Lab Answer Key for Module 13: Enterprise PKI Active Directory Certificate Services (AD CS)

Table of Contents

Lab 1: Enterprise PKI Active Directory Certificate Services (ADCS) ..... 1
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Active Directory, ActiveSync, ActiveX, BitLocker, BizTalk, ForeFront, Internet Explorer, MSDN, Outlook, PowerPoint, SharePoint, SQL Server, Visual Studio, Windows, Windows Media, Windows Mobile, Windows NT, Windows PowerShell, Windows Server, Windows Vista, and WinFX are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Version 1.2
Lab 1: PKI Enhancements in Windows Vista and Windows Server 2008

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab:

Turn on NY-DC-01.
Log on to NY-DC-01 as ADATUM\Administrator with a password of Pa$$w0rd.

Exercise 1: Add Certificate Server Role UI

Task 1: Add Certificate Server Role

Note: Perform these steps on NY-DC-01.

1. The Server Manager starts automatically.
2. In the Server Manager Details pane, scroll down to Roles Summary.
3. Click Add Roles.
4. The Add Roles Wizard dialog box appears. Click Next.
5. The Select Server Roles page appears. Select Active Directory Certificate Services.
6. Click Next.
7. The Introduction to Active Directory Certificate Services page appears. Click Next.
8. The Select Role Services page appears. Select Certification Authority Web Enrollment.
9. The Add Roles Wizard dialog box appears. Click Add Required Role Services.
10. Select Online Responder. Click Next.
11. The Specify Setup Type page appears. Click Next.
12. The Specify CA Type page appears. Click Next.
13. The Set Up Private Key page appears. Click Next.
14. The Configure Cryptography for CA page appears. In the Select a cryptographic service provider (CSP) list, examine the options.
15. Click RSA#Microsoft Software Key Storage Provider.
16. Click Next.
17. The Configure CA Name page appears. Click Next.
18. The Set Validity Period page appears. Click Next.
19. The Configure Certificate Database page appears. Click Next.
20. The Web Server (IIS) page appears. Click Next.
21. The Select Role Services page appears. Click Next.
22. The Confirm Installation Selections page appears. Click Print, e-mail, or save this information.
23. The Installation Report window opens. Examine Certification Authority.
24. Close the Installation Report window.
25. Click Install.
26. Click Close.
27. Minimize Server Manager.
Exercise 2: Explore New Enrollment UI

Task 1: Explore new enrollment UI

Note: Perform these steps on NY-DC-01.

1. Click Start, click Run, and then type MMC.
2. Click OK.
3. On the File menu, click Add/Remove Snap-in.
4. The Add or Remove Snap-ins dialog box appears. Click Certificates, and then click Add.
5. The Certificates snap-in dialog box appears. Ensure My User Account is selected, and then click Finish.
6. Click OK.

Note: You might want to resize the console tree pane.

7. Expand Certificates - Current User, expand Personal, and then click Certificates.
8. On the Action menu, point to All Tasks, and then click Request New Certificate.
9. The Certificate Enrollment dialog box appears. Click Next.
10. The Request Certificates page appears. Select Show all templates.
11. Scroll up, and for User, expand the Details list box.
12. Click Properties.
13. The Certificate Properties dialog box appears. In the Friendly name field, type Test User Certificate.
14. Click the Subject tab.
15. Under Subject name, in the Type list, examine the options.
16. Click the Extensions tab.
17. Expand the Key Usage list box.
18. Expand the Basic Constraints list box.
19. Click the Private Key tab.
20. Expand the Cryptographic Service Provider list box.
21. Examine the items displayed.
22. Click the Certification Authority tab.
23. Click OK.
24. Select User.
25. Click Enroll.
26. The Certificate Installation Results page appears. Click Finish.
27. Minimize the Console1 window.
Exercise 3: Explore CA performance monitors UI

Task 1: Explore CA Performance Monitors

Note: Perform these steps on NY-DC-01.

1. Click Start, point to Administrative Tools, and then click Reliability and Performance Monitor.
2. The Reliability and Performance Monitor window opens.
3. In the console tree, expand Reliability and Performance, expand Monitoring Tools, and then click Performance Monitor.
4. In the Details pane, click the Add Counter toolbar button.

Note: This button looks like a green plus sign.

5. The Add Counters dialog box appears. Under <Local computer>, expand Certification Authority.
6. Click Request processing time (ms).

Note: You may have to click twice to populate the Instances of selected object.

7. Click Add.
8. Under <Local computer>, expand OCSP Server.
9. Click Request processing time (ms).

Note: You may have to click twice to populate the Instances of selected object.

10. Click Add.
11. Click OK.
12. Examine the graph in the Details pane.
13. On the toolbar, in the Change Graph Type list, click Report.

Note: This button looks like a graph stacked on top of a bar chart. It is to the left of the Add Counter button.

14. Examine the Details pane.
15. Minimize Reliability and Performance Monitor.
16. Restore Console1.
17. On the Action menu, point to All Tasks, and then click Request New Certificate.
18. The Certificate Enrollment dialog box appears. Click Next.
19. The Request Certificate page appears. Select User.
20. Click Enroll.
21. The Certificate Installation Results page appears. Click Finish.
22. Close Console1.
23. The Microsoft Management Console dialog box appears. Click No.
24. Restore Reliability and Performance Monitor.
25. In the Details pane, examine Certification Authority.
26. Notice that the Certification Authority Request Processing Time has changed.
27. Close Reliability and Performance Monitor.
Exercise 4: Explore delegated enrollment UI

Task 1: Explore Delegated Enrollment

1. Click Start, point to Administrative Tools, and then click Certification Authority.
2. The certsrv window opens. In the console tree, right-click Adatum-NY-DC-01-CA, and then click Properties. The Adatum-NY-DC-01-CA Properties dialog box appears.
3. Click the Enrollment Agents tab.
4. Click Restrict enrollment agents.
5. The Enrollment Agents dialog box appears. Click OK.
6. Examine Certificate Templates, and then Permissions.
7. Click OK.
8. Minimize certsrv.
Exercise 5: Introduce OCSP configuration UI

Task 1: Deploy the Online Responder

Note: Perform these steps on NY-DC-01.

1. Click Start, and then click Command Prompt.
2. The Command Prompt window opens. Type Certutil -vocsproot delete, and press ENTER.
3. Type Certutil -vocsproot, and press ENTER.
4. Minimize Command Prompt.
5. Restore certsrv.
6. In the console tree, right-click Adatum-NY-DC-01-CA, and then click Properties.
7. The Adatum-NY-DC-01-CA Properties dialog box appears. Click the Extensions tab.
8. In the Select extension list, click Authority Information Access (AIA).
9. Click Add.
10. The Add Location dialog box appears. In the Location field, type http://ny-dc-01/ocsp.
11. Click OK.
12. Select Include in the online certificate status protocol (OCSP) extension, and then click OK.
13. The Certification Authority dialog box appears. Click Yes.
14. Minimize certsrv.

Task 2: Configure the OCSP Signing Certificate Template

1. Click Start, click Run, and then type MMC.
2. Click OK.
3. On the File menu, click Add/Remove Snap-in.
4. The Add or Remove Snap-ins dialog box appears. Click Certificate Templates, and then click Add.
5. Click OK.
6. The Certificate Templates window opens. In the console tree, click Certificate Templates.
7. In the Details pane, right-click the OCSP Response Signing template, and then click Duplicate Template.
8. The Duplicate Template dialog box appears. Click Windows 2003 Server, Enterprise Edition.
9. Click OK.
10. The Properties of New Template dialog box appears. Click OK.
11. Minimize Console1.
12. Restore Command Prompt.
13. Type certutil -v -setreg policy\enablerequestextensionlist +1.3.6.1.5.5.7.48.1.5, and then press ENTER.
14. Type net stop certsvc, and then press ENTER.
15. Type net start certsvc, and then press ENTER.
16. Close Command Prompt.
17. Restore Console1.
18. In the Details pane, right-click OCSP Response Signing, and then click Properties.
19. The OCSP Response Signing Properties dialog box appears. Click the Security tab.
20. Click Add.
21. The Select Users, Computers, or Groups dialog box appears. Click Object Types.
22. The Object Types dialog box appears. Select Computers, and then click OK.
23. In the Enter the object names to select field, type NY-DC-01, and then click OK.
24. For Enroll, select Allow.
25. Click the Request Handling tab.
26. Notice Add Read permissions to Network Service on the private key (enable for machine templates only).
27. Click OK.
28. Close Console1.
29. The Microsoft Management Console dialog box appears. Click No.
30. Restore certsrv.
31. In the console tree, expand Adatum-NY-DC-01-CA.
32. Right-click Certificate Templates, and then click New Certificate Template to Issue.
33. The Enable Certificate Templates dialog box appears. Click OCSP Response Signing, and then click OK.
34. Minimize certsrv.

Task 3: Configure the Online Responder

1. Click Start, point to Administrative Tools, and then click Online Responder Management.
2. The ocsp window opens. In the Actions pane, click Responder Properties.
3. The Online Responder Properties dialog box appears. Notice the setting for Web Proxy Threads.
4. Notice the setting for Cache entries.
5. Examine the contents of the Audit tab.
6. Click the Security tab.
7. Examine Proxy Requests.
8. Examine Manage Online Responder.
9. Click Cancel.
10. Close ocsp.
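The command-line part of Exercise 5 (Task 1 steps 2 through 12 and Task 2 steps 13 through 15) as one script, with a check at the end that the CA registry now holds both settings. This is an added example, not part of the lab answer key; it assumes an elevated PowerShell on the CA (NY-DC-01) and the lab's responder URL http://ny-dc-01/ocsp, and the Invoke-Certutil wrapper is a helper written for this example.

```powershell
# Added example (not from the lab): Exercise 5 certutil steps as a script.
# Assumes: elevated PowerShell on the CA (NY-DC-01); responder URL as in the lab.
$ocspUrl = 'http://ny-dc-01/ocsp'

# Helper (hypothetical, written for this example): run certutil.exe and stop
# on a non-zero exit code instead of silently continuing.
function Invoke-Certutil {
    param([string[]]$CertutilArgs)
    $out = & certutil.exe @CertutilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $CertutilArgs failed:`n$out" }
    return $out
}

# Task 1: drop the default OCSP virtual root, then add the responder URL to
# the CA's AIA list. Flag 32 (CSURL_ADDTOCERTOCSP) is the registry form of
# the "Include in the online certificate status protocol (OCSP) extension"
# check box the lab selects in the Extensions tab.
Invoke-Certutil @('-vocsproot', 'delete') | Out-Null
Invoke-Certutil @('-setreg', 'CA\CACertPublicationURLs', "+32:$ocspUrl") | Out-Null

# Task 2, step 13: let requests carry id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5),
# the extension the OCSP Response Signing template asks for.
Invoke-Certutil @('-v', '-setreg', 'policy\EnableRequestExtensionList', '+1.3.6.1.5.5.7.48.1.5') | Out-Null

# Task 2, steps 14-15: the CA reads these registry values at service start.
& net.exe stop certsvc | Out-Null
& net.exe start certsvc | Out-Null

# Verification: read both values back. -getreg prints one list entry per line,
# so a substring match on the line is enough to confirm each setting.
$aia = Invoke-Certutil @('-getreg', 'CA\CACertPublicationURLs')
$ext = Invoke-Certutil @('-getreg', 'policy\EnableRequestExtensionList')
if (-not ($aia | Where-Object { $_ -like "*32:$ocspUrl*" })) {
    throw "OCSP AIA entry for $ocspUrl not found"
}
if (-not ($ext | Where-Object { $_ -like '*1.3.6.1.5.5.7.48.1.5*' })) {
    throw 'id-pkix-ocsp-nocheck is not in EnableRequestExtensionList'
}
Write-Host 'OCSP AIA entry and ocsp-nocheck request extension are configured on this CA.'
```

Clients honor id-pkix-ocsp-nocheck by skipping revocation checks on the OCSP signing certificate itself, so a signing certificate that carries it cannot be effectively revoked; keep the OCSP Response Signing template's validity period short for that reason.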
Exercise 6: Explore Certificate Revocation

Task 1: Explore Certificate Revocation

1. Restore certsrv.
2. In the console tree, click Issued Certificates.
3. In the Details pane, right-click the certificate with Request ID of 3, point to All Tasks, and then click Revoke Certificate.
4. The Certificate Revocation dialog box appears. In the Reason Code list, click Certificate Hold.
5. Click Yes.
6. In the console tree, click Revoked Certificates.
7. In the Details pane, right-click the certificate with Request ID of 3, point to All Tasks, and then click Unrevoke certificate.
8. Close certsrv.

Lab Shutdown

After you complete the lab, you must shut down all virtual machines and discard any changes.
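The Exercise 6 revoke-and-unrevoke sequence done with certutil instead of the certsrv console, checking the CA database disposition after each step. This is an added example, not part of the lab answer key; it assumes an elevated PowerShell on the CA (NY-DC-01), that the CA database still holds the lab's Request ID 3, and the Invoke-Certutil and Get-RequestColumn helpers are written for this example.

```powershell
# Added example (not from the lab): Exercise 6 with certutil.
# Assumes: elevated PowerShell on the CA (NY-DC-01); Request ID 3 as in the lab.
$requestId = 3

# Helper (hypothetical, written for this example): run certutil.exe and stop
# on a non-zero exit code.
function Invoke-Certutil {
    param([string[]]$CertutilArgs)
    $out = & certutil.exe @CertutilArgs
    if ($LASTEXITCODE -ne 0) { throw "certutil $CertutilArgs failed:`n$out" }
    return $out
}

# Helper (hypothetical): read one column of the CA database row for a request.
# certutil -view prints strings as   Serial Number: "6100..."
# and numeric columns as             Request Disposition: 0x14 (20) -- Issued
function Get-RequestColumn([int]$Id, [string]$Column) {
    $text = (Invoke-Certutil @('-view', '-restrict', "RequestID=$Id", '-out', $Column)) -join "`n"
    $m = [regex]::Match($text, '(?im)^\s*[^:\r\n]+:\s*(?:"([^"]*)"|0x[0-9a-f]+\s*\((\d+)\))')
    if (-not $m.Success) { throw "Request $Id or column $Column not found in the CA database" }
    if ($m.Groups[1].Success) { return $m.Groups[1].Value }
    return [int]$m.Groups[2].Value
}

# certutil -revoke takes the serial number, not the Request ID, so look it up.
$serial = Get-RequestColumn $requestId 'SerialNumber'
Write-Host "Request $requestId has serial number $serial"

# Reason 6 is Certificate Hold, the only reason code the CA lets you undo.
# Disposition 21 = Revoked.
Invoke-Certutil @('-revoke', $serial, '6') | Out-Null
if ((Get-RequestColumn $requestId 'Disposition') -ne 21) { throw 'expected disposition 21 (Revoked)' }
Write-Host "Request $requestId is on hold (disposition 21)"

# Reason -1 is Unrevoke: it clears the hold and the row returns to
# disposition 20 = Issued, which is what the lab's Unrevoke certificate command does.
Invoke-Certutil @('-revoke', $serial, '-1') | Out-Null
if ((Get-RequestColumn $requestId 'Disposition') -ne 20) { throw 'expected disposition 20 (Issued)' }
Write-Host "Request $requestId is issued again (disposition 20)"
```

A certificate revoked with any reason other than Certificate Hold stays revoked, so on a production CA the hold reason is the one to use when the status of a certificate is still being investigated.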