Creating and Managing Digital Certificates Chapter Eleven.

Date post: 18-Jan-2016
Page 1: Creating and Managing Digital Certificates Chapter Eleven.

Creating and Managing Digital Certificates

Chapter Eleven

Page 2: Exam Objectives in this Chapter

- Configure Active Directory directory service for certificate publication.
- Plan a public key infrastructure (PKI) that uses Certificate Services.
- Identify the appropriate type of certificate authority to support certificate issuance requirements.
- Plan the enrollment and distribution of certificates.
- Plan for the use of smart cards for authentication.

Page 3: Lessons in this Chapter

- Introducing Certificates
- Designing a Public Key Infrastructure
- Managing Certificates

Page 4: Certificates

To provide this protection, Windows Server 2003 includes the components needed to create a PKI. We need to understand:

- Secret key encryption
- The contents of a certificate
- The function of a certification authority

Page 5: The Public Key Infrastructure

A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys, using digital certificates.

Page 6: Understanding Secret Key Encryption

Encryption is essentially a system in which one character is substituted for another. If you create a key specifying that the letter A should be replaced by Q, the letter B by O, the letter C by T, and so forth, any message you encode using that key can be decoded by anyone else who has that key.

This is called secret key encryption, because you must protect the key from compromise.

Page 7: Public Key Encryption

For encryption on a data network to be both possible and practical, computers typically use a form of public key encryption.

In public key encryption, every user has two keys, a public key and a private key.

Page 8: Note

It is usually not practical to encrypt an entire message for the purpose of digitally signing it.

Instead, most PKI systems create a hash from the message and then encrypt the hash using the private key.

A hash is a digital summary of the message created by removing redundant bits according to a specialized hashing algorithm.
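The hash-then-sign step described on this slide, as an added example in Go that is not part of the original slides: the signer hashes a constructed message with SHA-256 and signs only the 32-byte digest with an RSA private key (what the slide calls encrypting the hash), and the verifier recomputes the digest and checks it with the matching public key. The key pairs and the message are generated in the code as stand-ins for keys that a PKI would distribute through certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sign hashes msg with SHA-256 and signs only the 32-byte digest with the
// private key (the slide's "encrypt the hash using the private key"), so the
// signing cost is fixed no matter how long the message is.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest of the message as received and checks it against
// sig with the signer's public key, which a PKI would take from the certificate.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed message and returns three checks: the genuine message
// verifies, a one-digit change does not, and neither does another party's key.
func Demo() (genuine, tampered, wrongKey bool) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the user's enrolled key pair
	if err != nil {
		panic(err)
	}
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a different party's key pair
	msg := []byte("Transfer 100 EUR to account 1234") // constructed sample message
	sig, err := Sign(signer, msg)
	if err != nil {
		panic(err)
	}
	genuine = Verify(&signer.PublicKey, msg, sig)
	tampered = Verify(&signer.PublicKey, []byte("Transfer 900 EUR to account 1234"), sig)
	wrongKey = Verify(&other.PublicKey, msg, sig)
	return genuine, tampered, wrongKey
}
```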

Page 9: Using Certificates

To distribute public keys, Windows Server 2003 and most other systems supporting a PKI use digital certificates.

A digital certificate is a document that verifiably associates a public key with a particular person or organization.

Page 10: Digital Certificate Contents

A digital certificate contains:

- The public key for a particular entity
- Information about the entity
- Information about the certification authority (CA) that issued the certificate

Page 11: X.509

X.509, “The Directory: Public-key and Attribute Certificate Frameworks,” defines the format of the certificates used by most PKI systems, including Windows Server 2003.

Every digital certificate contains these attributes:

- Version
- Serial number
- Signature algorithm identifier
- Issuer name
- Validity period
- Subject name

Page 12: Using Public Key Encryption

To use public key encryption, you must obtain a certificate from an administrative entity called a certification authority (CA). A CA can be a third-party company that is trusted to verify the identities of all parties involved in a digital transaction, or it can be a piece of software on a computer running Windows Server 2003 or another operating system.

Page 13: Obtaining a Certificate from a CA

There are two ways to obtain a certificate: the process can be manual or automatic.

The CA issues a public key and a private key as a matched pair. The private key is stored on the user’s computer in encrypted form, and the public key is issued as part of a certificate.

Page 14: Using Internal and External CAs

For a certificate to be useful in securing a digital transaction, it must be issued by an authority that both parties to the transaction trust to verify each other’s identities.

If you want to ensure that internal communications in your organization are secure, you would be best served by installing your own CAs.

For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.

Page 15: Understanding PKI Functions

Network administrators can perform the following tasks:

- Publish certificates
- Enroll clients
- Use certificates
- Renew certificates
- Revoke certificates

Page 16: Practice: Viewing a Certificate (page 11-7)

Page 17: Designing a Public Key Infrastructure: Defining Certificate Requirements

- Digital signatures
- Encrypting File System user and recovery certificates
- Internet authentication
- IP Security
- Secure e-mail
- Smart card logon
- Software code signing
- Wireless network authentication

Page 18: Creating a CA Infrastructure

If you trust a particular root CA, you should also trust any lower-level CAs that are authenticated and validated by that root CA.

Trusts between CAs flow downward through the hierarchy, just as file system permissions do.

[Diagram: Root CA, Intermediate CA and Issuing CA, with a Trust arrow flowing down from each level to the one below it.]

Page 19: Using Internal or External CAs

The choice depends on the needs and capabilities of your organization. The advantages and disadvantages of using internal and external CAs are summarized in Table 11-2.

Use internal CAs to secure internal communications, and use external CAs when you must secure communications with outside parties, such as customers.

Page 20: How Many CAs?

A single CA running on Windows Server 2003 can support as many as 35 million certificates, issuing two million or more a day.

Factors that affect the performance of a CA and the number of CAs needed:

- Number and speed of processors
- Key length
- Disk performance

Page 21: Creating a CA Hierarchy

Root CAs are the only CAs that do not have a certificate issued by a higher authority.

A root CA issues its own self-signed certificate, which functions as the top of the certificate chain for all the certificates issued by all the CAs subordinate to the root.

Page 22: Creating a CA Hierarchy cont.: Subordinate CAs

Every CA in a PKI is either a root CA or a subordinate CA. A root CA is the parent that issues certificates to the subordinate CAs beneath it.

If a client trusts the root CA, it must also trust all the subordinate CAs that have been issued certificates by the root CA.

Page 23: Creating a CA Hierarchy cont.

Subordinate CAs can also issue certificates to other subordinate CAs. Every certificate issued by every CA in the hierarchy can trace its trust relationships back to a root CA.

This hierarchy of relationships is called a certificate chain.
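The chain of trust described on pages 18 and 21 to 23, as an added example in Go that is not part of the original slides: it builds a constructed three-tier hierarchy (a self-signed root CA, a subordinate issuing CA and a server certificate, all with made-up names), then checks that the server certificate verifies only when its root is in the trust store and the subordinate CA certificate is available to complete the chain. Ed25519 keys are an assumption made for brevity; the X.509 attributes listed on page 11 (serial number, issuer, validity period, subject) are the fields set in Issue.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue returns a certificate for cn and its key; a nil parent means a self-signed root CA.
func Issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // only a CA may sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // a root CA signs its own certificate
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainOK reports whether leaf can be traced back to the one trusted root through inters.
func ChainOK(leaf, root *x509.Certificate, inters *x509.CertPool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

func Demo() (full, noInter, wrongRoot bool) { // constructed root -> issuing CA -> server chain
	root, rootKey := Issue("Contoso Root CA", 1, true, nil, nil)
	sub, subKey := Issue("Contoso Issuing CA", 2, true, root, rootKey)
	leaf, _ := Issue("server.contoso.example", 3, false, sub, subKey)
	stray, _ := Issue("Unrelated Root CA", 4, true, nil, nil) // trusted by mistake in the last check
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	return ChainOK(leaf, root, inters), ChainOK(leaf, root, nil), ChainOK(leaf, stray, inters)
}
```

Demo returns true, false, false: the chain verifies with the root trusted and the issuing CA supplied, fails when the issuing CA certificate is missing, and fails when only an unrelated root is trusted.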

Page 24: Understanding Windows Server 2003 CA Types: Enterprise

Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically.

Page 25: Understanding Windows Server 2003 CA Types cont.: Stand-alone

Stand-alone CAs do not use certificate templates or Active Directory; they store their information locally.

By default, stand-alone CAs do not automatically respond to certificate enrollment requests, as enterprise CAs do. Requests wait in a queue for an administrator to manually approve or deny them.

Stand-alone CAs are intended for situations in which users outside the enterprise submit requests for certificates.

Page 26: Smart Card Certificates

If you plan to use smart cards to authenticate users on your network, you must create enterprise CAs,

Page 27: Exam Tip

Be sure to understand the differences between enterprise root CAs, enterprise subordinate CAs, stand-alone root CAs, and stand-alone subordinate CAs.

Page 28: Configuring Certificates

Criteria to consider when planning certificate configurations are as follows:

- Certificate type
- Encryption key length and algorithm
- Certificate lifetime
- Renewal policies

Page 29: Installing Certificate Services: Add/Remove Programs

Page 30: Installing Certificate Services: Components for Certificate Services

Page 31: Installing Certificate Services: Choose the CA Type

Page 32: Installing Certificate Services: Information

Page 33: Installing Certificate Services: Location of the Certificate Logs

Page 34: Installing Certificate Services: Certificate Services will now install

Page 35: Installing Certificate Services: Must have IIS installed

Page 36: Practice: Installing a Windows Server 2003 Certification Authority (page 11-16)

Page 37: Managing Certificates

Page 38: Understanding Certificate Enrollment and Renewal

The actual process by which CAs issue certificates to clients varies, depending on the types of CAs you have installed.

If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request.

Page 39: Exam Tip

Be sure to understand the circumstances in which clients use auto-enrollment and manual enrollment, and to be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.

Page 40: Using Auto-Enrollment

Auto-enrollment enables clients to automatically request and receive certificates from a CA with no manual intervention from administrators.

Page 41: Using Auto-Enrollment cont.

To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional.

You control the auto-enrollment process using a combination of group policy settings and certificate templates.

Page 42: Auto-Enrollment in a GPO

Page 43: Using Manual Enrollment

Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate.

Page 44: Manually Requesting Certificates Using the Certificates Snap-in

Page 45: Manually Requesting Certificates Using Web Enrollment

To function properly, this module requires you to have IIS installed on the computer first, along with support for ASP.

The Web Enrollment Support interface is intended to give internal or external network users access to stand-alone CAs.

Page 46: Revoking Certificates

You must revoke the certificates that are no longer usable if:

- A private key is compromised, or
- An unauthorized user has gained access to the CA, or
- You want to issue a certificate using different parameters, such as longer keys.

Page 47: Revoking Certificates

By selecting the Revoked Certificates folder in the Certification Authority console and then displaying its Properties dialog box, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs.

Page 48: Practice: Requesting a Certificate

Exercise 1: Requesting a Certificate
Exercise 2: Issuing a Certificate (page 11-26)
Exercise 3: Retrieving a Certificate
Exercise 4: Viewing a Certificate (page 11-27)

Page 49: Summary

Case Scenario Exercise (page 11-29)
Troubleshooting Lab (page 11-30)
Exam Highlights: Key Points, Key Terms (page 11-32)
