Module 7
description
Transcript of Module 7
Microsoft® Official Course
Module 7
Deploying and Managing Active Directory Certificate
Services
Module Overview
Deploying CAs
Administering CAs•Troubleshooting, Maintaining, and Monitoring CAs
Lesson 1: Deploying CAs
AD CS in Windows Server 2012
What Is Certification Authority?
Public vs. Private CAs
Stand-alone vs. Enterprise CAs
Options for Implementing CA Hierarchies
Considerations for Deploying a Root CA
Considerations for Deploying a Subordinate CA
How to Use the CAPolicy.inf File for Installing a CA•Demonstration: Deploying an Enterprise Root CA
AD CS in Windows Server 2012
CA
Online Responder
Network Device Enrollment Service
CA Web Enrollment
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
Firewall
Enrollment
Linux
ProxyWin
dows
7
or new
er
PolicyW
indow
s 7
or new
er
What Is Certification Authority?
CA
Root CA issues a self-
signed certificate for
itself
Verifies the identity of the
certificate requestor
Manages certificate revocation
Issues certificates to
users, computers, and
services
Firewall
Public vs. Private CAs
•External public CAs:• Are trusted by many external clients, such as web browsers, operating systems • Are slower compared to internal CAs• Have higher cost
• Internal private CAs:• Require greater administration than external public CAs• Cost less than external public CAs and provide greater control over certificate management• Are not trusted by external clients by default• Offer advantages such as customized templates and autoenrollment
Stand-alone vs. Enterprise CAs
Standalone CAs Enterprise CAs
Must be used if any CA (root/intermediate/policy) is offline because a standalone CA is not joined to an AD DS domain
Requires the use of AD DS and stores information in AD DS
Can use Group Policy to propagate certificates to the trusted root CA certificate store
Users must provide identifying information and specify the type of certificate
Publishes user certificates and CRLs to AD DS
Does not support certificate templates
Issues certificates based on a certificate template
All certificate requests are kept pending until administrator approval
Supports autoenrollment for issuing certificates
Options for Implementing CA Hierarchies
Root CA
Policy CAs
Issuing CA
Issuing CA
Issuing CA
Root CA
Issuing CAs
Root CA
Policy CA
Root CA
Policy CA
Issuing CAIssuing CA
Issuing CA
Issuing CA
Issuing CA Issuing CA
Policy CA Usage
Two-Tier Hierarchy
Cross-Certification Trust
Considerations for Deploying a Root CA
• Computer name and domain membership cannot change
• When you plan private key configuration, consider the following:• CSP• Key character length with a default of 2,048• The hash algorithm that is used to sign
certificates issued by a CA
• When you plan a root CA, consider the following:• Name and configuration• Certificate database and log location• Validity period
Considerations for Deploying a Subordinate CA
Root
Subordinate
RASEFSS/MIMECertificate
Uses
Root
Subordinate
Load Balancing
India Canada USA
Root
Subordinate
Locations
Root
Subordinate
Employee Contractor
PartnerOrganizational Divisions
How to Use the CAPolicy.inf File for Installing a CA
•The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA
•The CAPolicy.inf file defines the following:• Certification practice statement• Object identifier• CRL publication intervals• CA renewal settings• Key size• Certificate validity period• CDP and AIA paths
Demonstration: Deploying an Enterprise Root CA
In this demonstration, your instructor will show you how to deploy the enterprise root CA
Lesson 2: Administering CAs
Managing CA Hierarchy
Configuring CA Administration and Security
Configuring CA Policy and Exit Modules
Configuring CRL Distribution Points and AIA Locations•Demonstration: Configuring CA Properties
Managing CA Hierarchy
• For managing CA hierarchy, you can use:• CA Management console• Windows PowerShell • Certutil command-line utility
•Certutil provides an interface for advanced CA and PKI configuration and management
•PKI options are manageable through Group Policy, if you use the following:• Credential roaming• Autoenrollment of certificates• Certificate path validation• Certificate distribution
Configuring CA Administration and Security
• You can establish role-based administration for CA hierarchy by defining the following roles:• CA Administrator• Certificate Manager• Backup Operator• Auditor• Enrollees
• You can assign the following permissions on the CA level:• Read• Issue and Manage Certificates• Manage CA• Request Certificates
• Certificate Managers can be restricted to a template
Configuring CA Policy and Exit Modules
• The policy module determines the action that is performed after the certificate request is received• The exit module determines what happens with a certificate after it is issued• Each CA is configured with default policy and exit modules• The FIM 2010 Certification Management deploys custom policy and exit modules• The exit module can send email or publish a certificate to a file system• You have to use certutil to specify these settings, as they are not available in the CA the administrator console
Configuring CRL Distribution Points and AIA Locations
•The AIA specifies where to retrieve the CA's certificate•The CDP specifies from where the CRL for a CA can be retrieved•Publication locations for AIA and CDP:• AD DS• Web servers• File Transfer Protocol FTP servers• File servers
•Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs•Ensure that the CRL for an offline root CA does not expire
Demonstration: Configuring CA Properties
In this demonstration, you will see how to configure CA properties
Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs
Troubleshooting CAs
Renewing a CA Certificate
Moving a Root CA to Another Computer•Monitoring and Maintaining CA Hierarchy
Troubleshooting CAs
•Tools for managing CAs:• Certificates snap-in• PKIView tool• CA snap-in• Certutil.exe• Certificate Templates snap-in
•AD CS common issues:• Client autoenrollment issues• Unavailable enterprise CA option• Error accessing CA web pages• Enrollment agent restriction
Renewing a CA Certificate
• The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date
• The CA will never issue a certificate that has a longer validity time than its own certificate
• Considerations for renewing a root CA certificate:• Key length• Validity period
• Considerations for renewing a certificate for an issuing CA:• New key pair• Smaller CRLs
• Procedure for CA certificate renewal
Moving a Root CA to Another Computer
To move a CA from one computer to another, you have to perform backup and restore:• To back up a computer, follow this procedure:
1. Record the names of the certificate templates
2. Back up a CA in the CA admin console
3. Export the registry subkey
4. Uninstall the CA role
5. Confirm the %Systemroot% folder locations
6. Remove the old CA from the domain
• To restore, follow this procedure:1. Install AD CS
2. Use the existing private key
3. Restore the registry file
4. Restore the CA database and settings
5. Restore the certificate templates
Monitoring and Maintaining CA Hierarchy
• For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing•With the PKIView, you can:• Access and manage AD DS PKI-related containers • Monitor CAs and their health state• Check the status of CA certificates• Check the status of AIA locations• Check the status of CRLs• Check the status of CRL distribution points• Evaluate the state of the online responder
•CA auditing provides logging for various events that happen on the CA
Lab: Deploying and Configuring a Two-Tier CA Hierarchy
Exercise 1: Deploying an Offline Root CA•Exercise 2: Deploying an Enterprise Subordinate CA
Logon InformationVirtual machines: 10969A-LON-DC1,
10969A-LON-SVR1,10969A-CA-SVR1
User name: Adatum\AdministratorPassword: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.
As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.
Lab Review
Why is it not recommended to install only an enterprise root CA?•What are some reasons that an organization would use an Enterprise root CA?
Module Review and Takeaways
Review Questions
Tools
Best Practice•Common Issues and Troubleshooting Tips