Microsoft Official Course®
Module 7: Deploying and Managing Active Directory Certificate Services

Module Overview
• Deploying CAs
• Administering CAs
• Troubleshooting, Maintaining, and Monitoring CAs
Lesson 1: Deploying CAs
• AD CS in Windows Server 2012
• What Is Certification Authority?
• Public vs. Private CAs
• Stand-alone vs. Enterprise CAs
• Options for Implementing CA Hierarchies
• Considerations for Deploying a Root CA
• Considerations for Deploying a Subordinate CA
• How to Use the CAPolicy.inf File for Installing a CA
• Demonstration: Deploying an Enterprise Root CA
AD CS in Windows Server 2012
AD CS role services:
• Certification Authority (CA)
• CA Web Enrollment
• Online Responder
• Network Device Enrollment Service
• Certificate Enrollment Web Service (enrollment proxy)
• Certificate Enrollment Policy Web Service (policy)
What Is Certification Authority?
A CA:
• Verifies the identity of the certificate requestor
• Issues certificates to users, computers, and services
• Manages certificate revocation
• A root CA issues a self-signed certificate for itself
Public vs. Private CAs
• External public CAs:
  • Are trusted by many external clients, such as web browsers and operating systems
  • Are slower compared to internal CAs
  • Have higher cost
• Internal private CAs:
  • Require greater administration than external public CAs
  • Cost less than external public CAs and provide greater control over certificate management
  • Are not trusted by external clients by default
  • Offer advantages such as customized templates and autoenrollment
Stand-alone vs. Enterprise CAs
Standalone CAs:
• Must be used if any CA (root/intermediate/policy) is offline, because a standalone CA is not joined to an AD DS domain
• Users must provide identifying information and specify the type of certificate
• Do not support certificate templates
• All certificate requests are kept pending until administrator approval
Enterprise CAs:
• Require the use of AD DS and store information in AD DS
• Publish user certificates and CRLs to AD DS
• Issue certificates based on a certificate template
• Support autoenrollment for issuing certificates
• Can use Group Policy to propagate certificates to the trusted root CA certificate store
Options for Implementing CA Hierarchies
• Two-Tier Hierarchy: a root CA with one or more issuing CAs directly beneath it
• Policy CA Usage: a root CA, policy CAs beneath it, and issuing CAs beneath each policy CA
• Cross-Certification Trust: two separate hierarchies (each with its own root CA, policy CA, and issuing CAs) linked by cross-certification
Considerations for Deploying a Root CA
• Computer name and domain membership cannot change
• When you plan private key configuration, consider the following:
  • CSP
  • Key character length with a default of 2,048
  • The hash algorithm that is used to sign certificates issued by a CA
• When you plan a root CA, consider the following:
  • Name and configuration
  • Certificate database and log location
  • Validity period
Considerations for Deploying a Subordinate CA
Reasons for deploying subordinate CAs beneath a root CA include:
• Certificate uses: separate subordinate CAs for certificate purposes such as EFS, S/MIME, and RAS
• Load balancing: multiple subordinate CAs under the same root
• Locations: subordinate CAs for geographic locations such as India, Canada, and USA
• Organizational divisions: subordinate CAs for groups such as employees, contractors, and partners
How to Use the CAPolicy.inf File for Installing a CA
• The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA
• The CAPolicy.inf file defines the following:
  • Certification practice statement
  • Object identifier
  • CRL publication intervals
  • CA renewal settings
  • Key size
  • Certificate validity period
  • CDP and AIA paths
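The CAPolicy.inf layout the slide describes, written out by a PowerShell script (an added example, not course material): it places the file in %Windir% before the CA role is installed. The CPS URL, pki.adatum.com, the policy OID and the interval values are placeholders to replace with your own.

```powershell
# Added example: writes a CAPolicy.inf for a root CA before Install-AdcsCertificationAuthority runs.
# Assumptions: pki.adatum.com, the CPS URL and the OID below are placeholders, not real values.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
; Certification practice statement: placeholder OID, replace with one from your registered arc
OID=1.3.6.1.4.1.99999.1.1
Notice="Certification Practice Statement for the A. Datum internal PKI"
URL=http://pki.adatum.com/cps.html

[Certsrv_Server]
; CA renewal settings: key size and validity period applied when the CA certificate is renewed
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; CRL publication intervals: a long base CRL and no delta CRL suits an offline root
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; CDP and AIA paths: a root certificate is trusted directly, so both extensions stay empty
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The file is read only during role installation (or CA certificate renewal) and must sit in %Windir%
$path = Join-Path $env:windir 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding ASCII

# Review the file before installing the CA; a mistyped key silently falls back to the default value
Get-Content -Path $path
```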
Demonstration: Deploying an Enterprise Root CA
In this demonstration, your instructor will show you how to deploy the enterprise root CA
Lesson 2: Administering CAs
• Managing CA Hierarchy
• Configuring CA Administration and Security
• Configuring CA Policy and Exit Modules
• Configuring CRL Distribution Points and AIA Locations
• Demonstration: Configuring CA Properties
Managing CA Hierarchy
• For managing CA hierarchy, you can use:
  • CA Management console
  • Windows PowerShell
  • Certutil command-line utility
• Certutil provides an interface for advanced CA and PKI configuration and management
• PKI options are manageable through Group Policy, if you use the following:
  • Credential roaming
  • Autoenrollment of certificates
  • Certificate path validation
  • Certificate distribution
Configuring CA Administration and Security
• You can establish role-based administration for CA hierarchy by defining the following roles:
  • CA Administrator
  • Certificate Manager
  • Backup Operator
  • Auditor
  • Enrollees
• You can assign the following permissions on the CA level:
  • Read
  • Issue and Manage Certificates
  • Manage CA
  • Request Certificates
• Certificate Managers can be restricted to a template
Configuring CA Policy and Exit Modules
• The policy module determines the action that is performed after the certificate request is received
• The exit module determines what happens with a certificate after it is issued
• Each CA is configured with default policy and exit modules
• FIM 2010 Certificate Management deploys custom policy and exit modules
• The exit module can send email or publish a certificate to a file system
• You have to use certutil to specify these settings, as they are not available in the CA administrator console
Configuring CRL Distribution Points and AIA Locations
• The AIA specifies where to retrieve the CA's certificate
• The CDP specifies from where the CRL for a CA can be retrieved
• Publication locations for AIA and CDP:
  • AD DS
  • Web servers
  • File Transfer Protocol (FTP) servers
  • File servers
• Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs
• Ensure that the CRL for an offline root CA does not expire
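Scripting the CDP and AIA locations on an issuing CA, plus the offline-root CRL check the last bullet calls for, as an added example that is not course material; it uses the ADCSAdministration cmdlets and certutil. The host pki.adatum.com and the CRL file path are placeholders.

```powershell
# Added example: sets CDP/AIA publication locations and checks a CRL's NextUpdate.
# Assumptions: http://pki.adatum.com/pki/ and C:\pki\AdatumRootCA.crl are placeholders.
Import-Module ADCSAdministration

# Drop the default http://<server>/CertEnroll entries; clients should not depend on the CA's own host name
Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# CDP: the HTTP URL goes into issued certificates (%3 = CA name, %8 = CRL suffix, %9 = delta marker);
# the default LDAP entry left in place above still publishes the CRL to AD DS
Add-CACrlDistributionPoint -Uri 'http://pki.adatum.com/pki/%3%8%9.crl' -AddToCertificateCdp -AddToFreshestCrl -Force
# AIA: where clients download this CA's certificate to build the chain (%1 = server DNS name, %4 = cert name)
Add-CAAuthorityInformationAccess -Uri 'http://pki.adatum.com/pki/%1_%3%4.crt' -AddToCertificateAia -Force

# Base CRL lifetime; the new URLs and period take effect after the service restarts
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service certsvc
certutil -crl        # publish a fresh CRL to every location that has PublishToServer set

# Offline root: its CRL is published by hand, so warn before NextUpdate passes
function Test-CrlNotExpiring {
    param([string]$CrlPath, [int]$WarnDays = 14)
    $line = certutil -dump $CrlPath | Where-Object { $_ -match 'Next\s*Update:' } | Select-Object -First 1
    if (-not ($line -match 'Next\s*Update:\s*(.+)$')) { throw "No NextUpdate field in $CrlPath" }
    $nextUpdate = [datetime]$Matches[1].Trim()
    $daysLeft = ($nextUpdate - (Get-Date)).TotalDays
    [pscustomobject]@{ CrlPath = $CrlPath; NextUpdate = $nextUpdate
                       DaysLeft = [math]::Round($daysLeft, 1); Ok = ($daysLeft -gt $WarnDays) }
}
Test-CrlNotExpiring -CrlPath 'C:\pki\AdatumRootCA.crl'
```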
Demonstration: Configuring CA Properties
In this demonstration, you will see how to configure CA properties
Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs
• Troubleshooting CAs
• Renewing a CA Certificate
• Moving a Root CA to Another Computer
• Monitoring and Maintaining CA Hierarchy
Troubleshooting CAs
• Tools for managing CAs:
• Certificates snap-in
• PKIView tool
• CA snap-in
• Certutil.exe
• Certificate Templates snap-in
• AD CS common issues:
• Client autoenrollment issues
• Unavailable enterprise CA option
• Error accessing CA web pages
• Enrollment agent restriction
Renewing a CA Certificate
• The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date
• The CA will never issue a certificate that has a longer validity time than its own certificate
• Considerations for renewing a root CA certificate:
  • Key length
  • Validity period
• Considerations for renewing a certificate for an issuing CA:
  • New key pair
  • Smaller CRLs
• Procedure for CA certificate renewal
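A way to check how much lifetime the CA certificate has left and to run the renewal the slide refers to, as an added example that is not part of the course. The key length and validity period of the renewed certificate come from the RenewalKeyLength and RenewalValidityPeriod settings in CAPolicy.inf; the C:\pki path is a placeholder.

```powershell
# Added example: report remaining CA certificate lifetime, then renew with or without a new key.
# Assumption: C:\pki\ is a placeholder folder for the exported root certificate.
function Get-CaCertificateLifetime {
    param([int]$WarnDays = 365)
    $file = Join-Path $env:TEMP 'ca-current.cer'
    certutil -ca.cert $file | Out-Null       # exports the CA's own current certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $daysLeft = ($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter
                       DaysLeft = [math]::Round($daysLeft); RenewSoon = ($daysLeft -lt $WarnDays) }
}
Get-CaCertificateLifetime

# Issuing CA: renew with a new key pair, which starts a new CRL and keeps CRLs small.
# Root CA whose key length is still adequate: keep the key and only extend the validity period.
$reuseKeys = $false
if ($reuseKeys) {
    certutil -renewCert ReuseKeys
} else {
    # On an enterprise subordinate CA the request goes to the parent CA; an offline parent gets a .req file to sign
    certutil -renewCert
}

# After a root renewal, publish the new root certificate to AD DS so Group Policy distributes it
certutil -ca.cert C:\pki\AdatumRootCA-renewed.cer
certutil -dspublish -f C:\pki\AdatumRootCA-renewed.cer RootCA
```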
Moving a Root CA to Another Computer
To move a CA from one computer to another, you have to perform backup and restore:
• To back up a computer, follow this procedure:
  1. Record the names of the certificate templates
  2. Back up a CA in the CA admin console
  3. Export the registry subkey
  4. Uninstall the CA role
  5. Confirm the %Systemroot% folder locations
  6. Remove the old CA from the domain
• To restore, follow this procedure:
  1. Install AD CS
  2. Use the existing private key
  3. Restore the registry file
  4. Restore the CA database and settings
  5. Restore the certificate templates
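The scriptable steps of the backup and restore procedure above, as an added example that is not course material. It assumes C:\CABackup as a placeholder backup folder, an enterprise root CA, and a new server that already has the same computer name and domain membership as the old one.

```powershell
# Added example: the backup half (old server) and restore half (new server) of the move.
# Assumptions: C:\CABackup is a placeholder folder, the CA is an enterprise root, and the new
# server already carries the same computer name and domain membership as the old one.
Import-Module ADCSAdministration
$backupDir = 'C:\CABackup'
$keyPassword = Read-Host -AsSecureString 'Password to protect the exported CA private key'

# --- Old server: steps 1 to 3 ---
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
# 1. Record the certificate template names (certutil prints "Name: Display Name -- status")
certutil -catemplates | Where-Object { $_ -match '^(\S+):' -and $_ -notmatch '^CertUtil' } |
    ForEach-Object { ($_ -split ':')[0].Trim() } | Set-Content (Join-Path $backupDir 'templates.txt')
# 2. Back up the CA: private key and certificate (<CAName>.p12) plus the database (DataBase\)
Backup-CARoleService -Path $backupDir -Password $keyPassword -Force
# 3. Export the registry subkey that holds the CA settings
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $backupDir 'CertSvc.reg') /y
# Steps 4 to 6 (uninstall the role, confirm the %Systemroot% locations, remove the old computer) stay manual

# --- New server: steps 1 to 5 ---
Import-Module ADCSDeployment
$p12 = Get-ChildItem $backupDir -Filter '*.p12' | Select-Object -First 1
# 1 and 2. Install AD CS using the existing private key and certificate from the backup
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile $p12.FullName -CertFilePassword $keyPassword -Force
# 3. Restore the registry file with the service stopped
Stop-Service certsvc
reg import (Join-Path $backupDir 'CertSvc.reg')
# 4. Restore the CA database and settings
Restore-CARoleService -Path $backupDir -Password $keyPassword -DatabaseOnly -Force
Start-Service certsvc
# 5. Re-enable the recorded certificate templates on the restored CA
Get-Content (Join-Path $backupDir 'templates.txt') | ForEach-Object { certutil -SetCATemplates "+$_" }
```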
Monitoring and Maintaining CA Hierarchy
• For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing
• With PKIView, you can:
  • Access and manage AD DS PKI-related containers
  • Monitor CAs and their health state
  • Check the status of CA certificates
  • Check the status of AIA locations
  • Check the status of CRLs
  • Check the status of CRL distribution points
  • Evaluate the state of the online responder
• CA auditing provides logging for various events that happen on the CA
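Enforcing the role separation from the "Configuring CA Administration and Security" slide and turning on the CA auditing this slide mentions, then reading back the events an Auditor would review, as an added example that is not course material. The event IDs are the standard Certification Services security audit events; the lookback window is an assumption.

```powershell
# Added example: enforce CA role separation, enable CA auditing, and list recent CA audit events.
# Enforce role separation: one account cannot hold both CA Administrator and Certificate Manager
certutil -setreg CA\RoleSeparationEnabled 1

# AuditFilter 127 turns on all seven CA audit categories (start/stop, backup/restore, requests,
# revocation and CRLs, security settings, archived keys, configuration); the Security log must
# also be set to collect the Certification Services subcategory
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Restart-Service certsvc

# Pull the CA audit events that show who issued, denied, or reconfigured what
function Get-CaAuditEvents {
    param([int]$Hours = 24)
    $ids = @{
        4882 = 'Security permissions for the CA changed'
        4885 = 'Audit filter for the CA changed'
        4886 = 'Certificate request received'
        4887 = 'Certificate request approved and certificate issued'
        4888 = 'Certificate request denied'
        4890 = 'Certificate manager settings for the CA changed'
    }
    $filter = @{ LogName = 'Security'; Id = [int[]]$ids.Keys; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Meaning'; e = { $ids[$_.Id] } },
            @{ n = 'Account'; e = { $_.Properties[1].Value } }   # SubjectUserName field of these events
}
Get-CaAuditEvents -Hours 24 | Format-Table -AutoSize
```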
Lab: Deploying and Configuring a Two-Tier CA Hierarchy
• Exercise 1: Deploying an Offline Root CA
• Exercise 2: Deploying an Enterprise Subordinate CA
Logon Information
Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1
User name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 60 minutes
Lab Scenario
As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.
As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.
Lab Review
• Why is it not recommended to install only an enterprise root CA?
• What are some reasons that an organization would use an enterprise root CA?
Module Review and Takeaways
• Review Questions
• Tools
• Best Practice
• Common Issues and Troubleshooting Tips