
Module 3

Deploying and Managing Certificates

Module Overview
Configuring Certificate Templates
Deploying Certificates by Using AD CS
Deploying Certificates by Using Autoenrollment
Revoking Certificates
Configuring Certificate Recovery

Lesson 1: Configuring Certificate Templates


What Are Certificate Templates?
Certificate Template Versions
Certificate Template Categories and Purposes
Configuring Certificate Template Permissions
Methods for Updating a Certificate Template
Demonstration: How to Modify and Enable a Certificate Template

What Are Certificate Templates?

Certificate templates define:

Format and contents of a certificate
Process of creating and submitting a valid certificate request
Security principals that are allowed to read, enroll, or autoenroll for a certificate
Permissions to read, enroll, autoenroll, or modify a certificate template

Certificate Template Versions

Version 1:
Provided for backward compatibility
Created by default when a CA is installed
Cannot be modified or removed, but can be duplicated to become a version 2 or version 3 template

Version 2:
Allows customization of most settings in the template
Several preconfigured templates are provided when a CA is installed

Version 3:
Supports Cryptography Next Generation (CNG) providers and therefore the Suite B algorithms (elliptic-curve keys, SHA-2 hashes)
Includes advanced options for encryption, digital signatures, key exchange, and hashing
Can be issued only by a Windows Server 2008 CA and used only by Windows Vista and Windows Server 2008 (and later) clients

Certificate Template Categories and Purposes

Category            Users                    Computers
Single purpose      Basic EFS                Web Server
                    Authenticated Session    IPSec
                    Smart Card Logon
Multiple purposes   Administrator            Computer
                    User                     Domain Controller
                    Smart Card User

Configuring Certificate Template Permissions

Permission     Description
Full Control   Allows a security principal to modify all attributes of the template, including its permissions
Read           Allows a security principal to find the template in Active Directory when enrolling
Write          Allows a security principal to modify all attributes of the template except permissions
Enroll         Allows a security principal to enroll for a certificate based on the template
Autoenroll     Allows a security principal to receive a certificate through the autoenrollment process (Read and Enroll are also required)
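The permissions above live on the template objects in the Configuration partition, so they can be reviewed without opening each template in the console. The following script is an added example, not part of the course: it lists every principal that holds Enroll, Autoenroll, Write or Full Control on each template and which CAs have the template published. The only assumption is the list of group names treated as "too broad" for a sensitive template; the paths and rights GUIDs are the standard AD ones.

```powershell
# Added example (not course material): audit certificate template ACLs.
# Run on a domain-joined machine as any domain user; template objects are readable.

# Extended-right GUIDs defined in the AD schema for the two enrollment rights.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-00e0-4f79-00c04f79dc55'   # Certificate-AutoEnrollment

# Assumption: these groups should not hold Enroll/Write on sensitive templates.
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Get-TemplateAclReport {
    $configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $templates  = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $enrollSvcs = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $rightsType = [System.DirectoryServices.ActiveDirectoryRights]

    # A template only matters once a CA publishes it: map template name -> CA names.
    $published = @{}
    foreach ($ca in $enrollSvcs.Children) {
        $caName = [string]$ca.Properties['cn'].Value
        foreach ($t in $ca.Properties['certificateTemplates']) {
            $published[[string]$t] += @($caName)
        }
    }

    foreach ($template in $templates.Children) {
        $name  = [string]$template.Properties['cn'].Value
        $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $r    = $rule.ActiveDirectoryRights
            $held = @()
            if (($r -band $rightsType::GenericAll) -eq $rightsType::GenericAll) { $held += 'FullControl' }
            elseif ($r -band $rightsType::WriteDacl)     { $held += 'WriteDacl' }   # can grant itself anything
            elseif ($r -band $rightsType::WriteProperty) { $held += 'Write' }       # can change template settings
            if ($r -band $rightsType::ExtendedRight) {
                if     ($rule.ObjectType -eq $EnrollGuid)     { $held += 'Enroll' }
                elseif ($rule.ObjectType -eq $AutoEnrollGuid) { $held += 'Autoenroll' }
                elseif ($rule.ObjectType -eq [guid]::Empty)   { $held += 'AllExtendedRights' }  # includes both
            }
            if (-not $held) { continue }
            $who = $rule.IdentityReference.Value
            [pscustomobject]@{
                Template    = $name
                PublishedOn = ($published[$name] -join ';')
                Principal   = $who
                Rights      = ($held -join ',')
                Broad       = [bool]($BroadPrincipals | Where-Object { $who -eq $_ -or $who -like "*\$_" })
            }
        }
    }
}

$report = Get-TemplateAclReport
$report | Sort-Object Template, Principal | Format-Table -AutoSize
'--- Published templates a broad group can enroll for or modify ---'
$report | Where-Object { $_.Broad -and $_.PublishedOn } |
    Format-Table Template, PublishedOn, Principal, Rights -AutoSize
```

Treat Write and Full Control at least as seriously as Enroll: per the table, Write lets the holder change every setting of the template, so anyone who can edit a published template can also decide who may enroll from it and what the certificate says.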

Methods for Updating a Certificate Template

[Figure: Modifying: Original -> Updated. Superseding: Smart Card, Smart Card, Smart Cards -> Two-Factor]

Modifying: Modify the original certificate template to incorporate the new settings.

Superseding: Replace one or more certificate templates with an updated certificate template (in the figure, several separate smart card templates are replaced by a single two-factor template). Clients that autoenroll re-enroll from the superseding template and their old certificates are archived.

Demonstration: How to Modify and Enable a Certificate Template

Create, modify, and supersede a template
Issue a certificate to be used by a CA

Lesson 2: Deploying Certificates by Using AD CS

What Is a Digital Certificate?
Overview of Certificate Life Cycle
Certificate Enrollment Methods
Obtaining Certificates by Using Web Enrollment
Obtaining Certificates by Using Manual Enrollment
Demonstration: How to Manually Obtain a Certificate for a Web Service
What Is NDES?

What Is a Digital Certificate?

A digital certificate binds together:

Public cryptographic key
Subject information (who or what holds the matching private key)
CA information (the issuer, whose signature over the certificate is what a relying party trusts)

Overview of Certificate Life Cycle

1. A user, computer, or service requests a certificate from a CA.
2. The CA generates a certificate.
3. The CA distributes the certificate to the user, computer, or service.
4. The certificate is used with PKI-enabled applications.
5. The certificate reaches the end of its lifetime.
6. The certificate is expired, renewed, or revoked.

Certificate Enrollment Methods

Method              Use
Autoenrollment      To automate the request, retrieval, and storage of certificates for domain-based users and computers
Manual enrollment   To request certificates by using the Certificates console or Certreq.exe, including when the requestor cannot communicate directly with the CA
Web enrollment      To request certificates from a Web site located on a CA; to issue certificates when autoenrollment is not available
Enrollment agents   To give a CA administrator or other designated user the right to request certificates on behalf of another user

Obtaining Certificates by Using Web Enrollment

1. Connect to http://ServerName/certsrv by using a Web browser.
2. Click Request A Certificate.
3. Select the type of certificate that you want to request.
4. Type or verify your identification.
5. Install the certificate.

Obtaining Certificates by Using Manual Enrollment

Manual enrollment methods:

Certificates MMC snap-in (or Certreq.exe)
Web enrollment (the certsrv Web site on the CA)
NDES (for network devices)

Demonstration: How to Manually Obtain a Certificate for a Web Service

To perform enrollment by using one of the manual enrollment methods
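The Certreq.exe path in the table above is the one to script. What follows is an added example, not the course's demonstration: it builds a request for a Web server certificate, submits it to the CA, and binds the issued certificate to its private key. The CA configuration string, host name and template name are assumptions for the Contoso lab; take the real config string from certutil -dump on the CA.

```powershell
# Added example (not course material): manual enrollment with Certreq.exe.
$CAConfig = 'HQDC01.contoso.com\Contoso-CA'   # assumption: "<CA host>\<CA name>" per certutil -dump
$HostName = 'www.contoso.com'                 # assumption
$Template = 'WebServer'                       # template *name*, not display name
$WorkDir  = Join-Path $env:TEMP 'webcert'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# 1. Describe the request. MachineKeySet=TRUE stores the key in the computer
#    store (IIS needs that); Exportable=FALSE keeps the private key from being
#    copied off the box. The SAN extension (OID 2.5.29.17) carries the DNS name
#    browsers actually match on; KeyUsage 0xA0 = digitalSignature + keyEncipherment.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostName, O=Contoso, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"

[RequestAttributes]
CertificateTemplate = $Template
"@
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate the key pair locally and write the PKCS #10 request.
certreq -new $infPath $reqPath

# 3. Submit to the CA. If the template requires certificate manager approval,
#    certreq reports "Taken Under Submission" with a RequestId; fetch it later with
#    certreq -retrieve -config $CAConfig <RequestId> issued.cer
certreq -submit -config $CAConfig $reqPath $cerPath

# 4. Pair the issued certificate with its private key in the computer store.
certreq -accept $cerPath

# 5. Verify: the new certificate must show HasPrivateKey = True, or IIS cannot use it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

Because the key pair is generated in step 2 and never leaves the machine, the only thing that crosses the network is the request and the signed certificate; that is the property that makes manual and offline enrollment acceptable for server keys.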

What Is NDES?

[Figure: network router <-> NDES on the network <-> CA]

NDES:

Uses SCEP to communicate with compatible network devices such as routers and switches
Functions as an AD CS role service
Requires IIS

Lesson 3: Deploying Certificates by Using Autoenrollment

Discussion: Benefits and Uses of Autoenrollment
Functioning of Autoenrollment

Discussion: Benefits and Uses of Autoenrollment

How does autoenrollment simplify certificate management in your organization?

What are examples of applications that can benefit from autoenrollment?

Functioning of Autoenrollment

1. Certificate template: A certificate template is configured to grant Read, Enroll, and Autoenroll permissions to the users or computers that will receive the certificates.
2. Certification authority: The CA is configured to issue the template.
3. GPO: An Active Directory Group Policy Object (GPO) is created to enable autoenrollment. The GPO is linked to the appropriate site, domain, or organizational unit.
4. Client machine: The client receives the certificates during the next Group Policy refresh interval.
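The GPO in step 3 and the client check in step 4 can be done from the command line. This is an added example, not the course's lab procedure: it assumes the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2 or later; on Windows Server 2008 itself the same registry values are set through the GPMC UI), a GPO name and an OU distinguished name that are placeholders.

```powershell
# Added example (not course material): enable autoenrollment via GPO and trigger it.
Import-Module GroupPolicy
$GpoName  = 'Cert Autoenrollment'                       # assumption
$TargetOU = 'OU=Workstations,DC=contoso,DC=com'         # assumption

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# The "Certificate Services Client - Auto-Enrollment" policy writes AEPolicy here.
#   7      = Enabled + "Renew expired certificates, update pending certificates and
#            remove revoked certificates" + "Update certificates that use certificate templates"
#   0x8000 = Disabled
$AEKeyMachine = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$AEKeyUser    = 'HKCU\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
foreach ($key in $AEKeyMachine, $AEKeyUser) {
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
    # Renewal is attempted once this percentage of the certificate lifetime has elapsed.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
}

$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU | Out-Null }

# --- On a client in that OU: apply the policy now and kick autoenrollment
#     instead of waiting for the refresh interval, then confirm the value landed.
gpupdate /target:computer /force
certutil -pulse
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' |
    Select-Object AEPolicy, OfflineExpirationPercent

# Autoenrollment reports success and failure to the Application log; the provider
# name below is what the events carry on current Windows versions (assumption for 2008).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize
```

The policy alone issues nothing: a client only enrolls for templates on which its account holds Read, Enroll and Autoenroll (step 1) and which a CA publishes (step 2), so a missing certificate is usually a permission or publication problem rather than a GPO problem.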

Lesson 4: Revoking Certificates


Reason Codes for Revoking a Certificate
Demonstration: How to Revoke a Certificate
What Is an Online Responder?
How Online Responders Work
Steps to Configure an Online Responder
Demonstration: How to Configure an Online Responder

Reason Codes for Revoking a Certificate

Reason code (CRLReason value)   Description
Key compromise (1)              A computer is stolen or a smart card is lost.
CA compromise (2)               A CA certificate is compromised.
Affiliation change (3)          An employee is terminated or suspended.
Superseded (4)                  An issued certificate is replaced.
Cessation of operation (5)      A smart card has failed or the legal name of a user has changed.
Certificate hold (6)            A certificate is put on hold temporarily. This is the only reason that can be reversed (the certificate can later be unrevoked).
Unspecified (0)                 A certificate is revoked without providing a reason.

Demonstration: How to Revoke a Certificate


Revoke a certificate
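The same revocation can be done with certutil, which also shows the two things the console hides: the CRL must be republished before clients see the change, and the relying party must actually fetch it. This is an added example, not the course's demonstration; the CA configuration string, requester name, serial number and file path are placeholders.

```powershell
# Added example (not course material): revoke, publish the CRL, then check as a client.
$CAConfig = 'HQDC01.contoso.com\Contoso-CA'   # assumption
$Serial   = '1a2b3c4d000000000007'            # placeholder; take it from the -view query below
$CerFile  = 'C:\temp\user.cer'                # placeholder: a copy of the issued certificate

# RFC 5280 CRLReason values as certutil -revoke expects them.
$Reason = @{
    Unspecified          = 0
    KeyCompromise        = 1
    CACompromise         = 2
    AffiliationChanged   = 3
    Superseded           = 4
    CessationOfOperation = 5
    CertificateHold      = 6   # the only one that can be undone
}

# 0. Find the serial number when you only know who the certificate was issued to.
#    Disposition=20 restricts the view to issued certificates.
certutil -config $CAConfig -view -restrict "RequesterName=CONTOSO\alice,Disposition=20" -out "RequestID,SerialNumber,CertificateTemplate,NotAfter"

# 1. Revoke. A stolen laptop or lost smart card is a key compromise, so say so:
#    relying parties may treat reason 1 differently from an unexplained revocation.
certutil -config $CAConfig -revoke $Serial $Reason.KeyCompromise

# 2. Publish a new base CRL immediately. Until a new CRL is published and fetched,
#    clients that rely on the CRL keep trusting the certificate, because they cache
#    the previous CRL until its NextUpdate time.
certutil -config $CAConfig -CRL

# 3. Check from the relying-party side: fetch the CRL/OCSP URLs embedded in the
#    certificate and show the revocation lines of the chain report.
certutil -verify -urlfetch $CerFile | Select-String -Pattern 'Revocation|REVOKED|Reason|OCSP|CRL'

# Lifting a temporary hold (valid only after reason 6):
# certutil -config $CAConfig -revoke $Serial Unrevoke
```

Step 2 is the one people forget: revocation is recorded in the CA database instantly, but nothing outside the CA knows until a CRL or OCSP response carrying that serial number reaches the client.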

What Is an Online Responder?

An Online Responder:

Performs certificate validation and revocation checking with OCSP over HTTP
Receives and responds dynamically to individual requests, so a client does not have to download an entire CRL
Is used by Windows Vista and Windows Server 2008 (and later) computers; earlier clients fall back to CRLs
Functions as a responder for multiple CAs

How Online Responders Work

1. An application validates a certificate whose Authority Information Access extension lists the location of an OCSP responder.
2. If a cached OCSP response is not found, the Online Responder receives a request through HTTP.
3. The Online Responder Web proxy component decodes and verifies the request.
4. The Online Responder takes the request and checks the certificate's status against its local copy of the CA's CRL.
5. The Web proxy encodes the signed response and sends it back to the client.

Steps to Configure an Online Responder

Start -> Configure the CA -> Install the Online Responder role service -> Create a revocation configuration -> Stop

Demonstration: How to Configure an Online Responder


Configure the CA to support the Online Responder
Install and configure the Online Responder role service
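The "Configure the CA" step has a command-line form that is easier to review than clicking through the CA properties. This is an added example, not the course's demonstration: it assumes the responder will answer at the URL below and that the OCSP Response Signing template keeps its default name; run it on the CA as a CA administrator.

```powershell
# Added example (not course material): prepare a CA for an Online Responder.
$OcspUrl = 'http://ocsp.contoso.com/ocsp'   # assumption: where the responder will listen

# 1. Add the OCSP location to the AIA extension of every certificate issued from
#    now on. Prefix 32 flags the entry as an OCSP URL rather than an issuer-certificate
#    URL. Certificates issued earlier are not updated and will keep using the CRL.
certutil -setreg ca\CACertPublicationURLs "+32:$OcspUrl"

# 2. Allow the CA to issue OCSP Response Signing certificates even when it cannot
#    check its own revocation status, and sign using the CA certificate named in
#    the request (required when the CA certificate has been renewed).
certutil -setreg ca\CRLFlags '+CRLF_REVCHECK_IGNORE_OFFLINE'
certutil -setreg ca\UseDefinedCACertInRequest 1

# 3. Publish the signing template on this CA so the responder's computer account
#    can enroll. Its permissions must give that computer account Read and Enroll.
certutil -setcatemplates '+OCSPResponseSigning'

# 4. Registry changes take effect after a service restart; then read them back.
Restart-Service certsvc
certutil -getreg ca\CACertPublicationURLs
certutil -getreg ca\CRLFlags
certutil -getreg ca\UseDefinedCACertInRequest

# After the responder and its revocation configuration exist, test from any client
# with a certificate issued after step 1:
#   certutil -verify -urlfetch C:\temp\user.cer
# The report should show the OCSP URL being fetched and a "Verified" status line.
```

Keep the CRL distribution points in place alongside the OCSP URL: clients that cannot reach the responder, and any client older than those listed above, need the CRL to complete revocation checking.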

Lesson 5: Configuring Certificate Recovery


Importance of Key Archival and Recovery
Manually Exporting Certificates and Private Keys
Configuring Automatic Key Archival
Demonstration: How to Configure Key Archival
Recovering a Lost Key
Demonstration: How to Recover a Lost Key

Importance of Key Archival and Recovery

Keys get lost when:
User profile is deleted
Operating system is reinstalled
Disk is corrupted
Computer is stolen

Data recovery methods that use:
Key archival and KRAs
Manual key archival and recovery

Manually Exporting Certificates and Private Keys

You can use the following to export certificates:

Certificates MMC snap-in
Certification Authority MMC snap-in
Certutil.exe
Microsoft Office Outlook
Internet Explorer

Which tool applies, and whether the private key can be exported at all, depends on the certificate template upon which the certificate is based (a template can mark the private key as non-exportable).

Configuring Automatic Key Archival

To configure automatic key archival:

1. Configure and issue the KRA certificate template.
2. Designate a person as the KRA and enroll for the certificate.
3. Enable key archival on the CA.
4. Modify and enable the required certificate templates for key archival.

Demonstration: How to Configure Key Archival


Configure key archival

Recovering a Lost Key

[Figure: user, certificate manager, CA database (Serial #: 00AD036), KRA; the archived key travels as a PKCS #7 blob]

1. The private key is lost or corrupted.
2. The certificate manager finds the serial number of the certificate.
3. The certificate manager extracts the PKCS #7 blob (the archived key, encrypted to the KRA's certificate) from the CA.
4. The certificate manager transfers the PKCS #7 blob to the KRA.
5. The KRA recovers the private key.
6. The user imports the private key.
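The flow above maps onto two certutil verbs, one per role. This is an added example, not the course's demonstration: it assumes the CA configuration string, user principal name and file paths below, which are placeholders, and that the KRA's private key lives on a different machine from the CA.

```powershell
# Added example (not course material): key recovery with certutil, split by role.
$CAConfig = 'HQDC01.contoso.com\Contoso-CA'   # assumption
$User     = 'alice@contoso.com'               # assumption: UPN of the user who lost the key

# --- Certificate manager (find the serial number, extract and hand over the blob) ---
# -getkey accepts a serial number, SHA-1 hash, UPN or DOMAIN\user as the search
# token, so the serial-number lookup and the extraction collapse into one command.
# The output file is a PKCS #7 blob encrypted to the KRA certificate; the CA
# operator can read the file but cannot decrypt the key inside it.
certutil -config $CAConfig -getkey $User C:\recover\alice.blob
# Transfer alice.blob to the KRA. It is already encrypted, but delete it on both
# sides once the recovery is finished.

# --- KRA (on the workstation that holds the KRA private key) ----------------
# Decrypts the blob with the KRA key and re-wraps the user's key in a
# password-protected PFX. Use a one-time password and give it to the user
# out of band, not alongside the file.
$pfxPassword = Read-Host 'One-time PFX password'
certutil -p $pfxPassword -recoverkey C:\recover\alice.blob C:\recover\alice.pfx

# --- User (on her own machine) ---------------------------------------------
# Import into the personal store. The NoExport modifier (assumption: supported on
# this certutil version) marks the restored key non-exportable again.
certutil -user -p $pfxPassword -importpfx C:\recover\alice.pfx NoExport
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*alice*' } |
    Format-List Subject, SerialNumber, HasPrivateKey

# Clean up the transport artifacts once the import is confirmed.
Remove-Item C:\recover\alice.blob, C:\recover\alice.pfx -ErrorAction SilentlyContinue
```

The separation is the point: the certificate manager role can pull any archived key out of the database, and the KRA role can decrypt any of them, so giving both roles to one person turns key archival into a single-person backdoor to every archived key.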

Demonstration: How to Recover a Lost Key


Recover an archived certificate and a key from Active Directory

Lab: Deploying and Managing Certificates


Exercise 1: Configuring AD CS Certificate Templates
Exercise 2: Configuring AD CS Web Enrollment
Exercise 3: Configuring Certificate Autoenrollment
Exercise 4: Configuring AD CS Certificate Revocation
Exercise 5: Managing Key Archival and Recovery

Logon information

Virtual machine: 6426B-HQDC01-B
User name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 110 minutes

Lab Scenario
Now that you have deployed an AD CS infrastructure, your IT Director wants to extend the functionality of the environment by providing a mechanism for users to automatically obtain and use certificates. You have decided to implement certificate templates and make use of the autoenrollment mechanisms provided by AD CS.

You must install and configure Windows Server 2008 computers to support certificate services in the organization. To do so, you must perform the following activities:

Install and configure Web enrollment for Certificate Services.

Configure the associated Web site to use Secure Sockets Layer (SSL).

Configure autoenrollment features in Group Policy for Certificate Services.

Configure certificate revocation and the Online Responder functionality of Certificate Services.

Implement custom certificate templates and a key archival and key recovery solution.

Lab Review: Deploying and Managing Certificates


In this lab, you have:
Configured AD CS Certificate Templates
Configured AD CS Web Enrollment
Configured Certificate Autoenrollment
Configured AD CS Certificate Revocation
Managed Key Archival and Recovery

Module Review and Takeaways


Review Questions