PKI in a Web Services World

Chris Macaulay, Program Manager, Microsoft
Steve Roylance, Business Development Director, GlobalSign
Masakazu Asano, Manager, GlobalSign K.K.
Session SIA316

Business Ready Security
Help securely enable business by managing risk and empowering people
• Highly secure and interoperable platform
• Identity: integrate and extend security across the enterprise
• Protect everywhere, access anywhere
• Simplify the security experience and manage compliance
[Diagram: from Block, Cost, Siloed to Enable, Value, Seamless]

Agenda

• Session goals
• Conceptual enrollment architecture
• Using enrollment web services with GlobalSign
• GlobalSign enrollment architecture
• Windows enrollment architecture
• Using enrollment web services in the enterprise
• Summary

Session Goals

• Provide an architecture overview of certificate enrollment
• Introduce the Certificate Enrollment Web Services
• Demonstrate scenarios where you can use Certificate Enrollment Web Services
  • Automating the certificate lifecycle for web servers
  • Extending the reach of the enterprise PKI beyond the corporate network boundaries

Public Key Infrastructure: Windows 7 Investments
• Enrollment using web services
• Server consolidation
• Improve existing scenarios
• Strong authentication

Conceptual Enrollment Architecture
Policy Authority: provides certificate enrollment policy to a requestor (the Enrollment Client).
Certificate enrollment policy consists of:
• A unique identifier
• A collection of certificate templates
• A collection of certificate issuers
Certificate enrollment policy is the central point of PKI management for administrators.

Conceptual Enrollment Architecture (all roles)
• Policy Authority: provides certificate enrollment policy to a requestor
• Certification Authority: receives, processes and responds to certificate requests
• Authentication Authority: provides or validates authentication information
• Identity Authority: provides identity information
• Enrollment Client: the requestor

Legacy Enrollment in Windows
Roles: Authentication Authority = Kerberos; Identity Authority = Active Directory; Policy Authority = Active Directory (diagram transport: LDAP); Certification Authority = ADCS CA (diagram transport: DCOM)
1. Client requests certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns it to client

Certificate Enrollment Web Services
Two web services protocols:
• Certificate enrollment policy [MS-XCEP]
• Certificate enrollment [MS-WSTEP]
HTTPS based, so firewall-friendly
• Practical to implement
• Integrate with non-enterprise issuers: public root integration for web SSL, and hosted PKI
Make the enterprise better: extend existing PKI investments with little effort and no additional ongoing cost

A Leading Public Certification Authority
Steve Roylance, Business Development Director, GlobalSign Limited (UK)
Masakazu Asano, Technical Team Manager, GlobalSign KK (Japan)

Who is GlobalSign?
• Global offices in the US, Europe, Japan and China; part of GMO Internet (ticker TSE:9449)
• Certification Authority credentials:
  • Second longest operational Certification Authority in Europe
  • Owner of the highly ubiquitous 2048-bit GlobalSign Root CA
  • WebTrust compliant since 2002
  • WebTrust for Extended Validation compliant and CA/Browser Forum (CABForum) member
• Provider of SSL certificates, digital IDs for people and machines, code (kernel) signing, document security and compliance solutions
• Directly issued over 1.4 million digital certificates
• Issued over 150,000 SSL server certificates
• Over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root

SSL Certificate deployment continues to grow
• Legislation and compliance (PCI) and best practice to protect consumers and stakeholders
• Cryptographic technology shift from 1024-bit to 2048-bit in readiness to support NIST's December 31, 2010 guideline
• Ubiquity, while important, now ranks behind lifecycle management tools as the focus for both the SSL certificate provider and platform vendor
[Chart: The SSL Certificate Business (estimated); certificates by validation type (Domain, Organization, Extended, All) per year from 2001 to 2011, scale 0 to 2,000,000. Data from Netcraft SSL Survey March 2009 (www.netcraft.com)]

“I need an SSL Certificate for my public facing web server”

Challenges with SSL Certificates
• Certificate Signing Request (CSR) generation (1024-bit versus 2048-bit)
  • Industry awareness
  • Inconsistent CSR rules (OIDs, extensions, hashing etc.)
  • Lack of standard (or user-friendly) tools for CSR generation
• Limitations in IIS for renewals
  • Limited flexibility to periodically renew (new CSR needed)
  • Limited flexibility for additional subject alternative names during the certificate's lifetime
• General limitations
  • Complicated multi-page web experiences
  • No yearly (or periodic) automation for renewals
  • Complex terminology for non-tech-savvy buyers

Today’s SSL Experience
Steps shown: Create CSR; Register; Validate; Download Certificate (Save as…); Install Intermediates (Save as…); Install Certificate.
Validation tiers:
• DomainSSL™ (Domain Validation): challenge response and/or WHOIS verification of domain ownership.
• OrganizationSSL™ (Organization Validation and authorization): verification of organizational existence and authorization of the SSL certificate request.
• ExtendedSSL™ (Extended Validation checking): validation of business registration details, physical existence and a higher degree of verification of the contract signer's authority.

GlobalSign's New SSL Enrollment
Steps shown: Register; Validate (validation and approval); Enroll and Install.
Validation tiers (DomainSSL™, OrganizationSSL™, ExtendedSSL™) as on the previous slide.

SSL Certificate Purchasing & Registration (demo)
Steve Roylance, Business Development Director, GlobalSign Limited
The New SSL Registration Experience: Search; Choose Supplier; Choose Product; Apply

Approval and Final Installation (demo)
Steve Roylance, Business Development Director, GlobalSign Limited
The New SSL Enrollment Experience: Login; Pickup and Install; Complete

Benefits of Windows and Web Services with GlobalSign
• New Windows APIs oriented around “in session” issuance for a low-friction user experience
• No need for CSR generation!
• Simplifies the purchasing experience with lower requirements from the client
• Web services configuration and enrollment can happen in a single low-prompt interaction
• Renewals can happen automatically!

“It’s been almost a year, do I need to renew my SSL certificate?”

Renewal Challenges
• Most SSL websites are long lived, but on average certificates are issued for 1 year
• 65-75% of customers renew (5-10% attrition, 20% stop)
• The process for a renewed certificate is the same as for a new certificate:
  • Same request generation and web experience
  • Same validation
  • Same PAIN!
• After renewal, the web server must be reconfigured

Certificate Renewal (demo)
Renewal experience: automatic renewal! Automatic update!

SSL Scenario Summary
• SSL certificates are growing in usage: consider SSL and EV certificates to protect your intranet, extranet and internet web assets today
• Windows eases the enrollment pain: low-friction enrollment; no-touch and low-touch renewal and lifecycle management
• GlobalSign and Microsoft provide a better-together experience for your certificate needs

SSL Scenario Architecture Overview
Two new certificate enrollment protocols:
• Certificate Enrollment Policy [MS-XCEP]
• Certificate Enrollment [MS-WSTEP]
Flow:
• Certificate enrollment policy is configured by GlobalSign using web APIs
• GlobalSign provides the enrollment web services
• Windows autoenrollment retrieves the certificate enrollment policy and enrolls for certificates
• Windows autoenrollment renews the certificate
• IIS uses the renewed SSL certificate

GlobalSign Enrollment Architecture (diagram)
Policy Authority: GlobalSign Enrollment Policy Web Service, backed by the GlobalSign policy store (configuration). Certification Authority: GlobalSign Enrollment Web Service in front of the GlobalSign CA. Both are reached over HTTPS.
1. Client reads certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns it to client

ADCS Web Services Architecture
Two new ADCS role features:
• Certificate Enrollment Policy Web Service
• Certificate Enrollment Web Service
Details:
• The Certificate Enrollment Policy Web Service uses certificate templates stored in Active Directory
• The Certificate Enrollment Web Service provides the web services for access to a Windows CA
• New Group Policy controls for certificate enrollment policy management

Windows Architecture (diagram)
Policy Authority: ADCS Enrollment Policy Web Service (templates from Active Directory; client configuration via Group Policy). Certification Authority: ADCS Enrollment Web Service in front of the ADCS CA. All client traffic is HTTPS.
1. Client reads certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns it to client
The second diagram shows the same three steps with the web services placed in front of an existing PKI infrastructure (Windows CA and Active Directory).

Available Enrollment Operations
• Functional parity with the LDAP/DCOM protocol
  • Supports new and renewed certificates
  • Supports key archival for encryption certificates
• Supported authentication types: Kerberos; username/password; X.509 certificate
• Windows autoenrollment and the CertEnroll APIs support web services enrollment
• No application code change required!

Challenges in the Enterprise
• PKI complexity: the more complex the AD deployment, the more complex the PKI becomes
• Reaching external users: mobile and remote workers are not always on the corporate network
• Managing non-domain-joined machines: employee home machines; non-domain workstations and workload servers
• Engaging with partners: strong authentication is desirable
• Managing internal and external server workloads that use SSL
• In-house PKI expertise: when can I outsource my PKI?

“I need my users to be able to renew certificates automatically, even when disconnected from the corporate network”

Renewal Challenges
• A CA in the extranet seems risky
• How do you renew your VPN certificate (smart card, etc.) when you are on the road?
• Branch office and mobile workers are increasingly common in the “connected” workplace
• The lifecycle costs are too high today

“Renewal Only” for Windows Server
• Windows features a renewal-only mode for the Certificate Enrollment Web Service
• Requires the user to have the original certificate, which is used to sign the renewal request
• Significant attack footprint reduction:
  • Wire traffic is well defined and scoped to the renewal operation
  • The CA remains in the intranet
  • No Kerberos delegation required
  • Windows requires authentication in addition to the existing certificate
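As an added example (not Microsoft's or GlobalSign's code), here is the renewal-only check the slide describes, written in Go with a constructed in-memory CA: the endpoint refuses unauthenticated callers and bare CSRs, verifies that the presented certificate was issued by this CA and is within its validity period, verifies that the CSR is countersigned by that certificate's key, checks proof of possession of the new key, and refuses a subject change. Windows wraps a renewal as CMC/PKCS#7 signed by the existing certificate; the detached ECDSA countersignature here stands in for that and is an assumption, as are the names vpn-client-01 and Example Issuing CA.

```go
package main

// Added example, not Microsoft's or GlobalSign's code: a renewal-only endpoint check as the slide
// describes it. The CA is a constructed in-memory ECDSA CA; the renewal request is a PKCS#10 CSR
// countersigned with the existing certificate's key (an assumption standing in for the CMC/PKCS#7 wrapping Windows uses).

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalRequest is what the client sends to the renewal-only endpoint.
type RenewalRequest struct {
	CSRDER          []byte // PKCS#10 request for the new key (DER)
	ExistingCertDER []byte // certificate being renewed (DER)
	Sig             []byte // ECDSA over SHA-256(CSRDER), made with the existing certificate's key
}

// issue signs tmpl with signer (parent == tmpl for a self-signed CA) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newScenario is constructed sample data: a self-signed CA and one client already enrolled for a year.
func newScenario() (ca, client *x509.Certificate, clientKey *ecdsa.PrivateKey, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	clientKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Issuing CA"}, NotAfter: time.Now().AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	clientTmpl := &x509.Certificate{Subject: pkix.Name{CommonName: "vpn-client-01", Organization: []string{"Example Corp"}}, NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	client, err = issue(clientTmpl, ca, &clientKey.PublicKey, caKey)
	return ca, client, clientKey, err
}

// buildRenewal is the client side: a CSR for newKey, countersigned by the certificate being renewed.
func buildRenewal(existing *x509.Certificate, existingKey, newKey *ecdsa.PrivateKey) (RenewalRequest, error) {
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: existing.Subject}, newKey)
	if err != nil {
		return RenewalRequest{}, err
	}
	h := sha256.Sum256(csrDER)
	sig, err := ecdsa.SignASN1(rand.Reader, existingKey, h[:])
	return RenewalRequest{CSRDER: csrDER, ExistingCertDER: existing.Raw, Sig: sig}, err
}

// validateRenewalOnly is the server side. callerAuthenticated is the outcome of the web service's own
// authentication (Kerberos, username/password or client certificate), assumed to have run before this.
func validateRenewalOnly(ca *x509.Certificate, req RenewalRequest, callerAuthenticated bool, now time.Time) (*x509.CertificateRequest, error) {
	if !callerAuthenticated || len(req.ExistingCertDER) == 0 { // no anonymous callers, no initial enrollment here
		return nil, fmt.Errorf("renewal-only endpoint: caller must authenticate and present the certificate to renew")
	}
	existing, err := x509.ParseCertificate(req.ExistingCertDER)
	if err != nil {
		return nil, fmt.Errorf("existing certificate: %w", err)
	}
	if err := existing.CheckSignatureFrom(ca); err != nil || now.Before(existing.NotBefore) || now.After(existing.NotAfter) {
		return nil, fmt.Errorf("existing certificate not issued by this CA or outside its validity period: %v", err)
	}
	pub, ok := existing.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(req.CSRDER)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], req.Sig) { // the request must be countersigned by the key being renewed
		return nil, fmt.Errorf("countersignature does not verify with the existing certificate")
	}
	csr, err := x509.ParseCertificateRequest(req.CSRDER)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the new key
	}
	if err != nil {
		return nil, fmt.Errorf("csr: %w", err)
	}
	if csr.Subject.String() != existing.Subject.String() { // a renewal keeps the identity it renews
		return nil, fmt.Errorf("renewal may not change the subject")
	}
	return csr, nil
}

func main() {
	ca, client, key, _ := newScenario()
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req, _ := buildRenewal(client, key, newKey)
	_, okErr := validateRenewalOnly(ca, req, true, time.Now())
	_, bareErr := validateRenewalOnly(ca, RenewalRequest{CSRDER: req.CSRDER}, true, time.Now())
	fmt.Println("genuine renewal accepted:", okErr == nil, "| bare CSR rejected:", bareErr)
}
```

Running the file prints the genuine renewal as accepted and the bare C
SR as rejected. The callerAuthenticated flag models the slide's last point: the web service still authenticates the caller before the certificate-based check runs, so possession of a certificate alone is never enough to reach the CA.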

Renewing Off the Corporate Network (demo)
Chris Macaulay, Program Manager, Microsoft

Windows AutoEnrollment
• Support for multiple certificate enrollment policies
• Full support of web services enrollment
• Manages several client tasks:
  • Enrollment policy cache
  • Server selection for enrollment operations
• Adds renewal-only request support with web services enrollment
• Runs on all Windows 7 and Windows Server 2008 R2 SKUs
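An added example, not Microsoft's code, in Go: a client-side model of two of the autoenrollment tasks listed above (the enrollment policy cache and server selection) over the policy shape from the Conceptual Enrollment Architecture slide (a unique identifier, templates, issuers), with a renewal-only endpoint of the kind described for Windows Server included in the sample policy. The struct layout, the Priority, RenewalOnly and Auth attributes on endpoints, the 8-hour refresh and the example URIs are assumptions, not the MS-XCEP wire format.

```go
package main

// Added example, not Microsoft's code: a client-side model of two autoenrollment tasks the slide
// lists (the enrollment policy cache and server selection) over the conceptual policy of the
// architecture slide (identifier, templates, issuers). The structs, the Priority, RenewalOnly and
// Auth attributes on endpoints, and the sample policy are assumptions, not the MS-XCEP wire format.

import (
	"fmt"
	"time"
)

// AuthType is a bit set of the authentication types the deck lists for the enrollment web services.
type AuthType int

const (
	Kerberos AuthType = 1 << iota
	UsernamePassword
	ClientCertificate
)

type IssuerEndpoint struct {
	Issuer      string   // issuer (CA) this endpoint belongs to
	URI         string
	Auth        AuthType // authentication the endpoint accepts
	Priority    int      // lower is preferred
	RenewalOnly bool     // accepts only renewals signed with an existing certificate
}

// EnrollmentPolicy follows the slide: a unique identifier, templates and issuers.
type EnrollmentPolicy struct {
	ID              string
	NextUpdateHours int                 // how long a client may use a cached copy
	Templates       map[string][]string // template name -> IDs of the issuers that publish it
	Issuers         []IssuerEndpoint
}

type PolicyCache struct {
	policies map[string]EnrollmentPolicy
	expires  map[string]time.Time
	Fetches  int // how many times the policy server was contacted
}

// Get serves a still-fresh cached copy, otherwise calls fetch (the policy web service round trip).
func (c *PolicyCache) Get(id string, now time.Time, fetch func() (EnrollmentPolicy, error)) (EnrollmentPolicy, error) {
	if p, ok := c.policies[id]; ok && now.Before(c.expires[id]) {
		return p, nil
	}
	p, err := fetch()
	if err != nil {
		return EnrollmentPolicy{}, err
	}
	if c.policies == nil {
		c.policies, c.expires = map[string]EnrollmentPolicy{}, map[string]time.Time{}
	}
	c.policies[id], c.expires[id] = p, now.Add(time.Duration(p.NextUpdateHours)*time.Hour)
	c.Fetches++
	return p, nil
}

// SelectServer picks the endpoint for one operation: its issuer must publish the template, it must accept
// an authentication type the client can present, and a renewal-only endpoint serves renewals only. Lowest Priority wins.
func SelectServer(p EnrollmentPolicy, template string, clientAuth AuthType, renewal bool) (IssuerEndpoint, error) {
	publishes := map[string]bool{}
	for _, id := range p.Templates[template] {
		publishes[id] = true
	}
	var best *IssuerEndpoint
	for i := range p.Issuers {
		u := &p.Issuers[i]
		if !publishes[u.Issuer] || u.Auth&clientAuth == 0 || (u.RenewalOnly && !renewal) {
			continue
		}
		if best == nil || u.Priority < best.Priority {
			best = u
		}
	}
	if best == nil {
		return IssuerEndpoint{}, fmt.Errorf("policy %s: no usable issuer for template %q (renewal=%v)", p.ID, template, renewal)
	}
	return *best, nil
}

// SamplePolicy is constructed data: one CA with an internal Kerberos endpoint and an extranet
// renewal-only endpoint that takes client-certificate authentication (URIs are placeholders).
func SamplePolicy() EnrollmentPolicy {
	return EnrollmentPolicy{ID: "example-policy-1", NextUpdateHours: 8,
		Templates: map[string][]string{"VPN Client": {"corp-ca"}},
		Issuers: []IssuerEndpoint{
			{Issuer: "corp-ca", URI: "https://ces.corp.example/enroll", Auth: Kerberos, Priority: 1},
			{Issuer: "corp-ca", URI: "https://renew.extranet.example/enroll", Auth: ClientCertificate, Priority: 2, RenewalOnly: true},
		}}
}

func main() {
	var cache PolicyCache
	p, _ := cache.Get("example-policy-1", time.Now(), func() (EnrollmentPolicy, error) { return SamplePolicy(), nil })
	u, err := SelectServer(p, "VPN Client", ClientCertificate, true)
	fmt.Println("off-network renewal goes to:", u.URI, err)
}
```

SelectServer shows why the renewal-only endpoint matters for the extranet story: a client on the road that can present only its certificate finds no endpoint for an initial request but does find the renewal-only endpoint for a renewal, while the same client on the corporate network with Kerberos goes to the internal endpoint because its priority is lower.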

Summary
• SSL certificate enrollment
• Extranet renewals
• Hosted PKI

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources
Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

