarget the Certification Authority console to manage the enterprise CA on the domain controller.
   a. In the Microsoft Certificate Services message box, click OK.
   b. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   c. In the Certification Authority dialog box, click Another computer, and then click Browse.
   d. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   e. In the Certification Authority dialog box, click Finish.
4. View the Security tab of the DomainCA Properties dialog box.
   a. In the console tree, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, click the Security tab.
No, only CA administrators can modify the permissions for the CA.
5. View the CRL Publication properties.
   a. In the DomainCA Properties dialog box, click Cancel.
   b. In the console tree, expand DomainCA, right-click Revoked Certificates, and then click Properties.
Can you modify the CRL and delta CRL publication intervals?
No, only CA administrators can modify CRL and delta CRL publication intervals.
6. Attempt to publish an updated CRL or delta CRL.
   a. In the Revoked Certificates Properties dialog box, click Cancel.
   b. In the console tree, right-click Revoked Certificates, and then point to All Tasks.
No, only CA administrators can publish CRLs and delta CRLs.
No. Certificate manager restrictions are in place, and only Finance1 is assigned the permission to
revoke certificates that are issued to the Finance department.
8. Attempt to revoke the certificate issued to Domain\Accounting1 or Domain\Accounting2.
   a. In the Microsoft Certificate Services dialog box, click OK.
   b. In the console tree, click Issued Certificates.
   c. In the details pane, right-click the certificate specified below, point to All Tasks, and then click Revoke Certificate.
      • Domain controller: Domain\Accounting1
      • Member server: Domain\Accounting2
   d. In the Certificate Revocation dialog box, in the Reason code drop-down list, select Key Compromise, and then click Yes.
Yes. Certificate manager restrictions allow you to revoke any certificate that is not issued to a member
of the FinanceDept group.
Exercise 6
Enabling Certificate Services Auditing
In this exercise, you will continue to implement role separation by defining auditors and auditing
settings for Certificate Services. You will enable Certificate Services auditing so that all CA
administration and certificate management tasks are recorded in the security event log.
Scenario
The written security policy of your organization requires that separate auditors review all CA
administration and certificate management tasks that are recorded in the Windows Server 2003
event logs. You must delegate the auditing user rights to a designated group of users.
Important: Perform this procedure on the domain controller for your domain.
1. Log on with your administrative account for your domain.
   Ensure that you are logged on with the following credentials:
      • User name: Student1
      • Password: Password (where Password is the password assigned to your administrative account)
      • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. View the User Rights Assignment policy in the Domain Controller Security Policy.
   a. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
   b. In the console tree, expand Local Policies, and then click User Rights Assignment.
   c. In the details pane, double-click Manage auditing and security log.
Which security groups are assigned the Manage auditing and security log user right?
The Domain\Exchange Enterprise Servers and Administrators security groups are assigned the Manage auditing and security log security policy setting.
3. Assign the Domain\Auditors group the Manage auditing and security log user right.
   a. In the Manage auditing and security log Properties dialog box, click Add User or Group.
   b. In the Add User or Group dialog box, click Browse.
   c. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Audit and then click Check Names.
   d. In the Multiple Names Found dialog box, in the Matching names list, select Auditors, and then click OK.
   e. In the Select Users, Computers, or Groups dialog box, verify that Auditors appears in the Enter the object names to select box, and then click OK.
   f. In the Add User or Group dialog box, verify that Domain\Auditors appears in the User or group names box, and then click OK.
   g. In the Manage auditing and security log Properties dialog box, click OK.
4. Enable success and failure auditing for object access.
   a. In the console tree, click Audit policy.
   b. In the details pane, double-click Audit object access.
   c. In the Audit object access Properties dialog box, select the Define these policy settings, Success, and Failure check boxes, and then click OK.
   d. Close the Default Domain Controller Security Settings window.
5. Update Group Policy settings and then log off.
   a. At a command prompt, type gpupdate /force and then press ENTER.
   b. Close the command prompt.
   c. Close all open windows and then log off.
6. Log on as a member of the Auditors group for your domain.
   Log on to the member server with the following account information:
      • User name: Auditor2
      • Password: P@ssw0rd
      • Domain: Domain
7. Open the Certification Authority console so that it manages the enterprise CA for your domain.
   a. Click Start, click Administrative Tools, and then click Certification Authority.
   b. In the Microsoft Certificate Services message box, click OK.
   c. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   d. In the Certification Authority dialog box, click Another computer, and then click Browse.
   e. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   f. In the Certification Authority dialog box, click Finish.
8. In the properties of the DomainCA, enable all auditing events.
   a. In the console tree, right-click DomainCA, and then click Properties.
   b. In the DomainCA Properties dialog box, on the Auditing tab, in the Events to audit list, select all check boxes.
   c. In the Microsoft Certificate Services message box, click OK.
   d. In the DomainCA Properties dialog box, click OK.
   e. Close the Certification Authority console.
   f. Close all open windows and then log off.
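As an added check that is not part of the course materials, the PowerShell script below reads the Certificate Services registry configuration on the CA and reports whether role separation is enforced and which of the seven audit categories are selected, so the end state of Lab A (role separation enforced, auditing enabled) can be verified without clicking through the console. It assumes it runs on the CA with local administrator rights and that the AuditFilter bit values listed follow the documented Certificate Services audit filter constants.

```powershell
# Added example, not part of Course 2821: verify the Lab A end state on the CA.
# Assumptions: runs locally on the CA as an administrator; the AuditFilter bit
# values below follow the documented Certificate Services audit filter constants.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The "Active" value names the CA whose subkey "certutil -getreg CA\<Name>" reads.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$config = Get-ItemProperty -Path (Join-Path $configKey $caName)

# One bit per check box on the Auditing tab; 127 means every event is audited.
$auditBits = @(
    @{ Bit = 1;  Name = 'Start and stop Certificate Services' },
    @{ Bit = 2;  Name = 'Back up and restore the CA database' },
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' },
    @{ Bit = 8;  Name = 'Revoke certificates and publish CRLs' },
    @{ Bit = 16; Name = 'Change CA security settings' },
    @{ Bit = 32; Name = 'Store and retrieve archived keys' },
    @{ Bit = 64; Name = 'Change CA configuration' }
)

$findings = @()

# Role separation is enforced only when the value exists and is 1
# (certutil -setreg ca\RoleSeparationEnabled 1); certutil -delreg removes it.
$roleSep = $config.PSObject.Properties['RoleSeparationEnabled']
if ($roleSep -and $roleSep.Value -eq 1) {
    "OK   Role separation is enforced on $caName"
} else {
    $findings += 'Role separation is not enforced (RoleSeparationEnabled missing or 0).'
}

# AuditFilter is absent until at least one event is selected on the Auditing tab.
$filter = 0
$auditProp = $config.PSObject.Properties['AuditFilter']
if ($auditProp) { $filter = [int]$auditProp.Value }
foreach ($entry in $auditBits) {
    if (($filter -band $entry.Bit) -eq 0) {
        $findings += "Audit category not enabled: $($entry.Name) (bit $($entry.Bit))"
    }
}

# The filter only selects events; they reach the security log when Audit object
# access (Success and Failure) is also set in the Domain Controller Security
# Policy (Exercise 6, step 4), which this script does not read.
"NOTE Confirm Audit object access is enabled in the Domain Controller Security Policy."

if ($findings.Count -eq 0) {
    "OK   AuditFilter = $filter (all seven audit categories enabled)"
    exit 0
}
$findings | ForEach-Object { "FAIL $_" }
exit 1
```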
Important Only use disaster recovery after you have attempted to repair your
system by using Safe Mode, the Recovery Console, and the Emergency Repair
Process.
Disaster recovery for CAs: Disaster recovery includes preparing for system problems and collecting information about system repair and recovery options. For Certificate Services, implement disaster recovery plans when:
! Certificate Services fail. Certificate Services may not start when incorrect
versions of the Certificate Services files exist on the CA, or when an
executable or dynamic link-library (DLL) is corrupted on the CA.
! The CA is configured incorrectly. Incorrect configuration of the CA can
cause Certificate Services to fail to start. You can restore the CA to its
previous, approved state by performing disaster recovery.
Disaster recovery planning: In your disaster recovery planning, ensure that you plan for CA restoration. The disaster recovery plan must include the following information:
! Recovering from hardware failure. Based on the security policy of your
organization, determine the solution for recovering from hardware failure.
You can maintain duplicate hardware for a recovery CA or keep duplicate
devices for key components of the CA, such as the CPU or motherboard.
! Recovering from a compromised CA. If a CA is compromised, your disaster
recovery plan must include plans for rebuilding the CA and also what you
will do with the issued certificates. Typically, you revoke the currently
issued certificates and issue new ones.
! Minimizing the risk of a CA failure. Manage the risk of hardware failure by
implementing hardware redundancy. For example, install the CA database
on either a redundant array of independent disks (RAID) 0+1 or RAID 5
volume to prevent CA failure due to a single disk failure.
Tip You can document the names registered by the CA in Active Directory by recording the output of the certutil -v -ds command. Consider redirecting the output of the command to a text file for future reference.
Database paths: Certificate Services uses local storage for its database, configuration data, backup data, and logging data. You can specify locations for the database and log file during the setup of the CA, or you can change them later manually. When you document database paths, include the following information:
! Database path. For best performance, the CA database should be stored on
a disk drive separate from the operating system. For best performance, store
the CA database on a hardware RAID 5 or hardware RAID 0+1 volume set.
These volume sets maximize disk throughput and enable you to recover the
CA database in the event of a single disk failure.
! Backup location of the CA database. If you back up the CA database by
using the Certification Authority Backup Wizard, document the path that the
backed up database is saved to. This way, you can recover the CA in the
event of CA failure by using the backed up files.
! Log file location. Store the CA log files on a separate disk drive from the
operating system. For best performance, store the log files on a volume that
implements hardware RAID 1 mirroring.
Note The key pair is included in the System State backup, but is not stored as a
separate PKCS #12 file. Backing up the key pair allows you to reinstall the CA
by using the same key pair.
Software CSPs: If you use software CSPs, the CA’s private key is stored in the local computer’s certificate store. You can back up the CA’s key pair and certificate by exporting the certificate by using the Certificates console, or by using the certutil -backupkey command.
Procedure for backing up private and public keys when using software CSPs: To export the CA certificate and associated private key to a PKCS #12 file:
1. Ensure that you are logged on as a CA administrator.
2. On the CA, open a command prompt.
3. At the command prompt, type certutil -backupkey folder (where folder is the name of the folder in which the PKCS #12 file will be created).
4. At the Enter new password prompt, type a password for the PKCS #12 file.
5. At the Confirm new password prompt, retype the password for the PKCS #12 file.
6. Ensure that the CAName.p12 file (where CAName is the name of the CA) exists in folder.
Note When you export the CA certificate and private key by using certutil -backupkey, the PKCS #12 file uses the .p12 extension, instead of the .pfx extension. The content of the file is the same, despite the different extension.
Hardware CSPs: If you use a hardware CSP, use the backup software that is included with the hardware device to back up the CA’s key pair. Because you may back up the key pair in a proprietary format, ensure that you can restore the certificate and private key in the event of hardware failure by taking the following actions:
! Back up the certificate and private key to multiple backup media. This way,
you protect against failure of the backed up media. Restore the backups to
verify that they are successful.
! Maintain a redundant Hardware Security Module (HSM) device so that you
protect against failure of the HSM hardware. If the hardware fails, you can
attach the backup device to the CA and then import the certificate and
private key.
Restoring from a manual backup: You can also restore Certificate Services by using the Certificate Services Backup Wizard to restore a previous manual backup of Certificate Services. During the restore procedure, you must designate which backup folder contains the manual backup of the CA database.
Procedure to restore from a manual backup: To restore Certificate Services from a manual backup:
1. Log on as a member of the Backup Operators group.
2. Open a command prompt.
3. At the command prompt, type:
certutil -restore BackupDirectory
After you restore the CA manually, you must perform the following tasks:
! Restore the Microsoft IIS metabase. This step is only required if the
metabase was lost or corrupted along with the Certificate Services
information. Unless you restore the metabase, you cannot load the
Certificate Services Web pages.
! Restore all registry settings. The manual restoration does not include any
Certificate Services registry settings. It is recommended that you create a
script of all registry settings by using the following command:
Certutil –setreg CA\Registrykey Value
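One way to produce the registry script that the second post-restore task calls for, shown here as an added example and not as course material or a Microsoft tool: the snippet reads the active CA's configuration key and writes one certutil -setreg line per value, so the settings that certutil -restore does not bring back can be replayed afterwards. It is written in Windows PowerShell rather than the cmd batch the course uses, it assumes it runs on the CA itself with local administrator rights, and the output path is an arbitrary choice for this example. REG_BINARY values (for example the CA's security descriptor) are not expressible as a plain -setreg argument, so they are written out as rem lines flagged for manual handling.

```powershell
# Added example, not part of the course: export the active CA's registry
# configuration as a replayable "certutil -setreg" command file.
# Assumptions: runs on the CA with local administrator rights; $OutFile is
# an arbitrary path chosen for this example.
param(
    [string]$OutFile = 'C:\temp\CARegistrySettings.cmd'
)

$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active   # name of the active CA
$caKey     = Join-Path -Path $configKey -ChildPath $caName

# Turn one registry value into the certutil -setreg line that re-creates it.
# Multi-string values use "\n" as the separator, which is how certutil
# expects REG_MULTI_SZ input on the command line.
function ConvertTo-SetRegLine([string]$Name, $Value) {
    if ($Value -is [int] -or $Value -is [long]) {
        return "certutil -setreg CA\$Name $Value"
    }
    if ($Value -is [string]) {
        return "certutil -setreg CA\$Name `"$Value`""
    }
    if ($Value -is [string[]]) {
        return "certutil -setreg CA\$Name `"$($Value -join '\n')`""
    }
    # REG_BINARY and anything else: flag for manual handling rather than guess
    return "rem MANUAL: $Name is $($Value.GetType().Name); not exported"
}

$lines = @(
    '@echo off',
    "rem Re-apply registry settings for CA `"$caName`" after certutil -restore",
    "rem Generated $(Get-Date -Format s) on $env:COMPUTERNAME"
)
$props = (Get-ItemProperty -Path $caKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' }        # drop PowerShell provider metadata
foreach ($p in $props) {
    if ($null -eq $p.Value) { continue }
    $lines += ConvertTo-SetRegLine -Name $p.Name -Value $p.Value
}
$lines | Set-Content -Path $OutFile -Encoding Ascii
Write-Output "Wrote $($lines.Count - 3) settings to $OutFile"
```

Run it before taking the manual backup and store the generated .cmd file with the backup set. Only the CA's top-level configuration key is covered; the CSP, PolicyModules and ExitModules subkeys hold their own settings and would need the same treatment with the matching certutil -setreg prefix.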
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Additional information: For more information about backing up and restoring a CA, see the white
paper, Windows Server 2003 PKI Operations Guide, under Additional Reading on the Web page on
the Student Materials compact disc.
Estimated time to complete this lab: 60 minutes
Exercise 1
Determining Backup Privileges
In this exercise, you will determine which users are assigned backup and restore user rights and
whether role separation rules are violated in the default user rights assignments.
Scenario
You have attempted to back up the CA database and private key by using your domain
administrator account.
1. Log on to the network by using your domain administrator account.
   Log on to the member server with the following account information:
   • User name: Student2
   • Password: Password (where Password is the password that is assigned to your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create an MMC with Group Policy Object Editor with the Default Domain Controllers Policy loaded.
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add/Remove Snap-in dialog box, click Add.
   d. In the Add Standalone Snap-in dialog box, in the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.
   e. In the Select Group Policy Object dialog box, click Browse.
   f. In the Browse for a Group Policy Object dialog box, on the All tab, click Default Domain Controllers Policy, and then click OK.
   g. In the Select Group Policy Object dialog box, click Finish.
   h. In the Add Standalone Snap-in dialog box, click Close.
   i. In the Add/Remove Snap-in dialog box, click OK.
3. View the User Rights Assignment policy for Domain Controller Security Policy.
   a. In the console tree, expand Default Domain Controllers Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
   b. In the details pane, double-click Back up files and directories.
Which security groups are assigned the Back up files and directories user right?
The Administrators, Backup Operators, and Server Operators security groups are assigned the Back
up files and directories user right. Server Operators may appear as a SID (*S-1-5-32-549).
4. View the properties for the Back up files and directories user right in Domain Controller Security Policy.
   a. In the Back up files and directories Properties dialog box, click OK.
   b. In the details pane, double-click Restore files and directories.
Which security groups are assigned the Restore files and directories user right?
The Administrators, Backup Operators, and Server Operators security groups are assigned the
Restore files and directories user right. Server Operators may appear as a SID (*S-1-5-32-549).
5. View the properties for the Manage auditing and security log user right in Domain Controller Security Policy.
   a. In the Restore files and directories Properties dialog box, click OK.
   b. In the details pane, double-click Manage auditing and security log.
Which security groups are assigned the Manage auditing and security log user right?
The Domain\Exchange Enterprise Servers, Domain\Auditors, and Administrators groups are assigned the
Manage auditing and security log user right. Domain\Auditors was assigned the Manage auditing
and security log user right in Lab A of this module.
Which group members are blocked from managing any aspect of the CA when role separation is enforced?
Administrators are blocked. A security principal cannot hold two of the four predefined roles: auditor,
backup operator, CA administrator, or certificate manager.
6. Close all open windows and log off the network.
   a. In the Manage auditing and security log Properties dialog box, click OK.
   b. Close the MMC without saving changes.
   c. Close all open windows and then log off.
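The check this exercise performs by hand can be scripted. The following is an added example, not course material: it parses the [Privilege Rights] section of a secedit export to find who holds the backup operator rights (SeBackupPrivilege, SeRestorePrivilege) and the auditor right (SeSecurityPrivilege), takes the CA administrator and certificate manager assignments as hand-supplied lists, and reports every principal that would hold two of the four roles once role separation is enforced. The INF text, the SID-to-name table and the NWTRADERS group names are constructed sample data; on a real domain controller the INF would come from "secedit /export /cfg <file>" against the Default Domain Controllers Policy.

```powershell
# Added example, not part of the course: list principals that would hold two
# of the four CA roles once Common Criteria role separation is enforced.
# Backup operator and auditor are derived from user rights in a secedit
# export; CA administrator and certificate manager are supplied by hand.
# The INF text and the group names below are constructed sample data.
$SampleInf = @'
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeSecurityPrivilege = *S-1-5-32-544,NWTRADERS\Auditors,NWTRADERS\Exchange Enterprise Servers
'@

# Well-known SIDs that "secedit /export /cfg <file>" emits with a leading *
$WellKnownSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

# Return the principals listed for one privilege in the INF text.
function Get-PrivilegeHolders([string]$InfText, [string]$Privilege) {
    $holders = @()
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match "^\s*$Privilege\s*=\s*(.*)$") {
            foreach ($entry in ($Matches[1] -split ',')) {
                $p = $entry.Trim()
                if ($p.StartsWith('*')) {
                    $sid  = $p.Substring(1)
                    $name = if ($WellKnownSids.ContainsKey($sid)) { $WellKnownSids[$sid] } else { $sid }
                    $holders += $name
                } elseif ($p) {
                    $holders += $p
                }
            }
        }
    }
    return $holders
}

# Invert role -> principals into principal -> roles and keep the conflicts.
function Get-RoleConflicts([hashtable]$RoleHolders) {
    $rolesByPrincipal = @{}
    foreach ($role in $RoleHolders.Keys) {
        foreach ($p in $RoleHolders[$role]) {
            if (-not $rolesByPrincipal.ContainsKey($p)) { $rolesByPrincipal[$p] = @() }
            if ($rolesByPrincipal[$p] -notcontains $role) { $rolesByPrincipal[$p] += $role }
        }
    }
    foreach ($entry in $rolesByPrincipal.GetEnumerator()) {
        if ($entry.Value.Count -ge 2) {
            [pscustomobject]@{ Principal = $entry.Key; Roles = ($entry.Value -join ', ') }
        }
    }
}

$backup = @(Get-PrivilegeHolders $SampleInf 'SeBackupPrivilege') +
          @(Get-PrivilegeHolders $SampleInf 'SeRestorePrivilege') | Select-Object -Unique
$roles = @{
    'Backup operator'     = $backup
    'Auditor'             = Get-PrivilegeHolders $SampleInf 'SeSecurityPrivilege'
    'CA administrator'    = @('NWTRADERS\CAAdmins')       # constructed
    'Certificate manager' = @('NWTRADERS\CertManagers')   # constructed
}
Get-RoleConflicts $roles | Format-Table -AutoSize
# On the sample data this reports BUILTIN\Administrators holding
# "Backup operator, Auditor", which is why the lab's answer says
# Administrators are blocked when role separation is enforced.
```

The script compares group names only; it does not expand nested membership, so a user who is a member of both Backup Operators and a CA administrator group would need the groups resolved first to be caught.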
Exercise 2
Backing Up Certificate Services
In this exercise, you will back up the CA’s database and private key by using the certutil
command. You use this command in a custom script to back up the CA private key and CA
database.
Scenario
To protect your organization from the failure of the enterprise CA, you must back up the CA’s
private key and CA database to ensure that the CA can be restored in the event of a CA failure.
Important: Perform this procedure on the domain controller for your domain.
1. Log on as a member of the Backup Operators group.
   Log on to the domain controller with the following account information:
   • User name: Backup1
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
The command created a backup of the CA’s private key (DomainCA.p12) and a backup of the CA
database in the C:\temp\DataBase folder.
Exercise 3
Removing the CA’s private key from the CA certificate store
In this exercise, you will delete the CA’s private key to simulate the corruption or loss of the CA’s
private key from the CA’s local machine store.
Scenario
Your organization has experienced a corruption on the hard disk. The corruption has caused the loss
of the CA’s private key pair, which is preventing certificate services from starting.
Important: Perform this procedure on the domain controller for your domain.
1. Log on by using your administrative account for your domain.
   Log on to the domain controller by using the following account information:
   • User name: Student1
   • Password: Password (where Password is the password assigned to your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Remove the private key for the Subordinate Certification Authority certificate from the local machine store, and then delete the certificate.
   a. On the desktop, open the Certificate Management console.
   b. In the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
   c. In the details pane, right-click Subordinate Certification Authority, point to All Tasks, and then click Export.
      You must scroll to the right and expand the column width to view the Certificate Template column.
   d. On the Welcome to the Certificate Export Wizard page, click Next.
   e. On the Export Private Key page, click Yes, export the private key, and then click Next.
   f. On the Export File Format page, select the following options:
      • Personal Information Exchange – PKCS #12 (.PFX)
      • Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)
      • Delete the private key if the export is successful
   g. On the Export File Format page, click Next.
   h. On the Password page, type P@ssw0rd in the Password and Confirm password dialog boxes, and then click Next.
   i. On the File to Export page, in the Filename box, type c:\temp\issuingca and then click Next.
3. Log on using your administrative account for your domain.
   Log on to the member server by using the following account information:
   • User name: CAadmin2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
4. Open the Certification Authority console with the console connected to the enterprise CA in your domain.
   a. Click Start, click Administrative Tools, and then click Certification Authority.
   b. In the Microsoft Certificate Services message box, click OK.
   c. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   d. In the Certification Authority dialog box, click Another computer, and then click Browse.
   e. In the Select Certification Authority dialog box, click DomainCA, and then click OK.
   f. In the Certification Authority dialog box, click Finish.
5. Restart Certificate Services in the Certification Authority console.
   a. In the console tree, right-click DomainCA, point to All Tasks, and then click Stop Service.
   b. In the console tree, right-click DomainCA, point to All Tasks, and then click Start Service.
Does Certificate Services start successfully if the CA’s private key is deleted or corrupted?
No, a message appears, stating that the Keyset does not exist on the CA.
6. Minimize the Certification Authority console.
   a. In the Microsoft Certificate Services message box, click OK.
   b. Minimize the Certification Authority console.
Exercise 4
Restoring the System State Backup
In this exercise, you will restart the domain controller in Active Directory Restore Mode and restore
the System State backup. The restoration will restore the CA’s private key to the machine store of
the domain controller.
Scenario
To recover from the failure of certificate services, you will restore the CA configuration data and
CA database by performing a System State restore.
Important: Perform this procedure at the domain controller for your domain.
1. Ensure you are logged on by using your administrative account for your domain.
   Ensure you are logged on to the domain controller with the following account information:
   • User name: Student1
   • Password: Password (where Password is the password assigned to your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Remove the Windows Server 2003 compact disc from the CD-ROM drive and restart the domain controller with the shutdown event tracker reason of Security Issue.
   a. If the Windows Server 2003 compact disc is in the CD-ROM drive, remove the compact disc from the CD-ROM drive.
   b. Click Start, and then click Shut Down.
   c. In the Shut Down Windows dialog box, in the What do you want the computer to do? drop-down list, select Restart.
   d. In the Option drop-down list, select Security Issue, and then click OK.
3. Restart the domain controller in Directory Services Restore Mode.
   a. When the computer restarts, press F8 to display the Windows Advanced Options menu.
   b. On the Windows Advanced Options menu, select Directory Services Restore Mode (Windows domain controllers only), and then press ENTER.
   c. In the Please select the operating system to start screen, press ENTER.
Does the recovery of System State data always require restarting the enterprise CA in Directory Services
Restore Mode?
No, you must only restart the enterprise CA in Directory Services Restore Mode when the enterprise
CA is installed on a domain controller.
4. Log on to the domain controller as Administrator with a password of P@ssw0rd.
   a. Log on to the domain controller by using the following account information:
      • User name: Administrator
      • Password: P@ssw0rd
   b. In the Desktop message box, click OK.
6. Ensure you are logged on by using your administrative account for your domain.
   Ensure you are logged on to the member server by using the following account information:
   • User name: CAadmin2
   • Password: P@ssw0rd
   • Domain: Domain
7. After the domain controller restarts, ensure that you can start Certificate Services successfully on the enterprise CA.
   a. Wait until the domain controller restarts.
   b. Open the Certification Authority console.
   c. In the console tree, right-click DomainCA, and then click Refresh.
Did the CA start after the System State backup was restored?
Yes. The restore of the System State backup restores the CA’s private key to the CA local machine
store.
8. Close all open windows and log off the network.
   a. Close the Certification Authority console.
   b. Close all open windows and log off the network.
Module 5: Configuring Certificate Templates
Contents
Overview 1
Lesson: Introduction to Certificate Templates 2
Lab A: Delegating Certificate Template Management 8
Lesson: Designing and Creating Certificate Templates 13
Lab B: Designing a Certificate Template 25
Lesson: Publishing a Certificate Template 31
Lesson: Managing Changes in a Certificate Template 35
Lab C: Configuring Certificate Templates 40
Instructor Notes
Presentation: 60 minutes
Labs: 75 minutes
Certificate templates are rules or profiles that define the content of certificates that Microsoft
enterprise certification authorities issue. These rules can be either simple or complex and may
apply to all users or specific groups of users. This module introduces students to certificate
templates and how to design certificate templates. They will also learn about creating,
publishing, and changing certificate templates.
After completing this module, students will be able to:
! Describe the function of certificate templates in a Microsoft®
Windows Server™ 2003 public key infrastructure (PKI).
! Design and create a certificate template.
! Publish a certificate template.
! Replace an existing certificate template with an updated certificate template.
Required materials: To teach this module, you need Microsoft PowerPoint® file 2821A_05.ppt.
The students will only encounter problems with this lab if they do not correctly modify the
DelegateTemplates.cmd command file.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: The labs in this module require that a CA hierarchy with an offline root CA
and an enterprise subordinate CA exist.
! Complete Lab A, Lab B, and Lab C in Module 3, “Creating a Certification
Authority Hierarchy,” in Course 2821, Designing and Managing a Windows
Public Key Infrastructure.
Setup requirement 2: All of the procedures in the lab assume that Common Criteria role separation
is enforced.
! Complete Lab A in Module 4, “Managing a Public Key Infrastructure,” in
Course 2821, Designing and Managing a Windows Public Key
Infrastructure.
Setup requirement 3: The ability to create and modify certificate templates is delegated to the
CertTmplAdmins global group. This is a requirement for Lab C.
! Complete Lab A in this module.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A: At the completion of Lab A:
! Full control permissions are delegated for the OID container to the
CertTmplAdmins global group.
! Full control permissions are delegated for the Certificate Templates
container to the CertTmplAdmins global group.
! The DelegateTemplates.cmd file is modified to reflect the domain and forest
name of the students’ computers.
! Full control permissions are delegated for each existing certificate template
to the CertTmplAdmins global group.
Overview
Note Windows Server 2003, Standard Edition only issues certificates that are
based on version 1 templates.
You use version 2 templates to customize settings in the template. The default
configuration supplies several preconfigured version 2 templates and the ability
to create more.
Version 2 template definitions are stored in Active Directory, although you can
create and modify version 2 templates at any Windows Server 2003 family
computer or Microsoft Windows® XP Professional computer with the
Windows Server 2003 Administration pack installed. Certificates based on
version 2 templates can only be issued by a CA running Windows Server 2003,
Enterprise Edition or Windows Server 2003, Datacenter Edition.
Who can issue version 1 and version 2 templates? Windows 2000 Server family servers and
Windows Server 2003 family servers can issue version 1 templates. Windows Server 2003,
Enterprise Edition and Windows Server 2003, Datacenter Edition issue version 2 templates.
Single function templates for users: The following table describes the single-function certificate
templates for users in Windows Server 2003.
Template               Function
Basic EFS              Encrypts and decrypts data by using EFS. The private key is used to decrypt the file encryption key (FEK), which is used to encrypt and decrypt the EFS-protected data.
Authenticated Session  Authenticates a user with a Web server. The private key is used to sign the authentication request.
Smart Card Logon       Authenticates a user with the network by using a smart card.
Multiple function templates for users: The following table describes the multiple function
certificate templates for users in Windows Server 2003.
Template               Function
Single function templates for computers: The following table describes the single function
templates for computers in Windows Server 2003.
Template               Function
Multiple function templates for computers: The following table describes multiple function
certificate templates for computers in Windows Server 2003.
Template               Function
Note For definitions of all the user and computer certificate templates that are
available in Windows Server 2003, see the white paper, Implementing and
Administering Certificate Templates in Windows Server 2003 under Additional
Reading on the Web page on the Student Materials compact disc.
Note Individual certificate templates do not inherit the permissions that are
assigned to the Certificate Templates container.
Tools for delegation: Use the following tools to delegate the ability to create and manage
certificate templates:
! The Active Directory Sites and Services console. Allows you to delegate
permissions to the CN=Certificate Templates and CN=OID containers
within the Configuration naming context.
! The Dsacls.exe command-line tool from the Windows Server 2003 Support
Tools. Allows you to delegate permissions to the individual certificate
templates.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Additional information: For more information about delegating the management of certificate
templates, read the white paper, Implementing and Administering Certificate Templates in
Windows Server 2003, under Additional Reading on the Web page on the Student Materials
compact disc.
Estimated time to complete this lab: 15 minutes
Exercise 1
Delegating Certificate Template Administration Permissions
In this exercise, you will delegate the permission to create and modify certificate templates to a
custom global group named CertTmplAdmins.
Scenario
Your organization wants to extend the PKI role separation model to assign the ability to create and
manage certificate templates to a designated group in the organization. You must delegate the
required permissions to this designated group, named CertTmplAdmins.
Important: Perform this procedure on the domain controller for your domain.
1. Log on by using your domain administrative account.
   Ensure that you are logged on with the following credentials:
   • User name: Student1
   • Password: Password (where Password is the password defined for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Active Directory Sites and Services console and browse to the OID container.
   a. On the Start menu, click Administrative Tools, and then click Active Directory Sites and Services.
   b. On the View menu, click Show Services node.
   c. In the console tree, expand Services, expand Public Key Services, and then click OID.
3. Modify the permissions of the OID container to grant the CertTmplAdmins global group Full Control permissions.
   a. In the console tree, right-click OID, and then click Properties.
   b. In the OID Properties dialog box, on the Security tab, click Add.
   c. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Cert and then click Check Names.
   d. In the Multiple Names Found dialog box, in the Matching names list, select CertTmplAdmins, and then click OK.
   e. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, ensure that CertTmplAdmins appears, and then click OK.
   f. In the OID Properties dialog box, in the Group or user names list, select CertTmplAdmins.
   g. In the OID Properties dialog box, in the Permissions for CertTmplAdmins list, select the Allow check box for Full Control, and then click OK.
4. Delegate administrative permissions to the CertTmplAdmins global group for the Certificate Templates container.
   a. In the console tree, right-click Certificate Templates, and then click Delegate Control.
   b. In the Delegation of Control Wizard, click Next.
   c. On the Users or Groups page, click Add.
   d. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Cert and then click Check Names.
   e. In the Multiple Names Found dialog box, in the Matching names list, select CertTmplAdmins, and then click OK.
   f. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, ensure that CertTmplAdmins appears, and then click OK.
   g. On the Users or Groups page, click Next.
   h. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
   i. On the Active Directory Object Type page, click This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
   j. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
   k. On the Completing the Delegation of Control Wizard page, click Finish.
   l. Close Active Directory Sites and Services.
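The delegation that this exercise performs through the console for the OID and Certificate Templates containers, and that the earlier "Tools for delegation" list describes doing per template with Dsacls.exe, can be done in one pass from the command line. The script below is an added example; it is not the course's DelegateTemplates.cmd and not a Microsoft tool. It is PowerShell rather than a batch file, locates the Configuration naming context through RootDSE so the domain and forest name do not have to be edited in, and grants the group Full Control (dsacls shorthand GA) on both containers and then on each individual template, because templates do not inherit the container's permissions. The group name NWTRADERS\CertTmplAdmins is an assumed value; run it with Enterprise Admin rights.

```powershell
# Added example, not the course's DelegateTemplates.cmd: grant one group Full
# Control on the OID container, the Certificate Templates container and every
# template beneath it, using dsacls from the Support Tools. Per-template grants
# are needed because templates do not inherit the container's permissions.
# Assumptions: run on a domain member as an Enterprise Admin; $Group is the
# NetBIOS name of your domain followed by the group's name.
param(
    [string]$Group = 'NWTRADERS\CertTmplAdmins',
    [switch]$WhatIf                                  # print commands instead of running them
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext.Value   # CN=Configuration,DC=...
$pksDn    = "CN=Public Key Services,CN=Services,$configNC"

# Containers first (with /I:T so objects created later inherit), then each template.
$targets = @(
    @{ Dn = "CN=OID,$pksDn";                   Inherit = $true },
    @{ Dn = "CN=Certificate Templates,$pksDn"; Inherit = $true }
)
$templatesContainer = [ADSI]"LDAP://CN=Certificate Templates,$pksDn"
foreach ($template in $templatesContainer.Children) {
    $targets += @{ Dn = [string]$template.distinguishedName.Value; Inherit = $false }
}

foreach ($t in $targets) {
    # GA = generic all (Full Control) in dsacls permission shorthand
    $dsaclsArgs = @($t.Dn, '/G', "$($Group):GA")
    if ($t.Inherit) { $dsaclsArgs += '/I:T' }
    if ($WhatIf) {
        Write-Output ('dsacls ' + (($dsaclsArgs | ForEach-Object { "`"$_`"" }) -join ' '))
    } else {
        & dsacls @dsaclsArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed for $($t.Dn)" }
    }
}
```

Run it once with -WhatIf to review the generated dsacls commands before applying them; templates created after the script runs are not covered and need the per-template grant repeated.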
Note For more information about certificate template design, see the white
paper Implementing and Administering Certificate Templates in
Windows Server 2003, under Additional Reading on the Web page on the
Student Materials compact disc.
The renewal period is the amount of time prior to the end of the validity period
when the subject can renew the certificate by using autoenrollment. Renewing
the certificate during this interval ensures that last-minute requests for
certificate renewal can be serviced before certificate expiration, allowing
uninterrupted use of the certificate.
Guidelines: When defining the validity period and renewal period for a certificate template, use
the following guidelines:
! Do not make the validity period of a certificate template longer than the
remaining validity period of the issuing CA. For example, if a CA only has
two years remaining in its validity period, it cannot issue certificates with a
validity period of more than two years.
! Ensure that the validity period for a certificate template reflects the security
policy of the organization. For example, longer validity periods may only be
implemented for certificates that you issue to employees as compared to the
certificates that you issue to contractors.
! Do not set long validity periods that allow for an attacker to derive the
private key from the public key that is included in a certificate’s attributes.
Consider restricting user and computer certificates to validity periods of less
than two years.
! Define the ValidityPeriodUnits and ValidityPeriod registry entries to allow
the maximum validity period that is required for certificates that the CA
issues. You cannot issue certificates with a longer validity period than those
defined for a CA’s ValidityPeriodUnits and ValidityPeriod registry entries.
! Ensure that the renewal period allows sufficient time for renewal. The
renewal period defines the time interval before the expiration of the
certificate when an attempt to autorenew the certificate takes place.
Defining a renewal period that is too short will not allow autoenrollment to
take place. For example, the Cryptographic application programming
interface (CryptoAPI) starts automatic certificate renewal attempts when
80% of the certificate validity period has expired.
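The guidelines above can be turned into a check that runs before a template is published. The function below is an added example, not course material: it compares a proposed validity and renewal period against the CA certificate's remaining lifetime, the CA's ValidityPeriodUnits cap, the two-year recommendation, and the 80% autorenewal point. The input values are constructed; on a live CA, the expiry would be read from the CA certificate in Cert:\LocalMachine\My and the cap with "certutil -getreg CA\ValidityPeriodUnits" (this example assumes ValidityPeriod is set to Years). Reading the 80% figure as "the renewal window must cover the final 20% of the lifetime" is this example's interpretation of the guideline.

```powershell
# Added example, not from the course: check a proposed template validity and
# renewal period against the module's guidelines. Input values are constructed.
function Test-TemplateValidity {
    param(
        [Parameter(Mandatory)][datetime]$CaNotAfter,      # issuing CA certificate expiry
        [Parameter(Mandatory)][int]$CaMaxValidityYears,   # CA's ValidityPeriodUnits (ValidityPeriod = Years)
        [Parameter(Mandatory)][int]$TemplateValidityWeeks,
        [Parameter(Mandatory)][int]$TemplateRenewalWeeks,
        [datetime]$Now = (Get-Date)
    )
    $findings = @()

    $caRemainingWeeks = [math]::Floor(($CaNotAfter - $Now).TotalDays / 7)
    if ($TemplateValidityWeeks -gt $caRemainingWeeks) {
        $findings += "Validity of $TemplateValidityWeeks weeks exceeds the CA's remaining $caRemainingWeeks weeks."
    }
    if ($TemplateValidityWeeks -gt 52 * $CaMaxValidityYears) {
        $findings += "Validity exceeds the CA's ValidityPeriodUnits limit of $CaMaxValidityYears years; the CA will truncate it."
    }
    if ($TemplateValidityWeeks -gt 104) {
        $findings += "Validity is longer than two years; consider a shorter period for user and computer certificates."
    }
    if ($TemplateRenewalWeeks -ge $TemplateValidityWeeks) {
        $findings += "Renewal period must be shorter than the validity period."
    }
    # Autoenrollment begins renewal attempts once 80% of the validity period has
    # elapsed, so (in this example's reading) the renewal window must cover the
    # last 20% of the lifetime or the attempt falls outside it.
    $minRenewalWeeks = [math]::Ceiling($TemplateValidityWeeks * 0.2)
    if ($TemplateRenewalWeeks -lt $minRenewalWeeks) {
        $findings += "Renewal period of $TemplateRenewalWeeks weeks is shorter than 20% of validity ($minRenewalWeeks weeks); autorenewal may not occur."
    }
    return $findings
}

# Constructed scenario: the CA certificate has two years left and is capped at
# two-year issuance, while a five-year template with a six-week renewal window
# is proposed (compare the code signing requirements in Lab B).
$now    = Get-Date '2004-01-01'
$result = @(Test-TemplateValidity -CaNotAfter $now.AddYears(2) -CaMaxValidityYears 2 `
            -TemplateValidityWeeks 260 -TemplateRenewalWeeks 6 -Now $now)
if ($result.Count -eq 0) { 'Template settings are within the guidelines.' } else { $result }
```

On the constructed input every check fires, which is the point: a five-year requirement cannot be met by a CA with two years left unless the CA certificate is renewed first and its ValidityPeriodUnits raised.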
Note The certificate purpose setting determines whether you can enable key
archival for a certificate template. Key archival is only possible if the certificate
purpose is set to Encryption or Signature and encryption.
Guidelines for selecting the certificate purpose: When you define certificate purpose in a
certificate template, use the following guidelines:
! Use the Signature or Signature and smart card logon purposes for
authentication-only certificates. These purposes prevent the certificate from
being used for encryption purposes.
! Use only the Signature and encryption purpose for non-vital certificates. It
is more secure to issue separate certificates for signature or encryption
purposes.
! Implement the Signature and smart card logon purpose for all smart card
certificates.
Alternate subject name options: In addition to the subject name, you can include additional
names that reference the subject in the subject alternative name. The alternate subject name
option allows storing different name formats of the subject name. For certificates that are
issued to users, the following alternate subject name formats are available:
! E-mail name. The e-mail name field that is populated in the Active
Directory user object.
! User principal name (UPN). The UPN is part of the Active Directory user
object.
For certificates that are issued to computers, the following alternate subject
name formats are available:
! Domain Name System (DNS) name. The fully qualified domain name
(FQDN) of the subject that requested the certificate.
! Service principal name (SPN). The service principal name is part of the
Active Directory computer object.
Requesting certificates for a non-matching certificate name: Usually, a subject cannot request a
certificate that uses a nonmatching subject name. For example, user1@nwtraders.msft would not
be allowed to request a certificate with a subject name of user2@nwtraders.msft.
The only subject that can request a certificate for another user is one who holds
a certificate based on the Enrollment Agent template. That subject can request
certificates on behalf of any other subject. For example, an enrollment agent
can request Smart Card User or Smart Card Logon certificates on behalf of
other users.
Guidelines for defining subject name requirements: Use the following guidelines when defining
subject name requirements in a certificate template:
! On the Subject Name tab of a certificate template, select the Supply in the
request option for certificates that are issued to users or computers that do
not have accounts in Active Directory. This option allows the user to
provide the subject name during the certificate request.
Note The Supply in the request option allows you to apply a custom
subject name in a certificate request. For example, a code signing certificate
may require the company name in the subject of the certificate, rather than
the individual user’s name.
! On the Subject Name tab of a certificate template, select the Build from
this Active Directory information option for users or computers that have
accounts in Active Directory. This option ensures that the same information
that is stored for a user or computer account in Active Directory is also
populated into a certificate that is issued to the user or computer.
! Ensure that a user or computer account in Active Directory has all the
required alternate subject name formats that are defined in the object’s
properties. For example, a request for a certificate that populates the
alternate subject name with a user’s e-mail name will fail if the user account
does not have an e-mail name configured.
When a subject presents its certificate, the target server or application examines
it to verify the issuance policy and determine if that level of issuance policy is
sufficient to perform the requested action.
Default certificate policy OIDs: The following table describes the three default certificate
policy OIDs included in Windows Server 2003.
OID type               Description
Note The low assurance, medium assurance, and high assurance OIDs are
unique for each Windows Active Directory forest.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Prerequisites: Before working on this lab, you must have knowledge about creating and
modifying version 2 certificate templates.
Scenario: You are a PKI administrator of your company network. The company is in the
process of deploying several projects that require certificates from your PKI hierarchy.
In one project, you must increase the security for Microsoft Excel macros. The
Accounting department implements several Excel workbooks for month-end
procedures. These workbooks contain macros that were developed by the
Accounting IT department.
Currently, the macro security in Microsoft Excel must be set to Low Security to
allow the macros to run without user intervention. Because of the lowered
security, a virus that was distributed in an Excel workbook infected several
computers on the company network.
To increase the security of the Excel macros, you must deploy certificates to the
programmers in the Accounting IT department, so that the programmers can
digitally sign the macros. After the programmers sign the macros, you can
change the macro security setting for the Excel workbooks to High Security to
prevent unsigned macros from being used.
Additional information: For more information about configuring a certificate template, see the
white paper, Implementing and Administering Certificate Templates in Windows Server 2003,
under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 30 minutes
Module 5: Configuring Certificate Templates 27
Exercise 1
Review an Existing Certificate Template
In this exercise, you will gather design requirements for the certificate template, and then analyze
an existing certificate template.
Requirements
During the information gathering stage, you identify the following requirements:
• The subject of the certificate must contain the company name, not the name of the programmer who signs the code.
• The code signing certificate must be stored on a Schlumberger CryptoFlex 8 KB smart card.
• Only members of the Accounting IT department may request a code signing certificate.
• All code signing certificate requests and renewals must be approved by Arlene Huff, the Accounting IT department manager.
• The code signing certificate must be valid for five years.
• The code signing certificate must have a minimum key length of 1024 bits.
• All code signing certificates that the organization issues must meet these requirements.
1. Ensure that you are logged on to the domain as a Certificate Template administrator. Log on to your computer with the following information:
   • User name: Template1 (on the domain controller) or Template2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console. Click Start, click Run, type Certtmpl.msc and then click OK.
Analyze existing certificate templates
1. Is there an existing certificate template that allows code signing? If so, what is the name of the certificate template?
   Yes. The Code Signing certificate template allows code signing.
2. Does the Code Signing certificate template meet the design requirements?
   No. The Code Signing certificate template has a one-year validity period and does not implement any issuance requirements.
3. Can you modify the Code Signing certificate template to meet the design requirements?
   No. The Code Signing certificate template is a version 1 certificate template, and a version 1 template allows you to modify only its permissions.
4. Can you convert the Code Signing certificate template into a version 2 certificate template?
   No. You cannot convert a version 1 certificate template into a version 2 certificate template. You must duplicate it; the duplicate is a version 2 template.
Exercise 2
Designing the Custom Code Signing Certificate Template
In this exercise, you will design a custom version 2 certificate template that
meets the design requirements that are outlined in Exercise 1.
Scenario: To meet the design requirements, you must create a version 2 certificate template for code signing.
1. In the following table, define the settings on the General tab to meet the design requirements for your custom Code Signing certificate template.
   Attribute                          Your recommended design
2. In the following table, define the settings on the Request Handling tab to meet the design requirements for the custom Code Signing certificate template.
   Attribute                          Your recommended design
   Purpose                            Signature
   Allow private key to be exported   Disabled
   Minimum key size                   1024
   Do the following when the subject is enrolled and when the private key associated with this certificate is used
                                      Enroll subject without requiring any user input
   CSPs                               Only enable the Schlumberger Cryptographic Service Provider
3. How must you configure the settings on the Subject name tab to meet the design requirements?
   Select Supply in the request, so that the requestor can provide the company name as the subject of the certificate. Because the CA does not verify a subject name that the requestor supplies, the CA certificate manager approval required by the design is what prevents a requestor from placing an arbitrary name in a code signing certificate.
5. How must you configure the settings on the Superseded Templates tab to ensure that all certificates that a certification authority issues for code signing use the version 2 certificate template?
   Add the Code Signing certificate template to the Superseded Templates tab.
6. Assuming that all of the developers that require the code signing certificate are in a global group named Company_CodeSigners, what permissions must you assign to the Company_CodeSigners group?
   Assign Read and Enroll permissions to the Company_CodeSigners group.
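The following script is an added example, not part of the course materials: it reads a version 2 certificate template from the Configuration naming context and checks it against the Exercise 1 design requirements that the Exercise 2 answers implement (validity, key size, Code Signing application policy, subject supplied in the request, CA certificate manager approval, non-exportable key, and who holds the Enroll right). It assumes the ActiveDirectory PowerShell module is installed and that the template display name 'Company Code Signing' is the one you chose; that name and the group name are assumptions, not course values. The company-name requirement cannot be checked on the template, because the subject is supplied in the request; it must be checked on each issued certificate, which is why the approval requirement matters.

```powershell
# Added example (not course material): audit a version 2 certificate template
# in Active Directory against the Exercise 1 design requirements.
# Assumptions: ActiveDirectory module available; template and group names below.
param(
    [string]$TemplateName  = 'Company Code Signing',   # assumed display name
    [string]$EnrollGroup   = 'Company_CodeSigners',    # group named in Exercise 2
    [int]   $MinKeyBits    = 1024,
    [int]   $ValidityYears = 5
)
Import-Module ActiveDirectory

# Flag bits of the msPKI-* template attributes (documented in MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1     # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2     # msPKI-Enrollment-Flag: CA manager approval
$CT_FLAG_EXPORTABLE_KEY            = 0x10    # msPKI-Private-Key-Flag
$CODE_SIGNING_EKU                  = '1.3.6.1.5.5.7.3.3'
$ENROLL_RIGHT_GUID                 = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates live in the Configuration naming context, which is forest-wide.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$t = Get-ADObject -SearchBase $templateDN -LDAPFilter "(displayName=$TemplateName)" `
        -Properties displayName, pKIExpirationPeriod, pKIExtendedKeyUsage, `
                    'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag', `
                    'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag'
if (-not $t) { throw "Template '$TemplateName' not found under $templateDN" }

# pKIExpirationPeriod is a negative 64-bit count of 100-nanosecond intervals (.NET ticks).
$ticks        = [BitConverter]::ToInt64($t.pKIExpirationPeriod, 0)
$validityDays = [TimeSpan]::FromTicks(-$ticks).TotalDays

# Who is explicitly granted the Enroll extended right on the template object?
# (A Full Control ACE also implies Enroll; review those separately.)
$acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
$enrollers = $acl.Access |
    Where-Object { $_.ObjectType -eq $ENROLL_RIGHT_GUID -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value }

$checks = [ordered]@{
    'Validity is at least 5 years'           = $validityDays -ge ($ValidityYears * 365)
    'Minimum key size is at least 1024 bits' = $t.'msPKI-Minimal-Key-Size' -ge $MinKeyBits
    'Code Signing application policy'        = $t.pKIExtendedKeyUsage -contains $CODE_SIGNING_EKU
    'Subject is supplied in the request'     = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    'CA certificate manager approval'        = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    'Private key is not exportable'          = ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -eq 0
    'Only the code-signers group can enroll' = @($enrollers | Where-Object { $_ -notlike "*\$EnrollGroup" }).Count -eq 0
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```

Run it as a user who can read the Configuration partition; every line should report PASS before the template is published at a CA. The two checks that matter most together are "Subject is supplied in the request" and "CA certificate manager approval": a template that passes the first and fails the second lets any enrollee choose the name that appears on signed code.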
Note Both modification and superseding affect only those certificates that are issued after you change the certificate template. Existing certificates are not modified until the user or computer that holds a certificate based on the template renews the certificate, or enrolls a new certificate based on the modified or superseding certificate template.
Note You can force the updated certificate template to be applied by re-enrolling all certificate holders: in the Certificate Templates console, right-click the template and click Reenroll All Certificate Holders. This increments the template version, so clients that use autoenrollment re-enroll at their next autoenrollment cycle; holders that enrolled manually must re-enroll manually.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Additional information: For more information about creating certificate templates, read the white paper, Implementing and Administering Certificate Templates in Windows Server 2003, under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 30 minutes
Exercise 1
Creating a Certificate Template
In this exercise, you will create a version 2 certificate template based on the User certificate
template.
Scenario
Your organization must implement a modified version of the User certificate template. Each
division of your organization will maintain its own version of the modified User certificate
template.
1. Ensure that you are logged on to the domain as a Certificate Template administrator. Log on to your computer with the following information:
   • User name: Template1 (on the domain controller) or Template2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the Certificate Templates dialog box, click OK.
3. Create a new certificate template named ComputerUser based on the User certificate template.
   a. In the Certificate Templates console, in the details pane, right-click User, and then click Duplicate Template.
   b. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type ComputerUser (where Computer is the NetBIOS name of your computer), and then click OK.
   What members of the Windows Server 2003 family can issue the newly created certificate template?
   Only Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition can issue version 2 certificate templates.
4. On the General tab of the ComputerUser certificate template, define the validity period as 3 Years.
   a. In the details pane, double-click the ComputerUser certificate template.
   b. On the General tab, define the validity period as 3 Years.
   c. Click Apply.
5. On the Request Handling tab, define the minimum key size as 2048 bits.
   a. On the Request Handling tab, define the minimum key size as 2048.
   b. Click Apply.
6. On the Security tab, view the current settings. Click the Security tab, and then view the settings.
If you want to restrict enrollment to members of the Marketing department, what would you do?
You would create a global group that contains all Marketing department users. Then assign Read and
Enroll permissions to the Marketing global group.
Why is it necessary to use global or universal groups when you assign permissions to certificate templates?
Certificate template objects are stored in the configuration naming context. By using global or
universal groups when you assign permissions, all domains in the forest can recognize the groups.
7. On the Subject name tab of the ComputerUser certificate template, select Build from this Active Directory information, select Common name, and select the Include e-mail name in subject name check box.
   a. On the Subject Name tab, select Build from this Active Directory information.
   b. In the Subject name format drop-down list, select Common name.
   c. Select the Include e-mail name in subject name check box.
   d. Leave all other settings as the default settings.
   e. Click Apply.
8. On the Extensions tab, remove the Encrypting File System application policy.
   a. On the Extensions tab, select Application Policies, and then click Edit.
   b. In the Edit Application Policies Extension dialog box, select Encrypting File System, and then click Remove.
   c. In the Edit Application Policies Extension dialog box, click OK.
   d. In the ComputerUser Properties dialog box, click OK.
9. Close all open windows and log off the network.
   a. Close the Certificate Templates console.
   b. Close all open windows, and then log off.
Exercise 2
Publishing a Certificate Template
In this exercise, you will publish your modified User certificate template on the DomainCA
enterprise subordinate CA.
Scenario
After you create a custom User certificate template, publish the certificate template on an enterprise
CA so that users can enroll the certificate based on the modified template.
1. Ensure that you are logged on to the domain as a CA administrator. Log on to your computer with the following information:
   • User name: CAadmin1 (on the domain controller) or CAadmin2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console. On the Start menu, click Administrative Tools, and then click Certification Authority.
   If you are working on the member server in your domain, an error message appears, stating that Certificate Services is not an installed service. You must retarget the console to the domain controller.
3. Retarget the Certification Authority console to manage the enterprise CA in your domain.
   a. In the Microsoft Certificate Services message box, click OK.
   b. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   c. In the Certification Authority dialog box, click Another computer, and then click Browse.
   d. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   e. In the Certification Authority dialog box, click Finish.
4. Configure the DomainCA to issue the ComputerUser certificates. Close all open windows and log off.
   a. In the console tree, expand Certification Authority, expand DomainCA, and then click Certificate Templates.
   b. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   c. In the Enable Certificate Templates dialog box, click ComputerUser (where Computer is the NetBIOS name of your computer), and then click OK.
   d. Ensure that the ComputerUser certificate template appears in the details pane.
   e. Close the Certification Authority console.
   f. Close all open windows, and then log off.
Exercise 3
Enrolling the Certificate Template
In this exercise, you will request a certificate to verify that certificates issued from the template that you created and published have the expected format.
Scenario
After you publish the certificate template on the enterprise CA in your domain, you must enroll a certificate based on it to ensure that the certificate is issued as required.
1. Ensure that you are logged on to the domain with your domain administrative account. Log on to your computer with the following information:
   • User name: Student1 (on the domain controller) or Student2 (on the member server)
   • Password: Password (where Password is the password defined for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Ensure that the key size is 2048 bits, type the friendly name ComputerUser, click Yes in the Potential Scripting Violation dialog box, and install the issued certificate.
   h. On the Advanced Certificate Request page, in the Key Options section, ensure that the key size is 2048.
   i. On the Advanced Certificate Request page, in the Friendly Name box, type ComputerUser
   j. On the Advanced Certificate Request page, scroll to the bottom of the page, and then click Submit.
   k. In the Potential Scripting Violation dialog box regarding the Web site requesting a new certificate on your behalf, click Yes.
   l. On the Certificate Issued page, click Install this certificate.
   m. In the Potential Scripting Violation dialog box regarding the addition of one or more certificates to your computer, click Yes.
   n. Ensure that the Certificate Installed page indicates that Your new certificate has been successfully installed.
   o. Close Internet Explorer.
The extension includes the Client Authentication and Secure Email application policies.
Exercise 4
Superseding a Certificate Template
In this exercise, you will create a new certificate template that supersedes the three existing
certificate templates. The new certificate template modifies the existing certificate templates by
preventing the export of the private key and by adding a Low assurance issuance policy.
Scenario
Your organization has consolidated operations by creating a centralized IT department. Rather than
having separate certificate templates for each division, the organization will deploy a common
certificate template. This new certificate template must supersede the three existing templates and
make minor modifications to the certificate template.
1. Ensure that you are logged on to the domain as a Certificate Template administrator. Log on to your computer with the following information:
   • User name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create a new certificate template named SupersededUser based on one of the existing ComputerUser certificate templates.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the Certificate Templates dialog box, click OK.
   c. In the details pane, right-click ComputerUser (where Computer is the NetBIOS name of your computer), and then click Duplicate Template.
   d. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type SupersededUser and then click OK.
6. Close all open windows and log off the network.
   a. Close the Certificate Templates console.
   b. Close all open windows, and then log off.
Important: Perform this procedure on the domain controller for your domain.
7. Ensure that you are logged on to the domain as a CA administrator. Log on to your computer with the following information:
   • User name: CAadmin1
   • Password: P@ssw0rd
   • Domain: Domain
8. Configure the DomainCA to issue the SupersededUser certificate template.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand Certification Authority, expand DomainCA, and then click Certificate Templates.
   c. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click SupersededUser, and then click OK.
   e. In the details pane, ensure that the SupersededUser certificate template appears.
9. Remove the two superseded certificate templates from the list of certificate templates issued by the DomainCA. Close all open windows and log off.
   a. In the details pane, click ComputerUser, press CTRL and click PartnerComputerUser, right-click the selection, and then click Delete.
   b. In the Disable certificate templates dialog box, click Yes.
   c. Close the Certification Authority console.
   d. Close all open windows, and then log off.
Module 6: Configuring
Certificate Enrollment
Contents
Overview 1
Lesson: Introduction to Certificate Enrollment 2
Lesson: Enrolling Certificates Manually 9
Lesson: Autoenrolling Certificates 14
Lab A: Enrolling Certificates 23
Module 6: Configuring Certificate Enrollment iii
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes
Certificate enrollment is the process of requesting and receiving a certificate from a certification authority (CA). In this module, students will learn about the various methods of enrolling certificates. Certificate requests can be processed either manually or automatically, depending upon whether the certificate manager must approve them.
After completing this module, students will be able to:
• Select the appropriate certificate enrollment method for a given scenario.
• Enroll certificates manually.
• Autoenroll certificates.
• Enroll smart card certificates.
How to Request Certificates Using the MMC Wizard: The Certificates console can request certificates only from an enterprise CA. The MMC console allows you to install certificates for user accounts, computer accounts, or service accounts. Consider demonstrating the Certificate Enrollment Wizard.
Request Certificates Using Certreq.exe: Certreq.exe was used to request certificates in Lab B: Backing Up and Restoring a Certification Authority, in Module 4, “Managing a Public Key Infrastructure,” Course 2821, Designing and Managing a Windows Public Key Infrastructure. Consider showing the contents of the Requestcert.cmd and Certreq.inf files in the C:\Moc\2821\Labfiles\Module4 folder, to illustrate what information is required as input when requesting a certificate.
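The following is an added example, not the Requestcert.cmd or Certreq.inf from the course files: it shows the input Certreq.exe needs to request a certificate from the ComputerUser template created in Module 5, Lab B, and then checks the issued certificate the way Exercise 3 of that lab does by hand (key size and the application policies left after Encrypting File System was removed). The CA configuration string "DC1\DomainCA" is an assumption; substitute your own "<CA host>\<CA name>". It also handles the case the Web enrollment text above describes, where issuance requirements leave the request pending.

```powershell
# Added example (not course material): enroll from the ComputerUser template with
# Certreq.exe and verify the issued certificate.
# Assumed values: CA config string and template name; adjust for your lab.
$caConfig = 'DC1\DomainCA'          # assumed: <CA host>\<CA name>
$template = 'ComputerUser'
$work     = Join-Path $env:TEMP 'enroll'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Certreq.inf: the template builds the subject from Active Directory, so the
# enterprise CA ignores Subject, but the key parameters must satisfy the template
# (2048-bit minimum, non-exportable, user key set).
@"
[NewRequest]
Subject = "CN=placeholder"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
KeySpec = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$work\certreq.inf" -Encoding ASCII

# Generate the key pair and request, submit to the CA, install the issued certificate.
certreq.exe -new "$work\certreq.inf" "$work\request.req"
$submit = certreq.exe -submit -config $caConfig "$work\request.req" "$work\issued.cer"
if ($submit -match 'Taken Under Submission') {
    # Issuance Requirements (CA certificate manager approval) left the request pending.
    Write-Warning 'Request is pending CA certificate manager approval; retrieve it later with certreq -retrieve.'
    return
}
certreq.exe -accept "$work\issued.cer"

# Verify the installed certificate: key size and application policies (EKU, OID 2.5.29.37).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$work\issued.cer"
$eku  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
[pscustomobject]@{
    Subject              = $cert.Subject
    KeyBits              = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
    ClientAuthentication = $eku -contains '1.3.6.1.5.5.7.3.2'
    SecureEmail          = $eku -contains '1.3.6.1.5.5.7.3.4'
    EncryptingFileSystem = $eku -contains '1.3.6.1.4.1.311.10.3.4'   # expected False for ComputerUser
}
```

For the ComputerUser template the last three fields should read True, True, False: the certificate still carries the Client Authentication and Secure Email application policies, and no longer carries Encrypting File System.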
Autoenrollment Settings
• Deploys user and computer certificates
• Requires version 2 certificate templates
• Only deploys to computers running Windows XP and operating systems in the Windows Server 2003 family
How to Enable Autoenrollment Using Automatic Certificate Request Settings: Consider demonstrating how to add certificate templates for deployment by using automatic certificate request settings. During the demonstration, show that only version 1 certificate templates that are issued to computers are available for selection.
Enable Autoenrollment in the Version 2 Certificate Template: The first step in designing automatic certificate enrollment by using Autoenrollment settings is configuring a certificate template to support Autoenrollment. Consider showing each tab in the Certificate Templates console, which is described in the slide.
Stress that to deploy a certificate template by using Autoenrollment settings, a global or universal group that contains the users or computers must be assigned the Read, Enroll, and Autoenroll permissions.
How to Enable Autoenrollment Settings in Group Policy: Share with the students that the Autoenrollment Settings Group Policy is available in a Windows Server 2003 forest and in a Windows 2000 forest, as long as the Windows Server 2003 schema extensions are applied to the Windows 2000 forest.
Remind the students that you can only define this Group Policy setting by editing the Group Policy object (GPO) from a computer running Windows XP with the Windows Server 2003 Administration Pack (Adminpak.msi) installed, or from a computer running Windows Server 2003.
Considerations for Implementing Autoenrollment: Use the chart on the slide to compare and contrast the two autoenrollment processes. Ensure that the students are clear on when to choose each autoenrollment method.
When performing this lab, students are often impatient while they wait for autoenrollment to occur. Remind students that all Group Policy objects that apply to the computer and user must be evaluated before the autoenrollment process begins. They may have to wait up to 90 seconds before enrollment takes place.
If autoenrollment fails, verify the following:
• Is the AutoenrollUsers group assigned Read, Enroll, and Autoenroll permissions?
• Are the two AutoComputer certificate templates published at the enterprise subordinate CA?
• Does the Autoenrollment GPO exist?
• Is the Autoenrollment GPO correctly defined to enable all autoenrollment options for users, not computers?
• Is the Autoenrollment GPO linked to the Module06 OU?
Lab Setup
Setup requirement 1: The labs in this module require that a CA hierarchy with an offline root CA and an enterprise subordinate CA exist.
• Complete Lab A, Lab B, and Lab C in Module 3, “Creating a Certification Authority Hierarchy,” in Course 2821, Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2: All of the procedures in the lab assume that Common Criteria role separation is enforced.
• Complete Lab A in Module 4, “Managing a Public Key Infrastructure,” in Course 2821.
Setup requirement 3: The ability to create and modify certificate templates is delegated to the CertTmplAdmins global group.
• Complete Lab A in Module 4, “Managing a Public Key Infrastructure,” in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration changes:
Lab A: At the completion of Lab A:
• An Internet Protocol security (IPSec) certificate is installed at both the domain controller and the member server.
• Two certificate templates are created that are based on the User Signature Only certificate template, AutoComputer and AutoPartnerComputer. Both certificate templates enable autoenrollment.
• The Autoenrollment GPO is created and linked to the Module06 organizational unit. The GPO enables autoenrollment of user certificates.
• The CertAdmins group is assigned the Issue and Manage Certificates permission.
• AutoComputer and AutoPartnerComputer certificates are issued to the Enroll1 and Enroll2 user accounts.
Overview
There are various methods for enrolling certificates. Certificate requests can be processed either manually or automatically, depending upon whether the certificate manager must approve them.
Objectives: After completing this module, you will be able to:
• Select the appropriate certificate enrollment method for a given scenario.
• Perform manual certificate enrollment.
• Enable autoenrollment of certificates.
Enrollment Methods
Registration authority: Require that the certificate request be signed with the private key of a previously enrolled certificate, and define which issuance policy or application policy must exist in the signing certificate. The certificate template can require that one or more signatures be applied to the certificate request.
For example, you can create a version 2 certificate template based on the basic Encrypting File System (EFS) certificate template that requires that the certificate request be signed by a certificate with the Smart Card Logon application policy. The assurance is raised because, to use a smart card certificate, the user must possess the physical smart card and know the smart card’s personal identification number (PIN).
Note For autoenrollment to be successful, you can require only one authorized signature. Requiring more than one signature disables autoenrollment.
Important You must add the ServerName Web site to the Local intranet or Trusted sites zone in Internet Explorer if Windows Server 2003 Internet Explorer Enhanced Security Configuration is enabled. Adding the site to one of these zones allows the Microsoft ActiveX® controls included in the Web site to download to Web clients.
If you do not see the Certificate Issued Web page, either the request did not meet the issuance requirements of the certificate template, or the issuance requirements (for example, CA certificate manager approval) have left the certificate request pending.
You can request a certificate from the Web pages with advanced options. These include options for the CSP, the hash algorithm, key generation (creating a new key set or using an existing key set), marking the keys as exportable, enabling strong private key protection, and using the local computer store to generate the key.
Certificate Autoenrollment
Autoenrollment methods: In a Windows Server 2003 PKI, there are two methods of enabling autoenrollment of certificates:
• Automatic Certificate Request Settings. A Group Policy setting that enables the deployment of certificates based on version 1 templates to computers running Windows 2000, Windows XP, and Windows Server 2003.
• Autoenrollment Settings. Based on a combination of Group Policy settings and version 2 certificate templates. This combination allows a client computer running Windows XP Professional or Windows Server 2003 to enroll user or computer certificates automatically.
Note The GPO must be linked to the organizational unit that contains the
target computer accounts. Automatic certificate request settings can only be
defined for computer accounts.
Note Never enable the Prompt the user during enrollment option for
certificates issued to computers or service accounts. Only enable this option for
certificates issued to users.
In some cases you do require user input for certificate autoenrollment. For
example, a smart card certificate requires user input so that the user is prompted
to insert the smart card in the smart card reader when required.
Important If more than one smart card CSP is made available on this tab, the
user may be prompted for every CSP when enrolling for this template. Users
with one smart card will have to cancel the prompts for the unavailable CSPs.
Issuance Requirements: The Issuance Requirements tab allows you to enforce additional requirements for certificate enrollment. For example, you can add a requirement for CA certificate manager approval. Autoenrollment will check for pending certificate requests, and complete the installation of the certificate when the CA certificate manager issues the pending certificate.
If the certificate template requires that a registration authority (RA) certificate sign the certificate request, autoenrollment is enabled only if a single signature is required.
Permissions: Use the Security tab to assign Read, Enroll, and Autoenroll permissions. To autoenroll a certificate template, a user or computer must belong to a security group that is assigned the Read, Enroll, and Autoenroll permissions. Only groups that are assigned all three permissions are enabled for autoenrollment.
Note It is recommended that you assign the Read, Enroll, and Autoenroll permissions to either global or universal groups, because the certificate template objects are stored in the Configuration naming context of the forest and must be readable by every domain in it.
Note For autoenrollment, the GPO must be linked to either the domain or the organizational unit where the user or computer accounts exist.
Applying the Group Policy settings: The Autoenrollment Settings are applied the next time the GPO is applied to the user or computer. Specifically:
• User autoenrollment is triggered when the user performs an interactive logon and at Group Policy refresh intervals.
• Computer autoenrollment is triggered when the computer is restarted.
• Both user and computer Autoenrollment Settings are also applied at the default GPO refresh intervals.
You can manually refresh the GPO settings at a client running Windows XP or Windows Server 2003 by forcing a Group Policy update: run GPUpdate /force at the target workstation.
Note You can also force autoenrollment from the Certificates console by right-clicking the Certificates – certificate store node in the console tree, pointing to All Tasks, and then clicking Automatically Enroll Certificates.
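The following script is an added example, not part of the course: it walks the autoenrollment prerequisites that the Permissions, Issuance Requirements and Group Policy text above describe, and that the instructor troubleshooting list for this lab checks by hand (group has Read, Enroll and Autoenroll on the template; template has autoenrollment enabled; template is published at the CA; the Autoenrollment Settings GPO reached the user), then refreshes Group Policy and pulses autoenrollment instead of waiting for the next logon. It assumes the ActiveDirectory module, a current Windows client (certutil -pulse exists on Windows Vista and later, not on Windows XP), the lab names AutoComputer and AutoenrollUsers, and the CA config string "DC1\DomainCA"; the reading of the AEPolicy registry value (7 = enabled with both options, 0x8000 = Disabled) is also stated as an assumption in the code.

```powershell
# Added example (not course material): check user autoenrollment prerequisites for
# one template, then trigger autoenrollment and look for the resulting certificate.
# Assumptions: ActiveDirectory module; Vista+ client for certutil -pulse; names below.
param(
    [string]$TemplateName = 'AutoComputer',        # lab template (display name = CN here)
    [string]$GroupName    = 'AutoenrollUsers',     # lab group
    [string]$CaConfig     = 'DC1\DomainCA'         # assumed <CA host>\<CA name>
)
Import-Module ActiveDirectory

$CT_FLAG_AUTO_ENROLLMENT = 0x20                    # msPKI-Enrollment-Flag (MS-CRTD)
$ENROLL_GUID     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Enroll extended right
$AUTOENROLL_GUID = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # AutoEnroll extended right

$configNC = (Get-ADRootDSE).configurationNamingContext
$t = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
        -LDAPFilter "(displayName=$TemplateName)" -Properties 'msPKI-Enrollment-Flag', displayName
if (-not $t) { throw "Template '$TemplateName' not found" }

# 1. Does the group hold Read, Enroll and Autoenroll on the template object?
$aces = (Get-Acl "AD:\$($t.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$GroupName" }
$hasRead       = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' })
$hasEnroll     = [bool]($aces | Where-Object { $_.ObjectType -eq $ENROLL_GUID     -or $_.ActiveDirectoryRights -match 'GenericAll' })
$hasAutoenroll = [bool]($aces | Where-Object { $_.ObjectType -eq $AUTOENROLL_GUID -or $_.ActiveDirectoryRights -match 'GenericAll' })

# 2. Is the template itself configured for autoenrollment?
$templateAutoenroll = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0

# 3. Is the template published at the enterprise CA? certutil prints "<CN>: <name> -- ..." per template.
$published = [bool]((certutil.exe -CATemplates -config $CaConfig) -match "^$([regex]::Escape($TemplateName)):")

# 4. Did the user Autoenrollment Settings GPO reach this logon? Assumed reading of AEPolicy:
#    7 = enabled with both options, 0x8000 = policy set to Disabled, absent = not configured.
$aePolicy   = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
                 -ErrorAction SilentlyContinue).AEPolicy
$gpoApplied = ($null -ne $aePolicy) -and (($aePolicy -band 0x8000) -eq 0)

[pscustomobject]@{
    GroupHasRead         = $hasRead
    GroupHasEnroll       = $hasEnroll
    GroupHasAutoenroll   = $hasAutoenroll
    TemplateAutoenroll   = $templateAutoenroll
    PublishedAtCA        = $published
    AutoenrollGpoApplied = $gpoApplied
    AEPolicyRaw          = $aePolicy
}

# Do not wait for the next logon or refresh interval: refresh policy, then pulse
# autoenrollment, and list certificates in the user store issued from this template
# (the template extension, OID 1.3.6.1.4.1.311.21.7, names the template when formatted on Windows).
gpupdate.exe /force | Out-Null
certutil.exe -pulse | Out-Null
Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -and $_.Format($true) -match $TemplateName }
} | Select-Object Subject, NotAfter, Thumbprint
```

Run it as the user who should receive the certificate (Enroll1 or Enroll2 in this lab). A False in any of the first six fields corresponds one-to-one to an item on the troubleshooting list; if all six are True and no certificate appears, the request is most likely pending CA certificate manager approval or blocked by a multi-signature requirement on the template.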
Note This lab focuses on the concepts that are explained in this module and as a result may not comply with Microsoft security recommendations. For instance, two certificate templates that have the same purpose are configured for autoenrollment, rather than one certificate template.
Additional information: For more information about enrolling certificates, read the white paper, Certificate Autoenrollment in Windows Server 2003, under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 45 minutes
Exercise 1
Choosing an Enrollment Method
In this exercise, you will determine the best method to enroll certificates based
on the scenario that is provided.
Scenario
You are the PKI administrator of your organization’s network. The organization
is in the process of deploying several projects that require certificates to be
issued by your PKI hierarchy.
The following projects are in the planning stage. You must recommend to
management what enrollment method to use to deploy the certificates.
! CA certificates. As shown in the following diagram, the company’s CA
hierarchy will consist of an offline root CA, an offline policy CA, three
enterprise subordinate CAs that are based on geographic region, and an
additional enterprise subordinate CA that issues certificates to customers on
the extranet.
Questions
1. In the following table, indicate what enrollment methods are available for
each of the PKI-related projects.
Scenario                         Web-based   Certificate          ACRS   Autoenrollment
                                             Enrollment Wizard
CA installation                  "           #                    #      #
IPSec certificate distribution   #           #                    "      "
EFS encryption                   #           #                    #      "
Web-based time tracking system   "           "                    #      "
Customer extranet Web site       "           #                    #      #
(ACRS = Automatic Certificate Request Settings)
5. Can you use a version 2 certificate template to provide authentication for the
Web-based tracking system?
Yes. The Windows ME, Windows NT 4.0, and Windows 2000 client
computers must request the certificate by using Web-based enrollment.
Client computers running Windows XP can use autoenrollment.
7. What can you do to increase the issuance security of the certificates that the
extranet CA issues to external customers?
Configure the version 2 certificate to require CA certificate manager
approval. This configuration sets the status of the certificate request to
Pending until a CA certificate manager approves the certificate request.
Exercise 2
Enrolling Computer Certificates by Using the Certificate
Enrollment Wizard
In this exercise, you will enroll an IPSec certificate for your computer by using the Certificate
Enrollment Wizard in the Certificates console.
Scenario
To prevent unauthorized computers from connecting to network resources, your company
implements IPSec by using Authentication Headers (AH) to authenticate all network access. To
strengthen the authentication, you will deploy certificate-based authentication, which requires that
an IPSec certificate is installed on each computer.
Important: Perform this procedure on the domain controller for your domain.
1. Ensure that you are logged on to the domain as a CA administrator.
   $ Log on to your computer by using the following information:
     • User name: CAadmin1
     • Password: P@ssw0rd
     • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Configure the DomainCA to publish the IPSEC certificate template. Once completed, close all open windows and log off.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand Certification Authority, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click IPSEC and then click OK.
   e. In the details pane, verify that IPSEC appears.
   f. Close the Certification Authority console.
   g. Close all open windows, and then log off.
3. Ensure that you are logged on to the domain as a local administrator of your computer.
   $ Log on to your computer by using the following information:
     • User name: Student1 (on the domain controller) or Student2 (on the member server)
     • Password: Password (where Password is the password assigned to your administrative account)
     • Domain: Domain
Machine certificates are already installed on which computer in your domain? Why?
Two certificates are installed on the domain controller. One certificate is the subordinate CA
certificate, which was installed when the domain controller was configured as a subordinate enterprise
CA. The other is a Domain Controller certificate, which Active Directory automatically issues to all
domain controllers.
5. Use the Certificate Request Wizard to request an IPSec certificate with the friendly name IPSec Authentication for your computer account.
   a. In the console tree, right-click the Personal folder, point to All Tasks, and then click Request New Certificate.
   b. In the Certificate Request Wizard, click Next.
   c. On the Certificate Types page, click IPSEC, and then click Next.
   d. On the Certificate Friendly Name and Description page, in the Friendly name box, type IPSec Authentication and then click Next.
   e. On the Completing the Certificate Request Wizard page, click Finish.
   f. In the Certificate Request Wizard message box, click OK.
6. View the properties of the newly issued IPSec certificate.
   a. In the console tree, expand Certificate (Local Computer), expand Personal, and then click Certificates.
   b. In the details pane, scroll to the right and then double-click the certificate that has the friendly name IPSec Authentication.
If you want to deploy IPSec certificates to 1,000 portable computers in your company, would the Certificate
Request Wizard be the best certificate enrollment method to use?
No. It would be necessary for a local administrator to run the Certificate Enrollment Wizard on each
of the 1,000 portable computers, which would take a long time.
To deploy IPSec certificates to Windows 2000 Professional and Windows XP Professional computers, what
autoenrollment method would you choose?
You must use ACRS to deploy certificates automatically in this case. The IPSec certificate template is a
version 1 certificate template. ACRS supports the automatic deployment of version 1 computer
certificates on computers running Windows 2000, Windows XP, or Windows Server 2003.
7. Close all open windows and log off the network.
   a. Save any changes, and then close all open windows.
   b. Log off.
Exercise 3
Creating a User Certificate Template that Enables
Autoenrollment
In this exercise, you will create a certificate template based on the User certificate template, which
enables autoenrollment. You will deploy the new certificate template to user accounts by using
autoenrollment.
Scenario
To reduce the costs and effort of issuing user certificates, you must create a version 2 certificate
template that is based on the User certificate template.
1. In the Certificate Templates console, create a new certificate template named AutoenrollComputer based on the User Signature Only certificate template. Define the following attributes:
   • Template display name: AutoComputer
   • Validity period: 2 years
   a. Log on to your computer with the following information:
     • User name: Template1 (on the domain controller) or Template2 (on the member server)
     • Password: P@ssw0rd
     • Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
   b. Click Start, click Run, type Certtmpl.msc and then click OK.
   c. In the details pane, right-click User Signature Only, and then click Duplicate Template.
   d. In the Properties of New Template dialog box, on the General tab, type the following information:
     • Template display name: AutoComputer (where Computer is the NetBIOS name of your computer)
     • Validity period: 2 years
   e. Click OK.
2. Enable the Prompt the user during enrollment option in the AutoComputer certificate template.
   a. In the details pane, double-click AutoComputer.
   b. On the Request Handling tab, click Prompt the user during enrollment.
   c. Click Apply.
3. Modify the permissions for the AutoComputer certificate template:
   • Remove Domain Users from the discretionary access control list (DACL).
   • Add the AutoenrollUsers group and assign it Read, Enroll, and Autoenroll permissions.
   a. On the Security tab, in the Group or user names box, select Domain Users, and then click Remove.
   b. On the Security tab, click Add.
   c. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Auto and then click Check Names.
   d. In the Select Users, Computers, or Groups dialog box, ensure that AutoenrollUsers appears in the Enter the object names to select box, and then click OK.
   e. On the Security tab, assign the AutoenrollUsers group Read, Enroll and Autoenroll permissions, and then click OK.
4. Close all open windows and log off the network.
   a. Close the Certificate Templates console.
   b. Close all open windows, and then log off.
Exercise 4
Deploying the Certificates by Using Autoenrollment
In this exercise, you will deploy the AutoComputer certificates by using autoenrollment.
Scenario
To enable autoenrollment, you must configure the DomainCA to issue the AutoComputer
certificates, and then modify Group Policy to enable autoenrollment of certificates. Users in the
Module06 organizational unit must then log on to receive the certificates by using autoenrollment.
1. Log on to the domain with your administrative account.
   $ Log on to the domain by using the following credentials:
     • Logon name: CAadmin2
     • Password: P@ssw0rd
     • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console and retarget the console to the domain controller in your domain.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the Microsoft Certificate Services message box, click OK.
   c. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   d. In the Certification Authority dialog box, click Another computer, and then click Browse.
   e. In the Select Certification Authority dialog box, click DomainCA, and then click OK.
   f. In the Certification Authority dialog box, click Finish.
3. In the Certification Authority console, configure DomainCA to issue AutoComputer and AutoPartnerComputer and then log off.
   a. In the console tree, expand DomainCA, and then click Certificate Templates.
   b. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   c. In the Enable Certificate Templates dialog box, click AutoComputer (where Computer is the NetBIOS name of your computer), press CTRL and click AutoPartnerComputer (where PartnerComputer is the NetBIOS name of your partner’s computer), and then click OK.
   d. In the details pane, verify that the AutoComputer and AutoPartnerComputer certificate templates appear.
   e. Close the Certification Authority console.
   f. Log off.
4. Log on to the domain with your domain administrative account.
   $ Log on to the domain by using the following credentials:
     • Logon name: Student1
     • Password: Password (where Password is the password defined for your administrative account)
     • Domain: Domain
5. In Active Directory Users and Computers, create a new GPO named Autoenrollment and link the GPO to the Module06 organizational unit. In the Autoenrollment GPO, enable the following autoenrollment options:
   • Enroll certificates automatically
   • Renew expired certificates, update pending certificates, and remove revoked certificates
   a. On the Start menu, click Administrative Tools, and then click Active Directory Users and Computers.
   b. In the console tree, expand Domain.msft, expand Labs, and then click Module06.
   c. Right-click Module06, and then click Properties.
   d. In the Module06 Properties dialog box, on the Group Policy tab, click New.
   e. In the name box of the new Group Policy object, type Autoenrollment and then click Edit.
   f. In Group Policy Object Editor, expand User Configuration, expand Windows Settings, expand Security Settings, and then click Public Key Policies.
   g. In the details pane, double-click Autoenrollment Settings.
   h. In the Autoenrollment Settings Properties dialog box, enable the following options:
6. Log on as a member of the AutoenrollUsers group.
   $ Log on to your computer by using the following information:
     • User name: Enroll1 (on the domain controller) or Enroll2 (on the member server)
     • Password: P@ssw0rd
     • Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
Wait for the Certificate Enrollment balloon to appear in the system tray. It may take 90 seconds to appear.
8. Click the Certificate Enrollment balloon and start the certificate enrollment process.
   a. In the system tray, click the Certificate Enrollment balloon.
   b. In the Certificate Enrollment dialog box, click Start.
Was there any additional user input required to enroll the two autoenrollment certificates?
No. The certificates did not require any additional user input for enrollment.
Smart card certificates require user input. When prompted, the user must place the smart card in the
smart card reader. Additionally, certificates that implement strong private key protection require user
input to enroll and to access the private key.
9. Open the Certificates console that is connected to the current user (Certmgr.msc).
   $ Click Start, click Run, type Certmgr.msc and then click OK.
10. Refresh the personal certificates store in the Certificates – Current User console.
   a. In the Certificates – Current User console, in the console tree, expand Certificates – Current User, expand Personal, and then click Certificates.
   b. Scroll to the right to view the Certificate Template column.
Yes. The autoenrollment process installed the certificates based on the AutoComputer and
AutoPartnerComputer certificate templates.
11. Close all open windows and log off of the network.
   a. Close the Certificates – Current User console.
   b. Close all open windows, and then log off.
Module 7: Configuring Key Archival and Recovery
Contents
Overview 1
Lesson: Introduction to Key Archival and Recovery 2
Lesson: Implementing Manual Key Archival and Recovery 13
Lesson: Implementing Automatic Key Archival and Recovery 21
Multimedia: (Optional) How EFS Works 29
Lab A: Configuring Key Recovery 30
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes
This module explains the importance of creating a strategy for data and key
recovery. Students learn how Microsoft® Windows® XP and
Windows Server™ 2003 enhance the capability of data protection and data
recovery.
After completing this module, students will be able to:
! Describe the key archival and recovery process in a Windows Server 2003
public key infrastructure (PKI).
! Implement manual key archival and recovery.
! Implement automatic key archival and recovery.
Required materials
To teach this module, you need Microsoft PowerPoint® file 2821A_07.ppt.
Preparation tasks
To prepare for this module:
! Read all of the materials for this module.
! Read the white paper, Key Archival and Management in
Windows Server 2003, under Additional Reading on the Web page on the
Student Materials compact disc.
! Complete the practice and the lab.
Guidelines for Key Recovery
Consider asking the students whether their organization’s security policy
requires separation of the certificate manager and key recovery agent (KRA)
roles. Remind the students that the KRA role is not a Common Criteria role, so
they can perform this dual assignment.
Guidelines for Archiving a Private Key Manually
Review each guideline and answer any questions about the guidelines.
How to Recover an Archived Private Key Manually
Perform the steps of a private key recovery. If time permits, ask
students to follow the steps and recover the private key that they archived in the
previous practice Archiving a Private Key Manually.
When performing this lab, students are first exposed to the Key Recovery Tool
from the Windows Server 2003 Resource Kit. Consider demonstrating the tool
before the start of the lab if your students think it would be helpful.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1
The labs in this module require the existence of a CA hierarchy with an offline
root CA and an enterprise subordinate CA. Complete all of Labs A, B, and C in
Module 3, “Creating a Certification Authority Hierarchy,” in Course 2821,
Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2
All of the procedures in Lab A assume that Common Criteria role separation is
enforced. Complete Lab A in Module 4, “Managing a Public Key
Infrastructure,” in Course 2821.
Setup requirement 3
The ability to create and modify certificate templates is delegated to the
CertTmplAdmins global group. Complete Lab A in Module 5, “Configuring
Certificate Templates,” in Course 2821.
Setup requirement 4
The http://WebServer (where WebServer is the fully qualified domain name of
your domain controller) is configured as a member of the Local intranet zone in
the Default Domain Policy.
! Complete Lab B in Module 3, “Creating a Certification Authority
Hierarchy,” in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A
At the completion of Lab A:
! The Key Recovery Agent certificate template is published on the enterprise
subordinate CA.
! KRA1 and KRA2 are designated as KRAs for the enterprise subordinate
CA.
! A version 2 certificate template, ArchiveEFS, based on the Basic EFS
certificate template, is created and published.
! The student has created an EFS protected file.
! The user’s ArchiveEFS certificate and private key are removed by deleting
the user’s profile.
! The user’s ArchiveEFS certificate and private key are recovered by using
the Key Recovery Tool (krt.exe) from the Windows Server 2003
Resource Kit.
Overview
Note The option to archive private keys is blocked if the certificate purpose is
signature or signature and smart card logon.
Note The path in the user’s profile where the private key material is stored is
\Documents and Settings\UserName\Application Data\Microsoft\
SystemCertificates\My\Keys.
Key archival
Use key archival when your security policy requires automated protection of
private keys. Key archival archives the user’s private key on the CA database so
that the private key may be recovered if the private key is lost or corrupted.
When an administrator enables key archival in a certificate template, users
provide their private key to the certification authority (CA) in a CMC
(Certificate Management Protocol) request format. CMC uses CMS
(Cryptographic Message Syntax), an RFC-based syntax for certificate requests.
The CA stores that private key in its database.
Note You can also add private keys to the CA database by importing PKCS
#12 (.pfx) or Microsoft Outlook® Exchange Security (.epf) file formats by using
the certutil -importkms command.
Key recovery
Use key recovery after the key archival process has stored the subject’s private
key in the CA database. During the key recovery process, the certificate
manager retrieves an encrypted blob file that contains the certificate and private
key from the CA database. A KRA then decrypts the private key from the
encrypted file and returns the certificate and private key to the user.
Note Key recovery allows a trusted agent to access a user’s private keys. For
this reason, use key recovery only if your organization permits an administrator
to have access to another user’s private key.
Request formats
The request format defines what information is included in the certificate
request. When a computer, user, or service requests a certificate from a
Windows Server 2003 CA, the following request formats are available:
! PKCS #10 - Certification Request Standard. Describes the syntax of a
request for the certification of a public key, a name, and a set of attributes.
When a user requests a certificate from a CA by saving the request in a file,
the PKCS #10 file format stores the request information and the public key
of the key pair. The certificate requestor then submits the PKCS #10
certificate request file to an offline CA to complete the certificate request.
! CMC – Certificate Management protocol using CMS. Provides an envelope
for a PKCS #10 request. The format also allows the inclusion of more
attributes, such as qualified subordination constraints and extensions or the
signing of a certificate request.
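The following Go program is an added example, not part of the course materials or of Certificate Services, showing what a PKCS #10 request actually carries: a subject name, a set of attributes (here a subject alternative name), the public key of the key pair, and a signature made with the matching private key that the receiving CA verifies as proof of possession. The private key itself never enters the request, which is the difference between this format and the CMC request used for key archival. Go's standard library has no CMC support, so only the PKCS #10 side is shown; the subject names and organization are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// BuildCSR creates a key pair and a PKCS #10 request for it. Only the DER request
// is meant to leave the requestor; the private key is returned to the caller so it
// can be kept for the certificate that eventually comes back from the CA.
func BuildCSR(commonName string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		// Subject name and a SAN attribute; the values are constructed for the example.
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Domain.msft lab (constructed)"}},
		DNSNames: []string{commonName},
	}
	// CreateCertificateRequest signs the request with the private key; that signature
	// is the proof of possession the CA checks before certifying the public key.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// ToPEM wraps the DER request in the text form that is saved to a file and carried
// to an offline CA.
func ToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

// InspectCSR does what the receiving CA does first: parse the request, verify its
// self-signature, and report the subject name, the SAN attribute and the key size.
func InspectCSR(der []byte) (subject string, sans []string, keyBits int, err error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", nil, 0, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, 0, fmt.Errorf("proof of possession failed: %w", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", nil, 0, fmt.Errorf("unexpected key type %T", csr.PublicKey)
	}
	return csr.Subject.CommonName, csr.DNSNames, pub.N.BitLen(), nil
}

// RequestMatchesKey confirms that the request carries the public half of the given
// key pair, which is how the requestor pairs the issued certificate with its key.
func RequestMatchesKey(der []byte, key *rsa.PrivateKey) bool {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

func main() {
	der, key, err := BuildCSR("ws01.domain.msft")
	if err != nil {
		panic(err)
	}
	fmt.Print(ToPEM(der))
	subj, sans, bits, err := InspectCSR(der)
	fmt.Println(subj, sans, bits, err, RequestMatchesKey(der, key))
}
```

Saving the PEM output to a file and submitting it to the offline CA is the "request in a file" flow described above; InspectCSR is the check the CA performs before it considers the attributes in the request.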
Note You can recover a certificate’s private key by presenting only the
subject name of the certificate, but if more than one certificate with the
same subject name exists in the CA database, only the serial number can
differentiate the certificates.
3. A certificate manager extracts the encrypted private key and certificate from
the CA database. The export format of the private key and certificate is a
PKCS #7 file, which is encrypted by using the public key of the Key
Recovery Agent certificate. The certificate manager can use either the Key
Recovery Tool (krt.exe) or certutil -getkey to extract the PKCS #7 file
from the CA database.
4. The certificate manager transfers the PKCS #7 file to the KRA. Because the
PKCS #7 file is encrypted so that only the defined KRA can recover the
encrypted certificate and private key, no additional security is required for
the transfer.
5. The KRA recovers the private key and certificate from the encrypted PKCS
#7 file at a secure workstation, also known as the recovery workstation. The
extraction is performed by using certutil -recoverkey or the Key Recovery
Tool. The private key and certificate are stored in a PKCS #12 file and are
protected with a KRA-assigned password.
6. The KRA then supplies the PKCS #12 file to the user, who provides the
KRA-assigned password and imports the certificate and private key into his
certificate store by using the Certificate Import Wizard.
Note The KRA can also hold the role of the certificate manager for a user. The
organization’s security policy determines whether to combine the KRA and a
certificate manager into one role or keep them as separate roles.
Note You can also use Internet Explorer to export a certificate and its
associated private key. This method is useful for workstations running
Windows operating systems earlier than Windows 2000 that do not include
the Certificates console.
2. Choose the export format. This decision is based on the tool that you use to
archive the private key. If you use the Certificates console, you can export
the file to a PKCS #12 file. If you use Outlook, you can export the file to an
Exchange Security file.
Note You can export X.509v1 certificates only to the Outlook Security file
format. For X.509v3 certificates, you can use either an Outlook Security
file or a PKCS #12 file.
When you export a certificate and its private keys, the following options are
available:
• Include all certificates in the certification path if possible. This option
includes the entire certificate chain of the exported certificate. This
allows the import to include all certificates in the certificate chain up to
the root certificate.
• Enable strong protection (requires IE 5.0, Windows NT 4.0, SP4 or
later). This option requires a password to access the private key that is
stored in the PKCS#12 file. Provide this password to the CA
administrators so they can import the private key to the CA database.
• Delete the private key if the export is successful. This option deletes the
private key that is associated with the certificate from the certificate
store. You must use this option when you export a certificate and private
key so that the private key is removed from the user’s profile.
3. Store the exported file in a secure location. After the certificate and private
key are exported, store the export file in a physically secure location. Copy
the export file to a CD-ROM and then store the CD-ROM in a safe location.
In addition, import the export file to the CA database by using the
certutil -importkms <export file> command.
Note This practice focuses on the concepts in this lesson and as a result may
not comply with Microsoft security recommendations.
10. In the File to Export dialog box, in the File Name box, type
C:\temp\privexport and then click Next.
Note Create the C:\temp folder if it does not exist on your computer.
11. On the Completing the Certificate Export Wizard page, click Finish.
12. In the Certificate Export Wizard message box, click OK.
Tip Do not select Place all certificates in the following store if the export
file contains all certificates in the certificate chain. Choosing to place all
certificates in a specific store results in the CA certificates being placed in
your personal store.
Note You must use Web Enrollment Pages when enrolling the Key
Recovery Agent certificate. Web Enrollment Pages saves a cookie that
refers to the pending certificate request, thereby allowing a direct link to the
certificate request after the certificate is released from its pending state.
4. Issue the pending certificate. A certificate manager must perform this step.
The Key Recovery Agent certificate template requires that a certificate
manager review the certificate request before he issues the pending
certificate. After the certificate is issued, the requesting KRA must install
the certificate by using Web Enrollment Pages on the enterprise CA.
Procedure for enabling a CA for key archival and configuration options
To enable a CA for key archival and configuration options:
1. Log on to the CA as a user who is assigned the CA administrator role.
2. In Administrative Tools, open the Certification Authority console.
3. In the console tree, right-click CAName (where CAName is the logical name
of your CA), and then click Properties.
4. In the CAName Properties dialog box, on the Recovery Agents tab, click
Archive the key, and then click Add.
5. In the Key Recovery Agent Selection dialog box, add one or more of the
Key Recovery Agent certificates published in Active Directory, and then
click OK.
6. On the Recovery Agents tab, in the Number of recovery agents to use
box, type a number between 1 and the number of Key Recovery Agent
certificates added, and then click OK.
7. Restart Certificate Services.
Designating the number of KRAs
When you designate the number of KRAs, you can designate between one and
the number of KRAs that are designated at a CA.
! If you choose a number equal to the total number of Key Recovery Agent
certificates that are designated on the CA, the holder of the Key Recovery
Agent certificate’s private key can recover all private keys that are archived
in the CA database.
! If you choose a number less than the total number of Key Recovery Agent
certificates that are designated on the CA, the CA implements a round-robin
selection method to choose the KRAs for each archived private key that is
stored in the CA database. The selection results in the random designation
of KRAs.
Note Alternatively, the CSP must support the CRYPT_ARCHIVABLE flag. Every
default Microsoft CSP that is included in the operating system supports this
flag.
! Ensure that the CSP that the certificate template uses permits key export. If
the CSP does not allow key export, the private key cannot be sent to the
issuing CA during the certificate enrollment process. For example, a smart
card CSP prohibits the private key from being exported from the smart card
during the smart card enrollment process.
! Select the Archive subject’s encryption private key check box. This
setting enforces that all certificates based on this certificate template archive
the private key, if the certificates are issued by a CA that is enabled for key
archival.
Note The CA that issues the certificates that are based on the archive-enabled
certificate template must be enabled for key archival. If the CA does not have at
least one KRA defined in its properties, the archival of the private key fails.
2. Determines the KRA for the archived private key. After uniquely identifying
the certificate, the certificate manager must determine one or more KRAs
who can recover the certificate’s private key from the CA database. The
certificate manager can use the Key Recovery Tool from the
Windows Server 2003 Resource Kit. The tool identifies the Key Recovery
Agent certificate that is associated with the private key that can decrypt the
archived private key.
3. Extracts the PKCS #7 blob. To extract the archived private key from the CA
database, the certificate manager can use the Key Recovery Tool or the
certutil -getkey <serial number> <outputblob> command. The tool or
command extracts the archived private key for the certificate with the
matching serial number into a PKCS #7 file. The output blob is formatted as
an encrypted PKCS #7 structure that contains the private key encrypted with
the KRA’s public key, the Key Recovery Agent certificates, and the entire
certificate chain.
Note The certutil -getkey command also identifies the KRA for the archived
private key in its output.
KRA tasks When the archived private key is extracted to a PKCS #7 blob, the identified
KRA must recover the private key. The KRA has both the private key that can
decrypt the archived private key and the archived private key that was
encrypted with the KRA’s public key. In other words, only the KRA that holds
the private key that is associated with the public key that was used to encrypt
the archived private key can recover the archived private key. To recover the
archived private key:
1. Recover the archived private key from the encrypted PKCS #7 blob. The
KRA can use the Key Recovery Tool or the certutil -recoverkey
outputblob user.pfx command to recover the private key. These processes
use the KRA’s private key to recover the encrypted private key and store the
recovered private key with its certificate chain in a PKCS #12 file named
user.pfx. The PKCS #12 file is protected with a password that was provided
during the command processing.
Note An event log message with event ID 787 is generated when a private
key is recovered from the database. This message indicates that Certificate
Services recovered an archived private key.
2. Hand deliver the PKCS #12 to the user or place it on a network share that is
accessible only by that user. Do not put the PKCS #12 file on a public
network share or send it to the user in an e-mail message. Inform the user
of the password that is required to import the private key and certificate
chain that is stored in the PKCS #12 file.
User tasks After receiving the PKCS #12 file from the KRA, the user must import the
private key and the associated certificate chain into her personal certificate store. The
user double-clicks the PKCS #12 file and runs the Certificate Import Wizard.
When proceeding through the wizard, the user must provide the password that
is used to protect the PKCS #12 file.
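The certificate manager, KRA and user tasks above are three separate roles operating on the same blob. The following PowerShell script is an added example, not code from the course or from Microsoft: it wraps the certutil -getkey and certutil -recoverkey commands the module documents, restricts the resulting PKCS #12 file to the recovered user (the module's alternative to hand delivery), and lists the event ID 787 entries the module says Certificate Services writes on recovery. The CA configuration string, serial number, file paths and account name are placeholders; that the 787 event is found in the Application log is an assumption.

```powershell
# Added example (not part of the course): the key recovery flow of this module,
# split by role. Each function is meant to be run under the matching account;
# all parameter values below are placeholders for the lab's own values.

# --- Certificate manager role: extract the encrypted PKCS #7 blob -----------
# Requires the Certificate Manager role on the CA. The blob is still encrypted
# to the KRA's public key, so the certificate manager cannot read the key.
function Export-ArchivedKeyBlob {
    param(
        [string]$CaConfig = 'DCNAME\DomainCA',       # <DC name>\<CA name>
        [string]$Serial   = '00000000000000000000',  # placeholder serial number
        [string]$BlobPath = 'C:\recovery\recover.blob'
    )
    $output = & certutil.exe -config $CaConfig -getkey $Serial $BlobPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed:`n$($output -join "`n")" }
    # certutil -getkey also names the KRA certificate(s) that can decrypt the blob,
    # which tells the manager which KRA to hand the file to.
    return ($output | Out-String)
}

# --- KRA role: decrypt the blob with the KRA's private key ------------------
# Only the KRA holding the private key matching a KRA certificate named in the
# blob can succeed here. The result is a password-protected PKCS #12 file.
function Restore-ArchivedKey {
    param(
        [string]$BlobPath = 'C:\recovery\recover.blob',
        [string]$PfxPath  = 'C:\recovery\user.pfx'
    )
    $secure = Read-Host -Prompt 'Password to protect the PKCS #12 file' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # -f overwrites an existing output file; -p supplies the PKCS #12 password.
        $output = & certutil.exe -f -p $plain -recoverkey $BlobPath $PfxPath 2>&1
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed:`n$($output -join "`n")" }
}

# Restrict the PFX so only the recovered user can read it (the module says not
# to place it on a public share or e-mail it). Inherited ACEs are removed first.
function Protect-PfxForUser {
    param(
        [string]$PfxPath     = 'C:\recovery\user.pfx',
        [string]$UserAccount = 'DOMAIN\EFS1'          # placeholder account
    )
    $acl = Get-Acl -Path $PfxPath
    $acl.SetAccessRuleProtection($true, $false)       # stop inheriting, drop inherited ACEs
    Set-Acl -Path $PfxPath -AclObject $acl
    $acl = Get-Acl -Path $PfxPath                     # re-read: only explicit ACEs remain
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $PfxPath -AclObject $acl            # owner keeps WRITE_DAC implicitly
}

# --- Audit: the module states that event ID 787 records each recovery. -------
# Assumption: the event is in the Application log of the CA server.
function Get-KeyRecoveryEvents {
    param([int]$Newest = 200)
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.EventID -eq 787 } |
        Select-Object TimeGenerated, Source, Message
}

# Usage, each step under the account that holds the role:
#   certificate manager:  Export-ArchivedKeyBlob -CaConfig 'DCNAME\DomainCA' -Serial '<serial>'
#   KRA:                  Restore-ArchivedKey; Protect-PfxForUser -UserAccount 'DOMAIN\EFS1'
#   CA auditor:           Get-KeyRecoveryEvents
```

Keeping the three functions separate, rather than chaining them in one run, mirrors the role separation the module enforces: no single account holds both the Certificate Manager role and a KRA private key, so the script cannot be run end to end by one person.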
Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations. For instance, this lab does
not export the Key Recovery Agent certificates and private keys to PKCS #12
files. Nor does the lab remove the KRA user accounts from Active Directory or
revoke the EFS user certificates after KRA recovers the private keys from the
CA database.
Additional information: For more information about configuring key recovery, see the white paper, Key
Archival and Management in Windows Server 2003, under Additional Reading
on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 45 minutes
Exercise 1
Publishing the Key Recovery Agent Certificate Template
In this exercise, you will configure the enterprise CA in your domain to issue Key Recovery Agent
certificates. To enforce role separation, you will issue these certificates to users that do not hold
Common Criteria management roles.
Scenario
Your organization wants the ability to recover private keys that are used for EFS encryption in the
event that the private keys are corrupted or deleted accidentally.
1. Log on using your certificate template administration account.
Log on to the domain by using the following credentials:
• User name: Template2
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. In the Certificate Templates console, view the Issuance Requirement properties of the Key Recovery Agent certificate template.
a. Click Start, click Run, type Certtmpl.msc and then click OK.
b. In the Certificate Templates dialog box, click OK.
c. In the details pane, double-click Key Recovery Agent.
d. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements tab.
What special requirements are implemented for certificate enrollment of the Key Recovery Agent
certificates?
3. Take ownership of the Key Recovery Agent certificate template.
a. In the Key Recovery Agent Properties dialog box, on the Security tab, click Advanced.
b. In the Advanced Security Settings for LDAP://ForestName/KeyRecoveryAgent (where ForestName is the DNS name of your forest), on the Owner tab, click Template2, and then click Apply.
c. Click OK.
Important: Perform this procedure on the domain controller for your domain.
5. Log on using your domain administration account and password.
Log on to your computer with the following credentials:
• User name: CAadmin1
• Password: P@ssw0rd
• Domain: Domain
6. Publish the Key Recovery Agent certificate template on DomainCA.
a. On the Start menu, click Administrative Tools, and then click Certification Authority.
b. In the console tree, expand DomainCA (where Domain is the NetBIOS name of your domain), and then click Certificate Templates.
c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
d. In the Enable Certificate Templates dialog box, select Key Recovery Agent, and then click OK.
e. In the details pane, verify that the Key Recovery Agent certificate template appears.
f. Close the Certification Authority console.
g. Log off the network.
Exercise 2
Enrolling the Key Recovery Agent certificates
In this exercise, you will log on by using a non-administrative account that is a member of the
KRAs global group, and then you will request a Key Recovery Agent certificate.
Scenario
Your organization has decided to implement non-administrator accounts as the KRAs for your
organization. The KRAs must now enroll the modified Key Recovery Agent certificate templates.
1. Log on to the network as a member of the KRAs group.
Log on to the domain by using the following credentials:
• User name: KRA1 (on the domain controller) or KRA2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain).
The certificate is set to a pending status until a CA certificate manager issues the certificate.
Why is it preferable to request a Key Recovery Agent certificate by using Web-based enrollment?
If the certificate is set to a pending status, the Web-based enrollment method uses cookies, which
enable you to check the status of the pending certificate request.
Wait at this point until your partner completes the initial enrollment process for the Key Recovery Agent
certificate.
Important: Perform this procedure on the domain controller for your domain.
3. Issue the pending Key Recovery Agent certificate requests, and then log off the network.
a. On the Start menu, click Administrative Tools, right-click Certification Authority, and then click Run as.
b. In the Run As dialog box, click The following user, and then provide the following credentials:
• User name: Domain\CertAdmin1 (where Domain is the NetBIOS name of your domain)
• Password: P@ssw0rd
c. In the Run As dialog box, click OK.
d. In the Certification Authority console, expand DomainCA, and then click Pending Requests.
e. In the details pane, select all pending certificate requests.
f. Right-click the pending certificate requests, point to All Tasks, and then click Issue.
g. Close the Certification Authority console.
Exercise 3
Enabling Key Recovery on the Enterprise CA
In this exercise, you will enable key recovery on the enterprise CA by adding the Key Recovery
Agent certificates that are issued to the KRAs in your forest.
Scenario
You must designate the certificate for each KRA to enable key recovery on the enterprise CA.
Important: Perform this procedure on the domain controller for your domain.
1. Log on to the network using your CA administrator account.
Log on to the domain by using the following credentials:
• Logon name: CAadmin1
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certification Authority console and perform the following actions:
• Define KRA1 and KRA2 as key recovery agents.
• Define the number of recovery agents to use as 2.
a. On the Start menu, click Administrative Tools, and then click Certification Authority.
b. In the console tree, right-click DomainCA, and then click Properties.
c. In the DomainCA Properties dialog box, on the Recovery Agents tab, click Archive the key.
d. In the Number of recovery agents to use box, type 2
e. In the DomainCA Properties dialog box, on the Recovery Agents tab, click Add.
f. In the Key Recovery Agent Selection dialog box, select the Key Recovery Agent certificate issued to KRA1, and then click OK.
g. In the DomainCA Properties dialog box, on the Recovery Agents tab, click Add.
h. In the Key Recovery Agent Selection dialog box, select the Key Recovery Agent certificate issued to KRA2, and then click OK.
i. In the DomainCA Properties dialog box, click OK.
j. In the Certification Authority dialog box, click Yes to restart Certificate Services.
Exercise 4
Creating an Archive-enabled Certificate Template
In this exercise, you will create a new certificate template based on the Basic EFS certificate
template that enables key archival.
Scenario
Your company wants to deploy EFS to encrypt critical data files. Rather than implement an EFS
Recovery Agent, you will archive the EFS encryption private keys on an enterprise CA on a
computer running Windows Server 2003, Enterprise Edition.
1. Ensure that you are logged on using your domain administrative account.
Ensure that you are logged on to the domain by using the following credentials:
• Logon name: Template2
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
2. Open the Certificate Management console and create a new certificate template named ArchiveEFS, based on the Basic EFS certificate template.
a. On the Start menu, click Run, type Certtmpl.msc and then click OK.
b. If the Certificate Templates message box appears, click OK.
c. In the details pane, right-click Basic EFS, and then click Duplicate Template.
d. In the Properties of New Template dialog box, in the Template display name box, type ArchiveEFS and then click OK.
Important: Perform this procedure on the domain controller for your domain.
5. Ensure that you are logged on with your domain administrative account.
Ensure that you are logged on to the domain with the following credentials:
• Logon name: CAadmin1
• Password: P@ssw0rd
• Domain: Domain
Exercise 5
Acquiring an ArchiveEFS Certificate
In this exercise, you will acquire an ArchiveEFS certificate, and then use the private key to encrypt
a file on drive C. You will verify that EFS used the private key from the ArchiveEFS certificate to
encrypt the file encryption key.
Scenario
After you deploy the ArchiveEFS certificate, all users who implement EFS must acquire an
ArchiveEFS certificate. Deployment of the ArchiveEFS certificate to all users of the network
ensures that private key recovery is possible for all EFS-encrypted files.
1. Log on to your domain by using your EFS user account with a password of P@ssw0rd.
Log on to the domain by using the following credentials:
• User name: EFS1 (at the domain controller) or EFS2 (at the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. In the Certificates – Current User console, use the Certificate Request Wizard to request an ArchiveEFS certificate with the friendly name of Archive EFS.
a. Click Start, click Run, type Certmgr.msc and then click OK.
b. In the console tree, expand Certificates – Current User, and then click Personal.
c. Right-click Personal, click All Tasks, and then click Request New Certificate.
d. On the Welcome to the Certificate Request Wizard page, click Next.
e. On the Certificate Types page, select ArchiveEFS, and then click Next.
f. On the Certificate Friendly Name and Description page, in the Friendly name box, type Archive EFS and then click Next.
g. On the Completing the Certificate Request Wizard page, click Finish.
h. In the Certificate Request Wizard message box, click OK.
3. View the details of the ArchiveEFS certificate.
a. In the console tree, expand Certificates – Current User, expand Personal, and then click Certificates.
b. In the details pane, double-click the ArchiveEFS certificate.
You must scroll to the right and expand the column width to view the Certificate Template column.
c. In the Certificate dialog box, on the Details tab, in the Show drop-down list, select Properties only.
Answers will vary. Every certificate has a unique thumbprint value. The thumbprint is a digital hash
of the contents of the certificate, signed with the issuing CA’s private key.
7. View the properties of the Secret.txt file to determine the thumbprint of the certificate that can open the encrypted file.
a. In the C:\EFS folder, right-click Secret.txt, and then click Properties.
b. In the Secret.txt Properties dialog box, on the General tab, click Advanced.
c. In the Advanced Attributes dialog box, click Details.
d. In the Encryption Details for C:\EFS\Secret.txt dialog box, adjust the column widths in the Users Who Can Transparently Access This File section so you can view the Certificate Thumbprint column.
Does the value of the certificate thumbprint in the Data Decryption Field attribute match your certificate
thumbprint that you recorded earlier?
Yes, the value is the same. EFS uses the private key of the ArchiveEFS certificate to encrypt the file
encryption key.
8. Close the property sheets for C:\EFS\Secret and log off the network.
a. In the Encryption Details for C:\EFS\Secret.txt dialog box, click OK.
b. In the Advanced Attributes dialog box, click OK.
c. In the Secret.txt Properties dialog box, click OK.
d. Close all open windows and then log off.
Exercise 6
Performing Key Recovery
In this exercise, you will recover the private key of the ArchiveEFS certificate that the issuing CA
issued to your EFS user account.
Scenario
The EFS# (where # is 1 or 2) user has experienced problems with her profile. To fix the problem, a
local administrator has deleted her user profile. When the user logs on to the network, the problem
is fixed, but she can no longer access her EFS encrypted files. You must recover the EFS private
key to enable this user to access her EFS encrypted files.
1. Log on with your domain administrative account.
Log on to the domain by using the following credentials:
• User name: Student1 (on the domain controller) or Student2 (on the member server)
• Password: Password (where Password is the password that was assigned to your administrative account)
• Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
2. In the System folder in Control Panel, delete the EFS1 profile (on the domain controller) or the EFS2 profile (on the member server), and then log off the network.
a. On the Start menu, click Control Panel, and then click System.
b. In the System Properties dialog box, on the Advanced tab, in the User Profiles section, click Settings.
c. In the User Profiles dialog box, under Profiles stored on this computer, select EFS1 (on the domain controller) or EFS2 (on the member server), and then click Delete.
d. In the Confirm Delete dialog box, click Yes.
e. In the User Profiles dialog box, click OK.
f. In the System Properties dialog box, click OK.
g. Close all open windows and then log off.
3. Log on using your domain administrative account.
Log on by using the following credentials:
• User name: EFS1 (on the domain controller) or EFS2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain
No. The ArchiveEFS certificate’s private key was deleted when you deleted the user’s profile.
5. Ensure that you are logged on using your Certificate Manager account.
Log on by using the following credentials:
• User name: CertAdmin1 (on the domain controller) or CertAdmin2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain
6. Open the Certification Authority console.
On the Start menu, click Administrative Tools, and then click Certification Authority.
If you are working on the member server in your domain, an error appears that states that Certificate Services does not exist as an installed service. You must retarget the console to the domain controller.
7. Retarget the Certification Authority console to manage the enterprise CA in your domain.
a. In the Microsoft Certificate Services message box, click OK.
b. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
c. In the Certification Authority dialog box, click Another computer, and then click Browse.
d. In the Select Certification Authority dialog box, select DomainCA (where Domain is the NetBIOS name of your domain), and then click OK.
e. In the Certification Authority dialog box, click Finish.
8. In the Certification Authority console, add the Archive Key column to issued certificates.
a. In the console tree, expand DomainCA (where Domain is the NetBIOS name of your domain), and then click Issued Certificates.
b. On the View menu, click Add/Remove Columns.
c. In the Add/Remove Columns dialog box, in the Available Columns list, select Archived Key, and then click Add.
d. In the Add/Remove Columns dialog box, click OK.
e. In the details pane, scroll to the right and ensure that the Archived Key column for the issued ArchiveEFS certificates contains the value Yes.
9. In the Certification Authority console, find the serial number of the ArchiveEFS certificate that the CA issued to your EFS account.
a. In the details pane, expand the width of the Serial Number column to show the complete serial number.
What is the serial number of the ArchiveEFS certificate that was issued to your EFS user account?
Answers will vary. Every certificate that a CA issues is assigned a unique certificate serial number.
10. In Key Recovery Tool (C:\moc\2821\labfiles\module7\krt.exe), determine the key recovery agent for the EFS1 or EFS2 certificate.
a. Click Start, click Run, type C:\moc\2821\labfiles\module7\krt.exe and then click OK.
b. In the Key Recovery Tool, define the following settings, and then click Search.
• Certification authority (CA): Dcname.Domain.msft\DomainCA (where Dcname is the NetBIOS name of your domain controller and Domain is the NetBIOS name of your domain)
• Search Criteria drop-down list: Common Name
• Search Criteria box: EFS1 (on the domain controller) or EFS2 (on the member server)
Does the serial number of the ArchiveEFS certificate that was issued to your EFS account match the
previously recorded serial number?
Yes, the serial number matches. This certificate is associated with the archived key for your EFS
account.
When is it preferable to search for the archived certificate by serial number rather than by common name?
Search by serial number when a user has multiple certificates that have archived private keys.
10. (continued)
c. In the Key Recovery Tool, in the Certificates list, select the listed certificate, and then click Show KRA.
What is the subject and serial number of the Key Recovery Agent certificates that can recover the private key
of the EFS users’ certificate?
Both Key Recovery Agent certificates can recover the encrypted private key because the CA
administrator designated two Key Recovery Agent certificates for the server.
10. (continued)
d. In the Key Recovery Agents Used for Archival dialog box, click Close.
Can you use your certificate manager account to recover the private key?
No. You do not have access to the Key Recovery Agent certificate’s private key that can recover the
EFS account private key that is stored in the CA database.
When can you use the Recover button in the Key Recovery Tool?
You can use the Recover button in the Key Recovery Tool only when you hold both the certificate
manager and key recovery agent roles.
11. Export the encrypted private key material to an output file named C:\moc\2821\labfiles\module7\recover by using the Retrieve Blob button in the Key Recovery Tool.
a. In the Key Recovery Tool, in the Certificates list, select the certificate listed, and then click Retrieve Blob.
b. In the Save As dialog box, in the File name box, type C:\moc\2821\labfiles\module7\recover and then click Save.
c. In the Key Recovery Tool, click Close.
d. Close all open windows and then log off.
If you did not have access to the Key Recovery Tool, what certutil command can you use to extract the
PKCS #7 blob from the CA database?
12. Log on to the network with your KRA user account.
Log on to the network by using the following credentials:
• User name: KRA1 (on the domain controller) or KRA2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
13. Recover the ArchiveEFS certificate private key to a file named C:\moc\2821\labfiles\module7\EFS.pfx, and then close all open windows and log off the network.
a. Click Start, click Run, type C:\moc\2821\labfiles\module7\krt.exe and then click OK.
b. In the Key Recovery Tool, click Decrypt Blob.
c. In the Open dialog box, in the File name box, type C:\moc\2821\labfiles\module7\recover.blob and then click Open.
d. In the Save As dialog box, enter the following information:
• File name: EFS.pfx
• Password: P@ssw0rd
• Confirmation: P@ssw0rd
e. In the Save As dialog box, click Save.
f. In the Key Recovery Tool Info dialog box, click OK.
g. In the Key Recovery Tool, click Close.
h. Close all open windows and then log off.
14. Log on using the following credentials.
Log on by using the following credentials:
• Logon name: EFS1 (on the domain controller) or EFS2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
15. Import the EFS.pfx file into your personal store by using the following options:
• Password: P@ssw0rd
• Click Mark this key as exportable. This will allow you to back up or transport your keys at a later time
• Certificate Store: Automatically select the certificate store based on the type of certificate
a. Open the C:\moc\2821\labfiles\module7 folder.
b. Double-click EFS.pfx.
c. On the Certificate Import Wizard page, click Next.
d. On the File to Import page, click Next.
e. On the Password page, in the Password box, type P@ssw0rd
f. Click Mark this key as exportable. This will allow you to back up or transport your keys at a later time, and then click Next.
g. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.
h. On the Completing the Certificate Import Wizard page, click Finish.
i. In the Certificate Import Wizard message box, click OK.
j. Close the C:\moc\2821\labfiles\module7 folder.
Yes. You now have the private key that can decrypt the file encryption key that is stored in the Data
Decryption Field attribute of Secret.txt.
Overview 1
Lesson: Introduction to Advanced PKI Hierarchies 2
Lesson: Qualified Subordination Concepts 13
Lesson: Configuring Constraints in a Policy.inf File 28
Lesson: Implementing Qualified Subordination 41
Lab A: Implementing a Bridge CA 53
Module 8: Configuring Trust Between Organizations iii
Instructor Notes
Presentation: 60 minutes
Lab: 90 minutes
In this module, students will learn how to extend an organization’s PKI trust
hierarchy to other organizations. By extending the trust hierarchy, an
organization’s certificates can be used and trusted across organizations for
purposes like secure e-mail messages, client authentication, and server
authentication.
This module describes the various methods of extending your CA hierarchy to
other organizations.
After completing this module, students will be able to:
! Describe advanced PKI hierarchies.
! Describe how constraints are used in qualified subordination.
! Configure a policy.inf file to implement qualified subordination constraints.
! Implement qualified subordination between certification authority (CA)
hierarchies.
Required materials To teach this module, you need Microsoft® PowerPoint® file 2821A_08.ppt.
Steps for Modifying a Cross Certification Authority Certificate Template: Explain to students that they must perform major modifications to the Cross
Certification Authority certificate template only when they do not use the
default application policy signing OID. Consider showing students the Issuance
Requirements tab of a version 2 certificate in the Certificate Templates console
(Certtmpl.msc), and discuss how they would implement a custom application
policy OID.
Demonstration: Creating Certificate Templates for Qualified Subordination: You must perform this demonstration on the instructor computer exactly as it is
written. This demonstration creates the Qualified Subordination Signing
certificate template that the lab requires, and then publishes it and the Cross
Certification Authority certificate template. The most common error in this
demonstration is to omit publishing the Cross Certification Authority certificate
template.
How to Create a Cross Certification Authority Certificate: Explain that the Certreq.exe command-line tool generates the Cross
Certification Authority certificate. Review the syntax of the command, and
show students that even though they start at a command line, the process is
actually a graphical process.
How to Publish a Cross Certification Authority Certificate: This topic prepares students for the upcoming lab. Explain that the only time
that students must publish a Cross Certification Authority certificate is when
they implement a Bridge CA. Explain that the Cross Certification Authority
certificates that a Bridge CA issues must be published at all organizations that
participate in the bridge CA hierarchy. Discuss the scenario in which a new
organization joins a Bridge CA hierarchy. Explain that each organization in the
Bridge CA hierarchy must publish the certificate issued by the Bridge CA to the
new organization to allow trust of the certificates issued by the new
organization.
How to Verify Qualified Subordination: Review the syntax of the certutil -viewstore command. The most common
mistake students make is to mistype the command. If time permits, demonstrate
other ways to verify the publication of the Cross Certification Authority
certificate, such as by using the ADSIEdit.msc console.
Lab A This lab is the longest lab in the course. Consider providing the students with
extra time to take a break during the lab. It is recommended that you review the
two policy.inf files with the students before they create the Cross Certification
Authority certificate request files. This way, they can catch any errors before
they affect the rest of the lab.
The lab uses Terminal Services to connect to the instructor computer. Ensure
that Terminal Services is configured as presented in the Manual Setup Guide
for this course, so that one user account is allowed multiple terminal sessions.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1 The labs in this module require that a CA hierarchy with an offline root CA and
an enterprise subordinate CA exist. Complete all of Lab A, Lab B, and Lab C in
Module 3, “Creating a Certification Authority Hierarchy,” in Course 2821,
Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2 All of the procedures in the lab assume that Common Criteria role separation is
enforced. Complete Lab A in Module 4, “Managing a Public Key
Infrastructure,” in Course 2821.
Setup requirement 3 The ability to create and modify certificate templates is delegated to the
CertTmplAdmins global group. Complete Lab A in Module 5, “Configuring
Certificate Templates,” in Course 2821.
Setup requirement 4 The http://WebServer (where WebServer is the fully qualified domain name of
your domain controller) is configured as a member of the Local intranet zone in
the Default Domain Policy. Complete Lab B in Module 3, “Creating a
Certification Authority Hierarchy,” in Course 2821.
Setup requirement 5 The instructor must perform the demonstration titled Creating Certificate
Templates for Qualified Subordination before students start Lab A. The lab
depends on the completion of this demonstration, because it prepares the
London computer to issue Qualified Subordination Signing and Cross
Certification Authority certificates. Complete the demonstration titled Creating
Certificate Templates for Qualified Subordination in Module 8, “Configuring
Trust Between Organizations,” in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A At the completion of Lab A:
! A custom certificate template named Qualified Subordination Signing is
published on the enterprise subordinate CA.
! The Domain-to-Bridge.inf file is modified to enforce the required qualified
subordination constraints and policies.
! A Qualified Subordination Signing certificate is issued to Student1.
! A Cross Certification Authority certificate that implements the qualified
subordination constraints that are defined in the Domain-to-Bridge.inf file is
issued to the Bridge CA.
! The Bridge-to-Domain.inf file is copied to Domain.inf (where Domain is
the NetBIOS name of a student pair’s domain).
! The Domain.inf file is modified to enforce the required qualified
subordination constraints and policies.
! A Cross Certification Authority certificate that implements the qualified
subordination constraints that are defined in the Domain.inf file is issued to
each subordinate enterprise CA, which completes the Bridge CA hierarchy.
! All Cross Certification Authority certificates that the Bridge CA issued are
copied to the \\London\BridgeCerts share.
! All existing Cross Certification Authority certificates that the Bridge CA
issued are published in each student forest's Active Directory database by
using the certutil -dspublish -f Certname.crt CrossCA command.
! A QS Email certificate template is created. The certificate template meets
all qualified subordination constraints.
! QS Email certificates are issued to QualSub1 and QualSub2.
! All QS Email certificates are copied to a share named \\London\ClientCerts.
Overview
When to establish trust Consider implementing certificate trust when your organization must:
! Trust certificates that are issued by another organization’s CA hierarchy.
! Recognize certificates that are issued to people that are external to your
organization.
Importing a CTL You can export a CTL from one GPO and import it to another GPO in another
organizational unit or domain. The import and export function ensures that the
same CTL settings are enforced between Group Policy containers.
Note You can import a trusted root certificate from a PKCS #12 file, a
PKCS #7 file, a certificate file, or a Microsoft serialized certificate store file.
Considerations when deploying a common root CA
A common root CA allows total trust between the organizations that designate
the common root CA as a trusted root CA. Consider the following facts before
you deploy a common root CA:
! The root CA is restricted by the security policy and certificate policy of the
organization that hosts the common root CA. These policies may not align
with your organization’s policies.
! The cost of a Subordinate Certification Authority certificate may be high,
and every certificate that is issued by the subordinate CA that your
organization hosts may incur additional costs.
! Organizations other than your trusted partner can use the common root CA.
If a certificate is chained to the common root CA, the certificate is trusted
for all purposes, even if this is not what your organization wants. A common
root CA implies total trust for certificates that are chained to the common
root CA.
Note Rather than acquire certificates from a common root CA, the two
organizations can designate the other organization’s root CA as a trusted root
CA. Like a common root CA, this configuration results in total trust of all
certificates that are issued by the other organization’s CA hierarchy.
Note Use caution when choosing the CA certificate that you provide to the
partner organization. The partner organization will recognize only user and
computer certificates that are issued by the chosen CA or CAs that are
subordinate to the chosen CA.
For example, to configure complete trust between Contoso, Ltd and Northwind
Traders, the issuing CA in each CA hierarchy must issue a Cross Certification
Authority certificate to the root CA in the partner organization’s CA hierarchy.
The Cross Certification Authority certificate allows certificates that the partner
organization issues to be trusted by PKI-enabled applications in your
organization.
Note The Cross Certification Authority certificates are stored in the Active
Directory database of the organization that issues the certificate. The issuing
organization uses the certificate to build certificate chains for certificates that
the partner organization issues.
Note For more information about bridge CA design, see the Federal Bridge
Certification Authority (FBCA) Web site at http://www.cio.gov/fbca/.
Defining constraints You can define constraints for qualified subordination in one of the following
ways:
! When you install a CA, you can define constraints in CAPolicy.inf. The
constraints are then implemented on the CA during the installation of the
CA or during the certificate renewal process.
! When you issue a Cross Certification Authority certificate, the request
process for the certificate defines constraints in a policy.inf file.
Note For more information about basic constraints, see section 4.2.1.10 of
RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, under Additional Reading on the Web page on
the Student Materials compact disc.
Recommendations for basic constraints
Define basic constraints only in CA certificates that are issued to a subordinate
CA in your organization's CA hierarchy. If you implement a basic constraint in
the Root CA certificate, a change in the basic constraint requires a complete
redeployment of the CA hierarchy.
You can define basic constraints in a Cross Certification Authority certificate
that you issue to the root CA of a partner organization. Changing the basic
constraints in this scenario only requires that you issue a new Cross
Certification Authority certificate and delete the previous Cross Certification
Authority certificate.
Note If the name that is specified in the request is not present in the list of
constraints, the qualified CA will reject the request.
Example For example, when you configure qualified subordination between your
organization and a partner organization, you usually do not want your partner’s
CA infrastructure to issue certificates that contain names in your organization’s
namespace. The use of name constraints can ensure that your namespace, and
all recognized formats of your namespace, are excluded in certificates that your
partner’s CA hierarchy issues.
Note For more information about name constraints, see section 4.2.1.11 of
RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, under Additional Reading on the Web page on
the Student Materials compact disc.
Rules for processing name constraints
When you process name constraints, consider the following rules:
! A certificate is accepted if all names in the certificate match the
corresponding permitted name constraints.
! A certificate is rejected if any name in the certificate matches a
corresponding excluded name constraint.
! If a namespace is defined in both a permitted and an excluded name
constraint, the excluded name constraint takes precedence.
! Name constraints are applied to the Subject attribute and any existing
Subject Alternative Name extensions.
Note Constraints apply only to name forms that are both specified as name
constraints and present in the certificate being evaluated. If no name of a
constrained type is in the certificate, that constraint is not applied and the
certificate is acceptable (RFC 3280, section 4.2.1.11).
When you issue certificates that include both Application Policy and EKU
extensions, ensure that the two extensions are identical in their assignment of
OIDs. They must not conflict with each other; otherwise, the policies will be
applied inconsistently depending on which extension an application evaluates.
Note For more information about certificate status checking and revocation,
see the white paper, Troubleshooting Certificate Status and Revocation, under
Additional Reading on the Web page on the Student Materials compact disc.
When you define application policies in a certificate that is issued to a CA, the
OIDs that are associated with the application policy are applied to all issued
certificates. The All Applications OID indicates that the application policy
includes all application policies. This application policy is normally reserved
for certificates that are issued to CAs.
Note For more information about application policies, see section 4.2.1.13 of
RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, under Additional Reading on the Web page on
the Student Materials compact disc.
Note The x.y.z portion of the OID is a randomly generated numeric sequence
that is unique for each forest that has the Windows Server 2003 schema
extensions.
Custom certificate policies
In addition to these default certificate policies, your organization can create
custom OIDs to use for custom certificate policies. The OIDs should be part of
an OID space that you acquire from the Internet Assigned Numbers Authority
(IANA), for example a Private Enterprise Number arc, or from a similar
registration authority.
For example, two organizations that are involved in a purchaser and seller
relationship can define custom OIDs to represent digital signature certificates
for specific purchase amounts. They may define one OID for purchases
between $100,000 and $500,000 and another OID for purchases greater than
$500,000. Applications can then use these OIDs to recognize whether a person
had the appropriate signing authority for a specific volume purchase.
Defining certificate policies between organizations
When certificate policies are implemented between organizations, the OIDs that
one organization defines are mapped to the OIDs that the other organization
defines. By defining mappings between the OIDs, equivalent OIDs are
identified between the organizations.
Note For more information about certificate policies, see section 4.2.1.5 in
RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, under Additional Reading on the Web page on
the Student Materials compact disc.
Note Review the security policy or certificate policy to ensure that they
provide sufficient information to define qualified subordination constraints.
! Modify your CPS to reflect the inclusion of external users in your PKI.
Usually, a CPS only applies to internal users. Before you extend the PKI
beyond your organization through qualified subordination, be sure to revise
your CPS to account for external users.
Note This practice focuses on the concepts in this lesson and as a result may
not comply with Microsoft security recommendations.
Scenario You are a network administrator for Northwind Traders, where e-mail
communication is conducted between the members of your legal department
and your organization’s law firm, Contoso, Ltd. You must ensure the security
of all e-mail messages exchanged between the two organizations.
CA hierarchy of Contoso, Ltd
To help you configure certificate trust between the two organizations, Contoso,
Ltd has provided the following diagram of its CA hierarchy.
Questions Based on the scenario and requirements presented, answer the following
questions:
1. What type of constraint must you apply to ensure that only certificates that
are issued by the MailCA are accepted from employees of Contoso, Ltd.?
a. Basic Constraint
b. Name Constraint
c. Application Policy
d. Certificate Policy
a. Basic Constraint
2. What type of constraint must you apply to ensure that background checks
are performed for all Contoso employees who will send encrypted and
digitally signed e-mail messages?
a. Basic Constraint
b. Name Constraint
c. Application Policy
d. Certificate Policy
d. Certificate Policy
3. What type of constraint must you apply to ensure that only secure e-mail
certificates are accepted from Contoso, Ltd. employees?
a. Basic Constraint
b. Name Constraint
c. Application Policy
d. Certificate Policy
c. Application Policy
4. What type of constraint must you apply to ensure that only secure e-mail
certificates from Contoso, Ltd. are accepted?
a. Basic Constraint
b. Name Constraint
c. Application Policy
d. Certificate Policy
b. Name Constraint
Note To see an example of a policy.inf file, see appendix A of the white paper,
Planning and Implementing Cross-Certification and Qualified Subordination
using Windows Server 2003, under Additional Reading on the Web page on
the Student Materials compact disc, and see Appendix B in the same
whitepaper for a sample of CAPolicy.inf.
When you define a basic constraint with a path length of one, it enforces the
restriction to accept only certificates that are issued by the CA that is named in
the subject field of the Cross Certification Authority certificate and CAs that are
directly subordinate to it.
If the CA that issued the Cross Certification Authority certificate evaluates a
certificate that was issued by a CA two levels below the cross-certified CA, the
certificate is rejected.
Guideline for defining a basic constraint
Define basic constraints only in Cross Certification Authority certificates that
you issue to subordinate CAs in a partner's CA hierarchy. If you implement a
basic constraint in a Cross Certification Authority certificate that is issued to a
root CA, the PathLength constraint must be large enough to reach the issuing
CAs in the partner's CA hierarchy. A large PathLength constraint can mean you
end up trusting additional CAs beyond those that your organization intended to
trust.
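The path-length rule described above, worked through as an added example (this code is not part of the course and is not Microsoft's tooling). It applies the RFC 3280 section 6.1.4 max_path_length processing to a chain that starts with the Cross Certification Authority certificate your CA issued to the partner CA; certificates are modelled as small dicts and the Contoso chain is constructed for the demonstration.

```python
"""Path-length (basicConstraints) processing for a cross-certified chain.

Added example, not course material: applies the RFC 3280 section 6.1.4
max_path_length rule to the scenario on this page, where the Cross
Certification Authority certificate issued to the partner CA carries
pathLenConstraint = 1. Certificates are modelled as small dicts and every
chain below is constructed for the demonstration.
"""


def accept_chain(chain):
    """`chain` is issuer-first: the Cross Certification Authority certificate
    our CA issued, then each partner CA certificate below it, then the
    end-entity certificate. Returns (accepted, reason)."""
    if not chain or chain[-1].get("is_ca"):
        return False, "chain must end in an end-entity certificate"
    remaining = None          # RFC 3280 max_path_length; None = no limit yet
    for cert in chain[:-1]:   # every certificate except the end entity is a CA
        if not cert.get("is_ca"):
            return False, f"{cert['subject']} is not a CA but issued a certificate"
        if remaining is not None:
            if remaining == 0:
                return False, f"pathLenConstraint exhausted at {cert['subject']}"
            remaining -= 1    # this CA certificate consumes one level
        path_len = cert.get("path_len")
        if path_len is not None and (remaining is None or path_len < remaining):
            remaining = path_len   # a tighter constraint lower down wins
    return True, "chain satisfies every pathLenConstraint"


def contoso_chain(levels_below, cross_cert_path_len=1):
    """Constructed chain: our cross certificate to Contoso's CA, then
    `levels_below` Contoso subordinate CAs, then a Contoso user certificate."""
    chain = [{"subject": "CN=Contoso Root CA", "is_ca": True,
              "path_len": cross_cert_path_len}]
    for level in range(levels_below):
        chain.append({"subject": f"CN=Contoso Sub CA {level + 1}", "is_ca": True})
    chain.append({"subject": "CN=lawyer, OU=Lawyers, DC=contoso, DC=msft",
                  "is_ca": False})
    return chain


if __name__ == "__main__":
    # With pathLenConstraint = 1: direct issuance and one level below pass,
    # two levels below is rejected, as the text above describes.
    for levels in range(3):
        print(levels, accept_chain(contoso_chain(levels)))
```

The decrement happens before the certificate's own pathLenConstraint is applied, so a subordinate CA certificate that carries a smaller pathLenConstraint than the cross certificate tightens the remaining budget rather than extending it.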
Configuring name constraints
You implement name constraints by defining the Permitted and Excluded name
constraints in the [NameConstraintsExtension] section of a policy.inf file.
For example, if your organization, Contoso, Ltd, wants to implement name
restrictions so that certificates that Northwind Traders issues include only the
Northwind Traders names—and exclude Contoso, Ltd names, add the following
sections to a policy.inf:
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True
[NameConstraintsPermitted]
DirectoryName = "DC=nwtraders, DC=msft"
email = @nwtraders.msft
UPN = .nwtraders.msft
UPN = @nwtraders.msft
[NameConstraintsExcluded]
DirectoryName = "DC=Contoso, DC=msft"
email = @contoso.msft
UPN = .contoso.msft
UPN = @contoso.msft
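The rules for processing name constraints given earlier in this module, applied to the policy.inf fragment above, as an added example (this code is not part of the course and is not Microsoft's chain engine). It includes a small INF reader, because the standard configparser module rejects the repeated UPN keys, and implements the RFC 3280 section 4.2.1.11 matching for the three name forms the sample uses; the "@domain" and ".domain" spellings follow the page's sample, and all certificate names are constructed.

```python
"""Name-constraint evaluation for a qualified-subordination cross certificate.

Added example (not part of the course or of Microsoft's tooling): a reader
for the [NameConstraintsExtension] sections of a policy.inf file plus the
RFC 3280 section 4.2.1.11 matching rules for the name forms the page's
sample uses (email, UPN, DirectoryName). The policy.inf text and the
certificate names are constructed for the demonstration.
"""

# Constructed policy.inf fragment, copied from the page's Contoso example.
POLICY_INF = """
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DirectoryName = "DC=nwtraders, DC=msft"
email = @nwtraders.msft
UPN = .nwtraders.msft
UPN = @nwtraders.msft

[NameConstraintsExcluded]
DirectoryName = "DC=Contoso, DC=msft"
email = @contoso.msft
UPN = .contoso.msft
UPN = @contoso.msft
"""


def parse_inf(text):
    """Parse INF text into {section: [(key, value), ...]}. Duplicate keys
    (the two UPN lines) are kept; keys are lower-cased, quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key.lower(), value.strip('"')))
    return sections


def name_constraints(inf):
    """Return (permitted, excluded) as {name_form: [pattern, ...]}."""
    ext = dict(inf["NameConstraintsExtension"])

    def subtree(section):
        forms = {}
        for form, pattern in inf.get(section, []):
            forms.setdefault(form, []).append(pattern)
        return forms

    return subtree(ext["include"]), subtree(ext["exclude"])


def _rdns(dn):
    """Split a DN string into lower-cased RDNs (assumes no escaped commas)."""
    return tuple(part.strip().lower() for part in dn.split(","))


def matches(form, name, pattern):
    """Does one certificate name fall inside one constraint pattern?"""
    name, pattern = name.lower(), pattern.lower()
    if form in ("email", "upn"):
        if "@" not in name:
            return False
        host = name.rsplit("@", 1)[1]
        if pattern.startswith("@"):        # "@nwtraders.msft": exactly that domain
            return host == pattern[1:]
        if pattern.startswith("."):        # ".nwtraders.msft": any subdomain of it
            return host.endswith(pattern)
        return name == pattern             # a complete mailbox or UPN
    if form == "directoryname":
        subject, base = _rdns(name), _rdns(pattern)
        # The constraint DN must be the tail of the subject DN: the subject
        # sits below the constraint in the directory tree.
        return len(subject) >= len(base) and subject[-len(base):] == base
    raise ValueError(f"name form {form!r} is not modelled in this example")


def evaluate(names, permitted, excluded):
    """Apply the module's four rules. `names` is {form: [value, ...]} using the
    lower-cased INF key names ("email", "upn", "directoryname"), gathered
    from the Subject and every Subject Alternative Name. Excluded subtrees
    are checked first, so they win over an overlapping permitted subtree."""
    for form, values in names.items():
        for value in values:
            for pattern in excluded.get(form, []):
                if matches(form, value, pattern):
                    return False, f"{form} {value!r} is in excluded subtree {pattern!r}"
    for form, values in names.items():
        allowed = permitted.get(form)
        if not allowed:      # no permitted subtree defined for this name form
            continue
        for value in values:
            if not any(matches(form, value, pattern) for pattern in allowed):
                return False, f"{form} {value!r} is outside every permitted subtree"
    # RFC 3280: a constraint on a name form absent from the certificate is not
    # applied, so a certificate carrying none of the constrained forms is accepted.
    return True, "all names satisfy the name constraints"


def check_certificate(names, inf_text=POLICY_INF):
    """Evaluate `names` against the constraints defined in `inf_text`."""
    permitted, excluded = name_constraints(parse_inf(inf_text))
    return evaluate(names, permitted, excluded)
```

Run check_certificate against a dict of the certificate's names; a Contoso address is rejected by the excluded subtree even when the directory name is inside the permitted Northwind Traders tree, and an address in a third organization's domain is rejected because the permitted email subtree exists and does not cover it.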
Acceptable name formats
When you create a new CA, you can define name constraints for the CA by
configuring CAPolicy.inf. Similarly, when you create a Cross Certification
Authority certificate, you define name constraints in the policy.inf file.
The following table describes the various naming and addressing formats for
name constraints.
Naming and addressing format | Description
Note For more information about naming and addressing formats, see the
white paper, Planning and Implementing Cross-Certification and Qualified
Subordination Using Windows Server 2003, under Additional Reading on the
Web page on the Student Materials compact disc.
When you issue a Cross Certification Authority certificate, you can configure a
policy.inf file to specify which application policy OIDs are permitted in
certificates that the partner organization issues.
Configuring application policies
To configure application policies in a policy.inf file, create the following
sections:
[ApplicationPolicyStatementExtension]
Policies = AppEmailPolicy, AppCodeSignPolicy, AppAuthPolicy
CRITICAL = FALSE
[AppEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4 ; Secure Email
[AppCodeSignPolicy]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing
[AppAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
Note You can view all defined application policy OIDs in the Certificate
Templates console by right-clicking Certificate Templates in the console tree,
and then clicking View Object Identifiers.
Using Custom OIDs If you define a custom application policy OID, you must map application
policies between organizations in the [ApplicationPolicyMappingsExtension]
section. This section uses the same format where the local OID maps to the
OID that the other organization in the qualified subordination uses, as shown in
the following code sample:
[ApplicationPolicyMappingsExtension]
1.3.6.1.4.1.311.21.64 = 1.2.3.4.98
1.3.6.1.4.1.311.21.65 = 1.2.3.4.100
critical = true
[HighAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.401
[MediumAssurancePolicy]
OID = 1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.402
Note The high assurance and medium assurance certificate policy OIDs are
unique for every forest. To obtain the OIDs used in your forest, right-click
Certificate Templates in the Certificate Templates console, and then click
View Object Identifiers.
Obtaining OIDs from a partner
After you define the OIDs for your organization's certificate policies, obtain the
complementary OIDs from the partner organization. Obtain the partner's OIDs
because the OIDs differ between the two organizations.
Policy mapping When qualified subordination is configured between two CAs that use
certificate policies, you must map the OIDs between the two organizations in
the policy.inf file that you create. Policy mapping ensures that only authorized
OIDs from a partner organization are allowed in certificates that the partner
organization issues. The policy mapping associates the partner organization’s
OID with an OID that is defined in your organization’s PKI.
The following example shows how certificate policy mapping is configured in
CAPolicy.inf or a policy.inf file.
[PolicyMappingsExtension]
1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.401 = 1.3.6.1.4.1.311.21.8.242424.101010.50717.505050505.1.401
1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.402 = 1.3.6.1.4.1.311.21.8.242424.101010.50717.505050505.1.402
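What the relying organization's chain processing does with the policy mappings above and with the permitted application policies from the [ApplicationPolicyStatementExtension] section earlier in this lesson, as an added example (not part of the course or of Microsoft's chain engine). Partner certificates are constructed dicts; the OIDs are the ones this page uses. The requireExplicitPolicy and inhibitPolicyMapping counters of RFC 3280 section 6.1 are deliberately not modelled.

```python
"""Certificate-policy mapping and application-policy filtering.

Added example, not from the course or from Microsoft: models what the
relying organisation does with the [PolicyMappingsExtension] and
[ApplicationPolicyStatementExtension] sections shown on this page. Partner
certificates are constructed dicts; the OIDs are the ones the page uses.
Not modelled: requireExplicitPolicy / inhibitPolicyMapping (RFC 3280 6.1).
"""

SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"

# Our forest's certificate-policy OIDs (the page's [HighAssurancePolicy] and
# [MediumAssurancePolicy] sections).
HIGH_ASSURANCE = "1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.401"
MEDIUM_ASSURANCE = "1.3.6.1.4.1.311.21.8.247374.109598.50717.506190032.1.402"

# [PolicyMappingsExtension]: our OID = the partner's equivalent OID.
POLICY_MAPPINGS = {
    HIGH_ASSURANCE: "1.3.6.1.4.1.311.21.8.242424.101010.50717.505050505.1.401",
    MEDIUM_ASSURANCE: "1.3.6.1.4.1.311.21.8.242424.101010.50717.505050505.1.402",
}

# [ApplicationPolicyStatementExtension]: application-policy OIDs the cross
# certificate permits in partner-issued certificates.
PERMITTED_APPLICATION_POLICIES = {
    SECURE_EMAIL: "Secure Email",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
}


def translate_policies(partner_policies, mappings=POLICY_MAPPINGS):
    """Map the partner's certificate-policy OIDs onto ours. An OID with no
    mapping is dropped: the cross certificate never declared it equivalent
    to anything we recognise, so it carries no meaning in our PKI."""
    partner_to_local = {theirs: ours for ours, theirs in mappings.items()}
    return {partner_to_local[oid] for oid in partner_policies if oid in partner_to_local}


def effective_application_policies(cert, permitted=PERMITTED_APPLICATION_POLICIES):
    """Intersect the certificate's purposes with what the cross certificate
    allows. A certificate with neither an EKU nor an Application Policies
    extension is valid for all purposes, so it inherits exactly the permitted
    set. If it carries both extensions they must agree, as the earlier note
    on EKU and Application Policy requires."""
    eku = cert.get("eku")
    app = cert.get("application_policies")
    if eku is not None and app is not None and set(eku) != set(app):
        raise ValueError("EKU and Application Policies extensions disagree")
    purposes = eku if eku is not None else app
    if purposes is None:
        return set(permitted)
    return set(purposes) & set(permitted)


def accept_for_secure_email(cert, required_policy=HIGH_ASSURANCE):
    """Relying-party decision for the page's legal-department scenario:
    the partner certificate must be usable for Secure Email after filtering
    and must map to the local certificate policy we require."""
    try:
        purposes = effective_application_policies(cert)
    except ValueError as err:
        return False, str(err)
    if SECURE_EMAIL not in purposes:
        return False, "Secure Email is not an effective application policy"
    if required_policy not in translate_policies(cert.get("policies", [])):
        return False, "no partner policy maps to the required local certificate policy"
    return True, "accepted"
```

Note the direction of the mapping: the partner asserts its own OIDs in the certificates it issues, and only the mapping in your cross certificate turns those into policies your applications understand. Anything the partner asserts that you did not map is discarded rather than trusted.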
Policy qualifiers You can provide additional information about the certificate policies that are
implemented at a CA by configuring policy qualifiers. Policy qualifiers are
typically URLs that provide information directly or provide links to information
that describe the purpose of the certificate policy. The following code sample
shows how to define a policy qualifier for the LegalPolicy certificate policy:
[LegalPolicy]
OID = 1.3.6.1.4.1.311.21.43
Notice = "Legal policy statement text"
URL = "http://www.example.microsoft.com/policy/isspolicy.asp"
When a user views the certificate in an application, the Notice text is
displayed first, and the user can then open the referenced URL from the
certificate viewer. This configuration ties the CPS to the issued
certificates.
Note This practice focuses on the concepts in this lesson and as a result may
not comply with Microsoft security recommendations.
Scenario You are a network administrator for Northwind Traders. Your organization
requires e-mail communication between the members of the legal department
and your organization’s law firm, Contoso, Ltd.
Contoso’s CA hierarchy To aid in the configuration of certificate trust between the two organizations,
Contoso has provided you the following diagram of its CA hierarchy.
Requirements Northwind Traders will only accept certificates from the Contoso CA hierarchy
that are issued to employees of Contoso.msft. If the name in a certificate is not
from Contoso, the certificate should be rejected. Enforce name constraints at all
times.
Contoso informs you that all e-mail certificates will include the following name
formats in the subject and subject alternative name fields:
! E-mail address. All certificates will include the employee’s e-mail address
in the subject name. The e-mail address will include the e-mail suffix
@contoso.msft.
! Directory name. All certificates will include the employee’s LDAP
distinguished name in the subject alternative name. All accounts that will
participate in the e-mail project are located in the Lawyers organizational
unit of the Contoso.msft domain.
2. In the space provided, complete the required sections of the policy.inf file:
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True
[NameConstraintsPermitted]
DirectoryName = "OU=lawyers,DC=contoso, DC=msft"
email = @contoso.msft
UPN = .contoso.msft
UPN = @contoso.msft
[NameConstraintsExcluded]
DirectoryName = "DC=nwtraders, DC=msft"
email = @nwtraders.msft
UPN = .nwtraders.msft
UPN = @nwtraders.msft
Procedure for defining the certificate purpose and CSP
After you create the Qualified Subordination certificate template, you define the
purpose of the Qualified Subordination certificate and the CSP. To define the
purpose and CSP:
1. In the details pane, double-click Qualified Subordination.
2. In the Qualified Subordination Properties dialog box, on the Request
Handling tab, click CSPs.
3. In the CSP Selection dialog box, click Requests must use one of the
following CSPs.
4. In the CSPs list, select Microsoft Enhanced Cryptographic Provider
v1.0, and then click OK.
5. In the Qualified Subordination Properties dialog box, on the Security tab,
assign Read and Enroll permissions to a global group that contains the
Qualified Subordination signing agents that you defined.
6. Click Apply.
Procedure for removing the Certificate Request Agent application policy
After you define the CSP and permissions, remove the Certificate Request
Agent application policy from the certificate template. To remove the
Certificate Request Agent application policy:
1. In the Qualified Subordination Properties dialog box, on the Extensions
tab, in the Extensions included in this template list, select Application
Policies, and then click Edit.
2. In the Edit Application Policies Extension dialog box, in the Application
policies list, select Certificate Request Agent, and then click Remove.
3. In the Edit Application Policies Extension dialog box, click OK.
Procedure for adding the Qualified Subordination application policy OID
After you remove the Certificate Request Agent application policy from the
certificate template, you can add the Qualified Subordination application policy
OID to the certificate template in the following way:
1. In the Qualified Subordination Properties dialog box, on the Extensions
tab, in the Extensions included in this template list, select Application
Policies, and then click Edit.
2. In the Edit Application Policies Extension dialog box, click Add.
3. In the Add Application Policy dialog box, in the Application policies list,
select Qualified Subordination, and then click OK.
4. In the Edit Application Policies Extension dialog box, ensure that
Qualified Subordination appears in the Application policies list, and then
click OK.
5. In the Qualified Subordination Properties dialog box, click OK.
Note You can substitute a custom application policy for the Qualified
Subordination application policy OID by clicking New in the Add Application
Policy dialog box.
Procedure for publishing the certificate template
The final step in designing the Qualified Subordination certificate template is to
publish the certificate template on an enterprise CA in your organization's CA
hierarchy. Publishing the certificate template will make the certificate template
available to potential Qualified Subordination signing agents. To publish the
certificate template:
1. Ensure you are logged on as a CA administrator, and then open the
Certification Authority console.
2. In the Certification Authority console, in the console tree, expand
CAName (where CAName is the logical name of your CA), and then click
Certificate Templates.
3. In the console tree, right-click Certificate Templates, click New, and then
click Certificate Template to Issue.
4. In the Enable Certificate Templates dialog box, select Qualified
Subordination, and then click OK.
5. In the details pane, verify that Qualified Subordination appears.
6. Have the Qualified Subordination signing agents acquire a Qualified
Subordination certificate.
7. Click OK.
Procedure for publishing the certificate template
To deploy a certificate based on these templates, the CA must be running
Windows Server 2003, Enterprise Edition, because only the Enterprise and
Datacenter editions of Windows Server 2003 can issue certificates based on
version 2 certificate templates. To configure Windows Server 2003, Enterprise
Edition to issue Qualified Subordination Signing and Cross Certification
Authority certificate templates:
1. Log on as a CA administrator on a computer running Windows Server 2003,
Enterprise Edition that has Certificate Services configured as an enterprise
CA.
2. Open the Certification Authority console.
3. In the console tree, expand CAName (where CAName is the name of your
CA).
4. In the console tree, right-click Certificate Templates, point to New, and
then click Certificate Template to Issue.
5. In the Enable Certificate Templates dialog box, in the list of available
templates, click Cross Certification Authority, and then click OK.
6. In the details pane, ensure that Cross Certification Authority appears.
7. Close the Certification Authority console.
Note This demonstration focuses on the concepts in this lesson and as a result
may not comply with Microsoft security recommendations.
Procedure for creating a Qualified Subordination Signing certificate template
The first step in creating a Qualified Subordination Signing certificate is to
duplicate the Enrollment Agent certificate template. To create the Qualified
Subordination Signing certificate template:
1. Open the Certificate Templates (Certtmpl.msc) console.
2. In the details pane, right-click Enrollment Agent, and then click Duplicate
Template.
3. In the Properties of New Template dialog box, on the General tab, in the
Template display name box, type Qualified Subordination Signing and
then click OK.
Procedure for modifying the attributes of the certificate template
After creating the version 2 certificate template, make the following
modifications to the certificate template attributes:
1. In the details pane, double-click Qualified Subordination Signing.
2. On the Extensions tab, select Application Policies, and then click Edit.
3. In the Edit Application Policies Extension dialog box, select Certificate
Request Agent, and then click Remove.
4. In the Edit Application Policies Extension dialog box, click Add.
5. In the Add Application Policy dialog box, select Qualified Subordination
and then click OK.
6. In the Edit Application Policies Extension dialog box, click OK.
Note You can increase the security of the Qualified Subordination Signing
certificate by using a custom application policy OID and then configuring the
Cross Certification Authority certificate template to require the custom OID.
Procedure for publishing the certificate templates
After you create the Qualified Subordination Signing certificate template, and,
if necessary, have modified the template, you must publish the two certificate
templates on an enterprise CA in your CA hierarchy. To publish the certificate
templates:
1. Open the Certification Authority console.
2. In the console tree, expand CAName (where CAName is the name of the
CA).
3. In the console tree, right-click Certificate Templates, click New, and then
click Certificate Template to Issue.
4. In the Enable Certificate Templates dialog box, click Cross Certification
Authority, press CTRL and click Qualified Subordination Signing, and
then click OK.
5. In the details pane, verify that Cross Certification Authority and
Qualified Subordination Signing appear.
Important Ensure that you publish both the Cross Certification Authority
and Qualified Subordination Signing certificate templates.
Procedure for publishing Cross Certification Authority certificates
To publish the Cross Certification Authority certificates that were issued by the
Bridge CA:
1. On the Bridge CA, copy all issued Cross Certification Authority certificates
to a common share.
2. On each forest that is connected to the Bridge CA, run certutil -dspublish
-f certificate1.crt CrossCA (where certificate1.crt is the first Cross
Certification Authority certificate).
3. Repeat the process for all certificates that the Bridge CA issues to all forests
that are connected to the Bridge CA.
3. In the View Certificate Store dialog box, select the Cross Certification
Authority certificate that you want to view, and then click View Certificate.
4. In the Certificate dialog box, on the Certification Path tab, ensure that the
certification path shows that the CAName certificate is chained to your
organization’s root CA certificate.
Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations. For instance, this lab does
not comply with the recommendation that role separation should be enabled on
the Bridge CA for PKI management.
Additional information For more information about implementing qualified subordination, read the
white paper, Planning and Implementing Qualified Subordination Using
Windows Server 2003, Enterprise Edition under Additional Reading on the
Web page on the Student Materials compact disc.
Estimated time to complete this lab: 90 minutes
Scenario All organizations in the classroom must configure certificate trust between the
organizations by using the certificate bridge service that Northwind Traders
offers.
To enforce the qualified subordination constraints, Northwind Traders and its
partners will implement qualified subordination between the partners’ issuing
CAs and the bridge CA that exists at Northwind Traders.
The finalized bridge CA configuration for the classroom is based on the
following diagrams. Each subordinate enterprise CA will issue a Cross
Certification Authority certificate to the bridge CA on the instructor computer
and will be issued a Cross Certification Authority certificate from the
BridgeCA.
Note The classroom does not require deployment of all 24 computers. If there
are fewer than 24 computers, each pair of computers can be cross-certified with
the Bridge CA, thereby enabling certificate trust to occur between all
organizations in the classroom.
Exercise 1
Creating a Qualified Subordination Signing Certificate Template
In this exercise, you will create the Qualified Subordination Signing certificate template. A certificate issued from this template is what an administrator uses to sign the Cross Certification Authority certificate request.
Scenario
A Cross Certification Authority certificate request must be signed with a certificate that carries the Qualified Subordination application policy OID. You must create the template for these signing certificates and issue them to the users who will sign Cross Certification Authority certificate requests.
1. Log on using your certificate template administration account.
   Log on to the domain by using the following credentials:
   • User name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates dialog box appears, click OK.
3. Create a new certificate template named Qualified Subordination Signing based on the Enrollment Agent certificate template.
   a. In the Certificate Templates console, in the details pane, right-click Enrollment Agent, and then click Duplicate Template.
   b. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type Qualified Subordination Signing and then click OK.
4. Disable all CSPs for the Qualified Subordination Signing certificate except for the Microsoft Enhanced Cryptographic Provider v1.0 CSP.
   a. In the details pane, double-click Qualified Subordination Signing.
   b. On the Request Handling tab, click CSPs.
   c. In the CSP Selection dialog box, in the CSPs list, select only Microsoft Enhanced Cryptographic Provider v1.0, and then click OK.
   d. In the Qualified Subordination Signing Properties dialog box, click Apply.
5. Select the following issuance requirements: CA certificate manager approval, and Valid existing certificate for reenrollment.
   a. On the Issuance Requirements tab, click CA certificate manager approval.
   b. Under Require the following for reenrollment, click Valid existing certificate, and then click Apply.
6. Remove all existing application policy extensions, and add the Qualified Subordination application policy.
   a. On the Extensions tab, select Application Policies, and then click Edit.
   b. In the Edit Application Policies Extension dialog box, select Certificate Request Agent, and then click Remove.
   c. Click Add.
   d. In the Add Application Policy dialog box, in the Application policies list, select Qualified Subordination, and then click OK.
   e. In the Edit Application Policies Extension dialog box, click OK.
   f. On the Extensions tab, click OK.
7. View the Issuance Requirements tab for the Cross Certification Authority certificate template.
   a. In the details pane, double-click Cross Certification Authority.
   b. In the Cross Certification Authority Properties dialog box, click the Issuance Requirements tab.
What issuance requirements exist for the Cross Certification Authority certificate template?
The certificate request must be signed by a certificate with the Qualified Subordination application
policy.
How can you increase the security for Cross Certification Authority certificates?
You can implement a custom OID in the application policy of the Qualified Subordination certificate
template, and require that the custom application policy OID be used to sign the certificate request for
the Cross Certification Authority certificate.
8. Close all open windows and log off the network.
   a. Close the Certificate Templates console.
   b. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
9. Log on using your domain administration account and password.
   Log on to your computer by using the following credentials:
   • User name: CAadmin1
   • Password: P@ssw0rd
   • Domain: Domain
10. Publish the Qualified Subordination Signing and the Cross Certification Authority certificate templates on the DomainCA.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, select the following certificate templates:
      • Cross Certification Authority
      • Qualified Subordination Signing
   e. In the Enable Certificate Templates dialog box, click OK.
   f. In the details pane, ensure that the Cross Certification Authority and Qualified Subordination Signing certificate templates appear.
   g. Close the Certification Authority console.
   h. Close all open windows and then log off.
Exercise 2
Configuring the Policy.inf File
Introduction
In this exercise, you will configure the policy.inf file to enforce the required qualified subordination
constraints for the bridge CA deployment.
Scenario
Your organization wants to participate in the federated bridge project. To limit the certificates that
are trusted from other organizations, you must implement the following qualified subordination
constraints in the policy.inf file.
Qualified subordination constraint   Required setting
Basic Constraints                    Limit to two CAs below your CA, and inhibit policy mapping (the latter is expressed in the Policy Constraints extension, not in Basic Constraints itself)
Name Constraints                     Allow any namespace except your organization's namespace
Certificate Policies                 Allow only certificates with the Medium Assurance certificate policy, which indicates that the certificates were issued in a face-to-face meeting
Application Policies                 Accept only certificates for secure e-mail, client authentication, and server authentication from the partner organizations
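The four rows above each map onto a named section of a certreq policy.inf. The file below is an added example, not one of the lab's Domain-to-Bridge.inf files: it assumes the organization's namespace is contoso.msft, and the two Medium Assurance OIDs and the CPS URL are placeholders that stand in for the values you paste from View Object Identifiers (your own OID where the lab file has MyMediumOID, the Northwind Traders OID on the right-hand side of the mapping).

```ini
; Added example of a qualified subordination policy.inf (not a lab file).
; Placeholders: contoso.msft (our namespace), both Medium Assurance OIDs, the CPS URL.
[Version]
Signature="$Windows NT$"

; Basic Constraints: at most two CA levels may follow this cross-certificate
[BasicConstraintsExtension]
PathLength=2
Critical=Yes

; "Inhibit policy mapping" lives here, not in Basic Constraints.
; InhibitPolicyMapping=0 means the very next certificate in the chain may not
; map policy OIDs any further; RequireExplicitPolicy=0 means every certificate
; below must carry an acceptable policy, so unlabelled partner certs fail.
[PolicyConstraintsExtension]
RequireExplicitPolicy=0
InhibitPolicyMapping=0
Critical=Yes

; Name Constraints: no permitted subtrees (= any namespace), but exclude our own
; names so a partner CA can never issue a certificate for our users or hosts.
[NameConstraintsExtension]
Include=NameConstraintsPermitted
Exclude=NameConstraintsExcluded
Critical=Yes

[NameConstraintsPermitted]
; left empty on purpose: any namespace except the excluded ones

[NameConstraintsExcluded]
DNS=.contoso.msft
email=@contoso.msft
UPN=@contoso.msft
DirectoryName="DC=contoso,DC=msft"

; Certificate Policies: only Medium Assurance (face-to-face issuance) is acceptable
[PolicyStatementExtension]
Policies=MediumAssurance
Critical=No

[MediumAssurance]
; placeholder: our own Medium Assurance OID (MyMediumOID in the lab file)
OID=1.3.6.1.4.1.311.21.8.1111.2222.3333.1.400
; placeholder CPS URL
URL=http://www.contoso.msft/cps/medium.asp

; Policy Mappings: our (issuer-domain) OID on the left = the partner's
; (subject-domain) Medium Assurance OID on the right, so a Northwind Traders
; certificate labelled with its own OID satisfies the policy above.
[PolicyMappingsExtension]
1.3.6.1.4.1.311.21.8.1111.2222.3333.1.400 = 1.3.6.1.4.1.311.21.8.4444.5555.6666.1.400
Critical=No

; Application Policies: accept only these three usages from the partner
[ApplicationPolicyStatementExtension]
Policies=SecureEmail, ClientAuthentication, ServerAuthentication
Critical=No

[SecureEmail]
OID=1.3.6.1.5.5.7.3.4

[ClientAuthentication]
OID=1.3.6.1.5.5.7.3.2

[ServerAuthentication]
OID=1.3.6.1.5.5.7.3.1
```

Passed to certreq -policy together with the Bridge CA's certificate, this file produces the Cross Certification Authority request that Exercise 4 submits. Marking Name Constraints and Policy Constraints critical is deliberate: a chaining engine that does not understand them must then reject the chain rather than silently ignore the limits you placed on the partner.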
Setup
Use the following table to help you complete the lab.
Computer            DNS domain            Forest name
__________________  ____________________  ____________________
Important: Perform this procedure on the domain controller for your domain.
1. Log on using your domain administration account and password.
   Log on to your computer by using the following credentials:
   • User name: Student1
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
4. Update the certificate policies in the Domain-to-Bridge.inf file to reflect your organization's Medium Assurance certificate policy OID.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates dialog box appears, click Yes.
   c. If the Certificate Templates message box appears, click OK.
   d. In the console tree, right-click Certificate Templates, and then click View Object Identifiers.
   e. In the View Object Identifiers dialog box, in the Available object identifiers list, select Medium Assurance, and then click Copy Object Identifier.
   f. In the View Object Identifiers dialog box, click Close.
   g. Close Certificate Templates.
   h. In the taskbar, click Domain-to-Bridge.inf – Notepad.
   i. On the Edit menu, click Replace.
   j. In the Replace dialog box, in the Find what box, type MyMediumOID
   k. In the Replace dialog box, right-click Replace with, and then click Paste.
   l. Click Replace All.
   m. Click Cancel.
   n. Minimize Domain-to-Bridge.inf – Notepad.
5. Connect to the London computer by using Remote Desktop Connection as Administrator with a password of P@ssw0rd.
   a. On the Start menu, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer box, type London and then click Connect.
   c. In the Log On to Windows dialog box, log on by using the following credentials:
      • User name: Administrator
      • Password: P@ssw0rd
      • Log on to: Nwtraders
   d. In the Log On to Windows dialog box, click OK.
6. In the Remote Desktop Connection to London, copy the Medium Assurance OID for the Northwind Traders forest to the Windows clipboard.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the console tree, right-click Certificate Templates, and then click View Object Identifiers.
   c. In the View Object Identifiers dialog box, in the Available object identifiers list, select Medium Assurance, and then click Copy Object Identifier.
   d. Minimize the Remote Desktop Connection window.
The Domain-to-Bridge.inf file excludes your domain’s name space in the defined name constraints.
Secure e-mail, client authentication, and server authentication application policies are defined in the
file.
8. Save any changes and close Domain-to-Bridge.inf – Notepad.
   a. On the File menu, click Save.
   b. Close the Domain-to-Bridge.inf – Notepad window.
9. In the Remote Desktop Connection, close all open windows and then log off the network.
   a. In the taskbar, click London - Remote Desktop.
   b. In the View Object Identifiers dialog box, click Close.
   c. Close Certificate Templates.
   d. On the Start menu, click Log Off.
   e. In the Log Off Windows dialog box, click Log Off.
Exercise 3
Requesting a Qualified Subordination Signing Certificate
In this exercise, you will request a Qualified Subordination Signing certificate so that you can issue
a Cross Certification Authority certificate to the Bridge CA that is located on the instructor’s
computer.
Scenario
Now that the Qualified Subordination Signing certificate template is configured and published on
the enterprise subordinate CA, a member of the Domain Admins group must request a Qualified
Subordination Signing certificate.
Important: Perform this procedure on the domain controller for your domain.
1. Ensure that you are logged on to the network with your domain administrator account.
   Ensure that you are logged on to the domain with the following credentials:
   • User name: Student1
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
3. Log on to the network as a member of the certificate administrators.
   Log on to the domain by using the following credentials:
   • User name: Certadmin2
   • Password: P@ssw0rd
   • Domain: Domain
4. Open the Certification Authority console.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the Microsoft Certificate Services message box, click OK.
   c. In the console tree, right-click Certification Authority, and then click Retarget Certification Authority.
   d. In the Certification Authority dialog box, click Another computer, and then click Browse.
   e. In the Select Certification Authority dialog box, select DomainCA, and then click OK.
   f. In the Certification Authority dialog box, click Finish.
5. Issue the pending Qualified Subordination Signing certificate request and then log off the network.
   a. In the Certification Authority console, expand DomainCA, and then click Pending Requests.
   b. In the details pane, select all pending certificate requests. Before you issue them, confirm that the Requester Name column shows the account you expect: the CA certificate manager approval requirement on this template exists so that a person verifies who is asking for a certificate that can sign cross-certification requests.
   c. Right-click the pending certificate requests, point to All Tasks, and then click Issue.
   d. Close the Certification Authority console.
   e. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
   • Click Qualified Subordination Signing Certificate (Date and Time)
   • Click Install this certificate
   e. On the Certificate Issued page, click Install this certificate.
   f. In the Potential Scripting Violation dialog box, click Yes to allow the Web site to add a certificate to your computer.
   g. Ensure that the Certificate Installed page appears, which indicates that the certificate has been installed successfully.
   h. Close Internet Explorer.
   i. Close all open windows.
Exercise 4
Generating the Cross Certification Authority Certificate for the
Bridge CA
In this exercise, you will generate the Cross Certification Authority certificate for the Bridge CA,
and then inspect the certificate properties.
Scenario
You must issue a Cross Certification Authority certificate to the Bridge CA to enforce the qualified
subordination constraints that are defined in the Domain-to-Bridge.inf policy file.
Important: Perform this procedure on the domain controller for your domain.
1. Open the \\London\Certenroll share by using the Administrator credentials.
   a. Click Start, click Run, type \\London\Certenroll and then click OK.
   b. In the Connect to London.nwtraders.msft dialog box, enter the following credentials:
      • User name: Administrator
      • Password: P@ssw0rd
4. In the Certreq.exe wizard, provide the following information:
   • Request file: London.nwtraders.msft_BridgeCA.crt
   • .inf file: Domain-to-Bridge.inf
   • Enrollment Registration Agent certificate: QS Signing certificate
   • Request file name: CrossCA.req
   a. In the Open Request File dialog box, in the Files of type drop-down list, select Certificate Files (*.cer,*.crt,*.der).
   b. In the File name box, type C:\moc\2821\labfiles\module8 and then click Open.
   c. Select London.nwtraders.msft_BridgeCA.crt, and then click Open.
   d. In the Open Inf File dialog box, select Domain-to-Bridge.inf, and then click Open.
   e. In the Certificate List dialog box, select your QS Signing certificate, and then click OK.
   f. In the Save Request dialog box, in the File name box, type CrossCA.req and then click Save.
   g. Close the command prompt.
5. In the Certification Authority console, submit the CrossCA.req certificate request file, and then save the resulting certificate as BridgeCA.cer.
   a. On the Start menu, point to Administrative Tools, and then click Certification Authority.
   b. In the console tree, right-click DomainCA, point to All Tasks, and then click Submit new request.
   c. In the Open Request File dialog box, select CrossCA.req, and then click Open.
   d. In the Save Certificate dialog box, in the File name box, type BridgeCA.cer and then click Save.
   e. Close the Certification Authority console.
6. Ensure that you are logged on to the network with your domain administrator account.
   Ensure that you are logged on to the domain with the following credentials:
   • User name: Student1 (on the domain controller) or Student2 (on the member server)
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain
Do the certificate purposes match the application policies that are defined in the Domain-to-Bridge.inf file?
Yes. The purposes are: Protects e-mail messages (secure email), Ensures the identity of a remote
computer (server authentication), and Proves your identity to a remote computer (client
authentication).
What name constraints are defined in the Cross Certification Authority certificate? Do these name constraints
match those that are defined in the Domain-to-Bridge.inf file?
Yes. The certificate shows name constraint exclusions for your namespace as defined in the Domain-to-
Bridge.inf file.
What policy mappings are defined in the Cross Certification Authority certificate? Do these policy mappings
match the certificate policy extensions in the Domain-to-Bridge.inf file?
The certificate shows policy mapping where the OID for Medium Assurance in your organization
maps to the Medium Assurance OID for Northwind Traders.
7. (continued)
   e. In the Certificate dialog box, click the Certification Path tab.
   The certification path is RootCA → DomainCA → BridgeCA (where RootCA is the NetBIOS name of your offline root CA and Domain is the NetBIOS name of your domain).
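The wizard steps and the three questions above can be driven and checked from a script, which is how you would want to do it outside a classroom where dozens of cross-certificates are issued. The PowerShell below is an added example and not one of the course lab files: it assumes the lab paths, an issuing CA reachable as dc1.contoso.msft\DomainCA, and contoso.msft as the organization's own namespace; the Qualified Subordination Signing certificate is still picked in the dialog that certreq -policy opens. It runs on any domain member that has PowerShell and the certreq.exe/certutil.exe tools.

```powershell
# Added example (not a course lab file): request, submit and then verify the
# Cross Certification Authority certificate for the Bridge CA.
# Assumed values: lab paths, the CA config string, and our own DNS suffix.
param(
    [string]$LabDir       = 'C:\moc\2821\labfiles\module8',
    [string]$BridgeCaCert = 'London.nwtraders.msft_BridgeCA.crt',
    [string]$PolicyInf    = 'Domain-to-Bridge.inf',
    [string]$IssuingCa    = 'dc1.contoso.msft\DomainCA',   # assumed Computer\CAName
    [string]$OwnDnsSuffix = 'contoso.msft'                 # assumed own namespace
)

Set-Location $LabDir

# 1. Wrap the Bridge CA certificate in a request signed with the QS Signing
#    certificate. RequestFileIn is a CA certificate rather than a PKCS #10,
#    which is what makes this a cross-certification request.
& certreq.exe -policy $BridgeCaCert $PolicyInf CrossCA.req
if ($LASTEXITCODE -ne 0) { throw "certreq -policy failed with exit code $LASTEXITCODE" }

# 2. Submit to the enterprise subordinate CA. The Cross Certification Authority
#    template only accepts requests signed with the Qualified Subordination policy.
& certreq.exe -submit -config $IssuingCa CrossCA.req BridgeCA.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 3. Inspect the issued certificate instead of trusting the dialog tabs.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Join-Path $LabDir 'BridgeCA.cer')

function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    # Windows decodes name constraints, policy mappings and policy constraints
    # into readable text; an absent extension yields an empty string.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}

$basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
$eku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Application policies (EKU)
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
# secure e-mail, client authentication, server authentication
$expectedEku = @('1.3.6.1.5.5.7.3.4', '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1')

$nameConstraints   = Get-ExtensionText $cert '2.5.29.30'
$policyMappings    = Get-ExtensionText $cert '2.5.29.33'
$policyConstraints = Get-ExtensionText $cert '2.5.29.36'

$checks = @(
    @{ Name = 'Basic Constraints: CA certificate with path length 2';
       Pass = ($basic -ne $null) -and $basic.CertificateAuthority -and
              $basic.HasPathLengthConstraint -and ($basic.PathLengthConstraint -eq 2) },
    @{ Name = 'Application policies: exactly secure e-mail, client auth, server auth';
       Pass = ($ekuOids.Count -gt 0) -and (@(Compare-Object $ekuOids $expectedEku).Count -eq 0) },
    @{ Name = "Name constraints: own namespace $OwnDnsSuffix is excluded";
       Pass = ($nameConstraints -match 'Excluded') -and ($nameConstraints -match [regex]::Escape($OwnDnsSuffix)) },
    @{ Name = 'Policy mappings: partner Medium Assurance OID mapped to ours';
       Pass = ($policyMappings -ne '') },
    @{ Name = 'Policy constraints: inhibit policy mapping present';
       Pass = ($policyConstraints -match 'Inhibit') }
)

foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $c.Name)
}
if ($checks | Where-Object { -not $_.Pass }) {
    throw 'BridgeCA.cer does not match Domain-to-Bridge.inf; do not publish it.'
}
```

The point of step 3 is that a Cross Certification Authority certificate is only as good as the constraints it actually carries: a policy.inf typo (for example a stale MyMediumOID placeholder that was never replaced) produces a certificate that the CA happily issues and that would then trust far more of the partner's namespace or policy space than intended.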
Exercise 5
Modifying the Policy.inf File on the Bridge CA
In this exercise, you will modify the Domain.inf policy file on the Bridge CA so that it carries the qualified subordination constraints for the Cross Certification Authority certificate that the Bridge CA will issue to your organization's subordinate enterprise CA.
Scenario
Now that your subordinate enterprise CA has issued a Cross Certification Authority certificate to the Bridge CA, the Bridge CA must issue a Cross Certification Authority certificate to your organization's subordinate enterprise CA. The constraints for that certificate are defined in Domain.inf, which you update in this exercise with both organizations' Medium Assurance certificate policy OIDs.
Important: Perform this procedure on the member server for your domain.
1. Log on to the network using your domain administration account.
   Log on to the domain by using the following credentials:
   • User name: Student2
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Copy the Medium Assurance certificate policy OID for your domain to the Windows clipboard.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the console tree, right-click Certificate Templates, and then click View Object Identifiers.
   c. In the View Object Identifiers dialog box, in the Available object identifiers list, select Medium Assurance, and then click Copy Object Identifier.
   d. In the View Object Identifiers dialog box, click Close.
   e. Close Certificate Templates.
3. Connect to the London computer by using Remote Desktop Connection to log on as Administrator with a password of P@ssw0rd.
   a. On the Start menu, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
   b. In the Remote Desktop Connection dialog box, in the Computer box, type London and then click Connect.
   c. In the Log On to Windows dialog box, log on by using the following credentials:
      • User name: Administrator
      • Password: P@ssw0rd
      • Log on to: Nwtraders
   d. In the Log On to Windows dialog box, click OK.
6. Copy the Medium Assurance certificate policy OID for the Northwind Traders domain to the Clipboard.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the console tree, right-click Certificate Templates, and then click View Object Identifiers.
   c. In the View Object Identifiers dialog box, in the Available object identifiers list, select Medium Assurance, and then click Copy Object Identifier.
   d. In the View Object Identifiers dialog box, click Close.
   e. Close Certificate Templates.
8. Save any changes and then close Domain.inf.
   a. On the File menu, click Save, and then close the window.
   b. Close all open windows in the Remote Desktop Connection.
Important: Do not disconnect or log off from the Remote Desktop Connection.
Exercise 6
Creating the Cross Certification Authority Certificate
In this exercise, you will create the Cross Certification Authority certificate for your enterprise
subordinate CA on the Bridge CA.
Scenario
You must now create a Cross Certification Authority certificate for your subordinate enterprise CA
that implements the qualified subordination constraints that are implemented in the Domain.inf
information file.
Important: Perform this procedure on the member server for your domain.
1. Ensure that you are still connected to London using the Remote Desktop Connection.
   Ensure that you are still connected to the London computer using the Remote Desktop Connection with the following credentials:
   • User name: Administrator
   • Password: P@ssw0rd
   • Log on to: Nwtraders
2. Request a Qualified Subordination Signing certificate with a friendly name of Computer QS Signing.
   a. Click Start, click Run, type Certmgr.msc and then click OK.
   b. In the console tree, expand Personal, and then click Certificates.
   c. In the console tree, right-click Certificates, point to All Tasks, and then click Request New Certificate.
   d. On the Certificate Request Wizard page, click Next.
   e. On the Certificate Types page, in the Certificate Types list, select Qualified Subordination Signing, and then click Next.
   f. On the Certificate Friendly Name and Description page, in the Friendly name box, type Computer QS Signing (where Computer is the NetBIOS name of your computer), and then click Next.
   g. On the Completing the Certificate Request Wizard page, click Finish.
   h. In the Certificate Request Wizard message box, click OK.
   i. Close the Certificates – Current User console.
3. Copy your domain's subordinate enterprise CA's Certification Authority certificate to the C:\moc\2821\labfiles\module8 folder.
   a. Open \\Dcname\certenroll (where Dcname is the NetBIOS name of the domain controller in your domain).
   b. In the \\Dcname\certenroll window, right-click dcname.Domain.msft_DomainCA.crt (where Domain is the NetBIOS name of your domain), and then click Copy.
   c. Open C:\moc\2821\labfiles\module8.
   d. Right-click C:\moc\2821\labfiles\module8, and then click Paste.
   e. Close all open windows.
5. In the Certreq.exe prompts, provide the following information:
   • Request file: Dcname.Domain.msft_DomainCA.crt
   • Inf file: Domain.inf
   • Enrollment Registration Agent certificate: Computer QS Signing certificate
   • Request file name: Domain.req
   a. In the Open Request File dialog box, in the Files of type drop-down list, select Certificate Files (*.cer,*.crt,*.der).
   b. In the File name box, type C:\moc\2821\labfiles\module8 and then click Open.
   c. Select Dcname.Domain.msft_DomainCA.crt, and then click Open.
   d. In the Open Inf File dialog box, select Domain.inf, and then click Open.
   e. In the Certificate List dialog box, select the certificate with the friendly name of Computer QS Signing, and then click OK.
   f. In the Save Request dialog box, in the File name box, type Domain.req (where Domain is the NetBIOS name of your domain), and then click Save.
   g. Close the command prompt.
6. In the Certification Authority console, submit the Domain.req certificate request file and then save the resulting certificate as Domain.cer.
   a. On the Start menu, point to Administrative Tools, and then click Certification Authority.
   b. In the console tree, right-click BridgeCA, point to All Tasks, and then click Submit new request.
   c. In the Open Request File dialog box, select Domain.req, and then click Open.
   d. In the Save Certificate dialog box, in the File name box, type Domain.cer and then click Save.
   e. Close the Certification Authority console.
8. Close all open windows and log off the network.
   Close all open windows and then log off.
Wait until all student teams reach this point in the lab before you continue.
Exercise 7
Publishing the Bridge CA Cross CA Certificates
In this exercise, you will publish the Cross Certification Authority certificates that the Bridge CA
issued to each subordinate enterprise CA in the classroom. The publication ensures that your
organization will recognize certificates that meet the qualified subordination constraints from all
other organizations that participate in the Bridge CA hierarchy.
Scenario
Now that your organization has successfully issued a Cross Certification Authority certificate to the
Bridge CA, you must publish all Cross Certification Authority certificates that the Bridge CA issues
to participating organizations to your organization’s Active Directory directory service.
Important: The instructor will perform this procedure on the London computer.
2. Move all Domain.cer files (where Domain is the NetBIOS name of each student domain) to the BridgeCerts folder.
3. Create and share a subfolder named ClientCerts.
   a. Ensure that you are in the C:\moc\2821\labfiles\module8 window.
   b. Create a subfolder named ClientCerts.
   c. Right-click ClientCerts, and then click Sharing and Security.
   d. In the ClientCerts Properties dialog box, click Share this folder, and then click Permissions.
   e. In the Permissions for ClientCerts dialog box, select Everyone, click Change, and then click OK.
   f. In the ClientCerts Properties dialog box, on the Security tab, assign the Users group Modify permissions, and then click OK.
   g. Close the C:\moc\2821\labfiles\module8 window.
4. Log on using your domain administrator account.
   Log on to the domain by using the following credentials:
   • User name: Student1 (on the domain controller) or Student2 (on the member server)
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
Important: Perform this procedure on the domain controller for your domain.
Why must you publish the Cross Certification Authority certificates that were issued by the BridgeCA in
your organization’s Active Directory?
The certificate chaining engine requires these certificates to build certificate chains for certificates that
other CAs issued in the Bridge CA hierarchy.
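The publication loop described at the top of this section (certutil -dspublish -f certificate.crt CrossCA, once per Bridge-issued certificate) and the Exercise 7 procedure are the same task, and the answer above is what you verify afterwards: can the chaining engine in your forest now build a chain for a partner-issued certificate? The PowerShell below is an added example, not a course lab file; it assumes the instructor's BridgeCerts folder is shared as \\London\BridgeCerts and that a partner-issued end-entity certificate has been saved locally as PartnerUser.cer. Run it once per forest with an account that may write to the CN=AIA container of the Configuration partition (Enterprise Admins in the lab).

```powershell
# Added example (not a course lab file): publish every Cross Certification
# Authority certificate the Bridge CA issued into this forest's AD, then prove
# that a partner certificate chains through the bridge.
# Assumed: \\London\BridgeCerts share, PartnerUser.cer saved locally.
param(
    [string]$CertShare   = '\\London\BridgeCerts',
    [string]$PartnerCert = 'C:\moc\2821\labfiles\module8\PartnerUser.cer'
)

$published = @()
foreach ($file in Get-ChildItem -Path $CertShare -Filter *.cer) {
    # CrossCA stores the certificate in the crossCertificatePair attribute of the
    # issuing CA's object under CN=AIA,CN=Public Key Services,CN=Services,
    # CN=Configuration; -f overwrites a stale copy left by an earlier run.
    $output = & certutil.exe -dspublish -f $file.FullName CrossCA 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("Publish failed for {0}: {1}" -f $file.Name, ($output -join ' '))
        continue
    }
    $published += $file.Name
}
Write-Host ("Published {0} cross-certificate(s): {1}" -f $published.Count, ($published -join ', '))

# Clients download cross-certificates from AD through autoenrollment; pulse it
# on this machine rather than waiting for the next Group Policy refresh.
& certutil.exe -pulse | Out-Null

# The real test: a partner certificate must now chain
# PartnerCA -> BridgeCA -> DomainCA -> RootCA, and -urlfetch makes certutil
# fetch CRLs over the network so revocation is checked, not just trust.
if (Test-Path $PartnerCert) {
    $verify = & certutil.exe -verify -urlfetch $PartnerCert 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host 'Partner certificate chains through the bridge and passes revocation checking.'
    } else {
        Write-Warning 'Partner certificate failed to chain; review the cross-certificate pairs in the AIA container:'
        $verify | Select-String -Pattern 'Cross|Issuer|Error|Revocation' | ForEach-Object { Write-Warning $_.Line }
    }
} else {
    Write-Warning "No partner certificate at $PartnerCert; publication was not exercised end to end."
}
```

A partner certificate that fails here after a successful publish usually means one of the qualified subordination constraints did its job: a name outside the permitted set, a missing Medium Assurance policy, or a purpose that is not one of the three application policies. Read the certutil -verify output for the constraint that tripped before concluding that publication failed.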
Exercise 8
Issuing Certificates that Meet Qualified Subordination
Constraints
In this exercise, you will create certificate templates for two certificates, one that meets the
qualified subordination constraints and one that does not meet the qualified subordination
constraints. You will then copy the issued certificates to a common share on the London computer.
Scenario
After you enable qualified subordination for the bridge CA hierarchy, you must evaluate certificates
that other organizations issued in the bridge CA hierarchy.
1. Log on using your certificate template administrator account.
   Log on to the domain by using the following credentials:
   • User name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console.
   Click Start, click Run, type Certtmpl.msc and then click OK.
3. Create a new certificate template named QS Email based on the User Signature Only certificate template.
   a. In the Certificate Templates console, in the details pane, right-click User Signature Only, and then click Duplicate Template.
   b. In the Properties of New Template dialog box, on the General tab, in the Template display name box, type QS Email and then click OK.
Important: Perform this procedure on the domain controller for your domain.
6. Log on using your domain administrator account and password.
   Log on to your computer by using the following credentials:
   • User name: CAadmin1
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
7. Publish the QS Email certificate template to DomainCA.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click QS Email, and then click OK.
   e. In the details pane, ensure that the QS Email certificate template appears.
   f. Close the Certification Authority console.
   g. Log off of the network.
8. Log on using your qualified subordination user account.
   Log on to your computer by using the following credentials:
   • User name: QualSub1 (on the domain controller) or QualSub2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
9. In the Certificates – Current User console, request a QS Email certificate.
   a. Click Start, click Run, type Certmgr.msc and then click OK.
   b. In the console tree, click Personal.
   c. In the console tree, right-click Personal, point to All Tasks, and then click Request New Certificate.
   d. On the Certificate Request Wizard page, click Next.
   e. On the Certificate Types page, in the Certificate Types list, select QS Email, and then click Next.
   f. On the Certificate Friendly Name and Description page, in the Friendly name box, type QS Email and then click Next.
   g. On the Completing the Certificate Request Wizard page, click Finish.
   h. In the Certificate Request Wizard message box, click OK.
10. Export the QS Email certificate to \\London\ClientCerts\ComputerQSEmail.
   a. In the console tree, expand Personal, and then click Certificates.
   b. In the details pane, right-click the certificate with the friendly name of QS Email, point to All Tasks, and then click Export.
   c. On the Certificate Export Wizard page, click Next.
   d. On the Export Private Key page, leave the default (No, do not export the private key) selected, and then click Next. Only the public certificate belongs on a shared folder that every classroom account can write to.
   e. On the Export File Format page, accept the default settings, and then click Next.
   f. On the File to Export page, in the File name box, type \\London\ClientCerts\ComputerQSEmail (where Computer is the NetBIOS name of your computer), and then click Next.
   g. On the Completing the Certificate Export Wizard page, click Finish.
   h. In the Certificate Export Wizard message box, click OK.
   i. Close the Certificates – Current User console.
11. Open the \\London\ClientCerts share.
   a. Click Start, click Run, type \\London\ClientCerts and then click OK.
   b. In the \\London\ClientCerts window, double-click any QSEmail certificate that a computer in another organization issued.
   c. In the File Download dialog box, click Open.
Does the Certificate dialog box indicate that all certificate purposes are recognized?
Yes. The Certificate dialog box does not indicate any unknown purposes. The certificate purposes are:
Protect e-mail messages (Secure email) and Prove your identity to a remote computer (client
authentication).
11. (continued)
   d. In the Certificate dialog box, click the Certification Path tab.
   The certification path is RootCA → DomainCA → BridgeCA → PartnerCA → Qualsubx (where RootCA is the name of your offline root CA, Domain is the NetBIOS name of your domain, Partner is the NetBIOS name of the partner's domain, and x is either 1 or 2).
12. If time permits, repeat the process with other organizations' certificates, and then log off the network.
   a. If time permits, repeat the process with certificates that are issued by other organizations.
   b. Close all open windows and log off.
Module 9: Deploying Smart Cards
Contents
Overview 1
Lesson: Introduction to Smart Cards 2
Lesson: Enrolling Smart Card Certificates 12
Lesson: Deploying Smart Cards 19
Lab A: Deploying Smart Cards 35
Course Evaluation 63
Module 9: Deploying Smart Cards iii
Instructor Notes
Presentation: 60 minutes
Lab: 90 minutes
Smart cards provide secure storage for data and support authentication of users. Smart cards can take a number of forms, including credit cards, key-shaped tokens, Subscriber Identity Module (SIM) chips in Global System for Mobile Communications (GSM) cellular phones, and Universal Serial Bus (USB) tokens. In this module, students will learn about smart cards and how to deploy them.
After completing this module, students will be able to:
! Describe the use of smart cards in a Microsoft® Windows Server™ 2003 PKI
environment.
! Deploy smart cards in a Windows Server 2003 PKI environment.
Steps for Configuring an Enrollment Station: Review each requirement for implementing a smart card enrollment station. Remind students that smart card enrollment is typically performed on designated enrollment stations, not domain controllers.
How to Enroll Smart Cards Using an Enrollment Agent: Consider demonstrating the Web Enrollment pages for smart card enrollment. Emphasize that only a local administrator can install the smart card enrollment Microsoft ActiveX® control. Once the control is downloaded, a non-administrator can use the control if an administrator configures Group Policy to allow the initialization of unsafe ActiveX controls.
How to Autoenroll Smart Cards: Review which PKI management roles perform each required task. Mention that on some networks, one person may hold more than one role. Whether one person can hold multiple roles depends on whether Common Criteria role separation is enforced.
How to Configure Smart Card Removal Behavior: Compare and contrast each of the available options for smart card removal behavior. A good scenario to use is the case of a user with two smart cards: one for day-to-day activities and one for administrative functions. Ask the students how they can implement this scenario if the smart card removal behavior is set to either lock the workstation or force logoff. The solution is to implement two smart card readers on the workstation.
How to Enforce Smart Card Authentication: Review how to enforce smart card authentication for both interactive and remote authentication attempts. If students implement smart cards at their organization, ask them whether they enforce smart card use for interactive logons, remote logons, or both.
Lab A: Some training centers may not provide smart card readers and smart cards for the students. In this scenario, students can perform all exercises in the lab except for the following exercises:
! Exercise 0, in which students install the smart card reader
! Exercise 5, in which students enroll the smart card
! Exercise 7, in which students sign a Code Signing certificate request with the private key that is associated with the student's smart card certificate
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: The labs in this module require that there is a CA hierarchy with an offline root CA and an enterprise subordinate CA. Complete all of Labs A, B, and C in Module 3, "Creating a Certification Authority Hierarchy," in Course 2821, Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2: All of the procedures in the lab assume that Common Criteria role separation is enforced. Complete Lab A in Module 4, "Managing a Public Key Infrastructure," in Course 2821.
Setup requirement 3: The ability to create and modify certificate templates is delegated to the CertTmplAdmins global group. Complete Lab A in Module 5, "Configuring Certificate Templates," in Course 2821.
Setup requirement 4: http://WebServer (where WebServer is the fully qualified domain name of the student's domain controller) is configured as a member of the Local intranet zone in the Default Domain Policy. Complete Lab B in Module 3, "Creating a Certification Authority Hierarchy," in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
Lab A: At the completion of Lab A:
! A smart card reader is installed on each student computer.
! The Enrollment Agent certificate template is modified to allow enrollment
only by members of the EnrollmentAgents group.
! The Enrollment Agent certificate template is published on the enterprise
subordinate CA in each student forest.
! Enrollment Agent certificates are issued to Agent1 and Agent2.
! A version 2 certificate template named AgentSmartCard, based on the
Smartcard Logon certificate template, is created and published on the
enterprise subordinate CA.
! Internet Explorer is modified to allow the download of unsafe ActiveX
controls.
! AgentSmartCard certificates are issued to SCUser1 and SCUser2 by the
enrollment agents.
! The Autoenrollment Group Policy object (GPO) is linked to the Module09
organizational unit (OU).
! CodeSignComputer certificate templates are created and published to the
enterprise subordinate CA.
! CodeSignComputer certificates are issued to SCUser1 and SCUser2.
Overview
Using smart cards: Smart cards enhance the security for network authentication by using
cryptography-based identification. Instead of supplying a user name and
password, the user must possess the smart card and know the personal
identification number (PIN) of the smart card to be authenticated on the
network. An attacker must obtain both the user’s smart card and the PIN to
impersonate the user, rather than simply guess the user’s user name and
password.
Smart cards enhance the security for the following purposes:
! Interactive logon. The user presents her smart card credentials when she
initially logs on to a workstation.
! Client authentication. The user presents her smart card credentials for all
client authentication attempts, such as connecting to a share on a remote
server.
! Remote logon. The user presents her smart card credentials for remote
access and virtual private network (VPN) authentication attempts.
! Wireless authentication. In a network that implements 802.1x
authentication, a smart card provides authentication for users when they
connect to the wireless network.
Note The feature set of the smart card and the smart card management tools are the primary decision factors when you choose a smart card vendor. Typically, these factors are more important in the selection of a smart card vendor than the price of the individual smart cards.
Smart card storage: A smart card uses a custom file system to store data. It provides storage for one
or more of the following things:
! Private keys. The private key is protected by the PIN of the smart card.
! Public keys. The public key of the key pair is presented as a form of
authentication.
! Certificates. The certificate that is associated with the key pair is presented
during authentication.
Note The new domain controller must be a domain member to allow smart
card authentication when running Dcpromo.exe.
! Use alternate credentials. Use the runas command with the /smartcard
option to use a smart card as proof of identity when running applications
that use the Secondary Logon service.
! Connect to a terminal server. Use Remote Desktop Connection to enable
smart card authentication to a terminal server if the terminal server runs a
Windows Server 2003 family operating system.
! Connect to network resources. Use the net use command with the
/smartcard option to provide a smart card as authentication when you
connect to network resources with alternate credentials. Or, if the Credential
Manager appears when you connect to a network resource, you can choose
the smart card and type the associated PIN to prove your identity.
Note To find a complete list of supported Plug and Play smart card readers
in Windows XP and Windows Server 2003, search for the phrase “smart
card readers” in the Windows XP or Windows Server 2003 Help files.
! Select a smart card vendor. Select one smart card vendor for your
organization. Using multiple vendors results in the need for multiple smart
card CSPs. The smart card must be on the Windows 2000, Windows XP, or
Windows Server 2003 family HCL. In addition, ensure that the smart card
vendor provides a tool set to manage the issued smart cards.
Software requirements: Meet the following software requirements to implement smart card
authentication in your network:
! Acquire the CSP that is associated with the selected smart cards. The CSP
provides an interface between the operating system and the smart card to
enable the storage and retrieval of key material from the smart card.
Although the default installation includes CSPs for GemPlus, Infineon, and
Schlumberger smart cards, other Rivest Shamir Adleman (RSA)-based
cryptographic smart cards are also supported, provided the card vendor has
developed its own CSP for the card using CryptoAPI and the Smart Card
Software Developer’s Kit.
Note If you deploy a CSP that is not included in the default installation,
ensure that you fully test the CSP and associated smart card drivers before
you deploy the solution in your organization.
Note For more information about implementing smart cards with a third-party
CA, see the Knowledge Base article 281245, “Guidelines for Enabling Smart
Card Logon with Third-Party Certification Authorities,” under Additional
Reading on the Web page on the Student Materials compact disc.
When you deploy smart cards, you must decide whether to implement an
enrollment agent, to implement smart card autoenrollment to issue the smart
card certificates, or to use a combination of both deployment methods.
Lesson objectives: After completing this lesson, you will be able to:
! Compare smart card deployment methods.
! Identify when to implement a smart card enrollment agent.
! Identify when to implement smart card autoenrollment.
! Describe the best practices for smart card enrollment.
Autoenrollment: You typically use autoenrollment for smart card renewal requests. After the smart card user proves her identity during the initial registration, many organizations consider possession of the smart card and knowledge of the smart card's PIN sufficient proof of identity for renewal.
A PKI administrator can reduce the costs that are associated with smart card certificate renewal by requiring that the renewal request be signed with the existing smart card certificate. This way, only the user to whom the smart card was originally issued can renew the smart card certificate.
Note Some organizations use autoenrollment for the initial smart card
deployment and for certificate renewal. This strategy is only possible when the
security policy of the organization allows smart card enrollment without
additional validation of the user’s identity.
Note The smart card certificate request is typically performed in the presence
of the certificate requestor. Some organizations enroll the smart card certificates
before the meeting with the smart card certificate requestor. In this case, the
validation of the subject’s identity is delegated to a security officer or notary
public within the organization, who distributes the smart card to the user only
after validating the identity of the user.
Using an enrollment agent: Use an enrollment agent for smart card deployment if your organization has the following conditions:
! Client computers on the network run Windows 2000. For these client computers, using an enrollment agent is the only way to distribute smart card certificates securely, because Windows 2000 clients do not support the automatic distribution of certificates by using Autoenrollment Settings in Group Policy.
! Your security policy requires face-to-face meetings. Establish a process to
ensure that the enrollment agent verifies the identity of the user before
processing the certificate request. This verification ensures that the
enrollment agent requests the certificate only for the requesting user.
! Your security policy allows enrollment agents. An Enrollment Agent
certificate is a high-value certificate that allows the holder to request a
certificate on behalf of another user. Some organizations consider the
implementation of enrollment agents as a security risk.
Securing the enrollment agent process: You can add additional security to the enrollment agent process by performing the following actions:
! Keep all enrollment agent requests pending. By creating a version 2
certificate template that is based on the Enrollment Agent certificate
template, you can add an issuance requirement that the certificate request
must be approved by a CA certificate manager. This requirement ensures
that only authorized personnel receive an Enrollment Agent certificate.
! Train enrollment agents. By providing training for enrollment agents, you
ensure that they enforce the certificate policy when they issue smart card
certificates to network users. For example, enrollment agents may require
training about what information to record for a user, such as a passport or
driver license, before they issue the smart card certificates.
! Audit all enrollment agent activities. Ensure that you audit all issue and manage certificate request events. This way, every certificate request that an enrollment agent makes to a Windows Server 2003 CA is recorded in the security log. Ensure that enrollment agents are not granted the right to manage auditing and the security log in the domain or on the CA, so that they cannot clear or modify the event logs.
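The audit point above is only useful if someone actually reviews what the agents did. The following is an added example, not part of the course materials and not a Microsoft tool: it reads a CA database export and flags every request made on behalf of another user, and every request by an account that is not a designated agent. The export format is assumed to be a CSV with the certutil -view style column names used below; the rows, the DOMAIN name and the account names are constructed for the example.

```python
"""Added example: review enrollment-agent activity in a CA database export.
Assumes a CSV with certutil -view style column names (Request.RequesterName,
CertificateTemplate, UPN, RequestID). All rows below are constructed."""
import csv
import io

# Internal name of the default Enrollment Agent template.
ENROLLMENT_AGENT_TEMPLATE = "EnrollmentAgent"

# Accounts allowed to hold an Enrollment Agent certificate; assumed to mirror
# the EnrollmentAgents group used in the lab (names are hypothetical).
AUTHORIZED_AGENTS = {"DOMAIN\\Agent1", "DOMAIN\\Agent2"}

# Constructed sample export, not real CA data.
SAMPLE_EXPORT = """\
RequestID,Request.SubmittedWhen,Request.RequesterName,CertificateTemplate,UPN
101,2004-03-01 09:02,DOMAIN\\Agent1,EnrollmentAgent,Agent1@domain.example
102,2004-03-01 09:10,DOMAIN\\Agent1,AgentSmartCard,SCUser1@domain.example
103,2004-03-01 09:12,DOMAIN\\Agent1,AgentSmartCard,SCUser2@domain.example
104,2004-03-01 10:30,DOMAIN\\HelpDesk7,AgentSmartCard,SCUser1@domain.example
105,2004-03-01 11:00,DOMAIN\\Agent2,EnrollmentAgent,Agent2@domain.example
106,2004-03-01 11:05,DOMAIN\\SCUser1,SmartcardLogon,SCUser1@domain.example
"""


def parse_export(text):
    """Parse the export into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _account(requester):
    """'DOMAIN\\Agent1' -> 'agent1', for comparison with the UPN user part."""
    return requester.rsplit("\\", 1)[-1].lower()


def _upn_user(upn):
    return upn.split("@", 1)[0].lower()


def review_requests(rows, authorized=AUTHORIZED_AGENTS):
    """Return (RequestID, finding, requester) tuples a reviewer should look at."""
    findings = []
    for row in rows:
        requester = row["Request.RequesterName"]
        template = row["CertificateTemplate"]
        # A request whose subject UPN is not the requester's own account was
        # made on behalf of someone else, i.e. by an enrollment agent.
        on_behalf = _account(requester) != _upn_user(row["UPN"])
        if template == ENROLLMENT_AGENT_TEMPLATE and requester not in authorized:
            findings.append((row["RequestID"], "enrollment-agent-cert-to-unauthorized-account", requester))
        elif on_behalf and requester not in authorized:
            findings.append((row["RequestID"], "on-behalf-of-request-by-unauthorized-account", requester))
        elif on_behalf:
            findings.append((row["RequestID"], "on-behalf-of-request", requester))
    return findings


def requests_per_agent(findings):
    """Count on-behalf-of requests per requester, for the periodic review."""
    counts = {}
    for _, kind, requester in findings:
        if kind.startswith("on-behalf-of-request"):
            counts[requester] = counts.get(requester, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_requests(parse_export(SAMPLE_EXPORT)):
        print(*finding)
```

Request 104 is the one that matters: an account outside the agent group obtained a smart card certificate for SCUser1, which is exactly the abuse the pending-approval and audit controls are meant to catch. The two Agent1 findings are normal activity and are kept so the reviewer can reconcile them against the face-to-face meeting records.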
Securing the autoenrollment method: You can secure the autoenrollment process by requiring a smart card signature for autoenrollment requests. Require that the signing certificate includes the Smart Card Logon application policy object identifier (OID) or a custom certificate policy that indicates that the original smart card was issued in a face-to-face meeting.
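Both signing rules in this lesson, that a renewal request must be signed by a certificate carrying the Smart Card Logon application policy and that a request on behalf of another user must be signed by a Certificate Request Agent (Enrollment Agent) certificate, come down to checking which OIDs the signing certificate's Extended Key Usage / Application Policies extension carries. The following is an added example, not part of the course and not Microsoft code: it encodes and decodes the DER value of that extension (a SEQUENCE OF OBJECT IDENTIFIER) and applies the two rules. It works on the extension value rather than on a whole certificate so that it needs no library; the sample extension values are constructed here, the OIDs themselves are the real Microsoft and PKIX ones.

```python
"""Added example: decode the Extended Key Usage / application policy OIDs of a
certificate and apply the course's two signing rules. Works on the DER value of
the EKU extension (SEQUENCE OF OBJECT IDENTIFIER) so it needs no library; the
sample extension values are constructed here, the OIDs are the real ones."""

SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"    # Microsoft Smart Card Logon
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent (Enrollment Agent)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # PKIX id-kp-clientAuth
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"             # PKIX id-kp-codeSigning


def _base128(n):
    """Encode one OID arc as DER base-128 bytes (high bit set on all but the last)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def encode_eku(oids):
    """List of OIDs -> DER value of the extKeyUsage extension (SEQUENCE, tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_len(buf, i):
    """Read DER length octets at buf[i]; return (length, index of content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _decode_oid_body(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der):
    """DER extKeyUsage value -> list of dotted OIDs, in certificate order."""
    if der[0] != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    length, i = _read_len(der, 1)
    end, oids = i + length, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extKeyUsage")
        n, j = _read_len(der, i + 1)
        oids.append(_decode_oid_body(der[j:j + n]))
        i = j + n
    return oids


def may_sign_renewal(eku_der):
    """Autoenrollment rule: a renewal request must be signed by a certificate
    that carries the Smart Card Logon application policy."""
    return SMART_CARD_LOGON in decode_eku(eku_der)


def may_enroll_on_behalf(eku_der):
    """Enrollment agent rule: only a Certificate Request Agent certificate may
    sign a request made on behalf of another user."""
    return CERT_REQUEST_AGENT in decode_eku(eku_der)


# Constructed extension values for the three certificate kinds in this module
# (Smartcard Logon user, Enrollment Agent, Code Signing).
SMARTCARD_USER_EKU = encode_eku([CLIENT_AUTH, SMART_CARD_LOGON])
ENROLLMENT_AGENT_EKU = encode_eku([CERT_REQUEST_AGENT])
CODE_SIGNING_EKU = encode_eku([CODE_SIGNING])
```

The Smart Card Logon OID encodes as 06 0a 2b 06 01 04 01 82 37 14 02 02, which is the byte string you will see in certutil -v output for a smart card certificate; a Code Signing certificate, even one on the same smart card, fails both rules because it carries neither OID.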
Autoenrollment guidelines: Use the following guidelines if you plan to deploy smart card certificates by
using autoenrollment:
! Limit membership in the global or universal group with Read, Enroll, and
Autoenroll permissions. Do not place users in these groups until an
enrollment agent has issued their initial smart card certificates. By delaying
the membership assignment, you ensure that the user cannot bypass the
enrollment process.
! Use autoenrollment only for smart card certificate renewal. Only an
enrollment agent can confirm the certificate requestor’s identity before
issuing the smart card certificate. You can increase autoenrollment security
by requiring that the renewal request be signed with the previous smart card
certificate.
! Choose one smart card vendor for smart card deployment. Using multiple
smart card CSPs in the Smart Card certificate template prompts the user to
insert each type of smart card during the autoenrollment process, even if the
user possesses only one smart card.
! Require user input for the autoenrollment process. This way, users are
prompted to insert their smart card when the certificate request is
completed.
Envisioning: Before you start detailed planning for deploying smart cards, ensure that your organization possesses a clear vision of how it will use smart card technology. In the envisioning phase, identify the business requirements for smart card deployment.
Business requirements: The following business requirements can affect a smart card deployment:
! Enhancement of the security of users who log on to the corporate network.
! Secure remote access to the corporate network.
! Migration toward the elimination of passwords.
Planning: After the stakeholders in the organization approve the vision scope document, begin to write the detailed planning and specifications for smart card logon. In the planning phase, you create the functional specifications document, which should identify the following requirements:
! Smart card requirements. Identifies what storage space is required on the
smart card and if there are any physical dimension requirements. For
example, some smart cards are thicker than others and they deteriorate faster
because they rub against the smart card readers.
! Smart card reader requirements. Identifies which types of smart card
readers are required. For example, USB, serial, or PC Card readers. Some
computers now offer built-in smart card readers.
! Smart card management tools. Identify which smart card management tools
your deployment plan requires. For example, you may want a tool that
allows remote resets of smart card PINs.
Note For more information about planning a smart card deployment project,
see the white paper, Logistics of Smart Card Deployment, under Additional
Reading on the Web page on the Student Materials compact disc. Also see The
Smart Card Deployment Cookbook, at http://www.microsoft.com/technet/
security/prodtech/smrtcard/smrtcdcb.
Note You can modify the CSPs that the default certificate templates use and
the permissions for each certificate template. For other modifications, you must
create a version 2 certificate template based on the default certificate template.
Procedure for enrolling the Enrollment Agent certificate: After you, as a certificate manager, modify and publish the Enrollment Agent certificate template on one or more CAs in your organization's CA hierarchy, each designated enrollment agent must acquire an Enrollment Agent certificate. Because of the requirement to keep all Enrollment Agent certificate requests pending, request Enrollment Agent certificates by using the Web Enrollment pages of an enterprise CA.
To request the modified Enrollment Agent certificate:
1. Log on as a user who is a member of the global or universal group that is assigned Read and Enroll permissions for the modified Enrollment Agent certificate template.
2. In Internet Explorer, in the Address bar, type http://EnterpriseCA/certsrv,
where EnterpriseCA is the name of the Windows Server 2003 Web server
that hosts the CA.
3. On the Welcome page, click Request a certificate.
4. On the Request a Certificate page, click advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a
request to this CA.
6. On the Advanced Certificate Request page, perform the following actions:
• In the Certificate Template drop-down list, select the version 2
certificate template based on the Enrollment Agent template.
• Under Key Options, in the CSP drop-down list, select the CSP that you
require. The default CSP is the Microsoft Enhanced Cryptographic
Provider 1.0.
• In the Friendly name box, type a display name for the certificate.
7. Click Submit.
8. On the Certificate Pending page, record the certificate request ID.
Procedure for installing the modified Enrollment Agent certificate: After you issue the pending certificate request, install the modified Enrollment Agent certificate by completing the following steps:
1. Log on as the user who requested the modified Enrollment Agent certificate.
2. In the Address bar of Internet Explorer, type http://EnterpriseCA/certsrv,
where EnterpriseCA is the name of the Windows Server 2003 Web server
that hosts the CA.
3. Click View the status of a pending certificate request.
4. On the View the Status of a Pending Certificate Request page, click the
pending certificate request link.
5. On the Certificate Issued page, click Install this certificate.
6. On the Certificate Installed page, ensure that the message states that your
new certificate has been installed successfully.
2. Install additional CSPs. If you implement smart cards that use a CSP that is
not included in the default installation of Windows 2000, Windows XP, or
Windows Server 2003, you must manually install the CSP on the enrollment
station.
3. Determine if the enrollment station has a certificate with the Client
Authentication object identifier in its Extended Key Usage or Application
Policy extensions in the computer store. If a certificate exists, no additional
certificates are required. If a certificate does not exist, enroll a Computer
certificate in the certificate store of the computer.
Important Only a local administrator can install the smart card enrollment
ActiveX control. After the control is downloaded, non-administrators can use
the control if you configure Group Policy to allow the download of unsafe
ActiveX controls.
Procedure for enrolling smart cards using an enrollment agent: To manually request a Smart Card certificate on behalf of another user:
1. Ensure that you log on as a user who has an Enrollment Agent certificate in his personal store or, in higher security networks, on a separate smart card.
2. In Internet Explorer, open http://EnterpriseCA/certsrv (where
EnterpriseCA is the DNS name of the enterprise CA that is configured to
issue the smart card certificates).
3. On the Welcome page, click Request a certificate.
4. On the Request a Certificate page, click advanced certificate request.
5. On the Advanced Certificate Request page, click Request a certificate
for a smart card on behalf of another user using the smart card
certificate enrollment station.
Note Users must be prompted to insert their smart card and enter their PIN
during the autoenrollment process.
Procedure for the CA administrator: Publish the certificate template on one or more enterprise CAs in the CA hierarchy.
Procedure for a member of the Domain Admins group: After the certificate template is available for autoenrollment, a member of the Domain Admins group must enable Autoenrollment Settings in Group Policy. To do so, create a Group Policy object (GPO) and perform the following actions in User Configuration:
! Click Enroll certificates automatically. This setting enables
autoenrollment of certificates for the OU or domain where the GPO is
linked.
! Select the Renew expired certificates, update pending certificates, and
remove revoked certificates check box. This enables certificate
autoenrollment for certificate renewal, issuance of pending certificates, and
removal of revoked certificates from the subject’s certificate store.
! Select the Update certificates that use certificate templates check box.
This enables autoenrollment of superseded certificate templates.
After the GPO is defined, link the GPO to the OU or domain where the user
accounts that will be enabled for smart card autoenrollment exist in Active
Directory.
Procedure for the smart card enrollee: After Group Policy is implemented to enable autoenrollment for users, the smart card enrollee performs the following tasks:
1. After autoenrollment has been enabled, an informational balloon appears on
the user’s taskbar during the next Group Policy pulse interval or the next
logon. The user clicks the balloon to start the autoenrollment process. After
a few seconds, the balloon disappears and only the icon remains in the
system tray.
2. The user is prompted to insert the smart card and type the user PIN for the
smart card. This completes the autoenrollment process.
Note If the Smart Card certificate template contains more than one CSP,
the user may need to repeat the installation of the smart card in the reader to
reach the appropriate smart card CSP.
In some PKI deployments, an administrator may have two smart cards; one to
authenticate users and one to perform administrative tasks. If your organization
configures smart card removal behavior to lock the workstation or log off the
user, the administrator’s workstation requires a second smart card reader to
perform a secondary logon.
If a second smart card reader is not installed, the attempt to switch between the
two smart cards either logs off the administrator or locks the workstation.
Warning To enforce smart card logon in your organization, plan for situations
in which users forget their smart card at home. In such a situation, you can issue
temporary smart cards or make the Smart card is required for interactive logon
option unavailable temporarily.
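The option the warning refers to, Smart card is required for interactive logon, is stored as the UF_SMARTCARD_REQUIRED bit (0x40000) of the user's userAccountControl attribute, so every temporary exception is visible in the directory and can be reviewed and reverted. The following is an added example, not course material and not a Microsoft tool: it finds enabled accounts in the enforcement scope whose flag is missing and computes the value to write back. The account records are constructed; a directory export with sAMAccountName and userAccountControl columns is assumed.

```python
"""Added example: audit the "Smart card is required for interactive logon"
setting, which is the UF_SMARTCARD_REQUIRED bit (0x40000) of the
userAccountControl attribute. Account records are constructed; a directory
export with sAMAccountName and userAccountControl columns is assumed."""

UF_ACCOUNTDISABLE = 0x00002
UF_NORMAL_ACCOUNT = 0x00200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_SMARTCARD_REQUIRED = 0x40000

# Constructed records; the account names are the lab's, the values are invented.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "SCUser1", "userAccountControl": UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED},
    {"sAMAccountName": "SCUser2", "userAccountControl": UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED},
    {"sAMAccountName": "Agent1", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "Template2", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "CAadmin1", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
]


def smart_card_required(uac):
    """True when the account can only log on interactively with a smart card."""
    return bool(uac & UF_SMARTCARD_REQUIRED)


def is_enabled(uac):
    return not uac & UF_ACCOUNTDISABLE


def password_logon_possible(records):
    """Enabled accounts that can still log on interactively with a password."""
    return sorted(r["sAMAccountName"] for r in records
                  if is_enabled(r["userAccountControl"])
                  and not smart_card_required(r["userAccountControl"]))


def enforcement_gaps(records, must_enforce):
    """Accounts inside the smart card policy scope whose flag is not set: each
    one is either a forgotten-card exception that was never reverted or a
    deployment gap."""
    scope = {name.lower() for name in must_enforce}
    return [name for name in password_logon_possible(records) if name.lower() in scope]


def set_smart_card_required(uac, required=True):
    """New userAccountControl value to write back when enforcing or when
    granting the temporary exception the warning describes."""
    return uac | UF_SMARTCARD_REQUIRED if required else uac & ~UF_SMARTCARD_REQUIRED


if __name__ == "__main__":
    print("password logon possible:", password_logon_possible(SAMPLE_ACCOUNTS))
    print("gaps:", enforcement_gaps(SAMPLE_ACCOUNTS, ["SCUser1", "SCUser2", "Agent1"]))
```

One caveat worth knowing before clearing the flag as a temporary exception: when the flag is set, the domain controller replaces the account's password with a random value, and clearing the flag does not restore the old one, so the user also needs a password reset before a password logon works, and that reset should be undone by setting the flag again once the card is back.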
Procedure for enforcing smart card authentication for remote access: To enforce smart card authentication for remote access, configure a remote access policy to require EAP/TLS authentication in the profile settings. The certificate that is used for authentication must contain the Client Authentication OID in the application policy or Enhanced Key Usage (EKU) extension.
To configure a remote access policy to require EAP/TLS authentication:
1. In Administrative Tools, click Routing and Remote Access.
Note The Routing and Remote Access server must have a certificate
installed in the certificate store of the computer that enables Server
Authentication. You can enroll either a Domain Controller certificate or
Computer certificate to meet this requirement.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Additional information: For more information about deploying smart cards, see the white paper,
Certificate Autoenrollment in Windows Server 2003, under Additional
Reading on the Web page on the Student Materials compact disc.
Exercises that require a smart card reader: The following exercises in this lab require a smart card reader:
! Exercise 0
! Exercise 5
! Exercise 7
A smart card reader is required to perform this exercise. If you do not have a
smart card reader, watch the demonstration instead. The demonstration is
located under Multimedia on the Web page on the Student Materials compact
disc.
Estimated time to complete this lab: 90 minutes
Exercise 0
Lab Setup
Before you begin this lab, you must install the USB smart card reader that is provided.
1. Log on using your domain administration account and password.
   Log on to the domain by using the following credentials:
   • User name: Student1 (on the domain controller) or Student2 (on the member server)
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Plug in the USB smart card reader so that Plug and Play can automatically install the drivers.
   a. Plug the USB smart card reader into a USB port on your computer.
   b. In the notification area, double-click the Safely Remove Hardware icon.
   c. In the Safely Remove Hardware dialog box, ensure that the operating system recognizes the smart card reader, and then click Close.
3. If the installation fails, download updated drivers from the Internet for your USB smart card reader and then manually install the necessary drivers.
   a. If the installation does not proceed automatically, the Welcome to the Found New Hardware Wizard page appears.
   b. Download the latest Windows XP or Windows Server 2003 family drivers for your USB smart card reader.
   c. On the Welcome to the Found New Hardware Wizard page, click Install from a list or specific location (Advanced), and then click Next.
   d. On the Please choose your search and installation options page, click Search for the best driver in these locations.
   e. On the same page, select the Include this location in the search check box, type the path where you downloaded the updated drivers, and then click Next.
   f. On the Completing the Found New Hardware Wizard page, click Finish.
Exercise 1
Modifying and Publishing the Enrollment Agent Certificate Template
In this exercise, you will modify the permissions of the Enrollment Agent certificate template, and
then publish the certificate template on your organization’s enterprise subordinate CA.
Scenario
Your organization’s security policy requires that a smart card enrollment agent only issue smart
cards after validating the identity of the smart card requestor. The security policy requires that the
smart card requestor’s identity be validated by attending a face-to-face meeting with the smart card
enrollment agent. The Enrollment Agent certificate enables the holder to enroll certificates on
behalf of another user. You must modify the permissions to allow only designated enrollment
agents to acquire the certificate.
1. Log on using your certificate template administration account.
   Log on to the domain by using the following credentials:
   • User name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console and view the properties of the Enrollment Agent certificate template.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates message box appears, click OK.
   c. In the details pane, double-click Enrollment Agent.
3. Take ownership of the Enrollment Agent certificate template.
   a. In the Enrollment Agent Properties dialog box, on the Security tab, click Advanced.
   b. In the Advanced Security Settings for LDAP://ForestName/KeyEnrollmentAgent dialog box (where ForestName is the DNS name of your forest), on the Owner tab, click Template2, and then click Apply.
   c. Click OK.
4. Modify the Enrollment Agent certificate template to remove the Enroll permission for the Domain Admins and Enterprise Admins groups. Then, assign the EnrollmentAgents group Read and Enroll permissions.
   a. On the Security tab, click Domain Admins, and then clear the Enroll check box.
   b. Click Enterprise Admins, and then clear the Enroll check box.
   c. On the Security tab, click Add.
   d. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Enrollment, and then click Check Names.
   e. In the Select Users, Computers, or Groups dialog box, ensure that EnrollmentAgents appears in the Enter the object names to select box, and then click OK.
   f. Assign the EnrollmentAgents group Read and Enroll permissions, and then click OK.
   g. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
5. Log on using your CA Administrator account and password.
   Log on to your computer by using the following credentials:
   • User name: CAadmin1
   • Password: P@ssw0rd
   • Domain: Domain
6. Publish the Enrollment Agent certificate template on DomainCA.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, select Enrollment Agent, and then click OK.
   e. In the details pane, verify that Enrollment Agent appears.
   f. Close the Certification Authority console.
   g. Log off.
Exercise 2
Acquiring the Enrollment Agent Certificates
In this exercise, you will log on as a non-administrative account that is a member of the
EnrollmentAgents global group, and then request an Enrollment Agent certificate.
Scenario
Your organization has decided to designate the corporate security officers as the enrollment agents
for your organization. The security officers must acquire an Enrollment Agent certificate so they
can enroll smart card certificates on behalf of other users.
1. Log on to the network as a member of the EnrollmentAgents group.
   Log on to your computer by using the following credentials:
   • User name: Agent1 (on the domain controller) or Agent2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. (continued)
   i. In the Potential Scripting Violation dialog box, click Yes to allow the Web site to request a certificate on your behalf.
   j. On the Certificate Issued page, click Install this certificate.
   k. In the Potential Scripting Violation dialog box, click Yes to allow the Web site to add a certificate to your computer.
   l. Ensure that the Certificate Installed page appears, which indicates that the certificate has been installed successfully.
   m. Close Internet Explorer.
   n. Close all open windows and then log off.
Exercise 3
Creating a Custom Smart Card Certificate
In this exercise, you will create a new version 2 certificate template for smart cards. Only enrollment agents can enroll the template, and its issuance policy designates that the certificate was issued after an in-person interview.
Scenario
Your organization’s security policy requires that you deploy a customized version of the Smart
Card Logon certificate to all smart card users. The security policy also requires that all smart card
certificates are issued by an enrollment agent.
Important: Perform this procedure on the member server for your domain.
1. Log on using your certificate template administrator account.
   Log on to the domain by using the following credentials:
   • Logon name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create a version 2 certificate template named AgentSmartCard based on the Smart Card Logon certificate template.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates message box appears, click OK.
   c. In the details pane, right-click Smartcard Logon, and then click Duplicate Template.
   d. In the Properties of New Template dialog box, in the Template display name box, type AgentSmartCard and then click OK.
4. Configure the certificate template to mandate that the request be signed with a certificate that carries the Certificate Request Agent application policy.
   a. In the AgentSmartCard Properties dialog box, on the Issuance Requirements tab, click This number of authorized signatures.
   b. Ensure that the Policy type required in signature drop-down list displays Application policy.
   c. Ensure that the Application policy drop-down list displays Certificate Request Agent.
   d. Click Apply.
5. Add the High Assurance issuance policy to the AgentSmartCard certificate template.
   a. In the AgentSmartCard Properties dialog box, on the Extensions tab, click Issuance Policies, and then click Edit.
   b. In the Edit Issuance Policies Extension dialog box, click Add.
   c. In the Add Issuance Policy dialog box, click High Assurance, and then click OK.
   d. In the Edit Issuance Policies Extension dialog box, click OK.
   e. Click Apply.
6. In the AgentSmartCard certificate template, assign the EnrollmentAgents group Read and Enroll permissions.
   a. In the AgentSmartCard Properties dialog box, on the Security tab, click Add.
   b. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Enrollment, and then click Check Names.
   c. In the Select Users, Computers, or Groups dialog box, ensure that EnrollmentAgents appears in the Enter the object names to select box, and then click OK.
   d. In the AgentSmartCard Properties dialog box, on the Security tab, in the Group or user names list, select EnrollmentAgents, allow Read and Enroll permissions, and then click OK.
   e. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
7. Log on to the domain as a CA administrator.
   Log on to the domain by using the following credentials:
   • Logon name: CAAdmin1
   • Password: P@ssw0rd
   • Domain: Domain
8. Configure the DomainCA to issue AgentSmartCard certificates.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand Certification Authority, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, select AgentSmartCard, and then click OK.
   e. In the details pane, verify that AgentSmartCard appears.
   f. Close the Certification Authority console.
   g. Close all open windows and then log off.
Exercise 4
Enabling Unsafe ActiveX Control Download
Internet Explorer considers the smart card enrollment ActiveX control an unsafe ActiveX control.
In this exercise, you will modify Group Policy to allow the downloading of unsafe ActiveX
controls.
Scenario
The security policy of your organization does not allow users to be local administrators of their
computers. By default, only local administrators can download unsafe ActiveX controls in the
Local intranet site. You must configure Group Policy so that all users are prompted whether to
allow Internet Explorer to download unsafe ActiveX controls.
1. Log on to the domain using your enrollment agent account.
   Log on to the domain by using the following credentials:
   • User name: Agent1 (on the domain controller) or Agent2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
A message appears that states that an ActiveX control on this page is not safe.
Can you customize the ActiveX download settings? If not, who can?
No, the configuration of custom security settings is not available for non-administrator accounts. Only a member of the local Administrators group can modify the security options.
Important: Perform this procedure on the domain controller for your domain.
4. Log on to the domain using your administrative account.
   Log on to the domain by using the following credentials:
   • User name: Student1
   • Password: Password (where Password is the password assigned to your domain administration account)
   • Domain: Domain
6. Open the Default Domain Policy in Group Policy Object Editor.
   a. On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
   b. In the console tree, right-click Domain, and then click Properties.
   c. In the Domain Properties dialog box, on the Group Policy tab, click Default Domain Policy, and then click Edit.
7. Modify the GPO to prompt the user when Internet Explorer attempts to download an unsafe ActiveX control.
   a. In Group Policy Object Editor, in the console tree, expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, and then click Security.
   b. In the details pane, double-click Security Zones and Content Ratings.
   c. In the Internet Explorer Enhanced Security Configuration dialog box, click Continue.
   d. In the Security Zones and Content Ratings dialog box, click Import the current security zones and privacy settings, and then click Modify Settings.
   e. In the Internet Properties dialog box, on the Security tab, click Local intranet, and then click Custom Level.
   f. In the Security Settings dialog box, in the Settings list, ensure that Initialize and script ActiveX controls not marked as safe is set to Prompt, and then click OK.
   g. In the Internet Properties dialog box, click OK.
   h. In the Security Zones and Content Ratings dialog box, click OK.
   i. Close Group Policy Object Editor.
   j. In the Domain Properties dialog box, click OK.
   k. Close Active Directory Users and Computers.
   l. Close all open windows and then log off.
Important: Perform this procedure on the member server for your domain.
8. Log on to the domain with your administrative account.
   Log on to the domain by using the following credentials:
   • User name: Student1
   • Password: Password (where Password is the password assigned to your domain administration account)
   • Domain: Domain
Exercise 5
Performing Smart Card Enrollment Agent Requests
In this exercise, you will act as the enrollment agent and request a smart card certificate on behalf
of another user.
A smart card reader is required to perform this exercise. If you do not have a smart card reader,
view the demonstration instead. The demonstration is located under Multimedia on the Web page
on the Student Materials compact disc.
Scenario
Now that you have configured Internet Explorer to allow the downloading of unsafe ActiveX
controls, you are ready to start enrolling smart cards for other users.
If you do not have access to a Schlumberger smart card and smart card reader, view the demonstration on the
Student Materials compact disc.
1. Log on to the domain using your enrollment agent account.
   Log on to the domain by using the following credentials:
   • User name: Agent1 (on the domain controller) or Agent2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. (continued)
   g. On the Smart Card Certificate Enrollment Station page, ensure that the following information appears:
      • Certificate Template: AgentSmartCard
      • Certification Authority: DomainCA
      • Cryptographic Service Provider: Schlumberger Cryptographic Service Provider
      • Administrator Signing Certificate: Agent1 (on the domain controller) or Agent2 (on the member server)
   h. On the Smart Card Certificate Enrollment Station page, click Select User.
   i. In the Select User dialog box, in the Enter the object name to select box, type SC and then click Check Names.
   j. In the Multiple Names Found dialog box, click SCUser1 (on the domain controller) or SCUser2 (on the member server), and then click OK.
   k. In the Select User dialog box, click OK.
   l. Insert the Schlumberger smart card into the smart card reader.
   m. On the Smart Card Certificate Enrollment Station page, click Enroll.
   n. In the Confirm Smart Card PIN dialog box, in the Please enter your PIN box, type 00000000 and then click OK.
      The CSP generates the key pair on the smart card, the certificate request is signed with the private key of the enrollment agent certificate, the CA issues the certificate, and the CSP installs the certificate on the smart card. When the enrollment is completed, the View Certificate button appears.
3. View the details of the issued certificate.
   a. On the Smart Card Certificate Enrollment Station page, click View Certificate.
   b. In the Certificate dialog box, click the Details tab.
How does the certificate indicate that it was issued in a face-to-face interview?
The Certificate Policies attribute contains the High Assurance object identifier.
Does the certificate indicate that an enrollment agent requested the certificate?
No, the certificate does not contain any indication that the certificate was requested by an enrollment
agent.
4. Remove the smart card from the smart card reader and then log off the network.
   a. In the Certificate dialog box, click OK.
   b. Close Internet Explorer.
   c. Remove the smart card from the smart card reader.
   d. Close all open windows and log off.
5. Log on to the network using smart card authentication.
   a. Insert the smart card into the smart card reader.
   b. In the Log On to Windows dialog box, in the PIN box, type 00000000 and then click OK.
   c. Press CTRL+ALT+DELETE.
6. Close all open windows and log off the network.
   a. Remove the smart card from the smart card reader.
   b. Close all open windows and then log off.
7. Log on using your domain administration account and password.
   Log on to the domain by using the following credentials:
   • User name: Student1 (on the domain controller) or Student2 (on the member server)
   • Password: Password (where Password is the password defined for your administrative account)
   • Domain: Domain
Exercise 6
Configuring a Certificate to Require a Smart Card Signature
During Autoenrollment
In this exercise, you will design a version 2 certificate template, based on the Code Signing certificate template, that requires the certificate request to be signed with a smart card certificate during autoenrollment.
Scenario
Your organization must increase the issuance security for code signing certificates. It has
determined that signing the Code Signing certificate request with your smart card will meet the
issuance requirements of the organization. You must implement a version 2 certificate template that
requires that users use a smart card certificate to sign the Code Signing certificate request.
1. Log on to the domain using your certificate template administrator account with a password of P@ssw0rd.
   Log on to the domain by using the following credentials:
   • User name: Template1 (on the domain controller) or Template2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create a new certificate template named CodeSignComputer based on the Code Signing certificate template.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates message box appears, click OK.
   c. In the details pane, right-click Code Signing, and then click Duplicate Template.
   d. In the Properties of New Template dialog box, in the Template display name box, type CodeSignComputer (where Computer is the NetBIOS name of your computer), and then click OK.
4. Modify the issuance requirements to require an authorized signature with a Smart Card Logon application policy OID.
   a. On the Issuance Requirements tab, click This number of authorized signatures.
   b. In the Policy type required in signature drop-down list, select Application policy.
   c. In the Application policy drop-down list, select Smart Card Logon.
   d. In the CodeSignComputer Properties dialog box, click Apply.
5. Add the Medium Assurance issuance policy OID.
   a. On the Extensions tab, click Issuance Policies, and then click Edit.
   b. In the Edit Issuance Policies Extension dialog box, click Add.
   c. Click Medium Assurance, and then click OK twice.
   d. In the CodeSignComputer Properties dialog box, click Apply.
Wait at this point until your partner completes the creation of the CodeSignComputer certificate template.
Important: Perform this procedure on the domain controller for your domain.
7. Log on using your CA administrator account with a password of P@ssw0rd.
   Log on to the domain by using the following credentials:
   • User name: CAAdmin1
   • Password: P@ssw0rd
   • Domain: Domain
8. Configure the DomainCA to issue the two CodeSignComputer certificate templates.
   a. On the Start menu, click Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand Certification Authority, expand DomainCA, and then click Certificate Templates.
   c. Right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click CodeSignComputer (where Computer is the NetBIOS name of your computer), press CTRL and click CodeSignPartnerComputer (where PartnerComputer is the NetBIOS name of your partner’s computer), and then click OK.
   e. In the details pane, ensure that CodeSignComputer and CodeSignPartnerComputer appear.
9. Close all open windows and log off the network.
   a. Close the Certification Authority console.
   b. Close all open windows and then log off.
10. Log on with your domain administration account.
    Log on to the domain by using the following credentials:
    • User name: Student1
    • Password: Password (where Password is the password for your administrative account)
    • Domain: Domain
11. In Active Directory Users and Computers, link the Autoenrollment GPO to the Module09 organizational unit.
    a. On the Start menu, click Administrative Tools, and then click Active Directory Users and Computers.
    b. In the console tree, expand Domain.msft, expand Labs, and then click Module09.
    c. Right-click Module09, and then click Properties.
    d. In the Module09 Properties dialog box, on the Group Policy tab, click Add.
    e. In the Add a Group Policy Object Link dialog box, on the All tab, select Autoenrollment, and then click OK.
    f. In the Module09 Properties dialog box, click OK.
12. Close all open windows and log off the network.
    a. Close Active Directory Users and Computers.
    b. Close all open windows and then log off.
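Exercise 3 (step 4) and Exercise 6 (step 4) both use the Issuance Requirements tab to make the CA issue a certificate only when the request carries an authorized signature from a certificate that has a given application policy: Certificate Request Agent for AgentSmartCard, Smart Card Logon for CodeSignComputer. The Python below is an added example, not code from this course or from the Windows CA; it models that decision over constructed requests so you can see which signatures the CA accepts and which it rejects. The two application policy OIDs are Microsoft's published values for Certificate Request Agent and Smart Card Logon; the data classes, the certificate and request objects and their names are invented for the example.

```python
"""Model of the Issuance Requirements check an enterprise CA applies to a
version 2 template. Added example for Course 2821 Module 9; not the CA's code."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Microsoft application policy (enhanced key usage) OIDs used by the lab templates.
OID_CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Enrollment Agent certificate
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"           # Smart Card Logon certificate
OID_CLIENT_AUTHENTICATION = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class SignerCert:
    """The certificate whose private key co-signed the request (constructed)."""
    subject: str
    application_policies: FrozenSet[str]
    issuance_policies: FrozenSet[str] = frozenset()
    chains_to_trusted_root: bool = True  # the CA must build a trusted chain for the signer


@dataclass(frozen=True)
class IssuanceRequirements:
    """What the template's Issuance Requirements tab demands (constructed model)."""
    template: str
    authorized_signatures: int           # "This number of authorized signatures"
    policy_type: str                     # "application", "issuance" or "both"
    application_policy: str = ""
    issuance_policy: str = ""


@dataclass(frozen=True)
class CertRequest:
    template: str
    requester: str
    signers: Tuple[SignerCert, ...] = ()


def signer_is_authorized(reqs: IssuanceRequirements, cert: SignerCert) -> bool:
    """A signature counts only if the signing certificate is trusted and carries
    every policy OID the template names for the selected policy type."""
    if not cert.chains_to_trusted_root:
        return False
    if reqs.policy_type in ("application", "both") and \
            reqs.application_policy not in cert.application_policies:
        return False
    if reqs.policy_type in ("issuance", "both") and \
            reqs.issuance_policy not in cert.issuance_policies:
        return False
    return True


def evaluate(reqs: IssuanceRequirements, request: CertRequest) -> Tuple[bool, str]:
    """Return (issue, reason) for one request checked against one template."""
    if request.template != reqs.template:
        return False, "request names template %r, not %r" % (request.template, reqs.template)
    if reqs.authorized_signatures == 0:
        return True, "template requires no authorized signature"
    # Distinct authorized signers: the same certificate signing twice is one signature.
    authorized = {c.subject for c in request.signers if signer_is_authorized(reqs, c)}
    if len(authorized) < reqs.authorized_signatures:
        return False, "%d authorized signature(s) present, %d required" % (
            len(authorized), reqs.authorized_signatures)
    return True, "issuance requirements met by " + ", ".join(sorted(authorized))


# --- Constructed sample data mirroring the lab -------------------------------
AGENT_SMART_CARD = IssuanceRequirements("AgentSmartCard", 1, "application",
                                        application_policy=OID_CERTIFICATE_REQUEST_AGENT)
CODE_SIGN = IssuanceRequirements("CodeSignComputer", 1, "application",
                                 application_policy=OID_SMART_CARD_LOGON)

AGENT1 = SignerCert("Agent1", frozenset({OID_CERTIFICATE_REQUEST_AGENT}))
SCUSER1_SMART_CARD = SignerCert("SCUser1", frozenset({OID_SMART_CARD_LOGON,
                                                      OID_CLIENT_AUTHENTICATION}))
ROGUE_AGENT = SignerCert("Rogue", frozenset({OID_CERTIFICATE_REQUEST_AGENT}),
                         chains_to_trusted_root=False)

# Exercise 5: the enrollment agent signs a smart card request on SCUser1's behalf.
AGENT_SIGNED = CertRequest("AgentSmartCard", "SCUser1", (AGENT1,))
# The same request submitted by the user alone, with no agent signature.
UNSIGNED = CertRequest("AgentSmartCard", "SCUser1")
# A request signed by an agent certificate that does not chain to a trusted root.
UNTRUSTED_SIGNER = CertRequest("AgentSmartCard", "SCUser1", (ROGUE_AGENT,))
# Exercise 7: the user signs the Code Signing autoenrollment request with the smart card.
SMART_CARD_SIGNED = CertRequest("CodeSignComputer", "SCUser1", (SCUSER1_SMART_CARD,))
# An enrollment agent certificate has the wrong application policy for CodeSignComputer.
WRONG_POLICY = CertRequest("CodeSignComputer", "SCUser1", (AGENT1,))

if __name__ == "__main__":
    for reqs, req in [(AGENT_SMART_CARD, AGENT_SIGNED), (AGENT_SMART_CARD, UNSIGNED),
                      (AGENT_SMART_CARD, UNTRUSTED_SIGNER), (CODE_SIGN, SMART_CARD_SIGNED),
                      (CODE_SIGN, WRONG_POLICY)]:
        print(reqs.template, req.requester, evaluate(reqs, req))
```

The model makes two points the GUI steps do not: a signature from a certificate with the wrong application policy (an enrollment agent certificate on a CodeSignComputer request, or the reverse) is simply not counted, and the count is over distinct signers, so setting the number of authorized signatures to 2 cannot be satisfied by one agent signing twice.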
Exercise 7
Signing an Autoenrollment Certificate Request with a Smart Card
In this exercise, you will test your CodeSignComputer certificate deployment to ensure that you are
prompted to provide your smart card PIN to sign the certificate request.
A smart card reader is required to perform this exercise. If you do not have a smart card reader,
view the demonstration instead. The demonstration is located under Multimedia on the Web page
on the Student Materials compact disc.
Scenario
To increase the issuance security of Code Signing certificates, the version 2 certificate template
requires that all certificate requests be signed with a smart card certificate. You must test the
autoenrollment process to ensure that the requesting user is prompted for the smart card PIN during
autoenrollment.
If you do not have access to a Schlumberger smart card and smart card reader, you can view the
demonstration under Multimedia on the Web page on the Student Materials compact disc.
1. Log on using your smart card.
   a. Insert the smart card into the smart card reader.
   b. In the Log On to Windows dialog box, in the PIN box, type 00000000 and then click OK.
Wait for the automatic enrollment balloon to appear in the notification area, which may take up to 90 seconds. If it does not appear, type gpupdate /force at a command prompt.
2. Click the autoenrollment balloon and start the certificate enrollment process.
   a. In the notification area, click the Certificate enrollment balloon.
   b. In the Certificate Enrollment dialog box, click Start.
      A dialog box appears, informing you that you may need to enter your password or personal identification number (PIN) or insert a smart card.
3. Sign the certificate request with your smart card.
   a. In the Certificate Enrollment dialog box, click OK.
   b. In the Confirm Smart Card PIN dialog box, in the Please enter your PIN code box, type 00000000 and then click OK.
4. View the properties of the CodeSignComputer certificate, and then save any change and log off the network.
   a. Click Start, click Run, type Certmgr.msc and then click OK.
   b. In the console tree, expand Personal, and then click Certificates.
   c. Double-click CodeSignComputer (where Computer is the NetBIOS name of your computer).
      You must scroll to the right to view the Certificate Template column.
Is there any indication in the properties of the CodeSignComputer certificate that a smart card signature was
required to issue the certificate?
No. As currently configured, the certificate properties do not indicate that a smart card signature is
required. If such a requirement is defined elsewhere, the Medium Assurance issuance policy OID or a
custom issuance policy OID can designate this issuance process.
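Both answers above (Exercise 5, step 3, and Exercise 7, step 4) rest on the same fact: the only issuance evidence the CA writes into the certificate is the Certificate Policies extension, which lists issuance policy OIDs such as High Assurance and Medium Assurance. Nothing in the certificate records that an enrollment agent or a smart card signed the request. The Python below is an added example, not code from this course or from Windows; it encodes that extension in DER, decodes it again and answers both questions from the decoded OIDs, so the same check can be run against the raw extension value of a real certificate. The two policy OID values are placeholders invented for the example (each forest gets its own issuance policy OIDs under the Microsoft arc 1.3.6.1.4.1.311.21.8, which is assumed here, not verified); read the real values from the Certificate Templates console before using this against your own certificates.

```python
"""Encode and decode the X.509 Certificate Policies extension to check which
issuance policy OIDs a certificate carries. Added example; not course code."""
from typing import Iterable, List, Tuple

TAG_OID = 0x06
TAG_SEQUENCE = 0x30

# Placeholder issuance policy OIDs for this example. Each forest gets its own arc
# under 1.3.6.1.4.1.311.21.8; these particular values are invented here.
HIGH_ASSURANCE = "1.3.6.1.4.1.311.21.8.2831106.12345.1.402"
MEDIUM_ASSURANCE = "1.3.6.1.4.1.311.21.8.2831106.12345.1.401"
POLICY_NAMES = {HIGH_ASSURANCE: "High Assurance", MEDIUM_ASSURANCE: "Medium Assurance"}


def der_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: the first two arcs share a byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(body))


def encode_certificate_policies(oids: Iterable[str]) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }"""
    infos = b"".join(der_tlv(TAG_SEQUENCE, encode_oid(o)) for o in oids)
    return der_tlv(TAG_SEQUENCE, infos)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = min(body[0] // 40, 2)
    arcs = [first, body[0] - 40 * first]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_certificate_policies(der: bytes) -> List[str]:
    """Return the policyIdentifier OIDs; policy qualifiers, if present, are skipped."""
    tag, outer, _ = read_tlv(der, 0)
    assert tag == TAG_SEQUENCE, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = read_tlv(outer, pos)
        assert tag == TAG_SEQUENCE, "PolicyInformation must be a SEQUENCE"
        oid_tag, oid_body, _ = read_tlv(info, 0)
        assert oid_tag == TAG_OID, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_body))
    return oids


def issued_face_to_face(cert_policies_der: bytes) -> bool:
    """Exercise 5 question: the High Assurance OID is the only evidence of the interview."""
    return HIGH_ASSURANCE in decode_certificate_policies(cert_policies_der)


def describe_issuance(cert_policies_der: bytes) -> List[str]:
    """Exercise 7 question: the certificate names its issuance policies and nothing
    more; it never records that a smart card or agent signature was required."""
    return [POLICY_NAMES.get(o, "unknown policy " + o)
            for o in decode_certificate_policies(cert_policies_der)]


if __name__ == "__main__":
    smart_card_ext = encode_certificate_policies([HIGH_ASSURANCE])
    code_sign_ext = encode_certificate_policies([MEDIUM_ASSURANCE])
    print(smart_card_ext.hex(), issued_face_to_face(smart_card_ext), describe_issuance(smart_card_ext))
    print(code_sign_ext.hex(), issued_face_to_face(code_sign_ext), describe_issuance(code_sign_ext))
```

To apply this to an issued certificate, pass the raw value of its certificatePolicies extension (extension OID 2.5.29.32) to decode_certificate_policies; the decoder keeps only the policyIdentifier of each PolicyInformation and ignores any qualifiers the CA attached.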
Exercise 8
Planning for Re-enrollment
In this exercise, you will determine the best method to re-enroll the smart card certificates that were
issued to the users in your organization.
Scenario
You are the PKI administrator of your organization’s network. The organization successfully
deployed smart card certificates to the organization’s users by using an enrollment agent.
The validity period of the smart card certificates will expire in a few months. Your manager has
asked you to develop a method to re-enroll the smart card certificates, but without the same
administrative effort and time of the initial project, when smart card certificates were issued.
Requirements
In addition to reducing the time and effort involved, you must meet the following requirements:
! The client computers run a mix of Windows 2000 Professional and Windows XP Professional.
The solution must provide automated re-enrollment for both client operating systems.
! Some portable computers are not members of domains in the organization’s forest. The re-
enrollment design must allow users of these portable computers to re-enroll their smart card
certificates.
! The smart card users must provide proof that their previous smart card was issued in a face-to-face
interview.
! If a smart card user attempts to enroll the previous version of the smart card certificate template,
the users must be issued a certificate based on the new certificate template.
! Smart card certificates must be issued only to Schlumberger smart cards.
CA Hierarchy Configuration
Your organization’s network has a Windows 2000 Active Directory directory service that
implements the Windows Server 2003 PKI. It has deployed the following CA hierarchy:
1. Ensure that you are logged on to the domain as a Certificate Template administrator.
   Log on to your computer by using the following information:
   • User name: Template1 (on the domain controller) or Template2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Open the Certificate Templates console.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. In the Certificate Templates dialog box, click OK.
Questions
Based on the CA hierarchy configuration and the stated requirements, answer the following design questions:
1. How can you automate the renewal of smart card certificates for users who
have Windows XP computers that are members of the forest?
You can automate the renewal of smart card certificates by using
Autoenrollment Settings to automatically distribute the updated
certificates to user accounts.
2. How can you automate the re-enrollment of smart card certificates for users
who have computers running Windows XP that are not members of the
forest?
Autoenrollment Settings do not work for users who use computers that
are not domain members. Several alternatives exist. The user can log on
to a computer that is a member of a domain or use remote desktop to
connect to a computer running Windows Server 2003 that is a member
of the domain.
3. If a user has a computer running Windows 2000 Professional, can you use
autoenrollment to re-enroll the smart card certificate? If not, what do you
recommend as a solution for this user?
A user that has a computer running Windows 2000 Professional must
log on to a computer running Windows XP that is a member of the
domain.
4. How can a user prove her identity when you renew her smart card certificate
without having another face-to-face meeting with a smart card enrollment
agent?
The certificate template can require that the user sign the certificate
request with the private key of their current smart card certificate.
6. How would you configure the Issuance Requirements tab of a new version
2 smart card certificate template to require the user to sign the smart card
certificate request with his current smart card?
Attribute Your recommended design
7. In the following table, define the settings on the Request Handling tab to
meet the design requirements for the new smart card certificate template.
Attribute Your recommended design
8. How would you ensure that certificate requests for a certificate based on the
AgentSmartCard certificate template are issued a certificate based on the
new certificate template?
Add the AgentSmartCard certificate to the Superseded Templates tab
of the new version 2 smart card certificate.
Course Evaluation
Module 10: Securing Web Traffic by Using SSL
Contents
Overview .................................................................................................1
Lesson: Introduction to SSL Security ......................................................2
Lesson: Enabling SSL on a Web Server ...................................................9
Lesson: Implementing Certificate-based Authentication ........................20
Lab A: Deploying SSL Encryption on a Web Server ..............................31
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.
Module 10: Securing Web Traffic by Using SSL iii
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes
Secure Sockets Layer (SSL) is a protocol that provides encrypted communications over the Internet. It is the default protocol that e-commerce sites use to protect data from theft and exposure, to enable certificate-based authentication, and to verify the Web site name. This module describes how security is implemented in a Web environment.
The students will learn to implement SSL security and certificate-based authentication.
After completing this module, students will be able to:
! Describe how security is implemented in a Web environment.
! Configure Internet Information Services 6.0 (IIS) to implement SSL
security.
! Implement certificate-based authentication for Web applications.
How to Acquire a Web Server Certificate from a Commercial CA: Tell students that they should install a Web Server certificate from a commercial CA if the Web server is an extranet Web server or is exposed to external clients that must trust the content of your Web server. Mention to students that the same installation method is used if you acquire a Web Server certificate from a standalone CA, rather than from an enterprise CA. The only difference with the acquisition from a commercial CA is that money is exchanged when the certificate is purchased.
SSL Configuration Options: Explain to students that after they install a Web Server certificate on a Web server, they can configure various SSL options. Demonstrate the options if you installed a Web Server certificate on the instructor computer.
Certificate Deployment for Complex Configurations: Expect to spend some extra time on this page, because students like to discuss their own custom configurations. Although the slide shows ISA as the firewall, you can discuss other firewall and SSL-acceleration options. For example, if you use a CheckPoint Firewall-1 firewall, you use the same certificate deployment as ISA with Server Publishing. Likewise, if you use a Web accelerator, such as an F5 device, you implement the same configuration as the ISA with Web Publishing. To decide whether to use a particular firewall or device, students should review the documentation of the firewall or SSL acceleration device.
Guidelines for Enabling SSL Security: Review each guideline in the slide and answer any questions. Spend extra time discussing the modification requirements for the CPS when a Web server is exposed to nonemployees.
How to Implement Certificate Mapping in Active Directory: Explain that Active Directory does not necessarily require them to perform the mapping as described on the page. If the certificate is issued by an enterprise CA in your organization, the user’s User Principal Name (UPN) may exist in the subject alternative name extension. The UPN is mapped to a user’s account by matching the UPN in the certificate to a UPN in the global catalog. This implicit mapping works because the UPN is unique in the forest.
Guidelines for Certificate Mapping: Review each guideline and answer any questions.
Lab A: Ensure that the students enter the correct DNS name for their Web server in Exercise 1, step 3i of the lab. Many students will accept the default setting, which is the computer’s NetBIOS name, rather than the computer’s DNS name.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: The labs in this module require that there is a CA hierarchy with an offline root CA and an enterprise subordinate CA. Students must complete all of Labs A, B, and C in Module 3, “Creating a Certification Authority Hierarchy,” in Course 2821, Designing and Managing a Windows Public Key Infrastructure.
Setup requirement 2: All of the procedures in the lab assume that Common Criteria role separation is enforced. Students must complete Lab A in Module 4, “Managing a Public Key Infrastructure,” in Course 2821.
Setup requirement 3: The ability to create and modify certificate templates is delegated to the CertTmplAdmins global group. Students must complete Lab A in Module 5, “Configuring Certificate Templates,” in Course 2821.
Setup requirement 4: The http://WebServer (where WebServer is the fully qualified domain name of the student’s domain controller) is configured as a member of the Local intranet zone in the Default Domain Policy. Students must complete Lab B in Module 3, “Creating a Certification Authority Hierarchy,” in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
! A Web Server certificate is installed on the member server and the domain
controller for each student pair of computers.
! C:\moc\2821\labfiles\Module10 is configured as an IIS virtual directory
named Security.
! The permissions for the folder c:\moc\2821\labfiles\Module10 are modified
to allow only Read access to the Domain\WebAccess domain local group.
! The Security virtual folder is configured to require client certificates for
authentication.
! The Windows Directory Service Mapper is enabled to allow Active
Directory certificate mapping.
! The Windows Directory Service Mapper is later made unavailable to allow
IIS certificate mapping.
! Web Authentication certificates are issued to the Web1 and Web2 user
accounts.
! The Web1 and Web2 Web Authentication certificates are exported to
Base 64-encoded export files.
! The Base 64-encoded export files are mapped to the Web1 and Web2 user
accounts in IIS by implementing one-to-one mappings.
Overview
Note The Domain Name System (DNS) name that a user types in the Web
browser must match the subject of the Web Server certificate. If the name does
not match, a warning appears.
Note The Web Server Certificate Wizard issues only certificates that are based
on the Web Server certificate template. If you require a customized version 2
certificate template that is based on the Web Server certificate template, you
cannot use the Web Server Certificate Wizard to generate the Web server’s
certificate request.
User certificates
When you enable SSL, you can also implement certificate-based authentication. In this authentication method, the user presents a certificate that includes the Client Authentication application policy object identifier (OID) to the Web server. The certificate that the user presents must chain to a root CA that the Web server trusts and pass all validity tests that the Web server applies to the certificate.
When the user connects to a Web site that enforces certificate-based
authentication, the user’s Internet browser prompts the user to select a
certificate from the user’s certificate store. IIS examines the information in the
presented certificate and uses the user account that is associated with the
certificate to log on the user. When IIS has verified the user with the user’s
certificate, the user is authenticated and can use the site.
Choosing private CAs
Organizations create and manage private CAs internally. Choose a private CA if you conduct most of your business with partner organizations and you want to maintain control of how your company issues certificates.
The advantages of choosing a private CA include:
! Ability of an organization to enforce its certificate policies.
! Ability of an organization to manage its certificate policy to match its
overall security policy.
! Easy modification of certificates to include custom application policies or
certificate policies in issued certificates.
! The use of autoenrollment to deploy both user and computer certificates
without user intervention.
! Reduced costs that are associated with issuing certificates.
4. Provide name and key details for the Web Server certificate request by
performing the following steps:
a. On the Name and Security Settings page, enter the Friendly name for
the certificate, key length, and CSP information, and then click Next.
b. On the Organizational Information page, enter the names of the
organization and the organizational unit (OU), and then click Next.
c. On the Your Site’s Common Name page, enter the fully qualified
domain name (FQDN) of the Web site, and then click Next.
d. On the Geographical Information page, enter country/region,
state/province and city/locality information, and then click Next.
e. On the SSL Port page, accept the default SSL port, and then click Next.
5. On the Choose a Certification Authority page, choose which online
enterprise CA you want to submit the certificate request to, and then click
Next.
6. On the Certificate Request Submission page, review the certificate request
parameters, and then click Next.
The CA will either issue or deny the certificate request based on the
issuance requirements of the Web Server certificate template.
7. On the Completing the Web Server Certificate Wizard page, click
Finish.
If a Web server hosts multiple Web sites, you can install separate Web Server
certificates for each Web site. To do this, run the Web server Certificate Wizard
in the properties of each Web site the Web server hosts.
Note When you request a Web Server certificate, ensure that the FQDN that
you enter in the display name of the Web site matches the FQDN that all clients
use to connect to the Web site. If the name does not match, the user receives an
error message that the certificate name does not match the name of the Web
site. The only way to rectify the name mismatch is to remove the existing Web
Server certificate and request a new Web Server certificate with the correct
FQDN.
6. Provide name and key details for the Web Server certificate request by
performing the following steps:
a. On the Name and Security Settings page, enter the Friendly name for
the certificate, the key length, and CSP information, and then click Next.
b. On the Organization Name page, enter the names of the organization
and the OU, and then click Next.
c. On the Your site’s Common Name page, enter the FQDN of the Web
site, and then click Next.
d. On the Geographical Information page, enter country/region,
state/province and city/locality information, and then click Next.
e. On the Certificate Request File Name page, enter a name for the
certificate request file, and then click Next.
f. On the Certificate Request Submission page, review the certificate
request parameters, and then click Next.
g. On the Completing the Web Server Certificate Wizard page, click
Finish.
7. Send the certificate request file to the commercial CA organization.
8. Install the certificate from the commercial CA organization by performing
the following steps:
a. In the Internet Information Services (IIS) console, in the Web Site
Properties dialog box, on the Directory Security tab, click Server
Certificate.
b. On the Welcome to the Web Server Certificate Wizard page, click
Next.
c. On the Pending Certificate Request page, click Process the pending
request and install the certificate, and then click Next.
d. On the Process a Pending Request page, designate the certificate
response file from the commercial CA organization, and then click Next.
e. On the Certificate Summary page, review the details of the Web Server
certificate, and then click Next.
f. On the Completing the Web Server Certificate Wizard page, click
Finish.
Note You must implement this procedure when you request certificates for
third-party Web servers, such as an Apache Web server, or for SSL-acceleration
network devices, such as an F5 Web accelerator device.
Note To implement host headers, acquire Web Server certificates for each
FQDN that is defined in a host header.
! Define SSL listening ports. Defines what port the Web site uses to listen for
SSL connections. By default, the Web site listens on Transport Control
Protocol (TCP) port 443, but you can configure a custom port. For example,
if your Web server hosts multiple Web sites, and the Web browsers in your
organization do not support host headers, you can host multiple SSL-
protected Web sites on a Web server by configuring unique listening ports
for SSL for each Web site.
Implementing SSL for Web servers that are protected by ISA server
Microsoft Internet Security and Acceleration (ISA) Server enables you to publish Web servers that are located in a network segment that is protected by the ISA server. There are two methods for publishing a Web site:
! Server publishing. All HTTPS traffic that is destined to the Web server is
routed from the ISA server to the Web server. The content of the HTTPS
data stream remains encrypted and is not inspected on the ISA server.
! Web publishing. All HTTPS traffic is terminated on the ISA server.
Therefore, an organization can apply application-level filters that enable
perimeter inspection of all content that is sent to the Web server. For
example, by installing the URLScan filter on the ISA server, the ISA server
can inspect all Web-based traffic for allowed HTTP verbs and allowed
extensions of Web content. After the ISA server inspects the HTTPS data, it
can redirect the data as either HTTP or HTTPS traffic, depending on how
Web publishing is defined.
Note For more information about configuring Server Publishing and Web
Publishing on an ISA server, see Module 7, “Configuring Access to Internal
Resources,” in Course 2159, Deploying and Managing Microsoft Internet and
Security Acceleration Server 2000.
! If the ISA server implements Server publishing, the Web Server certificate
is only required on the Web server. The SSL data stream is not decrypted
until it reaches the Web server.
! If the ISA server implements Web publishing, the installation locations of
the Web Server certificate depend on how Web publishing is configured.
Consider the following guidelines for determining where to install the Web
Server certificate:
• If the ISA server redirects the HTTPS traffic as HTTP traffic, install the
Web Server certificate only on the ISA server. The certificate is not
required on the Web server.
• If the ISA server redirects HTTPS traffic as HTTPS traffic, install a Web
Server certificate on the ISA server and another Web Server certificate
on the Web server. The subject of the ISA server’s Web Server
certificate must be the URL that Web clients use to connect to the Web
site. The subject of the Web server’s Web Server certificate must be the
URL that the ISA server uses to redirect HTTPS traffic to the Web
server.
! Ensure that all CA certificates and CRLs in the certificate chain can be
downloaded. Most Web browsers check CRLs when a user connects to
SSL-protected Web sites. If any CA certificate or CRL in the chain is unavailable,
the certificate chaining engine cannot determine the validity of the Web
Server’s certificate, which results in the connecting users receiving a
Security Alert message.
! Ensure that the subject of the Web Server certificate matches the DNS name
of the Web server. If the subject name does not match the FQDN of the Web
site, the connecting user is warned that it may be a fake Web site.
Note To implement digest authentication, you must select the Store password
in reversible encryption option for a user account and the user must change
their password after the option is selected.
Many-to-one certificate mapping
To implement many-to-one certificate mapping, install the CA that issues certificates to the users as a trusted root for your site, domain, OU, or forest. You can then set rules that associate all certificates that the CA issues with a single user account in Windows 2000.
You can use separate many-to-one certificate mappings for different groups that
may require access to resources on your network. You can configure user
accounts that grant different sets of rights and permissions on the basis of the
clients’ ownership of valid certificates that match the mapping rules. For
example, you can associate your employees with a user account that grants
Read access to the entire Web site. Then, you can associate consultants and
employees of business partners with other user accounts that allow access only
to nonconfidential information and selected proprietary information.
Mixing mappings
If you define both one-to-one and many-to-one mappings in Active Directory or
IIS, the one-to-one mappings take precedence, which means that you can map
specific groups and individuals. For example, you can associate users from your
company with many-to-one mappings allowing common access privileges to all
users in your company when connecting to a Web site. If one or two specific
individuals require additional privileges when connecting to the Web site,
implement specific one-to-one mappings for those users.
Manually administering one-to-one mappings requires more administrative
effort than administering many-to-one mappings.
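The precedence rule described in the two passages above (many-to-one rules matched on certificate attributes, one-to-one mappings winning for specific individuals), as an added example that is neither the course’s nor IIS’s own code. The certificates, rule criteria, thumbprints and account names are constructed samples.

```python
"""IIS-style certificate-to-account mapping resolution, written as an added
example (it is not the course's or IIS's own code). It models the precedence
rule the module describes: one-to-one mappings win over many-to-one rules,
and among many-to-one rules the first matching rule in the sorted list wins.
All certificates, rules, thumbprints and account names are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class PresentedCert:
    """The parts of a presented client certificate that the mapper inspects."""
    thumbprint: str           # identifies the exact certificate (one-to-one mappings)
    subject: Dict[str, str]   # e.g. {"CN": "Web1", "O": "Domain", "OU": "Corporate"}
    issuer: Dict[str, str]    # e.g. {"CN": "Domain Issuing CA", "O": "Domain"}


@dataclass
class ManyToOneRule:
    """One many-to-one rule: every criterion must match for the rule to fire.

    Criteria are keyed by (part, field) where part is 'Subject' or 'Issuer';
    patterns may use '*' wildcards (fnmatchcase, so matching is case-sensitive)."""
    name: str
    account: str
    criteria: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def matches(self, cert: PresentedCert) -> bool:
        for (part, fld), pattern in self.criteria.items():
            source = cert.subject if part == "Subject" else cert.issuer
            if not fnmatchcase(source.get(fld, ""), pattern):
                return False
        return True


class CertificateMapper:
    """Holds both mapping kinds and resolves a certificate to an account."""

    def __init__(self) -> None:
        self.one_to_one: Dict[str, str] = {}        # thumbprint -> account
        self.many_to_one: List[ManyToOneRule] = []  # evaluated in list order

    def add_one_to_one(self, cert: PresentedCert, account: str) -> None:
        self.one_to_one[cert.thumbprint] = account

    def add_many_to_one(self, rule: ManyToOneRule) -> None:
        self.many_to_one.append(rule)

    def resolve(self, cert: PresentedCert) -> Optional[str]:
        # One-to-one mappings take precedence, which is what lets a single
        # individual receive more rights than the group rule would grant.
        account = self.one_to_one.get(cert.thumbprint)
        if account is not None:
            return account
        for rule in self.many_to_one:
            if rule.matches(cert):
                return rule.account
        return None  # no mapping matched; IIS would refuse the logon


# Constructed sample certificates (thumbprints are placeholders, not real values).
WEB1_CERT = PresentedCert("AA11", {"CN": "Web1", "O": "Domain", "OU": "Corporate"},
                          {"CN": "Domain Issuing CA", "O": "Domain"})
EMPLOYEE_CERT = PresentedCert("BB22", {"CN": "Alice", "O": "Domain", "OU": "Corporate"},
                              {"CN": "Domain Issuing CA", "O": "Domain"})
PARTNER_CERT = PresentedCert("CC33", {"CN": "Bob", "O": "Partner Org"},
                             {"CN": "Partner Org CA", "O": "Partner Org"})
UNKNOWN_CERT = PresentedCert("DD44", {"CN": "Mallory", "O": "Somewhere Else"},
                             {"CN": "Some Public CA", "O": "Some Public CA"})


def build_sample_mapper() -> CertificateMapper:
    """Mappings in the spirit of the module's example: employees share one
    account, partner users share another, and Web1 gets an individual mapping."""
    mapper = CertificateMapper()
    mapper.add_many_to_one(ManyToOneRule(
        "Employees", r"Domain\Employees",
        {("Issuer", "O"): "Domain", ("Subject", "OU"): "Corporate"}))
    mapper.add_many_to_one(ManyToOneRule(
        "Partners", r"Domain\WebAccess",
        {("Issuer", "O"): "Partner*"}))
    # Web1's certificate would also satisfy the Employees rule, but the
    # one-to-one mapping is consulted first and wins.
    mapper.add_one_to_one(WEB1_CERT, r"Domain\Web1")
    return mapper
```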
Note The easiest way to export the certificate is to open the Certificates
console and use the Certificate Export Wizard.
The IIS server must trust the root CA of the user’s certificate chain, because the
certificate is from an external organization. You can trust the user’s root CA by
importing the root CA certificate into the trusted root store in Active Directory
or on the IIS server. Or, your organization can issue a Cross Certification
Authority certificate to the CA that issued the user’s certificate. This certificate
implements qualified subordination constraints so that the presented certificate
is trusted.
Certificate mapping in IIS
After you obtain the user’s certificate, configure IIS to define the one-to-one or many-to-one certificate mappings. To perform the certificate mapping in IIS:
1. In the Internet Information Services (IIS) console, enable certificate
mapping.
2. Choose whether to perform a one-to-one or many-to-one mapping. The
mapping method determines what attributes of the user certificate IIS uses
to determine which user account to associate with the presented certificate.
3. Import the user’s certificate. You can import and sort multiple certificates
within the list to determine certificate mapping priorities. If you use a many-
to-one mapping, you can define what attributes IIS inspects in the presented
certificate to determine which organization issued the certificate.
4. Select the user account to map to the user certificate and provide the
password for the user account.
Note In the certificate mapping process, you must enter the user’s
password. If the person who configures the certificate mapping is not the
user, the person must know the user’s password or be able to reset it.
Note To use the Active Directory certificate mapping on multiple Web servers,
each Web server must enable certificate mapping and enable the Windows
Directory Service Mapper.
Using Active Directory Users and Computers for certificate mapping
You can define certificate mappings in Active Directory Users and Computers. You can use the defined mappings in this console at any IIS server in the forest that enables the Windows Directory Service Mapper.
Note This lab focuses on the concepts that are explained in this module and
may not comply with Microsoft security recommendations.
Exercise 1
Enabling SSL Encryption in IIS
In this exercise, you will install a Web Server certificate on both computers in your domain. You
will then enforce SSL encryption for the Security virtual directory to ensure that SSL protects all
communications to the virtual directory.
Scenario
Your organization posts sensitive information to a publicly accessible Web site. To protect the data
in the Web virtual directory from interception, you must enable SSL encryption.
1. Log on using your domain administration account and password.
Log on to the domain by using the following credentials:
• User name: Student1 (on the domain controller) or Student2 (on the member server)
• Password: Password (where Password is the password for your administrative account)
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. In the Internet Information Services (IIS) Manager console, browse to the default Web site.
a. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the console tree, expand Computer (where Computer is the NetBIOS name of your computer), expand Web Sites, and then click Default Web Site.
3. Enable SSL by running the Web Server Certificate Wizard with the following options:
• Create a new certificate
• Send the request immediately to an online certification authority
• Organization: Domain
• Organizational unit: Corporate
• Common name: Computer.Domain.msft
• Country/Region: CA (Canada)
• State/province: Manitoba
• City/locality: Winnipeg
• SSL port: 443
a. Right-click Default Web Site, and then click Properties.
b. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
c. On the Welcome to the Web Server Certificate Wizard page, click Next.
d. On the Server Certificate page, click Create a new certificate, and then click Next.
e. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
f. On the Name and Security Settings page, accept the default settings, and then click Next.
g. On the Organization Information page, in the Organization box, type Domain (where Domain is the NetBIOS name of your domain).
h. In the Organizational unit box, type Corporate and then click Next.
i. On the Your Site’s Common Name page, in the Common name box, type Computer.Domain.msft (where Computer is the NetBIOS name of your computer and Domain is the NetBIOS name of your domain), and then click Next.
4. Create a new virtual directory named Security that refers to C:\moc\2821\labfiles\module10.
a. Right-click Default Web Site, point to New, and then click Virtual Directory.
b. On the Virtual Directory Creation Wizard page, click Next.
c. On the Virtual Directory Alias page, in the Alias box, type Security and then click Next.
d. On the Web Site Content Directory page, in the Path box, type C:\moc\2821\labfiles\module10 and then click Next.
e. On the Virtual Directory Access Permissions page, accept the default settings, and then click Next.
f. On the Virtual Directory Creation Wizard page, click Finish.
5. Enable SSL and require 128-bit encryption for the Security virtual directory.
a. In the console tree, right-click Security, and then click Properties.
b. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.
c. In the Secure Communications dialog box, click Require secure channel (SSL), click Require 128-bit encryption, and then click OK.
d. In the Security Properties dialog box, click OK.
e. Close Internet Information Services (IIS) Manager.
Wait until your partner completes the previous procedure before you proceed with the lab.
What zone is the Web site located in? If the Web site has any active content, what zone would you
configure for the URL?
The Web site is part of the Internet zone. To view active content, add the zone to the Trusted Sites
zone or the Local intranet zone. These zones allow ActiveX controls to be downloaded.
Exercise 2
Securing the Security Virtual Folder
In this exercise, you will change the permissions of the folder that contains the contents of the
Security Web site so that only members of the Web Access group can access the Web site.
Scenario
You must protect the contents of the Security Web site so that only authorized users may connect to
the site, rather than all users in the domain.
1. Log on using your domain administration account and password.
Ensure that you are logged on with the following credentials:
• User name: Student1 (on the domain controller) or Student2 (on the member server)
• Password: Password (where Password is the password for your administrative account)
• Domain: Domain (where Domain is the NetBIOS name of your domain)
Exercise 3
Enabling Certificate Mapping in Active Directory
In this exercise, you will enable IIS to use Active Directory to perform certificate mapping.
Scenario
Your organization plans to replicate the Security Web site to multiple Web servers in the
organization. To ensure that consistent certificate mappings occur, you must configure IIS to use
the Active Directory name mapper.
1. Log on using your domain administration account and password.
Ensure that you are logged on to the domain with the following credentials:
• User name: Student1 (on the domain controller) or Student2 (on the member server)
• Password: Password (where Password is the password for your administrative account)
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Configure the properties of the Security virtual directory with the following options:
• Require client certificates
• Enable client certificate mapping
a. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the console tree, expand Computer (where Computer is the NetBIOS name of your computer), expand Web Sites, expand Default Web Site, and then click Security.
c. In the console tree, right-click Security, and then click Properties.
d. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.
e. In the Secure Communications dialog box, click Require client certificates.
f. In the Secure Communications dialog box, click Enable client certificate mapping, and then click OK.
g. In the Security Properties dialog box, click Apply.
3. Clear the check boxes for all forms of authentication for the Security Web site.
a. In the Security Properties dialog box, in the Authentication and access control section, click Edit.
b. In the Authentication Methods dialog box, clear all authentication method check boxes, and then click OK.
c. In the Security Properties dialog box, click OK.
Clearing all check boxes prevents Internet Explorer from presenting a user authentication dialog box
if certificate-based authentication fails.
4. In the Web site’s properties, activate the Windows directory service mapper.
a. In the console tree, right-click Web Sites, and then click Properties.
b. In the Web Sites Properties dialog box, on the Directory Security tab, click Enable the Windows directory service mapper, and then click OK.
c. If the Inheritance Overrides dialog box appears, click Cancel.
d. Close Internet Information Services (IIS) Manager.
e. Close all open windows and log off.
Wait until your partner completes the previous procedure before you proceed with the lab.
5. Log on using your Web access account.
Log on to the domain by using the following credentials:
• User name: Web1 (on the domain controller) or Web2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain
6. Acquire a user certificate using the Certificates – Current User console (Certmgr.msc).
a. Click Start, click Run, type Certmgr.msc and then click OK.
b. In the console tree, click Personal.
c. In the console tree, right-click Personal, point to All Tasks, and then click Request New Certificate.
d. On the Certificate Request Wizard page, click Next.
e. On the Certificate Types page, in the Certificate Types list, select User, and then click Next.
f. On the Certificate Friendly Name and Description page, in the Friendly name box, type Web Authentication and then click Next.
g. On the Completing the Certificate Request Wizard page, click Finish.
h. In the Certificate Request Wizard message box, click OK.
i. Close the Certificates console.
Did you successfully connect to the Web site by using certificate-based authentication?
Yes. The certificate successfully mapped to the Web1 or Web2 user accounts in Active Directory.
What attribute must you select in a certificate template to enable Active Directory certificate mapping?
The certificate template must enable the Publish certificate in Active Directory attribute, so that the
certificate is stored as an attribute of the user account that the certificate was issued to.
Exercise 4
Enabling Certificate Mapping in Internet Information Services
In this exercise, you will change IIS to perform the certificate mapping between certificate and user
accounts.
Scenario
You must post the Security Web site on a Web server that is not a domain member in your
organization’s DMZ. You must modify the properties of the Security Web site to perform the
certificate mapping in IIS, rather than in Active Directory.
1. Ensure that you are logged on using your Web access account.
Ensure that you are logged on with the following credentials:
• User name: Web1 (on the domain controller) or Web2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Export your User certificate by using a Base-64 encoded X.509 (.CER) format to a file named C:\temp\web.cer.
a. Click Start, click Run, type Certmgr.msc and then click OK.
b. In the console tree, expand Personal, and then click Certificates.
c. In the details pane, right-click the certificate that is issued to Web1 or Web2, point to All Tasks, and then click Export.
d. On the Certificate Export Wizard page, click Next.
e. On the Export Private Key page, click No, do not export the private key, and then click Next.
f. On the Export File Format page, click Base-64 encode X.509 (.CER), and then click Next.
g. On the File to Export page, in the File name box, type C:\temp\web.cer and then click Next.
h. On the Completing the Certificate Export Wizard page, click Finish.
i. In the Certificate Export Wizard message box, click OK.
j. Close the Certificates – Current User console.
k. Close all open windows and then log off.
Wait until your partner completes the previous procedure before you proceed with the lab.
3. Log on to the network using your domain administrative account.
Log on to the domain by using the following credentials:
• User name: Student1 (on the domain controller) or Student2 (on the member server)
• Password: Password (where Password is the password for your administrative account)
• Domain: Domain (where Domain is the NetBIOS name of your domain)
4. In Web Sites properties, clear the Enable the Windows directory service mapper check box.
a. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
b. In the console tree, expand Computer (where Computer is the NetBIOS name of your computer), and then click Web Sites.
c. In the console tree, right-click Web Sites, and then click Properties.
d. In the Web Sites Properties dialog box, on the Directory Security tab, clear the Enable the Windows directory service mapper check box, and then click OK.
e. If the Inheritance Overrides dialog box appears, click Cancel.
5. In the properties of the Security virtual directory, define a 1-to-1 mapping with the following properties:
• Certificate: \\Partner\c$\temp\web.cer
• Map Name: Web Authentication
• Account: Domain\Web2 (on the domain controller) or Domain\Web1 (on the member server)
• Password: P@ssw0rd
a. In the console tree, expand Computer (where Computer is the NetBIOS name of your computer), expand Web Sites, expand Default Web Site, and then click Security.
b. In the console tree, right-click Security, and then click Properties.
c. In the Security Properties dialog box, on the Directory Security tab, in the Secure communications section, click Edit.
d. In the Secure Communications dialog box, click Edit.
e. In the Account Mappings dialog box, on the 1-to-1 tab, click Add.
f. If the Insert disk message box appears, click Cancel.
g. In the Open dialog box, in the File name box, type \\Partner\c$\temp\web.cer (where Partner is the NetBIOS name of your partner’s computer), and then click Open.
h. In the Map to Account dialog box, enter the following information:
• Map Name: Web Authentication
• Account: Domain\Web2 (on the domain controller) or Domain\Web1 (on the member server), where Domain is the NetBIOS name of your domain.
• Password: P@ssw0rd
i. In the Map to Account dialog box, click OK.
j. In the Confirm Password dialog box, in the Password box, type P@ssw0rd and then click OK.
Close all open windows and log off the network.
Wait until your partner completes the previous procedure before you proceed with the lab.
6. Log on using your Web access account.
Log on to the domain by using the following credentials:
• User name: Web1 (on the domain controller) or Web2 (on the member server)
• Password: P@ssw0rd
• Domain: Domain (where Domain is the NetBIOS name of your domain)
Did you successfully connect to the Web site with certificate-based authentication?
Yes. The certificate mapped successfully to the Web1 or Web2 user accounts in IIS.
What security risk exists when you enable certificate mapping in IIS?
The person who enables certificate mapping must know the password of the user account that the
certificate is associated with.
Contents
Overview 1
Lesson: Introduction to E-mail Security 2
Lesson: Configuring Secure E-mail Messages 7
Lesson: Recovering E-mail Private Keys 16
Lesson: Migrating a KMS Database to a CA Running Windows Server 2003 20
Lab A: Configuring Secure E-mail in Exchange Server 2003 26
Course Evaluation 43
Module 11: Configuring E-mail Security iii
Instructor Notes
Presentation: 60 minutes
Lab: 45 minutes
E-mail security protects e-mail messages from modification and inspection when the e-mail is transmitted from the sender to the receiver. The Windows Server™ 2003 Public Key Infrastructure (PKI) prevents the modification and inspection of e-mail messages by providing e-mail digital signing and e-mail encryption certificates to users. In this module, students will learn how to secure e-mail messages in a Microsoft Exchange 2003 environment.
After completing this module, students will be able to:
! Describe how e-mail security is implemented by a server running Exchange
in a Windows Server 2003 environment.
! Implement secure e-mail messages in an Exchange 2003 environment.
! Recover e-mail private keys.
! Migrate a Key Management Server (KMS) database to a
Windows Server 2003 Enterprise Edition enterprise certification authority
(CA).
Required materials To teach this module, you need Microsoft PowerPoint® file 2821A_11.ppt.
Preparation tasks To prepare for this module:
! Read all of the materials for this module.
! Complete the lab.
! Read the white paper, Key Archival and Management in
Windows Server 2003, under Additional Reading on the Web page on the
Student Materials compact disc for more information about how to archive
private keys on a Windows Server 2003 CA and how to migrate a KMS
database to a Windows Server 2003 CA.
! Read the white paper, Windows 2000 Server and Key Management Server
Interoperability, under Additional Reading on the Web page on the
Student Materials compact disc for more information about how the KMS
service in Exchange Server 2000 provides private key archival for e-mail
encryption certificates.
Steps for Configuring an Enterprise CA: Demonstrate each configuration step to configure the enterprise CA. Mention that although not all organizations implement role separation, it is a best practice to separate the certificate manager and key recovery agent roles, so that no single person can both retrieve an archived private key from the CA database and decrypt it.
How to Deploy E-mail Certificates: Demonstrate each step in deploying an e-mail certificate to the organization's users. Highlight which consoles and resource kit utilities are used in each step of the process. Most students will be familiar with deploying certificates, so consider asking them to tell you how they accomplish each task.
Configure Outlook 2002 for Secure E-mail Messages: Mention that the configuration steps in this topic apply to both Microsoft Outlook 2000 and Outlook 2002. Do not spend time comparing the various encryption and digital signing algorithms. Instead, recommend that students choose the strongest options that Outlook offers for both encryption (3DES) and digital signing (SHA1).
Lab A: Before students begin the lab, explain how qualified subordination constraints enable e-mail messages to be exchanged securely between the organizations that participate in the bridge CA hierarchy.
If you have time, ask students to complete the "If time permits" lesson of the lab. This lesson builds on the bridge CA hierarchy that is defined in Module 8. Students exchange e-mail messages with other organizations by using the SMIMESign certificate and SMIMEEncrypt certificate that are issued by their organization's CA hierarchy.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup requirement 1: The labs in this module require the existence of a CA hierarchy with an offline root CA and an enterprise subordinate CA. Complete all of Labs A, B, and C in Module 3, "Creating a Certification Authority Hierarchy," in Course 2821.
Setup requirement 2: All of the procedures in the lab assume that Common Criteria role separation is enforced. Complete Lab A in Module 4, "Managing a Public Key Infrastructure," in Course 2821.
Setup requirement 3: The ability to create and modify certificate templates is delegated to the CertTmplAdmins global group. Complete Lab A in Module 5, "Configuring Certificate Templates," in Course 2821.
Setup requirement 4: http://WebServer (where WebServer is the fully qualified domain name of the student's domain controller) is configured as a member of the Local intranet zone in the Default Domain Policy. Complete Lab B in Module 3, "Creating a Certification Authority Hierarchy," in Course 2821.
Setup requirement 5: Each student's domain is a participant in the bridge CA network that implements the instructor computer's CA as a bridge CA. The student's enterprise subordinate CA must issue a Cross Certification Authority certificate to the Bridge CA, and the Bridge CA must issue a Cross Certification Authority certificate to each domain enterprise subordinate CA. Complete Lab A in Module 8, "Configuring Trust Between Organizations," in Course 2821.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
! Exchange Server 2003 mailboxes are created for Mail1 and Mail2.
! The System cryptography: Force strong key protection for user keys stored on the computer Group Policy setting is enabled in the Default Domain Policy.
! The SMIMESign version 2 certificate template is created based on the
Exchange Signature Only certificate template.
! The MailUsers group is assigned Read, Enroll, and Autoenroll permissions
for the SMIMESign certificate template.
! The SMIMEEncrypt version 2 certificate template is created based on the
Exchange User certificate template.
! The MailUsers group is assigned Read, Enroll, and Autoenroll permissions
for the SMIMEEncrypt certificate template.
! The SMIMESign and SMIMEEncrypt certificate templates are published on
the enterprise subordinate CA in each student forest.
! SMIMESign and SMIMEEncrypt certificates are issued to the Mail1 and
Mail2 user accounts.
! Strong private key protection is enforced for the Mail1 and Mail2 user
accounts when the users access the private keys of the SMIMESign and
SMIMEEncrypt certificates.
! The SMIMESign certificate is designated as the default e-mail digital
signing certificate.
! The SMIMEEncrypt certificate is designated as the default e-mail
encryption certificate.
! Secure e-mail messages are exchanged between the Mail1 and Mail2 user
accounts.
! Mail Exchanger (MX) Domain Name System (DNS) resource records are
created for each student domain to send e-mail messages to the Exchange
Server in each domain.
! Secure e-mail messages are exchanged between two or more organizations.
Overview
The KMS service publishes the e-mail encryption certificates to the user’s
userSMIMECertificate attribute in Active Directory. This publication enables
other users to send encrypted e-mail messages to the user whose certificate is
published in Active Directory.
Note Exchange 2000 Server can exist in a Windows Server 2003 forest as long
as it runs on a member server running Windows 2000. You cannot install
Exchange 2000 Server on a server running Windows Server 2003.
E-mail security in Windows Server 2003: If you are running Exchange 2000, you can move all key archival functions to a Windows Server 2003 enterprise CA by upgrading your CAs to Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition. Upgrading your CAs offers the following advantages:
! Moves the key archival functionality to a single location. Certificates are
issued from the same location where the private keys are archived.
! Enables autoenrollment of S/MIME certificates. When you deploy version 2
certificate templates, you can use autoenrollment to deploy the certificates
to users on your network.
! Imports previously archived private keys. You can import private keys and
certificates that are archived in a KMS database to a CA running
Windows Server 2003. This way, the CA can recover private keys that were
previously archived in the KMS database.
Implementing SSL: To implement SSL for POP3, IMAP4, SMTP, and NNTP on a server running Exchange, perform the following steps:
1. Install a Web Server certificate on the server running Exchange. A Web
Server certificate includes the Server Authentication application policy
required for SSL encryption. You can use one Web Server certificate for all
SSL-enabled protocols on the server running Microsoft Exchange.
2. Enable SSL Listening ports on the Microsoft Exchange Server. Designate
the Web Server certificate for each protocol that can implement SSL, and
then enable SSL protection.
Note All protocols that can implement SSL can use the same Web Server
certificate, but you must designate the certificate individually for each
protocol.
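As a check for the two steps above, the following PowerShell script is an added example (it is not part of the course) that connects to each SSL listener on the Exchange server, records the certificate each one presents, and tests whether that certificate carries the Server Authentication application policy. The server name and the port numbers (the IANA defaults for POP3, IMAP4 and NNTP over SSL) are assumptions.

```powershell
# Added example, not from Course 2821: connect to each SSL listener on the Exchange server,
# record the certificate it presents, and check that the certificate carries the
# Server Authentication application policy. Assumptions: the server name and the IANA
# default ports for POP3 (995), IMAP4 (993) and NNTP (563) over SSL.
$exchangeFqdn  = 'mail.domain.msft'     # assumed; replace with your Exchange server's FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth, the Server Authentication EKU
$sslPorts      = 995, 993, 563

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)
}

function Get-SslListenerReport {
    foreach ($port in $sslPorts) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($exchangeFqdn, $port)
            # Accept whatever certificate is offered: the point is to see which one each
            # listener was assigned, not to validate the chain here.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($exchangeFqdn)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Port       = $port
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                ServerAuth = Test-ServerAuthEku -Cert $cert
            }
            $ssl.Close()
        } catch {
            [pscustomobject]@{ Port = $port; Subject = "no SSL listener: $($_.Exception.Message)"; Thumbprint = $null; NotAfter = $null; ServerAuth = $false }
        } finally {
            $tcp.Close()
        }
    }
}

$report = Get-SslListenerReport
$report | Format-Table -AutoSize

# Every protocol should present the same Web Server certificate with ServerAuth = True;
# a port with a different thumbprint was not individually assigned the certificate.
$good     = @($report | Where-Object { $_.ServerAuth })
$distinct = @($good | Select-Object -ExpandProperty Thumbprint -Unique)
if ($good.Count -ne $sslPorts.Count -or $distinct.Count -ne 1) {
    Write-Warning 'Not every listener presents the same Server Authentication certificate; re-check the certificate assignment for each protocol.'
}
```

SMTP is not covered by this check because Exchange protects SMTP with STARTTLS on port 25 rather than a separate SSL port. If the computer you run the script from refuses the SSL 3.0/TLS 1.0 that a Windows Server 2003 host offers, AuthenticateAsClient fails with a handshake error; use the overload that takes an explicit SslProtocols value for the test.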
4. Verify the configuration of Outlook. After you deploy the digital signing
and e-mail encryption certificates, the user must configure Outlook 2002 to
use the certificates to send and receive secure e-mail messages.
Note For more information about how to delegate permissions to create and
modify certificate templates, see the white paper, Implementing and
Administering Certificate Templates in Windows Server 2003, under
Additional Reading on the Web page on the Student Materials compact disc.
Choosing a certificate template strategy: To deploy certificates for secure e-mail messages, first choose the certificate templates that you want to deploy. You can:
! Implement split keys by designing two certificate templates, one for e-mail encryption and one for digitally signing e-mail messages. This is the recommended approach: the encryption private key can be archived and recovered so that stored mail stays readable, while the signing private key is never archived, which preserves nonrepudiation.
! Implement either e-mail encryption or digital signing, not both. This approach requires that you implement only one certificate template.
! Implement one e-mail certificate template that enables both e-mail encryption and digital signing.
Creating an e-mail signing certificate: To create a version 2 certificate template for e-mail digital signing:
1. Create a new version 2 certificate template by duplicating the Exchange Signature Only certificate template. This certificate template allows secure e-mail messages to be digitally signed, but not encrypted, and it does not archive the private key.
2. In the version 2 certificate template, on the Request Handling tab, select Prompt the user during enrollment and require user input when the private key is used.
3. On the General tab, select the Publish certificate in Active Directory check box. This step ensures that other users on the network can find the user's certificate in Active Directory to access the signing public key when they verify a signed message that the user sent.
4. Enable autoenrollment for the version 2 certificate template. Assign Read, Enroll, and Autoenroll permissions to a global group or universal group that contains all users that require the e-mail signing certificates.
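The settings above, and the SMIMESign and SMIMEEncrypt templates built in Lab A, Exercise 2, are stored as attributes and an ACL on the template object in the Configuration partition of Active Directory. The following PowerShell script is an added example, not part of the course, that reads both template objects and reports whether the flags and permissions match what the procedure asks for. The template and group names come from the lab; the flag bits and extended-right GUIDs are taken from the certificate template schema (msPKI-Enrollment-Flag and msPKI-Private-Key-Flag) and are stated as assumptions in the comments.

```powershell
# Added example, not from Course 2821: audit the SMIMESign and SMIMEEncrypt template objects
# in Active Directory. Template and group names come from the lab; the flag values are the
# msPKI-Enrollment-Flag / msPKI-Private-Key-Flag bits and the extended-right GUIDs from the
# certificate template schema (assumption: they match your forest's schema).
$templateNames = 'SMIMESign', 'SMIMEEncrypt'
$groupName     = 'MailUsers'

$CT_FLAG_PUBLISH_TO_DS                  = 0x8    # General tab: Publish certificate in Active Directory
$CT_FLAG_AUTO_ENROLLMENT                = 0x20   # template permits autoenrollment
$CT_FLAG_USER_INTERACTION_REQUIRED      = 0x100  # Request Handling: prompt the user during enrollment
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL   = 0x1    # Request Handling: archive subject's encryption private key
$CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED = 0x20   # Request Handling: require user input when the private key is used

$enrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$autoenrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$configNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value

function Get-SmimeTemplateReport {
    param([string]$Name)
    $t = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $enrollFlags = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $keyFlags    = [int]$t.Properties['msPKI-Private-Key-Flag'].Value

    # Allow ACEs granted to the mail users group, with identities resolved to DOMAIN\Group
    $rules = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$groupName" }

    [pscustomobject]@{
        Template            = $Name
        PublishToAD         = [bool]($enrollFlags -band $CT_FLAG_PUBLISH_TO_DS)
        Autoenrollment      = [bool]($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT)
        PromptOnEnroll      = [bool]($enrollFlags -band $CT_FLAG_USER_INTERACTION_REQUIRED)
        StrongKeyProtection = [bool]($keyFlags -band $CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED)
        KeyArchival         = [bool]($keyFlags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL)
        GroupRead           = [bool]($rules | Where-Object { ($_.ActiveDirectoryRights -band $readProperty) -ne 0 })
        GroupEnroll         = [bool]($rules | Where-Object { (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and $_.ObjectType -eq $enrollRightGuid })
        GroupAutoenroll     = [bool]($rules | Where-Object { (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and $_.ObjectType -eq $autoenrollRightGuid })
    }
}

$report = $templateNames | ForEach-Object { Get-SmimeTemplateReport -Name $_ }
$report | Format-List

# The split-key design is only sound if the signing key is never archived: warn if it is.
$report | Where-Object { $_.Template -eq 'SMIMESign' -and $_.KeyArchival } |
    ForEach-Object { Write-Warning "$($_.Template) archives its private key; a recoverable signing key defeats nonrepudiation." }
```

Any authenticated user can read the Configuration partition, so the script runs from any domain-joined computer. Expected for the lab: both templates show Autoenrollment, PromptOnEnroll, StrongKeyProtection and all three group permissions as True, SMIMEEncrypt shows KeyArchival True, and SMIMESign shows KeyArchival False.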
Note If the security policy of your organization does not require strong private key protection, you can deploy the certificates without user intervention.
Note You can implement separate certificates for signing and encryption. Or,
if you acquire a multipurpose certificate, you can designate the same certificate
for both purposes.
Choosing a hash algorithm: After users select their certificate for signing e-mail, they must choose the algorithm for signing e-mail messages. Users can choose from the following cryptographic message digest algorithms:
! Secure Hash Algorithm version 1 (SHA1). Takes a message of fewer than 2^64 bits in length and produces a 160-bit message digest.
! Message Digest version 5 (MD5). Takes a message of arbitrary length and produces a 128-bit message digest.
Of the two, choose SHA1; MD5 is the weaker digest and should not be used for new signatures.
Choosing an encryption algorithm: After users select their certificate for encrypting e-mail, they must choose an algorithm for encrypting e-mail messages. Users can choose from the following symmetric encryption algorithms:
! Data Encryption Standard (DES). A 64-bit block cipher that encrypts data with a 56-bit randomly generated symmetric key.
! Rivest's Cipher version 2 (RC2) (40-bit). A variable key-size block cipher with a 64-bit block size, used here with an effective key length of 40 bits.
! RC2 (128-bit). The same cipher with the effective key length increased to 128 bits.
! Triple DES (3DES). A variation on the DES encryption algorithm in which the DES operation is applied three times to each block: the block is encrypted with key A, decrypted with key B, and then encrypted with key C (encrypt-decrypt-encrypt). The most common form of 3DES uses only two keys: the block is encrypted with key A, decrypted with key B, and finally encrypted with key A again, for 112 bits of key material.
Of these, 3DES is the only adequate choice for confidentiality; a 56-bit DES key or a 40-bit RC2 key can be recovered by brute force and should not be selected.
Defining e-mail default settings: The final step in configuring an e-mail client is to designate the default settings for outgoing e-mail messages. A user designates these settings by performing the following procedure:
1. Open Microsoft Outlook.
2. On the Tools menu, click Options.
3. In the Options dialog box, on the Security tab, configure the following settings:
• Encrypt contents and attachments for outgoing messages. Encrypts all outgoing messages. To send an encrypted message, you must have access to every recipient's encryption certificate, which is stored in the recipient's contact object in Outlook or retrieved from the User, InetOrgPerson, or Contact object in Active Directory.
• Add digital signature to outgoing messages. Digitally signs all outgoing e-mail messages and includes the user's certificates in the signed message, which gives recipients the user's encryption certificate so that they can reply with encrypted messages.
• Send clear text signed message when sending signed messages. Sends the message body as clear text with the signature attached (a clear-signed message), so that it can be read in the preview pane, and by recipients whose clients do not support S/MIME, without validating the digital signature.
• Request secure receipt for all S/MIME signed messages. Requests that the recipient of each S/MIME-signed message return a signed receipt.
Note If you recover a private key from the CA database because the private
key was compromised, revoke the associated certificate so that the certificate
cannot be used for further encryption.
KRA tasks: The KRA performs the following tasks after obtaining the PKCS #7 blob from the certificate manager:
1. Selects a tool to recover the private key from the PKCS #7 blob. The KRA can use either the Key Recovery Tool or the certutil –recoverkey command. When role separation is enforced, retrieving the blob from the CA database is the certificate manager's step (certutil –getkey <Certificate Serial Number> <RecoveryBlobFile>); the KRA's step is decrypting that blob with the key recovery agent private key, so no single person can both retrieve and decrypt an archived key.
2. Performs the private key and certificate recovery operation. The KRA extracts the private key and certificate from the PKCS #7 blob and stores them in a password-protected PKCS #12 file, by using one of the following processes:
• If using the Key Recovery Tool, the KRA indicates the CA on which the private key is archived, selects the certificate that is associated with the archived private key, and then clicks Recover.
• If using Certutil.exe, the KRA uses the
certutil –recoverkey <RecoveryBlobFile> <OutputPKCS12File>
command to recover the private key and the certificate, and supplies the password that will protect the PKCS #12 file.
3. Transports the private key to the user. The KRA must securely transport the
PKCS #12 file that contains the extracted private key and certificate to the
original user of the private key. The transport method that the KRA uses
must follow the security policy of your organization. For example, some
organizations may require hand delivery of the PKCS #12 file; other
organizations may allow the KRA to e-mail the PKCS #12 file to the user.
User tasks: After the key recovery agent recovers the private key and certificate, the user
imports the PKCS #12 file into his certificate store. To import it, the user must
have the PKCS #12 file and know the associated password that the KRA
defined. The user then:
1. Imports the certificate and private key into their certificate store. The user
imports them by using the Certificate Import Wizard, during which the user
must provide the associated password for the PKCS #12 file.
2. Reconfigures Outlook to use the private key. After the private key and
certificate are imported into the user’s certificate store, the user ensures that
Outlook uses the recovered private key for e-mail encryption operations.
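The three-party procedure described above, written out as an added Certutil.exe walk-through in PowerShell (example code, not from the course): the certificate manager retrieves the archived blob, the KRA decrypts it into a PKCS #12 file, and the user imports the result. The CA configuration string, the certificate serial number and the file paths are assumptions; Mail1 and the SMIMEEncrypt template come from the lab.

```powershell
# Added example, not from Course 2821: key recovery with Certutil.exe, split across the roles
# the module describes. Assumptions: the CA configuration string, the certificate serial
# number and the file paths below; Mail1 and the SMIMEEncrypt template come from the lab.
$caConfig = 'DC1.domain.msft\DomainCA'          # <CA host>\<CA common name> (assumed)
$serial   = '6112a0a10000000000b2'               # serial number of Mail1's SMIMEEncrypt certificate (assumed)
$blobFile = 'C:\Recovery\mail1-archived.blb'     # PKCS #7 blob, still encrypted to the KRA certificate
$pfxFile  = 'C:\Recovery\mail1-smimeencrypt.pfx' # password-protected PKCS #12 output

function Invoke-Certutil {
    # Run certutil and fail loudly; certutil reports failure through its exit code.
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# Performed by the certificate manager. Only the Certificate Manager role is needed; the output
# is the archived private key encrypted with the KRA's public key, so it is useless to anyone
# who does not hold the KRA private key.
function Export-ArchivedKeyBlob {
    Invoke-Certutil -Arguments @('-config', $caConfig, '-getkey', $serial, $blobFile)
}

# Performed by the key recovery agent, logged on with the account that holds the KRA private
# key. certutil prompts for the password that will protect the PKCS #12 file; give that password
# to the user separately from the file (for example by telephone), never in the same e-mail.
function Recover-ArchivedKey {
    Invoke-Certutil -Arguments @('-recoverkey', $blobFile, $pfxFile)
    Remove-Item $blobFile -Force    # the blob is no longer needed once the PFX exists
}

# If the key was recovered because it was compromised, the certificate manager also revokes the
# certificate so that nobody keeps encrypting to the old key (reason code 1 = KeyCompromise).
function Revoke-CompromisedCertificate {
    Invoke-Certutil -Arguments @('-config', $caConfig, '-revoke', $serial, '1')
}

# Performed by the user (Mail1) after receiving the PFX and, separately, its password.
# certutil prompts for the PFX password and places the key in the user's personal store.
function Import-RecoveredKey {
    Invoke-Certutil -Arguments @('-user', '-importpfx', $pfxFile)
    Remove-Item $pfxFile -Force     # do not leave a second copy of the private key on disk
    # Confirm the recovered certificate is in the personal store together with its private key
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $serial } |
        Format-List Subject, SerialNumber, HasPrivateKey, NotAfter
}
```

Run Export-ArchivedKeyBlob as the certificate manager, Recover-ArchivedKey as the KRA and Import-RecoveredKey as the user; with Common Criteria role separation enforced, the first two cannot be run by the same account, which is the point of the split. After the import, Outlook must still be pointed at the recovered certificate as described under User tasks.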
At the end of this step, the KMS service exports the records. On average,
approximately 100 records are exported per minute. The actual performance
varies depending on the hardware configuration.
Note For more information about how to implement key archival and
recovery, see Module 7, “Configuring Key Archival and Recovery,” in Course
2821, Designing and Managing a Windows Public Key Infrastructure.
Note This step is only required if you are migrating the certificates in the KMS database to a different CA than the CA that issued the certificates. If you upgrade the Windows 2000 CA in place to Windows Server 2003, Enterprise Edition, it is not necessary to perform this step.
Copy the export file: After you export the KMS database, copy the export file to the CA running Windows Server 2003 where the KMS database is to be imported. The export file is encrypted with the public key of the target CA running Windows Server 2003, so that only that CA can decrypt the export file and import the KMS database contents. Copy the export file to the local file system of the target CA or to removable media that may be loaded on the target CA.
Import the KMS database: After the KMS database export file is available on the target CA, a CA administrator can import the KMS database into the CA database running Windows Server 2003 by using the following Certutil.exe command:
certutil.exe –f –importKMS [name of import file]
When foreign certificates are imported into a CA database, the –f switch is used to inform the CA that the private keys and certificates are from a foreign CA.
Note You can also use the certutil –f –importKMS command to import
PKCS #12 and Outlook EPF files into the CA database if foreign CAs issued
the certificates.
Note This lab focuses on the concepts in this module and as a result may not
comply with Microsoft security recommendations. For instance, this lab enables
encrypting and digital signing of all outgoing messages, rather than encrypting
and digital signing on a message-by-message basis.
Additional information: For more information about securing e-mail in Exchange Server 2003, read the white paper, Windows 2000 Server and Key Management Server Interoperability, under Additional Reading on the Web page on the Student Materials compact disc.
Estimated time to complete this lab: 45 minutes
Exercise 1
Creating Exchange Server 2003 Mailboxes
In this exercise, you will create mailboxes for the Mail1 and Mail2 user accounts. In addition, you
will implement certificate autoenrollment for user accounts in the Module11 organizational unit.
Scenario
Your organization wants to enable S/MIME for specific users in the organization, so that they can
encrypt and digitally sign e-mail messages. You must create mailboxes for the selected users and
then enable autoenrollment in Group Policy to allow the automatic distribution of the S/MIME
digital certificates.
1. Log on to the domain using your domain administrative account.
   Log on to the domain by using the following credentials:
   • Logon name: Student2
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
2. Create Exchange mailboxes for the Mail1 and Mail2 user accounts.
   a. On the Start menu, point to All Programs, point to Microsoft Exchange, and then click Active Directory Users and Computers.
   b. In the console tree, expand Domain.msft, expand Labs, and then click Module11.
   c. In the details pane, select Mail1 and Mail2, right-click the selected user accounts, and then click Exchange Tasks.
   d. On the Exchange Task Wizard page, click Next.
   e. On the Available Tasks page, in the Select a task to perform list, click Create Mailbox, and then click Next.
   f. On the Create Mailbox page, accept the default settings, and then click Next.
   g. On the Completing the Exchange Task Wizard page, click Finish.
3. Link the Autoenrollment GPO to the Module11 organizational unit.
   a. In the console tree, right-click Module11, and then click Properties.
   b. In the Module11 Properties dialog box, on the Group Policy tab, click Add.
   c. In the Add a Group Policy Object Link dialog box, on the All tab, click Autoenrollment, and then click OK.
   d. In the Module11 Properties dialog box, click OK.
4. Configure the E-mail attribute for the Mail1 and Mail2 user accounts. When completed, close all open windows and log off the network.
   a. In the details pane, select both Mail1 and Mail2, right-click both Mail1 and Mail2, and then click Properties.
   b. In the Properties On Multiple Objects dialog box, click E-mail.
   c. In the E-mail box, type %username%@Domain.msft (where Domain is the NetBIOS name of your domain), and then click OK.
   d. Close Active Directory Users and Computers.
   e. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
5. Log on to the domain as a user who has been delegated permissions to create and modify certificate templates or by using your domain administrative account.
   Log on to the domain with the following credentials:
   • Logon name: Student1
   • Password: Password (where Password is the password for your administrative account)
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
6. In Domain Security Policy, enable strong private key protection so that the user must always enter a password when accessing a certificate's private key. When completed, close all open windows and log off the network.
   a. On the Start menu, point to Administrative Tools, and then click Domain Security Policy.
   b. In Default Domain Security Settings, in the console tree, expand Local Policies, and then click Security Options.
   c. In the details pane, double-click System cryptography: Force strong key protection for user keys stored on the computer.
   d. In the System cryptography: Force strong key protection for user keys stored on the computer dialog box, click Define this policy setting, click User must enter a password each time they use a key, and then click OK.
   e. Close Default Domain Security Settings.
   f. Close all open windows and then log off.
Exercise 2
Creating and Publishing S/MIME Certificate Templates
In this exercise, you will create two certificate templates for secure e-mail: a digital signing
certificate template and an e-mail encryption certificate template.
Scenario
Your company wants to implement S/MIME e-mail security by using split key pairs. To meet this
goal, you must create two certificate templates, one for digital signing and one for e-mail
encryption.
1. Log on to the domain as a user who has been delegated permissions to create and modify certificate templates, or log on using your domain administrative account.
   Log on to the domain by using the following credentials:
   • Logon name: Template2
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
3. Open the Certificate Templates console and create a new certificate template named SMIMESign, based on the Exchange Signature Only certificate template.
   a. Click Start, click Run, type Certtmpl.msc and then click OK.
   b. If the Certificate Templates message box appears, click OK.
   c. In the details pane, right-click Exchange Signature Only, and then click Duplicate Template.
   d. In the Properties of New Template dialog box, in the Template display name box, type SMIMESign and then click OK.
5. On the Extensions tab, add the Medium Assurance issuance policy OID.
   a. On the Extensions tab, click Issuance Policies, and then click Edit.
   b. In the Edit Issuance Policies Extension dialog box, click Add.
   c. In the Add Issuance Policy dialog box, click Medium Assurance, and then click OK.
   d. In the Edit Issuance Policies Extension dialog box, click OK.
   e. On the Extensions tab, click Apply.
6. On the Subject name tab, select the following: Subject name format: Fully distinguished name; Include e-mail name in subject name: Enabled; E-mail name: Enabled; User principal name (UPN): Enabled.
   a. On the Subject name tab, click Build from this Active Directory information, and then select the following:
   • Subject name format: Fully distinguished name
   • Include e-mail name in subject name: Enabled
   • E-mail name: Enabled
   • User principal name (UPN): Enabled
8. Create a new certificate template named SMIMEEncrypt, based on the Exchange User certificate template.
   a. In the details pane, right-click Exchange User, and then click Duplicate Template.
   b. In the Properties of New Template dialog box, in the Template display name box, type SMIMEEncrypt and then click OK.
11. On the Subject name tab, select the following check boxes: Subject name format: Fully distinguished name; Include e-mail name in subject name: Enabled; E-mail name: Enabled.
   a. On the Subject name tab, click Build from this Active Directory information, and then select the following:
   • Subject name format: Fully distinguished name
   • Include e-mail name in subject name: Enabled
   • E-mail name: Enabled
12. On the Security tab, assign the MailUsers group Read, Enroll, and Autoenroll permissions.
   a. On the Security tab, click Add.
   b. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type Mail and then click Check Names.
   c. In the Multiple Names Found dialog box, in the Matching names list, click MailUsers, and then click OK.
   d. In the Select Users, Computers, or Groups dialog box, click OK.
   e. In the SMIMEEncrypt Properties dialog box, in the Group or user names list, ensure that MailUsers is selected.
   f. In the Group or user names list, select MailUsers, assign MailUsers Read, Enroll, and Autoenroll permissions, and then click OK.
13. Close all open windows and then log off the network.
   a. Close the Certificate Templates console.
   b. Close all open windows and then log off.
Important: Perform this procedure on the domain controller for your domain.
14. Log on using your domain administrative account.
   Log on to the domain by using the following credentials:
   • Logon name: CAadmin1
   • Password: P@ssw0rd
   • Domain: Domain
16. Configure DomainCA to issue the SMIMEEncrypt and SMIMESign certificate templates.
   a. On the Start menu, point to Administrative Tools, and then click Certification Authority.
   b. In the console tree, expand DomainCA, and then click Certificate Templates.
   c. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click SMIMEEncrypt, press CTRL and click SMIMESign, and then click OK.
   e. In the details pane, ensure that SMIMEEncrypt and SMIMESign appear.
   f. Close the Certification Authority console.
   g. Close all open windows and then log off.
Exercise 3
Configuring Outlook 2002
In this exercise, you will autoenroll the SMIMEEncrypt and SMIMESign certificates and then
configure Outlook 2002 to use two certificates when you implement S/MIME e-mail security.
Scenario
After you deploy the two S/MIME certificates, the users can now send and receive digitally signed
and encrypted e-mail messages.
1. Log on to your domain using your e-mail user account.
   Log on to the domain by using the following credentials:
   • User name: Mail1 (on the domain controller) or Mail2 (on the member server)
   • Password: P@ssw0rd
   • Domain: Domain (where Domain is the NetBIOS name of your domain)
Note: It may take up to 90 seconds for the Certificate Enrollment balloon to appear on the screen. You can
type gpupdate /force to speed up the application of the GPO.
Note: In step 2 below, the order of the procedural steps may vary, depending on Group Policy. For example,
steps f through i may occur before steps c through e. The order is a random event that is based on the
Autoenrollment GPO.
2. Start the Certificate Autoenrollment process.
   a. In the notification area, click the Certificate Enrollment balloon.
   b. In the Certificate Enrollment dialog box, click Start.
   c. In the Creating a new RSA signature key dialog box, click Set Security Level.
   d. In the Creating a new RSA signature key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.
   e. In the Creating a new RSA signature key dialog box, click OK.
   f. In the Creating a new RSA exchange key dialog box, click Set Security Level.
   g. In the Creating a new RSA exchange key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.
   h. In the Creating a new RSA exchange key dialog box, click OK.
   i. In the Exporting your private exchange key dialog box, in the CryptoAPI Private Key box, type P@ssw0rd and then click OK.
Why do you have to provide the password associated with your exchange key?
The SMIMEEncrypt certificate template enables private key archival. The private key is encrypted
and securely transmitted to the issuing CA.
4. Define the user name as Mail1 (on the domain controller), and then skip the activation of Outlook 2002.
   a. In the User Name dialog box, in the Name box, type Mail1 (on the domain controller).
   b. In the Initials box, type m1 (on the domain controller), and then click OK.
   c. If the Microsoft Office XP Professional with FrontPage Activation Wizard page appears, click Activate Later, and then click Exit.
   If you are performing these tasks on the domain controller, proceed to step 6.
5. Define the user name as Mail2 (on the member server), verify the Outlook mail account configuration, and then skip the activation of Outlook 2002.
   a. In the Microsoft Outlook error dialog, click Don't Send.
   b. In the Microsoft Outlook dialog, click No.
   c. In the User Name dialog box, in the Name box, type Mail2 (on the member server).
   d. In the Initials box, type m2 (on the member server), and then click OK.
   e. If the Microsoft Office XP Professional with FrontPage Activation Wizard page appears, click Activate Later, and then click Exit.
   f. Close Microsoft Outlook.
   g. On the desktop, right-click Microsoft Outlook, and then click Properties.
   h. In the Mail Setup - Outlook dialog box, click E-mail Accounts.
   i. In the E-Mail Accounts dialog box, click View or change existing e-mail accounts, and then click Next.
   j. In the Deliver new e-mail to the following location drop-down list, verify that Mailbox - Mail2 (on the member server) appears, click Cancel, and then click Close.
   k. On the desktop, double-click Microsoft Outlook.
   l. If the Microsoft Office XP Professional with FrontPage Activation Wizard page appears, click Activate Later, and then click Exit.
6. View the security settings for Outlook 2002.
   a. Maximize the Inbox – Microsoft Outlook window.
   b. On the Tools menu, click Options.
   c. In the Options dialog box, on the Security tab, click Settings.
   Does Outlook 2002 automatically recognize the SMIMESign and SMIMEEncrypt certificates?
   Yes. The Change Security Settings dialog box is automatically configured to use the newly installed certificates.
7. Enable encryption and digital signing for all outgoing messages.
   a. In the Options dialog box, on the Security tab, select the following check boxes:
   • Encrypt contents and attachments for outgoing messages
   • Add digital signature to outgoing messages
   b. In the Options dialog box, leave all other default settings, and then click OK.
   Are the default settings that you defined enforced for outgoing messages?
   Yes. The Security Properties dialog box is set to encrypt and digitally sign the outgoing message.
Wait until your partner completes the previous procedure before you proceed with the lab.
Why was it necessary to enter your password? How does this password protect your identity?
The Default Domain Policy enforces strong private key protection. The password protects your
identity because an attacker must not only gain access to your user account, he must also know the
password that protects your digital signing private key.
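An added PowerShell example (not from the course) that a student can run on the workstation to confirm what the answer above relies on: that the strong key protection policy from Exercise 1 is in force, read from the registry value the Group Policy setting writes, and that the two S/MIME certificates from Exercise 3 are present with the key usages the split-key design expects, the signing certificate with Digital Signature and the encryption certificate with Key Encipherment. The registry path, the meaning of its values and the OIDs are assumptions stated in the comments.

```powershell
# Added example, not from Course 2821: confirm the strong key protection policy from Exercise 1
# and inspect the S/MIME certificates from Exercise 3. Assumptions: the registry value is the
# one the Group Policy setting writes (ForceKeyProtection: 2 = password every time a key is
# used, 1 = prompt only on first use, absent or 0 = no prompt) and the OIDs below.
$policyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$secureEmailOid  = '1.3.6.1.5.5.7.3.4'     # id-kp-emailProtection, "Secure Email"
$templateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (version 2 templates)

function Get-StrongKeyProtectionLevel {
    $v = (Get-ItemProperty -Path $policyKey -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
    switch ($v) {
        2       { 'enforced: user must enter a password each time a key is used' }
        1       { 'partial: user is prompted only when a key is first used' }
        default { 'NOT enforced by policy' }
    }
}

function Get-SmimeCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { return }
        if (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $secureEmailOid) { return }

        $kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }
        # Split-key check: the encryption certificate carries Key Encipherment and the signing
        # certificate Digital Signature only. One certificate with both is the single-template option.
        $hasKE = ($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -ne 0
        $hasDS = ($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0
        $role = if ($hasKE -and $hasDS) { 'signing and encryption (single certificate)' }
                elseif ($hasKE) { 'encryption' }
                elseif ($hasDS) { 'signing' }
                else { 'unknown' }
        $template = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid } | ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Template      = $template
            KeyUsage      = $ku
            Role          = $role
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
        }
    }
}

"Strong key protection: $(Get-StrongKeyProtectionLevel)"
Get-SmimeCertificateReport | Format-Table -AutoSize
```

For the lab accounts the report should list two certificates, one with Role = signing (SMIMESign) and one with Role = encryption (SMIMEEncrypt), both with HasPrivateKey = True, and the policy line should read "enforced". The script reads the policy value, not the per-key security level chosen in the Creating a new RSA key dialogs, so it tells you what the domain requires rather than what the user picked.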
9. Open the message from your partner.
   a. Wait for the message to arrive from your partner.
   b. In the Inbox, select the encrypted e-mail message from your partner.
   How does Outlook 2002 indicate that the e-mail message is encrypted? Can you preview the message?
   A blue lock icon indicates that the e-mail message is encrypted. You cannot view an encrypted message in the preview pane.
   c. In the Inbox, double-click the encrypted e-mail message from your partner.
   d. In the Using your private exchange key to decrypt dialog box, in the CryptoAPI Private Key box, type P@ssw0rd and then click OK.
   It was necessary to type a password because the private key that decrypts the message is protected with strong private key protection, which requires that you enter a password.
   How do you know that the message was both encrypted and digitally signed?
   In the right-hand corner of the message, a blue lock indicates that the message is encrypted and a red ribbon indicates that the message is digitally signed.
Scenario
Your organization must now exchange secure e-mail messages with the other organizations in the
classroom.
Use the following table to help you complete the lab.
Computer     MailServer
Vancouver    Denver.adatum.msft
Perth        Brisbane.fabrikam.msft
Lisbon       Bonn.lucernepublish.msft
Lima         Santiago.litwareinc.msft
Bangalore    Singapore.tailspintoys.msft
Casablanca   Tunis.wingtiptoys.msft
Acapulco     Miami.thephonecompany.msft
Auckland     Suva.cpandl.msft
Stockholm    Moscow.adventureworks.msft
Caracas      Montevideo.blueyonderair.msft
Manila       Tokyo.woodgrovebank.msft
Khartoum     Nairobi.treyresearch.msft
Note This lab assumes that you have successfully completed Lab 8A: Implementing a Bridge CA.
1. Log on to the domain using your domain administrative account.
   • Log on to the domain by using the following credentials:
     • Logon name: Student1
     • Password: Password (where Password is the password for your administrative account)
     • Domain: Domain (where Domain is the NetBIOS name of your Active Directory domain)
2. In the DNS console, create an MX record for your mail server in your domain’s forward lookup zone.
   a. On the Start menu, point to Administrative Tools, and then click DNS.
   b. In the console tree, expand Computer (where Computer is the NetBIOS name of your computer), expand Forward Lookup Zones, and then click Domain.msft (where Domain is the NetBIOS name of your domain).
   c. Right-click the details pane, and then click New Mail Exchanger (MX).
   d. In the New Resource Record dialog box, in the Fully qualified domain name (FQDN) of mail server box, type MailServer (where MailServer is the fully qualified domain name of your mail server from the table at the beginning of this exercise), and then click OK.
3. Verify that the DNS server is configured to forward unresolved DNS queries. When completed, close all open windows and log off.
   a. In the console tree, right-click Computer (where Computer is the NetBIOS name of your computer), and then click Properties.
   b. In the Computer Properties dialog box, click the Forwarders tab.
What IP address are the unresolved DNS queries forwarded to? What computer does this IP address belong to?
Unresolved DNS queries are forwarded to 192.168.x.200 (where x is the classroom number). This is the IP address of the London computer.
   c. If the IP address for the forwarder is missing, in the Selected domain’s forwarder IP address list box, type 192.168.x.200 (where x is your classroom number), click Add, and then click Apply.
   d. In the Computer Properties dialog box, click OK.
   e. Close the DNS console.
   f. Close all open windows and then log off.
Wait until all DNS forwarders in the classroom are configured before proceeding.
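Steps 2 and 3 above done from PowerShell and then checked by resolution, as an added example that is not part of the course lab. It assumes the DnsServer and DnsClient modules (Windows Server 2012 or later) and an administrative session on the DNS server; the zone, mail server and forwarder values are constructed and must be replaced with your own from the table and the classroom number.

```powershell
# Added example, not part of the course lab: steps 2 and 3 of this exercise
# (MX record for the mail server, forwarder to London) done from PowerShell,
# then checked by actually resolving the records. Assumes the DnsServer and
# DnsClient modules (Windows Server 2012 or later), run as an administrator on
# the DNS server. The three values below are constructed; use your lab's values.
$ZoneName   = 'Domain.msft'          # your domain's forward lookup zone
$MailServer = 'Denver.adatum.msft'   # your mail server from the Computer/MailServer table
$Forwarder  = '192.168.1.200'        # London: 192.168.x.200, with x = classroom number

function Set-LabMailDns {
    # Step 2: an MX record at the zone root ('.' names the zone itself), added only if absent.
    $mx = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType 'MX' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.MailExchange.TrimEnd('.') })
    if ($mx -notcontains $MailServer) {
        Add-DnsServerResourceRecordMX -ZoneName $ZoneName -Name '.' `
            -MailExchange $MailServer -Preference 10
    }
    # Step 3c: add the forwarder only if it is missing (Add- appends, Set- replaces the list).
    $current = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if ($current -notcontains $Forwarder) {
        Add-DnsServerForwarder -IPAddress $Forwarder
    }
}

function Test-LabMailDns {
    # Ask the local server for the MX record and read back the forwarder list,
    # which is what the lab question on the Forwarders tab expects you to find.
    $mx  = Resolve-DnsName -Name $ZoneName -Type MX -Server 127.0.0.1 -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'MX' }
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    [pscustomobject]@{
        MxTarget         = $mx.NameExchange
        MxPreference     = $mx.Preference
        Forwarders       = ($fwd -join ', ')
        ForwardsToLondon = ($fwd -contains $Forwarder)
    }
}

Set-LabMailDns
Test-LabMailDns | Format-List
```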
4. Log on to your domain with your e-mail user account.
   • Log on to the domain by using the following credentials:
     • User name: Mail1 (on the domain controller) or Mail2 (on the member server)
     • Password: P@ssw0rd
     • Domain: Domain
5. Record the e-mail address of a user in another organization, and then start Microsoft Outlook.
   a. In the space provided, record the e-mail name of a user in a different organization who is participating in this exercise:
   b. On the desktop, double-click Outlook.
   c. If the Microsoft Office XP Professional with FrontPage Activation Wizard appears, click Activate Later.
   d. On the Welcome to the Microsoft Office Activation Wizard page, click Exit.
8. View the certificate used to sign the e-mail message, Signing between organizations.
   a. In your Inbox, double-click the message titled Signing between organizations.
   b. In the message window, click the red ribbon.
   c. In the Message Security Properties dialog box, select Signer: e-mail name (where e-mail name is the e-mail name of the person who sent the message), and then click View Details.
   d. In the Signature dialog box, click View Certificate.
   e. In the View Certificate dialog box, click the Certification Path tab.
What is the certification path of the certificate?
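What Outlook does behind the red ribbon (step 8 here, and the signed/encrypted indicators in the earlier exercise): verify a CMS/PKCS#7 signature over the message and build the signer's certification path. The following is an added example, not part of the course lab; it uses a constructed self-signed certificate as a stand-in for the lab's SMIMESign certificate and assumes Windows PowerShell 5.1 with the PKI module.

```powershell
# Added example, not part of the course lab: sign a message body with a
# CMS/PKCS#7 signature (the format behind Outlook's red ribbon), verify it,
# detect tampering, and list the signer's certification path.
# Assumes Windows PowerShell 5.1 on Windows with the PKI module available.
Add-Type -AssemblyName System.Security

# Constructed stand-in for the lab's SMIMESign certificate: self-signed, CAPI
# provider, Secure Email EKU (1.3.6.1.5.5.7.3.4), placed in the user's My store.
$signerCert = New-SelfSignedCertificate -Subject 'CN=Mail1 (lab stand-in)' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -KeySpec Signature `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddDays(7) -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.4')

function New-SignedMessage([byte[]]$Body, $Cert) {
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$Body)
    $cms     = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $false
    $signer  = New-Object System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $Cert
    $signer.IncludeOption = 'WholeChain'   # embed the chain so recipients can show the path
    $cms.ComputeSignature($signer)
    return ,$cms.Encode()                  # DER SignedData, as carried in smime.p7m
}

function Test-SignedMessage([byte[]]$Der) {
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Der)
    try { $cms.CheckSignature($true) }     # $true: signature only; trust is checked below
    catch [System.Security.Cryptography.CryptographicException] {
        return [pscustomobject]@{ Valid = $false; Signer = $null; Path = @() }
    }
    $cert  = $cms.SignerInfos[0].Certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # no reachable CRL in the lab
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($cert)
    # ChainElements is leaf first; reverse it to read root -> leaf like the Certification Path tab
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [array]::Reverse($path)
    return [pscustomobject]@{ Valid = $true; Signer = $cert.Subject; Path = $path }
}

$body = [System.Text.Encoding]::UTF8.GetBytes('Signing between organizations')
$der  = New-SignedMessage -Body $body -Cert $signerCert
Test-SignedMessage -Der $der | Format-List        # verify the intact message
# Flip one bit of the signature value (the last byte of the encoding) and verify the copy.
$tampered = [byte[]]$der.Clone()
$tampered[$tampered.Length - 1] = $tampered[$tampered.Length - 1] -bxor 1
Test-SignedMessage -Der $tampered | Format-List   # verify the tampered copy
Remove-Item -Path "Cert:\CurrentUser\My\$($signerCert.Thumbprint)"   # clean up the stand-in
```

With a CA-issued certificate such as the lab's SMIMESign, Path lists the issuing CA(s) above the signer, which is the answer the Certification Path tab gives in step 8e.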
Course Evaluation