Date post: 30-Jul-2018

Deploying a Windows Public Key Infrastructure

Objectives At the end of this lab, you will be able to:

• Install and configure a stand-alone Root Certification Authority (CA).

• Install and configure a subordinate Enterprise CA.

• Configure custom certificate templates and deploy certificates using autoenrollment.

• Secure e-mail communication and Web-site authentication using digital certificates.

Scenario You are the network administrator for Northwind Traders. To increase security you are required to implement a Windows Server 2003 public key infrastructure (PKI). In this lab, you will see how to build the PKI infrastructure, how to implement certificates for Secure Sockets Layer (SSL)-enhanced Web sites and how certificates can be deployed to enable client authentication and improve e-mail security.

A portion of the Northwind Traders network infrastructure is illustrated below:

Important This hands-on lab is designed to test the installation and configuration of specific features on a limited number of computer resources. The placement of network services reflects neither best practices nor a desired or recommended configuration for a production environment.

Computers This lab uses the following computers: VAN-DC1, VAN-VPN1 and VAN-CL1. VAN-VPN1 will be configured as a standalone root Certification Authority (CA). VAN-DC1 will be configured as an Enterprise Subordinate CA.

Estimated time to complete this lab: 75 minutes

Before you begin the lab, you must start the VAN-DC1, VAN-VPN1 and VAN-CL1 computers.


Lab Setup To complete each lab module, you need to review the following:

Virtual PC

This lab makes use of Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on the same physical hardware. During the lab, you will switch among different windows, each of which contains a separate virtual machine.

Before you start the lab, familiarize yourself with the following basics of Virtual PC:

Task: To switch the focus for your mouse and keyboard to the virtual machine.
Procedure: Click inside the virtual machine window.

Task: To remove the focus from a virtual machine.
Procedure: Move the mouse pointer outside the virtual machine window.

Task: To issue the CTRL+ALT+DELETE keyboard combination inside a virtual machine.
Procedure: Use the <RIGHT>ALT+DELETE keyboard combination. In Virtual PC, the <RIGHT>ALT key is called the host key.

Task: To make the virtual machine window larger.
Procedure: Drag the lower-right corner of the window.

Task: To switch to full-screen mode, and to return from full-screen mode.
Procedure: Press the <RIGHT>ALT+ENTER keyboard combination.

To complete this lab, you need to start the virtual machines and then log on to the computers. In each exercise, you only have to start the virtual machines that are needed.

To log on to a computer in a virtual machine

1. Press <RIGHT>ALT+DEL (instead of CTRL+ALT+DEL) to open the Logon dialog box.

Important If a service startup error appears on VAN-DC1 during the boot process, check to ensure that the Exchange Server services have started as expected.


Exercise 1 Creating a Certification Authority Hierarchy

In this exercise you create a standalone root CA for Northwind Traders. You begin by modifying a CAPolicy.inf file to assist in the custom installation of the service. You will also perform post-installation tasks such as defining the Certificate Revocation List Distribution Point (CDP) and Authority Information Access (AIA) extensions for issued certificates, as well as configuring the publishing interval for certificate revocation lists.

Scenario To meet the design requirements of your PKI solution, you need to implement a standalone root CA. This CA will be used to enroll subordinate Enterprise Issuing CAs.

Tasks Detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1

Note: Perform the following steps on the VAN-VPN1 computer.

1. Log on to VAN-VPN1 and copy a sample capolicy.inf file from VAN-DC1. The capolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever you renew a CA certificate. This file defines settings specific to root CAs, as well as settings that affect all CAs in the hierarchy. By default, the capolicy.inf file does not exist when you install Windows Server 2003. You must manually create and configure the file and then store it in the %windir% folder.

a. Log on to VAN-VPN1 as Administrator with the password P@ssw0rd.

b. Click Start, and then click Run. The Run dialog box opens.

c. In the Open box, type \\VAN-DC1\C$. Click OK. After a few moments the \\van-dc1\c$ window opens.

d. In the \\VAN-DC1\C$ window, double-click the Tools folder.

e. In the Tools folder, double-click the PKIFiles folder.

f. In the PKIFiles folder, right-click and copy the capolicy.inf file.

g. Browse to C:\Windows and then paste capolicy.inf into the C:\Windows folder.

2. Configure the capolicy.inf file with the following values:

• OID: 1.2.3.4.5.6.7.8.9.2

• Webserver variable: VAN-DC1.nwtraders.msft

• CrlPeriodUnits: 26

• CRLPeriod: weeks

• CRLDeltaPeriodUnits: 0

a. Right-click C:\Windows\capolicy.inf and then click Open. The capolicy.inf text file opens in Notepad. Notice the various sections throughout the file. The [Version] section defines that the .inf file is in Windows NT format. The [PolicyStatementExtension] section defines a certification authority's certificate policies and certificate practice statements (CPS).

b. Under [LegalPolicy], change OID to 1.2.3.4.5.6.7.8.9.2. An object identifier (OID) is configured for the CPS or, if multiple policies are defined, for each CA's certificate policy. In this case only the legalpolicy variable requires an OID.

c. On the URL line, change webserver to VAN-DC1.nwtraders.msft. The URL provides a link to the actual text of the CPS. The URL line should now read URL="http://VAN-DC1.nwtraders.msft/LegalPolicy/rootcps.htm"

d. Under [Certsrv_server], make the following changes:

• CrlPeriodUnits=26

• CRLPeriod=weeks

• CRLDeltaPeriodUnits=0

• CRLDeltaPeriod=days (default)

This section defines the Certificate Revocation List publication intervals.

e. Leave the CRLDistributionPoint and AuthorityInformationAccess sections at the default setting.

By defining the CDP and AIA URLs as empty, you ensure that applications do not check the root CA certificate for revocation.

f. Save all changes, and then close capolicy.inf.

g. Close all open windows.
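What the finished file looks like, as an added example written for this page rather than the lab's PKIFiles copy; the [Version] and [PolicyStatementExtension] sections and the Notice text are assumed, the remaining values are the ones step 2 sets:

```powershell
# Added example: write the root CA's capolicy.inf as step 2 configures it.
# Assumption: the sample file also carries the [Version] and
# [PolicyStatementExtension] sections shown here; the Notice text is invented.
$capolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
; names the policy section(s) that go into the CA certificate
Policies=LegalPolicy

[LegalPolicy]
; OID of the certification practice statement and the URL of its text (steps 2b, 2c)
OID=1.2.3.4.5.6.7.8.9.2
Notice="Northwind Traders root CA certification practice statement"
URL="http://VAN-DC1.nwtraders.msft/LegalPolicy/rootcps.htm"

[Certsrv_server]
; base CRL every 26 weeks, delta CRLs disabled (step 2d)
CrlPeriodUnits=26
CRLPeriod=weeks
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

; no CDP and no AIA in the self-signed root certificate: applications then
; do not attempt a revocation check against the root itself (step 2e)
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# Certificate Services reads the file from %windir% during installation (step 1).
$path = Join-Path $env:windir 'capolicy.inf'
Set-Content -Path $path -Value $capolicy -Encoding Ascii
Get-Content -Path $path
```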

3. Install the standalone CA with the following settings:

• CA Type: Stand-alone Root CA

• CSP: Microsoft Strong Cryptographic Provider

• Hash algorithm: SHA-1

• Key length: 4096

• Common Name: VAN-VPN1

• Validity Period: 20 Years

a. Click Start, point to Control Panel, and then click Add or Remove Programs.

b. In the Add or Remove Programs window, click Add/Remove Windows Components.

After a few moments the Windows Components Wizard opens.

c. Select the check box next to Certificate Services. A Microsoft Certificate Services message states that the machine name and domain membership may not be changed.

d. Click Yes to continue.

e. In the Windows Components dialog box, click Next.

f. In the CA Type dialog box, select Stand-alone root CA.

g. Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.

h. On the Public and Private Key Pair page, set the following options and then click Next:

• CSP: Microsoft Strong Cryptographic Provider

• Hash algorithm: SHA-1

• Key length: 4096

i. In the CA Identifying Information dialog box, enter the following and then click Next:

• Common name for this CA: VAN-VPN1.

• Validity Period: 20 Years

j. On the Certificate Database Settings dialog box, accept the defaults and then click Next.

A Microsoft Certificate Services message states that Internet Information Services must be temporarily stopped.

k. In the Microsoft Certificate Services prompt, click Yes. The Configuring Components page shows the progress of the component configuration and installation.

l. When the Insert Disk prompt displays, click OK.

m. In the Files Needed dialog box, click the Browse button.

n. Browse to C:\Win2k3\I386 and then click Open.

o. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.

p. When the Microsoft Certificate Services prompt is displayed click Yes to enable Active Server Pages.

q. On the Completing the Windows Components Wizard page, click Finish.

r. Close the Add or Remove Programs window.

4. Define CRL and AIA Publication Settings. After you install the standalone root CA, you must modify the CDP and AIA extensions at the root CA to refer to locations that are available when the standalone root CA is removed from the network.

a. Click Start, point to Administrative Tools, and then click Certification Authority.

b. In the left-hand console tree pane, expand VAN-VPN1.

c. In the console tree pane, right-click Revoked Certificates and then click Properties.

Notice that the CRL publication interval is set to 26 Weeks, and that the Publish Delta CRLs option has been disabled. This option was configured in the capolicy.inf configuration file during installation.

d. Click OK to close the Revoked Certificates Properties dialog box.

e. In the console tree pane, right-click VAN-VPN1, and then click Properties.

f. In the VAN-VPN1 Properties dialog box, on the Extensions tab, in the Select extension drop-down list, ensure that the box reads CRL Distribution Point (CDP).

g. Review the default ldap:///, http://, and file://\\ URLs in the CRL distribution points (CDP) list.

The URL that begins with C:\Windows\system32\CertSrv should not be deleted because this is where the updated CRL is posted when you manually publish a CRL or when Certificate Services publishes the CRL at the CRL publication interval.

h. On the Extensions tab, in the Select extension drop-down list, select Authority Information Access (AIA).

i. Review the default ldap:///, http://, and file://\\ URLs.

j. Click OK.

k. Click Start, and then click Run. The Run dialog box opens.

l. In the Open box, type \\VAN-DC1\C$. Click OK. After a few moments the \\van-dc1\c$ window opens.


m. In the \\VAN-DC1\C$ window, double-click the Tools folder.

n. In the Tools folder, double-click the PKIFiles folder.

o. In the PKIFiles folder, right-click and copy ModifyAIAandCDP.cmd.

p. Browse to C:\ and then paste ModifyAIAandCDP.cmd into the root of the C drive.

q. Right-click C:\ModifyAIAandCDP.cmd and then click Edit.

r. On the Edit menu, click Replace.

s. In the Replace dialog box, in the Find what box, type Webserver.

t. In the Replace with box, type VAN-DC1.nwtraders.msft and then click Replace All.

u. In the Replace dialog box, in the Find what box, type ForestName.

v. In the Replace with box, type DC=NWtraders, DC=msft and then click Replace All.

w. Cancel the Replace dialog box and then save and close the file.

x. Double-click ModifyAIAandCDP.cmd to run the batch file. The batch file runs and modifies the AIA and CDP entries. It also restarts Certificate Services.

5. Publish the latest version of the CRL.

a. In the Certification Authority console, in the left-hand console tree pane, right-click Revoked Certificates, point to All Tasks, and then click Publish.

b. In the Publish CRL dialog box, click New CRL, and then click OK. The latest version of the CRL is published.

6. At a command prompt, increase the validity period of issued certificates to 10 years by using certutil setreg.

a. Open a command prompt, type certutil -setreg ca\ValidityPeriodUnits 10 and then press ENTER.

b. At the command prompt, type certutil -setreg ca\ValidityPeriod "Years" and then press ENTER.

c. Close the command prompt.

7. Restart Certificate Services.

a. In the Certification Authority console, right-click VAN-VPN1, point to All Tasks, and then click Stop Service.

b. In the Certification Authority console, right-click VAN-VPN1, point to All Tasks, and then click Start Service.

c. Close the Certification Authority console and close all open windows.
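The registry settings that ModifyAIAandCDP.cmd applies, reconstructed here as an added PowerShell example (not the lab's own batch file) together with the validity-period, restart and CRL-publication steps 5 to 7. Assumed: the URL prefix flags chosen below, and that the batch file hard-codes the configuration container from ForestName because the offline root cannot look it up in Active Directory.

```powershell
# Added example, not the lab's ModifyAIAandCDP.cmd. Run on VAN-VPN1 as Administrator.
# Each URL carries a numeric prefix that tells Certificate Services what to do with it:
#   1   write the CRL / CA certificate to this location when it is published
#   2   include the URL in the CDP or AIA extension of certificates this CA issues
#   8   include the URL in the CDP extension of the CRLs this CA publishes
#   10  = 2 + 8
# Tokens certutil expands at publication time: %1 server DNS name, %2 server short
# name, %3 CA name, %4 certificate name, %7 sanitized CA name, %8 CRL name suffix,
# %9 delta-CRL marker, %10 CDP object class, %11 CA object class.

$web    = 'VAN-DC1.nwtraders.msft'   # the "Webserver" replacement of step 4t
$forest = 'DC=NWtraders,DC=msft'     # the "ForestName" replacement of step 4v
$local  = "$env:windir\system32\CertSrv\CertEnroll"

# CDP: the local file location stays (it is where the CRL is written, step 4g);
# the LDAP and HTTP locations are only referenced, because the root does not
# publish to them itself. Steps 8, 9 and 12 copy the files there from VAN-DC1.
$cdp = "1:$local\%3%8%9.crl" +
       "\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,$forest%10" +
       "\n2:http://$web/CertData/%3%8%9.crl"
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA: same pattern for the CA certificate itself.
$aia = "1:$local\%1_%3%4.crt" +
       "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,$forest%11" +
       "\n2:http://$web/CertData/%1_%3%4.crt"
certutil -setreg CA\CACertPublicationURLs $aia

# Step 6: certificates issued by this root (the subordinate CA certificate) last 10 years.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

# Step 7: restart Certificate Services so the new registry values take effect,
# then (step 5) publish a fresh base CRL to the local CertEnroll folder.
net stop certsvc
net start certsvc
certutil -CRL

# Check: every value should read back exactly as set, and the new CRL should
# now sit in CertEnroll ready to be copied to VAN-DC1 in step 9.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\ValidityPeriodUnits
Get-ChildItem -Path $local -Filter '*.crl'
```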

Note: Perform the following steps on the VAN-DC1 computer.

8. Publish the CRL and CA certificate for the offline root CA to the LDAP and HTTP locations.

a. Log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. Start Windows Explorer and then browse to the C:\Inetpub\wwwroot folder.

c. Under the wwwroot folder, create a new subfolder named Legalpolicy.

d. Browse to C:\Tools\PKIFiles.

e. In the PKIFiles folder, right-click and copy rootcps.htm.

f. Browse to C:\inetpub\wwwroot\legalpolicy and then paste rootcps.htm into the folder.

9. Copy the contents of \\Computer\admin$\system32\certsrv\Certenroll to the C:\inetpub\wwwroot\CertData folder.

a. Browse to and click C:\Inetpub\wwwroot.

b. Create a new subfolder named CertData.

c. Click Start, and then click Run.

d. In the Open box, type \\VAN-VPN1\admin$. Click OK.

e. In Windows Explorer, double-click System32, double-click Certsrv, and then double-click Certenroll.

f. Copy all files in the \\VAN-VPN1\admin$\system32\Certsrv\Certenroll share to C:\inetpub\wwwroot\CertData.

These files include the Certificate Revocation List and the Security Certificate for VAN-VPN1.

g. Close all open windows.

10. View the Certificate Practice Statement

a. Open Internet Explorer.

b. In the Address bar, type http://VAN-DC1.nwtraders.msft/Legalpolicy/rootcps.htm, and then press ENTER.

The sample Certificate Practice Statement is displayed.

11. View the certificate revocation list.

a. In the Address bar, type http://VAN-DC1.nwtraders.msft/CertData/VAN-VPN1.crl, and then press ENTER.

The File Download dialog box is displayed.

b. Click the Open button. The certificate revocation list is displayed.

c. Click OK to close the Certificate Revocation List.

d. Close Internet Explorer.

12. Publish the CRL and CA certificate to Active Directory.

a. Open a command prompt.

b. At a command prompt, type cd \inetpub\wwwroot\Certdata and then press ENTER.

c. To publish the latest CRL to Active Directory, at the command prompt, type certutil -dspublish -f VAN-VPN1.crl and then press ENTER.

You should receive a prompt stating that the -dspublish command completed successfully.

d. Close the command prompt.

e. To publish the CA certificate to Active Directory, open Windows Explorer and browse to C:\Inetpub\wwwroot\CertData.

f. Double-click VAN-VPN1.NWtraders.msft_VAN-VPN1. After a few moments the security certificate opens; notice that it is not trusted and needs to be placed into the Trusted Root Certification Authorities store.

g. Click Install Certificate. The Certificate Import Wizard starts.

h. Click Next.

i. On the Certificate Store page, click the button next to Place all certificates in the following store.


j. Click the Browse button and then select Trusted Root Certification Authorities. Click OK.

k. Click Next and then Finish. A Security Warning is displayed.

l. Click Yes to install this certificate.

m. Click OK.

n. Click OK to close the Certificate window.

o. Double-click VAN-VPN1.NWtraders.msft_VAN-VPN1. Notice that VAN-DC1 now trusts the VAN-VPN1 Certificate Authority.

p. Close all open windows.


Exercise 2 Implementing a Subordinate Enterprise CA

In this exercise, you configure a subordinate Enterprise CA below the Northwind Traders stand-alone Root CA. You will also use the PKI Health Tool to validate CRL and AIA publication points.

Scenario You have just completed the installation and configuration of the stand-alone Root CA for Northwind Traders. The next step is to install and configure the Enterprise Subordinate CA.

Tasks Detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Install Certificate Services with the following options, and then save the request to a file named a:\request.req.

• CA Type: Enterprise subordinate CA

• CSP: Microsoft Strong Cryptographic Provider

• Hash algorithm: SHA-1

• Key length: 2048

• Common name: NWtradersCA

a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. Click Start, point to Control Panel, and then click Add or Remove Programs.

c. In the Add or Remove Programs window, click Add/Remove Windows Components.

After a few moments the Windows Components Wizard opens.

d. Select the check box next to Certificate Services. A Microsoft Certificate Services message states that the machine name and domain membership may not be changed.

e. Click Yes to continue.

f. In the Windows Components dialog box, click Next.

g. In the CA Type dialog box, select Enterprise subordinate CA.

h. Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.

i. On the Public and Private Key Pair page, set the following options and then click Next:

• CSP: Microsoft Strong Cryptographic Provider

• Hash algorithm: SHA-1

• Key length: 2048

j. In the CA Identifying Information dialog box, enter the following and then click Next:

• Common name for this CA: NWtradersCA. Notice that the Validity period is determined by the parent CA.

k. On the Certificate Database Settings page, accept the default settings, and then click Next.

l. On the CA Certificate Request page, click Save the request to a file. Saving the request to a file would provide the ability to transfer this request to an offline Root CA using removable storage, such as a floppy disk or USB digital drive.

m. In the Request file box, type c:\request.req, and then click Next.

n. In the Microsoft Certificate Services message, click Yes to temporarily stop Internet Information Services.

o. When the Insert Disk dialog box appears, click OK.

p. In the Files Needed dialog box, browse to C:\Win2k3\I386 and then click Open.

q. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.

r. In the Microsoft Certificate Services message box, acknowledge that the CA installation is incomplete, and then click OK.

The installation is incomplete until you manually submit the request.req file to the root CA.

s. On the Completing the Windows Components Wizard page, click Finish.

t. Close the Add or Remove Programs window.

Note: Perform the following steps on the VAN-VPN1 computer.

2. In the Certification Authority console, request a new certificate by using the request.req request file.

a. If necessary, log on to VAN-VPN1 as Administrator with the password of P@ssw0rd.

b. Click Start, point to Administrative Tools, and then click Certification Authority.

c. In the console tree pane, right-click VAN-VPN1, point to All Tasks, and then click Submit new request.

d. In the Open Request File dialog box, in the File name box, type \\van-dc1\c$\Request.req and then click Open.

If the stand-alone root CA is disconnected from the network, the Request.req file can be transported by a physical device such as a floppy disk or USB digital drive.

3. In the Certification Authority console, issue the pending certificate request.

a. In the console tree pane, expand VAN-VPN1, and then click Pending Requests.

b. In the details pane, right-click the pending certificate, point to All Tasks, and then click Issue.

4. Export the issued certificate to a PKCS #7 file named subca.p7b that includes all of the certificates in the certification path.

a. In the console tree pane, click Issued Certificates.

b. In the details pane, double-click the issued certificate.

c. In the Certificate dialog box, on the Details tab, click Copy to File.

d. On the Welcome to the Certificate Export Wizard page, click Next.

e. On the Export File Format page, click Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B), select the Include all certificates in the certification path if possible check box, and then click Next.

f. On the File to Export page, in the File name box, type c:\subca.p7b and then click Next.

g. On the Completing the Certificate Export Wizard page, click Finish.

h. In the Certificate Export Wizard message box, click OK.

i. In the Certificate dialog box, click OK.

j. Close the Certification Authority console.

k. Close all open windows.

Note: Perform the following steps on the VAN-DC1 computer.

5. Install the CA certificate in the Certification Authority console by using the subca.p7b file.

a. Click Start, point to Administrative Tools, and then click Certification Authority.

b. In the console tree, right-click NWTradersCA, point to All Tasks, and then click Install CA Certificate.

c. In the Select file to complete CA installation dialog box, in the File name box, type \\VAN-VPN1\c$\subca.p7b and then click Open.

After a few moments a message states that the root certificate is untrusted.

d. Click OK at the Microsoft Certificate Services message.

e. In the console tree, right-click NWTradersCA, point to All Tasks, and then click Start Service.

f. In the Certification Authority console, in the console tree pane, right-click NWTradersCA, and then click Properties.

g. In the NWTradersCA Properties dialog box, click View Certificate. Notice that the validity period is for ten years, as defined in the ValidityPeriodUnits registry entry of the root CA.

h. In the Certificate dialog box, click the Certification Path tab. Notice that the CA hierarchy path is VAN-VPN1=>NWtradersCA.

i. In the Certificate dialog box, click OK.

j. In the NWTradersCA Properties dialog box, click OK.

k. Close the Certification Authority console.

6. Before you issue a subordinate CA certificate from the offline root CA, verify that the offline root CA's CDP and AIA extensions are properly configured. You can use the PKI Health Tool from the Windows Server 2003 Resource Kit to validate the CDP and AIA extensions that you configured on the offline root CA.

a. Open a command prompt.

b. At the command prompt, type cd \tools\pkifiles.

c. At the command prompt, type regsvr32 pkiview.dll and then press ENTER.

d. In the RegSvr32 message box, click OK.

e. At the command prompt type pkiview.msc. Press ENTER. The pkiview console opens.

f. In the left-hand console tree pane, click VAN-VPN1.

g. Verify that the status of all certificates, AIA locations, and CDP locations is OK.

h. Expand VAN-VPN1 and click NWTradersCA.

i. Verify that the status of all certificates, AIA locations, and CDP locations is OK.


j. Close the pkiview console.

k. Close the command prompt and all other open windows.
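The same check from the command line, as an added example that is not a step of the lab; it assumes the enterprise CA wrote its own certificate to its CertEnroll folder under the default <DNS name>_<CA name>.crt pattern (the same pattern seen for VAN-VPN1 in Exercise 1, step 12f).

```powershell
# Added example, not part of the lab: a command-line version of the pkiview check,
# run on VAN-DC1. Assumption: the file name below follows the default
# %1_%3%4.crt publication pattern of Certificate Services.
$subCaCert = "$env:windir\system32\CertSrv\CertEnroll\VAN-DC1.nwtraders.msft_NWtradersCA.crt"

# Build the chain NWtradersCA -> VAN-VPN1 and fetch every AIA and CDP URL found
# in it. An http:// or ldap:/// location that cannot be retrieved, or a CRL that
# has expired, is reported in the output; "dwErrorStatus" fields of 0 mean the
# chain is fully verified.
certutil -verify -urlfetch $subCaCert

# The enterprise CA should answer, and its CA information should name VAN-VPN1
# as the parent CA.
certutil -config "VAN-DC1\NWtradersCA" -ping
certutil -config "VAN-DC1\NWtradersCA" -CAInfo
```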


Exercise 3 Deploying Certificates to Secure E-mail

In this exercise, you learn how to configure certificate templates which can be used to implement secure e-mail communication. You will also configure and test certificate autoenrollment.

Scenario To increase the security of e-mail communication for specific users in your organization, you have decided to implement S/MIME certificates that will be used to encrypt and digitally sign e-mail messages. Your first task is to create and enable two custom certificate templates: one to be used for encryption and the other to be used for digital signing. You must then determine the best way to deploy the certificates to your users. Because you have Windows XP Professional clients, autoenrollment is a practical choice.

Tasks Detailed steps

Note: This exercise uses the following computers: VAN-DC1, VAN-VPN1, and VAN-CL1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Create a security group for users that require secure e-mail.

a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

c. In the left-hand console tree pane, right-click Users, point to New, and then click Group.

The New Object – Group dialog box is displayed.

d. In the Group Name box, type SecureMailUsers.

e. Configure the following additional settings:

• Group Scope: Global

• Group Type: Security

f. Click Next.

g. Do not create an Exchange e-mail address for the group. Click Next.

h. Click Finish.

i. In the console tree pane, click the Users container.

j. In the details pane, right-click SecureMailUsers and then click Properties.

k. In the SecureMailUsers Properties dialog box, click the Members tab.

l. Click Add.

m. In the Select Users, Contacts, Computers, or Groups dialog box, type Kim and Don separated by a semi-colon (;). Click OK.

Don Hall and Kim Akers are added as members of the SecureMailUsers security group.

n. Click OK to close the SecureMailUsers Properties dialog box.

o. Close Active Directory Users and Computers.


2. Create the Autoenrollment Group Policy Object and link it to the NWTraders domain.

a. Click the Start menu, point to Administrative Tools, and then click Group Policy Management.

b. In the Group Policy Management console, expand Forest:NWtraders.msft, Domains, NWTraders.msft, and then click Group Policy Objects.

c. Right-click Group Policy Objects and then click New.

d. In the New GPO dialog box, type Secure Mail Policy. Click OK.

e. In the details pane, double-click Secure Mail Policy.

f. On the Scope tab, under Security Filtering, click Add.

g. In the Select User, Computer, or Group dialog box, type SecureMailUsers and then click OK.

h. Click Authenticated Users and then click Remove. Click OK.

i. In the console tree pane, right-click Secure Mail Policy and then click Edit.

j. In Group Policy Object Editor, expand User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

k. In the details pane, double-click Autoenrollment Settings.

l. In the Autoenrollment Settings Properties dialog box, enable the following options and then click OK:

• Enroll certificates automatically

• Renew expired certificates, update pending certificates, and remove revoked certificates

• Update certificates that use certificate templates

m. Close the Group Policy Object Editor.

n. In the console tree pane, right-click NWtraders.msft.

o. Click Link an Existing GPO.

p. In the Select GPO dialog box, click Secure Mail Policy and then click OK.

q. Close the Group Policy Management console.

3. Update Group Policy.

a. Open a command prompt.

b. At the command prompt, type gpupdate /force and then press ENTER.

c. Close the command prompt.

Note: Perform the following steps on the VAN-VPN1 computer.

4. Open the Certificate Template console and create a new certificate template called SMIMESign based on the Exchange Signature Only certificate template.

a. If necessary, log on to VAN-VPN1 as Administrator with the password of P@ssw0rd.

b. Click Start, click Run, type Certtmpl.msc and then click OK.

c. In the details pane, right-click Exchange Signature Only, and then click Duplicate Template.

d. In the Properties of New Template dialog box, in the Template display name box, type SMIMESign and then click OK.


5. In the SMIMESign certificate template, configure the following:

• Publish in Active Directory.

• Do not automatically reenroll if a duplicate certificate exists in Active Directory.

• Prompt the user during enrollment and require user input when the private key is used.

a. In the details pane, double-click SMIMESign.

b. In the SMIMESign Properties dialog box, on the General tab, select the Publish certificate in Active Directory check box, select the Do not automatically reenroll if a duplicate certificate exists in Active Directory check box, and then click Apply.

c. On the Request Handling tab, click Prompt the user during enrollment and require user input when the private key is used, and then click Apply.

The option to prompt the user during enrollment notifies the user that a certificate is being installed on their machine. The option to require user input when the private key is used forces the user to provide a password each time the private key is used. You may want to enable this second option to increase security at the time the certificate is used.

6. Add the Medium Assurance issuance policy OID.

a. On the Extensions tab, click Issuance Policies, and then click Edit.

b. In the Edit Issuance Policies Extension dialog box, click Add.

c. In the Add Issuance Policy dialog box, click Medium Assurance, and then click OK.

d. In the Edit Issuance Policies Extension dialog box, click OK.

e. On the Extensions tab, click Apply.

7. On the Subject name tab, configure the following:

• Subject name format: Fully distinguished name

• Include e-mail name in subject name: Enabled

• E-mail name: Enabled

• User principal name (UPN): Enabled

a. On the Subject Name tab, click Build from this Active Directory information, and then configure the following:

• Subject name format: Fully distinguished name

• Include e-mail name in subject name: Enabled

• E-mail name: Enabled

• User principal name (UPN): Enabled

b. On the Subject name tab, click Apply.

8. On the Security tab, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions.

a. On the Security tab, click Add.

b. In the Select Users, Computers, or Groups dialog box, in the text box, type SecureMailUsers and then click OK.

c. In the Group or user names list, select SecureMailUsers, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions, and then click OK.

9. Create a new certificate template named SMIMEEncrypt, based on the Exchange User certificate template. Configure the following: Publish certificate in Active Directory; Do not automatically reenroll if a duplicate certificate exists in Active Directory; Prompt the user during enrollment and require user input when the private key is used.

a. In the details pane, right-click Exchange User, and then click Duplicate Template.

b. In the Properties of New Template dialog box, in the Template display name box, type SMIMEEncrypt and then click OK.

c. In the details pane, double-click SMIMEEncrypt.

d. In the SMIMEEncrypt Properties dialog box, on the General tab, select the Publish certificate in Active Directory check box, select the Do not automatically reenroll if a duplicate certificate exists in Active Directory check box, and then click Apply.

e. On the Request Handling tab, click Prompt the user during enrollment and require user input when the private key is used, and then click Apply.

10. On the Extensions tab, add the Medium Assurance issuance policy OID.

a. On the Extensions tab, click Issuance Policies, and then click Edit.

b. In the Edit Issuance Policies Extension dialog box, click Add.

c. In the Add Issuance Policy dialog box, click Medium Assurance, and then click OK.

d. In the Edit Issuance Policies Extension dialog box, click OK.

e. On the Extensions tab, click Apply.

11. On the Subject Name tab, configure the following: Subject name format: Fully distinguished name; Include e-mail name in subject name: Enabled; E-mail name: Enabled; User principal name (UPN): Enabled.

a. On the Subject Name tab, click Build from this Active Directory information, and then configure the following:

• Subject name format: Fully distinguished name

• Include e-mail name in subject name: Enabled

• E-mail name: Enabled

• User principal name (UPN): Enabled

b. On the Subject Name tab, click Apply.

12. On the Security tab, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions.

a. On the Security tab, click Add.

b. In the Select Users, Computers, or Groups dialog box, in the text box, type SecureMailUsers and then click OK.

c. In the Group or user names list, select SecureMailUsers, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions, and then click OK.

d. Close the Certificate Templates console.

e. Close all open windows.

Note: Perform the following steps on the VAN-DC1 computer.

13. Update Group Policy.

a. Open a command prompt.

b. At the command prompt, type gpupdate /force and then press ENTER.

c. Close the command prompt.

14. Configure NWTradersCA to issue the SMIMEEncrypt and SMIMESign certificate templates.

a. Click the Start menu, point to Administrative Tools, and then click Certification Authority.

b. In the console tree pane, expand NWTradersCA, and then click Certificate Templates.

c. In the console tree pane, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

d. In the Enable Certificate Templates dialog box, click SMIMEEncrypt, press CTRL and click SMIMESign, and then click OK.

e. In the details pane, ensure that SMIMEEncrypt and SMIMESign appear.

f. Close the Certification Authority.

15. Update Group Policy.

a. Open a command prompt.

b. At the command prompt, type gpupdate /force and then press ENTER.

c. Close the command prompt.
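Added check script, not part of the lab, that reads the SMIMESign and SMIMEEncrypt templates back out of Active Directory and lists what NWTradersCA is configured to issue, so the settings made in steps 5 to 14 can be verified without the GUI. Assumptions: it runs on a domain-joined machine that has PowerShell, as an account able to read the Configuration partition; the flag bit values are those documented in MS-CRTD; the CA config string VAN-DC1.nwtraders.msft\NWTradersCA matches this lab.

```powershell
# Added check script; not part of the lab. Assumes a domain-joined machine with PowerShell,
# an account able to read the Configuration partition, and the lab's CA config string.
$caConfig  = 'VAN-DC1.nwtraders.msft\NWTradersCA'
$templates = 'SMIMESign', 'SMIMEEncrypt'
$group     = 'SecureMailUsers'

# msPKI-Enrollment-Flag bits (MS-CRTD)
$FLAG_PUBLISH_TO_DS    = 0x8     # Publish certificate in Active Directory
$FLAG_CHECK_DS_CERT    = 0x10    # Do not automatically reenroll if a duplicate exists in AD
$FLAG_USER_INTERACTION = 0x100   # Prompt the user during enrollment / require input on key use
# msPKI-Certificate-Name-Flag bits (MS-CRTD)
$NAME_REQUIRE_DIR_PATH  = 0x80000000   # Subject name format: Fully distinguished name
$NAME_REQUIRE_EMAIL     = 0x20000000   # Include e-mail name in subject name
$NAME_ALT_REQUIRE_EMAIL = 0x04000000   # Alternate name: E-mail name
$NAME_ALT_REQUIRE_UPN   = 0x02000000   # Alternate name: User principal name (UPN)
# Extended-right GUIDs that appear in template ACLs
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiPath  = "CN=Public Key Services,CN=Services,$configNc"

function Resolve-IssuancePolicyName([string]$Oid) {
    # Issuance policy OIDs are objects under CN=OID; displayName holds e.g. "Medium Assurance"
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=OID,$pkiPath")
    $searcher.Filter = "(msPKI-Cert-Template-OID=$Oid)"
    $hit = $searcher.FindOne()
    if ($hit) { $hit.Properties['displayname'][0] } else { '<no OID object found>' }
}

function Test-Bit([int64]$Value, [int64]$Bit) { return [bool]($Value -band $Bit) }

foreach ($name in $templates) {
    $tpl = [ADSI]"LDAP://CN=$name,CN=Certificate Templates,$pkiPath"
    # Flags are stored as signed Int32; mask to the unsigned 32-bit pattern before testing bits
    $enrollFlags = ([int64]$tpl.psbase.Properties['msPKI-Enrollment-Flag'].Value) -band 0xFFFFFFFF
    $nameFlags   = ([int64]$tpl.psbase.Properties['msPKI-Certificate-Name-Flag'].Value) -band 0xFFFFFFFF
    "== $name =="
    "  Publish to AD:                  $(Test-Bit $enrollFlags $FLAG_PUBLISH_TO_DS)"
    "  No reenroll if duplicate in AD: $(Test-Bit $enrollFlags $FLAG_CHECK_DS_CERT)"
    "  Prompt user / require input:    $(Test-Bit $enrollFlags $FLAG_USER_INTERACTION)"
    "  Subject: DN with e-mail:        $((Test-Bit $nameFlags $NAME_REQUIRE_DIR_PATH) -and (Test-Bit $nameFlags $NAME_REQUIRE_EMAIL))"
    "  SAN: e-mail and UPN:            $((Test-Bit $nameFlags $NAME_ALT_REQUIRE_EMAIL) -and (Test-Bit $nameFlags $NAME_ALT_REQUIRE_UPN))"
    foreach ($oid in @($tpl.psbase.Properties['msPKI-Certificate-Policy'].Value)) {
        if ($oid) { "  Issuance policy:                $oid ($(Resolve-IssuancePolicyName $oid))" }
    }
    # ACL: Allow ACEs granted to SecureMailUsers; Enroll and Autoenroll are extended rights
    foreach ($ace in $tpl.psbase.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -notlike "*\$group") { continue }
        $right = $ace.ActiveDirectoryRights
        if ($ace.ObjectType -eq $enrollRight)     { $right = 'Enroll' }
        if ($ace.ObjectType -eq $autoenrollRight) { $right = 'Autoenroll' }
        "  ACE for ${group}:          $right"
    }
}
# Templates the CA is actually configured to issue (step 14 above)
certutil -config $caConfig -CATemplates | Select-String -Pattern ($templates -join '|')
```

Any template that reports False for a setting, or whose ACL lacks an Enroll and an Autoenroll ACE for SecureMailUsers, will not autoenroll for Don and Kim in the steps that follow.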

Note: Perform the following steps on the VAN-CL1 computer.

16. Log on to the domain as Don Hall.

a. Log on to VAN-CL1 as Don with the password P@ssw0rd.

17. Update Group Policy.

a. Open a command prompt.

b. At the command prompt, type gpupdate /force and then press ENTER.

c. Close the command prompt.

18. Start the Certificate Autoenrollment process.

a. In the notification area, click the Certificate Enrollment balloon. If the certificate enrollment balloon does not appear, wait for approximately 90 seconds. If it still does not appear after 90 seconds, log off and log back on as Don. It is important that Don is registered as a member of the SecureMailUsers security group. If you receive any additional error messages upon logon, click OK to close the message.

b. In the Certificate Enrollment dialog box, click Start. This first enrollment process is for the SMIMESign certificate. It will be configured to require a password each time the certificate is used.

c. In the Creating a new RSA signature key dialog box, click Set Security Level.

d. Click the button next to High. Click Next.

e. In the Creating a new RSA signature key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.

f. In the Creating a new RSA signature key dialog box, click OK. The next set of steps enrolls the SMIMEEncrypt certificate. Its security level will be set to Medium, which only asks for permission each time the encryption key is used.

g. In the Creating a new RSA exchange key, click Set Security Level.

h. Click the button next to Medium. Click Next.


i. In the Creating a new RSA exchange key dialog box, click Finish.

j. Click OK to close the Creating a new RSA exchange key dialog box.

19. View the security settings for Outlook 2002.

a. Click Start, and then click E-mail.

b. Click the Tools menu, and then click Options.

c. Click the Security tab.

d. Under Encrypted e-mail, click the Settings button. Notice that S/MIME has been configured using SHA1 and 3DES as the Hash and Encryption algorithms.

e. Click Cancel to close the Change Security Settings dialog box.

f. Click Cancel to close the Options dialog box.

20. Send a digitally signed e-mail message.

a. Click the New button.

b. In the To: box type Kim.

c. In the subject box type Signed e-mail.

d. In the message body type: This is a test for signed e-mail.

e. Click the Options button.

f. In the Message Options dialog box, click Security Settings.

g. Select the check box next to Add digital signature to this message.

h. Click OK.

i. In the Message Options dialog box, click Close.

j. Click Send. A password box prompts you for your CryptoAPI Private Key password.

k. In the CryptoAPI Private key dialog box, type P@ssw0rd. Click OK.

l. Close Microsoft Outlook and log off.

21. Verify that Kim is a member of the SecureMailUsers group.

a. Log on to VAN-CL1 as Kim with the password P@ssw0rd.

b. Open a command prompt.

c. At the command prompt, type gpresult and then press ENTER. If Kim is not a member of the SecureMailUsers security group, log off and log back on again as Kim.

d. Close the command prompt window.

22. Start the Certificate Autoenrollment process for Kim.

a. In the notification area, click the Certificate Enrollment balloon. If the certificate enrollment balloon does not appear, wait for approximately 90 seconds. If it still does not appear after 90 seconds, log off and log back on as Kim. It is important that Kim is registered as a member of the SecureMailUsers security group. If you receive any additional error messages upon logon, click OK to close the message.

b. In the Certificate Enrollment dialog box, click Start. This first enrollment process is for the SMIMESign certificate. It will be configured to require a password each time the certificate is used.


c. In the Creating a new RSA signature key dialog box, click Set Security Level.

d. Click the button next to High. Click Next.

e. In the Creating a new RSA signature key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.

f. In the Creating a new RSA signature key dialog box, click OK. The next set of steps enrolls the SMIMEEncrypt certificate. Its security level will be set to Medium, which only asks for permission each time the encryption key is used.

g. In the Creating a new RSA exchange key, click Set Security Level.

h. Click the button next to Medium. Click Next.

i. In the Creating a new RSA exchange key dialog box, click Finish.

j. Click OK to close the Creating a new RSA exchange key dialog box.

23. Verify that the signed message has been received from Don.

a. Click Start, and then click E-mail. A message is displayed asking if you would like to import a new account.

b. In the Microsoft Office Outlook message box, click No.

c. Double-click the message from Don Hall.

d. Click the seal icon in the top right-hand corner of the e-mail message.

e. Click the details button.

f. Click the Signer:[email protected] entry. Notice that the message was signed using RSA/SHA1.

g. Click Close.

h. Click Close to close the Digital Signature dialog box.

24. Send an encrypted reply.

a. Click Reply.

b. Click the Options button.

c. In the Message Options dialog box, click Security Settings.

d. Select the check box next to Encrypt message contents and attachments.

e. Ensure that the check box next to Add digital signature to this message is selected.

f. Click OK.

g. Click Close to close the Message Options dialog box.

h. Click Send.

i. In the CryptoAPI Private Key prompt type P@ssw0rd. Click OK.

j. Close all windows and log off.

25. Log on as Don Hall and verify that an encrypted message has been received from Kim.

a. Log on to VAN-CL1 as Don with the password P@ssw0rd.

b. Click Start, and then click E-mail.

c. Open the e-mail message from Kim Akers.

d. In the CryptoAPI Private Key prompt, click OK. The prompt appears indicating that you are using your private key to open the encrypted e-mail message. When the message is opened, notice that the lock and seal icons are displayed in the top right-hand corner of the message, indicating an encrypted and signed e-mail message.

e. Close all windows and log off.


Exercise 4 Securing Web Sites Using SSL Encryption

In this exercise, you will learn how to install a Web Server certificate. You will also enforce SSL encryption on the Web site’s virtual directory to ensure that communication is secure. Finally, you will enable client certificate mapping so that user certificates can be used for Web site authentication.

Scenario

Northwind Traders requires authentication in order to access its company Web site. To encrypt logon credentials, you have to implement SSL certificates on the Web server.

Tasks Detailed steps

Note: This lab exercise uses the following computers: VAN-DC1 and VAN-CL1.

Note: Perform the following step on the VAN-DC1 computer.

1. In the Internet Information Services (IIS) Manager console, browse to the default Web site.

a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.

b. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

c. In the console tree pane, expand VAN-DC1 (local computer), expand Web Sites, and then click Default Web Site.

2. Enable SSL by running the Web Server Certificate Wizard with the following options: Create a new certificate; Send the request immediately to an online certification authority; Organization: NWTraders; Organizational unit: Corporate; Common name: VAN-DC1.NWtraders.msft; Country/Region: CA (Canada); State/province: BC; City/locality: Vancouver; SSL port: 443; Certification authority: default.

a. Right-click Default Web Site, and then click Properties.

b. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.

c. On the Welcome to the Web Server Certificate Wizard page, click Next.

d. On the Server Certificate page, click Create a new certificate, and then click Next.

e. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.

f. On the Name and Security Settings page, accept the default settings, and then click Next.

g. On the Organization Information page, in the Organization box, type NWTraders.

h. In the Organizational unit box, type Corporate and then click Next.

i. On the Your Site’s Common Name page, in the Common name box, type VAN-DC1.NWtraders.msft, and then click Next.

j. On the Geographical Information page, in the Country/Region dropdown list, select CA (Canada).

k. In the State/province box, type BC.

l. In the City/locality box, type Vancouver and then click Next.

m. On the SSL Port page, accept the default setting (443), and then click Next.

n. On the Choose a Certification Authority page, accept the CA that is presented, and then click Next.

o. On the Certificate Request Submission page, click Next.

p. On the Completing the Web Server Certificate Wizard page, click Finish.

3. Verify that the certificate has been installed.

a. In the Secure communications section, click View Certificate. The Certificate is displayed. Notice that it is valid for two years.

b. Click the Certification Path tab. Notice that the entire certification path, including NWTradersCA and VAN-VPN1, is trusted.

c. Click OK.

d. Click OK to close the Default Web Site Properties dialog box.

4. Create a new virtual directory named Security that refers to C:\Tools\PKIFiles.

a. Right-click Default Web Site, point to New, and then click Virtual Directory.

The Virtual Directory Creation Wizard starts.

b. On the Welcome to the Virtual Directory Creation Wizard page, click Next.

c. On the Virtual Directory Alias page, in the Alias box, type Security and then click Next.

d. On the Web Site Content Directory page, in the Path box, type C:\Tools\PKIFiles and then click Next.

e. On the Virtual Directory Access Permissions page, accept the default settings, and then click Next.

f. On the You have successfully completed the Virtual Directory Creation Wizard page, click Finish.

5. Configure authentication for the Security Web site.

a. In the console tree pane, right-click Security, and then click Properties.

b. Click the Directory Security tab.

c. Under the Authentication and access control section, click Edit. The Authentication Methods dialog box is displayed.

d. Clear the check box next to Enable anonymous access.

e. Select the check box next to Basic authentication. A warning is displayed indicating that Basic authentication does not encrypt data. You are going to require an SSL connection for this directory, so the credentials will be protected in transit and the warning does not apply.

f. Click Yes.

g. Click OK to close the Authentication Methods dialog box.

6. Enable SSL and require 128-bit encryption for the Security virtual directory.

a. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.

b. In the Secure Communications dialog box, click Require secure channel (SSL), click Require 128-bit encryption, and then click OK.

c. In the Security Properties dialog box, click OK.

Note: Perform the following steps on the VAN-CL1 computer.


7. Test the security Web page by opening https://VAN-DC1.NWTraders.msft/security in Internet Explorer.

a. If necessary, log on to VAN-CL1 as Don with the password P@ssw0rd.

b. Open Internet Explorer.

c. In the Address bar, type https://VAN-DC1.NWtraders.msft/security, and then press ENTER.

d. If a Security Alert is displayed, click OK.

e. In the Connect to van-dc1.nwtraders.msft dialog box enter the following information and then click OK:

• User name: Don

• Password: P@ssw0rd

After a few moments, the security Web page is displayed. Notice the lock icon in the bottom right-hand corner of Internet Explorer.

f. Double-click the lock icon. The VAN-DC1.NWtraders.msft certificate information is displayed.

g. Click OK to close the Certificate information.

h. Close Internet Explorer.

Note: Perform the following steps on the VAN-DC1 computer.

8. Enable certificate mapping for the Security Web site. Configure the properties of the Security virtual directory with the following options: Require client certificates Enable client certificate mapping

a. In the IIS Manager console tree pane, right-click Security, and then click Properties.

b. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.

c. In the Secure Communications dialog box, click Require client certificates.

d. In the Secure Communications dialog box, click Enable client certificate mapping, and then click OK.

e. In the Security Properties dialog box, click Apply.

9. Clear the check boxes for all forms of authentication for the Security Web site.

a. In the Security Properties dialog box, on the Directory Security tab, in the Authentication and access control section, click Edit.

b. In the Authentication Methods dialog box, clear all authentication method check boxes, and then click OK.

Clearing all of the check boxes prevents Internet Explorer from presenting a user authentication dialog box if the certificate-based authentication fails.

c. In the Security Properties dialog box, click OK.

10. In the Web site’s properties, activate the Windows directory service mapper.

a. In the console tree pane, right-click Web Sites, and then click Properties.

b. In the Web Sites Properties dialog box, on the Directory Security tab, click Enable the Windows directory service mapper, and then click OK.

c. In the Inheritance Overrides dialog box, click Cancel.

d. Close Internet Information Services (IIS) Manager.

e. Close all open windows and log off.


Note: Perform the following steps on the VAN-CL1 computer.

11. Acquire a user certificate using the Certificates console (Certmgr.msc).

a. Click Start, click Run, type Certmgr.msc and then click OK. The Certificates console opens.

b. In the left-hand console tree pane, click Personal.

c. Right-click Personal, point to All Tasks, and then click Request New Certificate.

d. On the Welcome to the Request Wizard page, click Next.

e. On the Certificate Types page, in the Certificate types list, select User, and then click Next.

f. On the Certificate Friendly Name and Description page, in the Friendly name box, type Web Authentication and then click Next.

g. On the Completing the Certificate Request Wizard page, click Finish.

h. In the Certificate Request Wizard message box, click OK. Verify that a certificate is displayed with the Friendly name Web Authentication.

i. Close the Certificates console.

12. Test the security Web page by opening https://VAN-DC1.NWTraders.msft/security in Internet Explorer.

a. Open Internet Explorer.

b. In the Address bar, type https://VAN-DC1.NWtraders.msft/security, and then press ENTER.

c. If a Security Alert is displayed, click OK.

d. In the Choose a digital certificate dialog box, click View Certificate. Notice that the certificate is issued to Don Hall and is valid for 1 year.

e. Click OK.

f. In the Choose a digital certificate dialog box, select the User certificate and then click OK.

The Security web site is displayed with the lock icon indicating an SSL connection.

g. Close Internet Explorer.
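Added probe script, not part of the lab, that checks from the client side what the settings in steps 6, 8, 9 and 10 enforce on the Security virtual directory: plain HTTP refused, HTTPS without a client certificate refused, HTTPS with Don's User certificate accepted, plus the server certificate chain as the client sees it. Assumptions: it runs on VAN-CL1 as Don after step 11 on a build that has PowerShell; IIS 6 reports its sub-status in the error page body (403.4 SSL required, 403.7 client certificate required); the root CA is trusted through Active Directory, so certificate validation is left on.

```powershell
# Added probe; not part of the lab. Assumes it runs on VAN-CL1 as Don after step 11 (User certificate
# with friendly name "Web Authentication" in CurrentUser\My) and that IIS 6 reports the sub-status
# (403.4 / 403.7) in the body of its error page. The root CA is trusted via AD, so validation stays on.
$server = 'VAN-DC1.NWtraders.msft'
$path   = '/security/'

function Invoke-Probe {
    param([string]$Url, [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    if ($ClientCert) { [void]$req.ClientCertificates.Add($ClientCert) }
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as WebException; the response object is still attached
        $resp = $_.Exception.Response
        if (-not $resp) { return @{ Status = -1; Body = $_.Exception.Message; ServerCert = $null } }
    }
    $status = [int]$resp.StatusCode
    $body   = (New-Object IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
    $resp.Close()
    return @{ Status = $status; Body = $body; ServerCert = $req.ServicePoint.Certificate }
}

function Test-Expectation([string]$Label, $Result, [int]$Status, [string]$SubStatus) {
    $ok = ($Result.Status -eq $Status) -and
          ($SubStatus -eq '' -or $Result.Body -match [regex]::Escape($SubStatus))
    $verdict = if ($ok) { 'PASS' } else { 'FAIL' }
    "$verdict  $Label (HTTP $($Result.Status))"
}

$clientCert = Get-ChildItem Cert:\CurrentUser\My |
              Where-Object { $_.FriendlyName -eq 'Web Authentication' } | Select-Object -First 1

# Step 6: "Require secure channel (SSL)" -> plain HTTP must get 403.4
Test-Expectation 'HTTP without SSL'            (Invoke-Probe "http://$server$path")  403 '403.4'
# Step 8: "Require client certificates" -> HTTPS with no client certificate must get 403.7
Test-Expectation 'HTTPS, no client cert'       (Invoke-Probe "https://$server$path") 403 '403.7'
# Steps 8-10: certificate mapped to Don by the Windows directory service mapper -> 200
$withCert = Invoke-Probe "https://$server$path" $clientCert
Test-Expectation 'HTTPS with User certificate' $withCert 200 ''

# Server certificate and chain as the client sees them (compare with step 3 of this exercise)
if ($withCert.ServerCert) {
    $srvCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($withCert.ServerCert)
    $chain   = New-Object Security.Cryptography.X509Certificates.X509Chain
    "Chain builds to a trusted root: $($chain.Build($srvCert))"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
}
```

A FAIL on the first two probes means the directory is still reachable without SSL or without a client certificate, which is exactly the gap steps 6 and 8 are meant to close.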

13. Shut down computers.

a. Shut down all Virtual PC computers without saving the changes.