MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services




Objectives
- Describe the components of a PKI system
- Deploy the Active Directory Certificate Services role
- Configure a certification authority
- Maintain a PKI
MCTS Windows Server 2008 Active Directory 2

Introducing Active Directory Certificate Services
- Active Directory Certificate Services (AD CS) is a server role in Windows Server 2008
- Provides the services for creating a public key infrastructure (PKI)
- Adds a level of security for a variety of applications, such as VPNs, EFS, smart cards, and SSL/TLS

Public Key Infrastructure Overview
- A public key infrastructure is a security system that binds a user's or device's identity to a cryptographic key
- PKI provides the following services to a network:
  - Confidentiality
  - Integrity
  - Nonrepudiation
  - Authentication
- Without adequate security, communications can be tampered with, causing Web sites to be redirected or other unwanted behaviors

PKI Terminology
- List of components that compose a PKI:
  - Plaintext
  - Ciphertext
  - Key
  - Secret key
  - Private key
  - Public key
  - Symmetric cryptography
  - Asymmetric cryptography
  - Digital certificate
  - Digital signature
  - Certification authority
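The terms above (private key, public key, asymmetric cryptography, digital signature) are easiest to see in working code. The following is an added example, not code from the MCTS guide: it uses the .NET RSA classes that ship with Windows Server 2008 from PowerShell. The function names, the message text and the 2048-bit key size are constructed for this demonstration; the CspParameters provider type 24 (PROV_RSA_AES) is assumed so that SHA-256 signatures work on older .NET builds.

```powershell
# Added example (not from the MCTS guide): private key signs, public key verifies.
# The signer keeps the private key; the verifier receives only the public key (XML).
# Message text and key size are constructed sample values.

function New-RsaProvider {
    param([int]$KeySizeBits = 2048)
    # Provider type 24 = PROV_RSA_AES, which can hash with SHA-256 (assumption: needed on .NET 3.5)
    $csp = New-Object System.Security.Cryptography.CspParameters(24)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($KeySizeBits, $csp)
    $rsa.PersistKeyInCsp = $false   # demo key: do not leave a key container on disk
    $rsa
}

function Export-PublicKeyXml {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$Key)
    # $false = public parameters only; the private key never leaves the signer
    $Key.ToXmlString($false)
}

function New-Signature {
    param([System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey, [string]$Message)
    $plaintextBytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
    # SHA-256 digest of the message, signed with the private key (PKCS#1 v1.5 padding)
    $PrivateKey.SignData($plaintextBytes, "SHA256")
}

function Test-Signature {
    param([string]$PublicKeyXml, [string]$Message, [byte[]]$Signature)
    $verifier = New-RsaProvider
    $verifier.FromXmlString($PublicKeyXml)   # public key only: can verify, cannot sign
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
    $verifier.VerifyData($bytes, "SHA256", $Signature)
}

# --- demonstration ---
$alice     = New-RsaProvider
$publicXml = Export-PublicKeyXml -Key $alice
$message   = "Transfer 100 EUR to account 42"        # constructed sample message
$signature = New-Signature -PrivateKey $alice -Message $message

"Verifies with Alice's public key : " + (Test-Signature $publicXml $message $signature)
# Integrity: one changed character in the plaintext invalidates the signature
"Verifies after tampering         : " + (Test-Signature $publicXml "Transfer 900 EUR to account 42" $signature)
# Authentication / nonrepudiation: another key pair cannot produce a signature Alice's public key accepts
$mallory = New-RsaProvider
$forged  = New-Signature -PrivateKey $mallory -Message $message
"Verifies with a forged signature : " + (Test-Signature $publicXml $message $forged)
```

The first line prints True and the other two print False. A digital certificate, in the chapter's terms, is what a certification authority issues to bind `$publicXml` to Alice's identity, so a verifier can trust that the key belongs to her rather than to Mallory.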

PKI Terminology (cont.)
- Steps of a secure Web transaction (shown as a figure on the slide; not transcribed)

AD CS Terminology
- Terms related to AD CS:
  - Certificate revocation list (CRL)
  - Certificate template
  - Certificate distribution point (CDP)
  - Delta CRL
  - Enterprise CA
  - Standalone CA
  - Enrollment agent
  - CA hierarchy
  - Online responder
  - Certificate enrollment
  - Key management
  - Authority Information Access (AIA)

Standalone and Enterprise CAs
- An enterprise CA is a server running Windows Server 2008 with the Active Directory Certificate Services role installed and integrated with Active Directory
- A standalone CA is a server running Windows Server 2008 with the Active Directory Certificate Services role installed but with little Active Directory integration
- A network with non-Windows devices needs at least one standalone CA

Standalone and Enterprise CAs (cont.) (slide content not transcribed)

Online and Offline CAs
- If a CA is compromised, all certificates the CA has issued are also compromised and must be revoked immediately
- Offline CAs aren't connected to the network
  - All certificates and CRLs must be distributed with removable media
- The root CA is the server most typically configured for offline operation
- Offline CAs must be standalone CAs

Creating a CA Hierarchy
- The root CA is the first CA installed in a network
- A two-level hierarchy involves the root CA issuing certificates to subordinate CAs called issuing CAs
- A three-level hierarchy involves the root CA issuing certificates to intermediate CAs, which then issue certificates to other CAs
- Multilevel CA hierarchies are commonly used to distribute certificate-issuing load

Creating a CA Hierarchy (cont.) (slide content not transcribed)

Certificate Practice Statement
- A certificate practice statement (CPS) is a document describing how a CA issues certificates
- Not a required component of a PKI
- A CPS usually contains:
  - Identification of the CA
  - Security practices used to maintain CA integrity
  - Types of certificates used
  - Policies and procedures used
  - Cryptographic algorithms used
  - Certificate lifetimes
  - CRL-related policies, including where CRL distribution points are located
  - Renewal policy of the CA's certificate
- Installed by creating a CAPolicy.inf file and placing it into the CA's %systemroot% directory
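What a CAPolicy.inf looks like for the offline standalone root CA described on the preceding slides, as an added example that is not part of the MCTS guide. It sets the CPS pointer, a long root lifetime, the infrequent CRL schedule an offline root needs, and empty CDP/AIA extensions on the root certificate. The OID, notice text and URL are placeholders to replace with values your organisation controls.

```ini
; Added example (not from the MCTS guide): CAPolicy.inf for an OFFLINE ROOT CA.
; Place in %systemroot% BEFORE installing the AD CS role; it is read only at install/renewal.
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; Placeholder OID: use an arc registered to your organisation
OID=1.3.6.1.4.1.99999.1.1.1
Notice="Certificates are issued under the Example Corp CPS."
URL=http://pki.example.com/cps.html

[Certsrv_Server]
; Root key and certificate lifetime: the root is renewed rarely
RenewalKeyLength=4096
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years
; An offline root signs a new CRL twice a year; it is carried to the CDP on removable media
CRLPeriodUnits=26
CRLPeriod=Weeks
; No delta CRLs from a root (0 disables them)
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=Days
; A root issues only to subordinate CAs, so do not publish the default templates
LoadDefaultTemplates=0

[CRLDistributionPoint]
; The root certificate is a trust anchor: it carries no CDP or AIA of its own
Empty=True

[AuthorityInformationAccess]
Empty=True
```

After installation, `certutil -getreg CA\CRLPeriodUnits` confirms the CRL period was taken from the file; a CAPolicy.inf added after the role is installed has no effect until the CA certificate is renewed.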

Installing the AD CS Role
- Best practices dictate that the AD CS role shouldn't be installed on a domain controller; ideally, AD CS should be the only installed role
- Enterprise CAs must be installed on a member server running Windows Server 2008 Enterprise or Datacenter Edition
- AD CS is installed by adding the AD CS role in Server Manager

Installing the AD CS Role (cont.) (slide content not transcribed)

Installing the AD CS Role (cont.) (slide content not transcribed)

Installing the AD CS Role (cont.) (slide content not transcribed)

Configuring a Certification Authority
- Several configuration tasks must be taken care of before the CA can be used properly:
  - Configure certificate templates
  - Configure enrollment options
  - Configure the online responder
  - Create a revocation configuration

Configuring Certificate Templates
- If you install an enterprise CA, a number of predefined certificate templates can be configured to generate certificates
- Windows Server 2008 supports three versions of certificate templates:
  - Version 1 templates: supported by Windows Server 2003 Standard Edition and Windows 2000 Server
  - Version 2 templates: supported by Windows Server 2003 Enterprise Edition and later
  - Version 3 templates: supported by Windows Server 2008 and Vista
- Certificate templates are created and modified in the Certificate Templates snap-in

Configuring Certificate Templates (cont.) (slide content not transcribed)

Configuring Certificate Templates (cont.) (slide content not transcribed)
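Templates live in the Active Directory configuration partition, and the version numbers the slide lists are stored there as an attribute. The script below is an added example, not from the MCTS guide: it inventories every template with its version and validity period and shows which enterprise CAs publish it, using only `[ADSI]` and `DirectorySearcher` so it runs on Windows Server 2008 without the ActiveDirectory module. The function names are mine; the LDAP container names and attribute names are the standard AD CS schema.

```powershell
# Added example (not from the MCTS guide): inventory certificate templates from AD.
# Run as any domain user with LDAP access to a domain controller.

function Get-PkiSearcher {
    param([string]$Container, [string]$Filter)
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=$Container,CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    $searcher
}

function Get-PublishingCAs {
    # Each enterprise CA is a pKIEnrollmentService object whose certificateTemplates
    # attribute lists the template names it is allowed to issue from.
    $map = @{}
    $s = Get-PkiSearcher -Container "Enrollment Services" -Filter "(objectClass=pKIEnrollmentService)"
    foreach ($ca in $s.FindAll()) {
        $caName = [string]$ca.Properties["cn"][0]
        foreach ($t in $ca.Properties["certificatetemplates"]) {
            if (-not $map.ContainsKey($t)) { $map[$t] = @() }
            $map[$t] += $caName
        }
    }
    $map
}

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is an 8-byte negative count of 100-ns intervals (FILETIME style)
    param([byte[]]$Raw)
    if (-not $Raw -or $Raw.Length -ne 8) { return $null }
    [math]::Round((-[BitConverter]::ToInt64($Raw, 0)) / 864000000000.0)   # -> days
}

function Get-AdcsTemplateReport {
    $publishedBy = Get-PublishingCAs
    $s = Get-PkiSearcher -Container "Certificate Templates" -Filter "(objectClass=pKICertificateTemplate)"
    foreach ($r in $s.FindAll()) {
        $p    = $r.Properties
        $name = [string]$p["cn"][0]
        # msPKI-Template-Schema-Version holds the 1/2/3 version the slide describes
        $version = if ($p["mspki-template-schema-version"].Count) { [int]$p["mspki-template-schema-version"][0] } else { 1 }
        $cas = if ($publishedBy.ContainsKey($name)) { $publishedBy[$name] -join ", " } else { "(not published)" }
        New-Object PSObject -Property @{
            Template     = $name
            DisplayName  = [string]$p["displayname"][0]
            Version      = $version
            ValidityDays = ConvertFrom-PkiPeriod ([byte[]]$p["pkiexpirationperiod"][0])
            PublishedBy  = $cas
        }
    }
}

Get-AdcsTemplateReport | Sort-Object Version, Template |
    Format-Table Template, Version, ValidityDays, PublishedBy -AutoSize
```

Templates marked "(not published)" exist in the directory but cannot be requested from any CA; reviewing that column against the CA's intended purpose is a quick way to spot templates that were published by accident or left behind from an earlier CA.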

Configuring Certificate Enrollment Options
- Certificate enrollment occurs when a user or device requests a certificate and the certificate is granted
- Enrollment can occur with several methods:
  - Autoenrollment
  - Certificates MMC
  - Web enrollment
  - Network Device Enrollment Service (NDES)
  - Smart card enrollment

Configuring Certificate Autoenrollment
- When autoenrollment is configured, users and devices don't have to make explicit certificate requests to be issued certificates
- Most commonly used for EFS
- Autoenrollment is enabled in the Computer Configuration or User Configuration node of the Group Policy Management Console
- The CA must be set to allow autoenrollment by configuring request-handling options

Configuring Certificate Autoenrollment (cont.) (slide content not transcribed)
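On the client side, the Group Policy setting from the slide above lands in a registry value, and the certificates that autoenrollment produced can be recognised by the template extension they carry. The following added example (not from the MCTS guide) reads that policy for both the computer and user scope, triggers an autoenrollment pass with `certutil -pulse`, and lists the template-derived certificates in the machine store. Function names are mine; the AEPolicy bit meanings and the two template-extension OIDs are the documented Windows values.

```powershell
# Added example (not from the MCTS guide): verify autoenrollment on a domain member.

function Get-AutoEnrollmentState {
    param([ValidateSet("Machine","User")][string]$Scope)
    $hive = if ($Scope -eq "Machine") { "HKLM:" } else { "HKCU:" }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($v -eq $null)      { return "${Scope}: not configured (no autoenrollment policy applied)" }
    if ($v -band 0x8000)   { return "${Scope}: disabled by policy" }
    $flags = @()
    if ($v -band 0x1) { $flags += "enabled" }
    if ($v -band 0x2) { $flags += "renew expired, update pending, remove revoked" }
    if ($v -band 0x4) { $flags += "update certificates that use templates" }
    "${Scope}: AEPolicy=0x{0:X} ({1})" -f $v, ($flags -join "; ")
}

function Get-TemplateIssuedCerts {
    param([ValidateSet("LocalMachine","CurrentUser")][string]$Store = "LocalMachine")
    $v1 = "1.3.6.1.4.1.311.20.2"   # Certificate Template Name (version 1 templates)
    $v2 = "1.3.6.1.4.1.311.21.7"   # Certificate Template Information (version 2/3 templates)
    Get-ChildItem "Cert:\$Store\My" | ForEach-Object {
        $cert = $_
        $ext  = @($cert.Extensions | Where-Object { $_.Oid.Value -eq $v1 -or $_.Oid.Value -eq $v2 })
        if ($ext.Count -gt 0) {
            New-Object PSObject -Property @{
                Subject    = $cert.Subject
                Template   = $ext[0].Format($false)   # decoded "Template=..." text
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Get-AutoEnrollmentState -Scope Machine
Get-AutoEnrollmentState -Scope User
certutil -pulse | Out-Null        # ask the autoenrollment task to run now instead of at next logon/refresh
Get-TemplateIssuedCerts -Store LocalMachine | Format-Table Subject, Template, NotAfter -AutoSize
```

If the policy shows "enabled" but no template certificates appear after the pulse, the usual causes are on the CA side that the slide mentions: the template's security tab does not grant the account Autoenroll, or the template is not published on any enterprise CA.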

Requesting a Certificate with the Certificates Snap-in
- Users can request certificates that aren't configured for autoenrollment by using the Certificates snap-in
- This method for requesting certificates can be used only with enterprise CAs
- Autoenrollment is preferred over manual requests

Requesting a Certificate with the Certificates Snap-in (cont.) (slide content not transcribed)

Configuring Web Enrollment
- Requires installing the Certification Authority Web Enrollment role service
- Web enrollment is the main method for accessing CA services on a standalone CA
- To use the Certification Authority Web Enrollment role service, users simply open a browser and browse to the server's enrollment page
- A server configured for Web enrollment is called a registration authority or a CA Web proxy

Configuring Web Enrollment (cont.) (slide content not transcribed)

Network Device Enrollment Service
- Allows network devices, such as routers and switches, to obtain certificates by using Simple Certificate Enrollment Protocol (SCEP), a Cisco proprietary protocol
- Cisco devices can request and obtain certificates to run IPSec, even if they don't have domain credentials

Smart Card Enrollment
- Takes place through Web enrollment at a smart card station
- The user supplies credentials to request the smart card certificate and presents his or her card, and then the certificate information is embedded in the card
- Cards use PINs, much like using an ATM
- A user designated as an enrollment agent can enroll smart card certificates on behalf of users to simplify the process

Configuring the Online Responder
- An online responder enables clients to check a certificate's revocation status without having to download the CRL
- To use it, the Online Responder role service must be installed along with the CA role or afterward
- Requires the Web Server role service

Creating a Revocation Configuration
- A revocation configuration tells the CA what methods are available for clients to access CRLs
- To create a revocation configuration, you use the Active Directory Certificate Services snap-in, under the Roles node in Server Manager
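Whatever the online responder serves, clients first learn where to look for revocation data from the CDP and AIA URLs the CA stamps into each certificate. The commands below are an added example, not from the MCTS guide: they set those publication URLs and CRL lifetimes on an issuing CA with `certutil -setreg`, publish a fresh CRL, and then check a certificate's revocation chain by actually fetching the URLs. The host `pki.example.com`, the local folder and the test certificate path are placeholders.

```powershell
# Added example (not from the MCTS guide): CRL/AIA publication on an online issuing CA.
# Run in an elevated PowerShell session on the CA itself.

$httpBase = "http://pki.example.com/CertEnroll"          # placeholder: web share reachable by all clients
$local    = "$env:windir\system32\CertSrv\CertEnroll"     # default local publication folder

# Prefix flags (sum of): 1 = publish CRLs to this location, 2 = include in the CDP extension of
# issued certificates, 4 = include in CRLs as the delta-CRL location, 64 = publish delta CRLs here.
# Certutil splits the REG_MULTI_SZ on the literal "\n" (PowerShell leaves it as two characters).
$cdp = "65:$local\%3%8%9.crl\n6:$httpBase/%3%8%9.crl"
# AIA flags: 1 = publish the CA certificate here, 2 = include in the AIA extension of issued certs
$aia = "1:$local\%1_%3%4.crt\n2:$httpBase/%1_%3%4.crt"

certutil -setreg CA\CRLPublicationURLs    "$cdp"
certutil -setreg CA\CACertPublicationURLs "$aia"

# Base CRL valid for one week, delta CRL daily; clients without an online responder
# otherwise keep using a stale CRL until it expires
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

Restart-Service CertSvc          # registry changes are read at service start
certutil -crl                    # publish a new base and delta CRL to the locations above
certutil -getreg CA\CRLPublicationURLs   # read back what the CA will stamp into certificates

# Validation: fetch every CDP/AIA URL carried by a certificate this CA issued.
# Unreachable URLs show as failed retrievals in the verbose output.
$issued = "C:\temp\issued-test.cer"   # placeholder: any certificate issued by this CA
if (Test-Path $issued) { certutil -verify -urlfetch $issued }
```

Run the `certutil -verify -urlfetch` step from an ordinary domain client as well as from the CA: the CA can always reach its own local folder, so only a client test proves the HTTP location is published and reachable.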

Maintaining and Managing a PKI
- By default, administrators can perform all tasks on a CA server
- After roles have been assigned, administrators can perform only tasks related to their assigned roles
- Four key roles must be filled to administer a CA and its components:
  - CA Administrator
  - Certificate Manager
  - Backup Operator
  - Auditor
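The Auditor role only has something to review if CA auditing is switched on, and role assignment only constrains administrators once role separation is enforced. This added example (not from the MCTS guide) enables both with `auditpol` and `certutil -setreg`, then summarises the CA's security events so an auditor can see issuance, denial, revocation and backup activity at a glance. The function name is mine; the AuditFilter bit values and the event IDs are the documented Windows Server 2008 values.

```powershell
# Added example (not from the MCTS guide): CA auditing and role separation.
# Run in an elevated PowerShell session on the CA.

# 1. Windows must audit the Certification Services subcategory (object access)
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. AuditFilter selects which CA operations are logged. 127 = all seven groups:
#    1 start/stop, 2 backup/restore, 4 issue and manage requests, 8 revoke and publish
#    CRLs, 16 change CA configuration, 32 change CA security settings, 64 archive keys
certutil -setreg CA\AuditFilter 127

# 3. Role separation: an account holding two CA roles is then denied both, so check
#    role membership (certsrv.msc, Security tab) before turning this on
certutil -setreg CA\RoleSeparationEnabled 1

Restart-Service CertSvc

# 4. Auditor view: count recent CA security events by ID
#    4886 request received, 4887 issued, 4888 denied, 4870 revoked,
#    4876/4877 backup started/completed, 4882 CA permissions changed, 4897 role separation enabled
function Get-CaAuditSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = "Security"; StartTime = $since;
        Id = 4870, 4876, 4877, 4882, 4886, 4887, 4888, 4897 } -ErrorAction SilentlyContinue |
      Group-Object Id | Sort-Object Name |
      Select-Object @{ n = "EventId"; e = { $_.Name } }, Count
}
Get-CaAuditSummary -Hours 24 | Format-Table -AutoSize
```

A spike in 4887 events outside change windows, or any 4882 or 4897 event that no change ticket explains, is worth investigating: the first is unexpected issuance, the others are changes to who may administer the CA.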

CA Backup and Restore
- Regular backup of all servers in a network is mandatory
- A full backup or system state backup on a CA server automatically backs up the certificate store along with other data
- The Active Directory Certificate Services snap-in provides a simple wizard-based backup utility you can use to perform backups; the AD CS snap-in can also restore a backup
- CA backups and restores can be done with the certutil command as well
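The certutil route mentioned on the slide lends itself to scripting. The following added example (not from the MCTS guide) writes a dated backup set containing the CA certificate and private key (as a password-protected PKCS#12 file) and the certificate database, then adds the two items `certutil -backup` leaves out, the CA's registry configuration and CAPolicy.inf, and checks that the set is complete. The backup root is a placeholder; the password is prompted for.

```powershell
# Added example (not from the MCTS guide): scripted CA backup with certutil.
# Run in an elevated PowerShell session on the CA.

$backupRoot = "D:\CABackup"                       # placeholder: removable media for an offline root
$stamp      = Get-Date -Format "yyyyMMdd-HHmm"
$dest       = Join-Path $backupRoot $stamp        # certutil requires a new (empty) folder
New-Item -ItemType Directory -Path $dest | Out-Null

$pw = Read-Host "Password protecting the CA key backup (.p12)"

# Certificate database, logs, and the CA certificate with its private key
certutil -p $pw -backup "$dest"
if ($LASTEXITCODE -ne 0) { throw "certutil -backup failed with exit code $LASTEXITCODE" }

# Not covered by certutil -backup: CA configuration (CDP/AIA URLs, CRL periods, audit filter)
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" (Join-Path $dest "CertSvc-Configuration.reg") /y | Out-Null
$caPolicy = Join-Path $env:windir "CAPolicy.inf"
if (Test-Path $caPolicy) { Copy-Item $caPolicy $dest }

# Verify the set has what a restore needs: <CAName>.p12 and DataBase\<CAName>.edb
$pfx = Get-ChildItem -Path $dest -Filter *.p12
$db  = Get-ChildItem -Path (Join-Path $dest "DataBase") -Filter *.edb -ErrorAction SilentlyContinue
if (-not $pfx -or -not $db) { throw "Backup set in $dest is incomplete" }
"Backup written to $dest : $($pfx.Name), $($db.Name)"

# Restore on a rebuilt server (same CA name) with:
#   certutil -f -p <password> -restore "<backup folder>"
# then import the .reg file and restart CertSvc.
```

The `.p12` file is the CA's private key; treat the backup folder with the same care as the CA itself, and keep the password out of scripts and shell history (here it is prompted for rather than stored).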

Key and Certificate Archival and Recovery
- If a user's private key is lost or damaged, he or she might lose access to systems or documents
- By using key archival, the key can be locked away and then restored if the user's private key is lost
- Two methods for archiving private keys:
  - Manual: involves exporting the certificate
  - Automatic: uses a key recovery agent

Key and Certificate Archival and Recovery (cont.) (slide content not transcribed)

Chapter Summary
- Active Directory Certificate Services (AD CS) provides services for creating a PKI in a Windows Server 2008 environment
- A PKI binds the identity of a user or device to a cryptographic key
- Some key terms for describing a PKI and AD CS include private and public keys, digital signature, certification authority, certificate revocation list, online responder, and certificate enrollment

Chapter Summary (cont.)
- An enterprise CA integrates with Active Directory; a standalone CA does not
- A CA can be online or offline; an offline CA is more secure and is usually used in a CA hierarchy with one or more online issuing CAs
- The AD CS role is installed in Server Manager and should not be installed on a domain controller
- Configuring a CA involves configuring certificate templates, enrollment options, and an online responder as well as creating a revocation configuration

Chapter Summary (cont.)
- Certificate enrollment occurs when a user or device requests a certificate and the certificate is granted; enrollment can occur with autoenrollment, the Certificates MMC, Web enrollment, NDES, and smart cards
- An online responder allows clients to check a certificate's revocation status without having to download the CRL periodically
- Role-based administration limits the PKI tasks a domain administrator account can perform

Chapter Summary (cont.)
- When a full backup or system state backup is performed on a CA server, the certificate store is backed up along with other data
- When users' private keys are lost or damaged, they could lose access to systems or documents