Creating and Managing Digital Certificates Chapter Eleven.
Exam Objectives in this Chapter:
Configure Active Directory directory service for certificate publication.
Plan a public key infrastructure (PKI) that uses Certificate Services.
Identify the appropriate type of certificate authority to support certificate issuance requirements.
Plan the enrollment and distribution of certificates.
Plan for the use of smart cards for authentication.
Lessons in this Chapter: Introducing Certificates; Designing a Public Key Infrastructure; Managing Certificates
Certificates
To provide this protection, Windows Server 2003 includes the components needed to create a PKI.
We need to understand: secret key encryption; the contents of a certificate; the function of a certification authority.
The Public Key Infrastructure
A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys, using digital certificates.
Understanding Secret Key Encryption
Encryption is essentially a system in which one character is substituted for another. If you create a key specifying that the letter A should be replaced by Q, the letter B by O, the letter C by T, and so forth, any message you encode using that key can be decoded by anyone else who has that key.
This is called secret key encryption, because you must protect the key from compromise.
Public Key Encryption
For encryption on a data network to be both possible and practical, computers typically use a form of public key encryption.
In public key encryption, every user has two keys, a public key and a private key.
Note: It is usually not practical to encrypt an
entire message for the purpose of digitally signing it.
Instead, most PKI systems create a hash from the message and then encrypt the hash using the private key.
A hash is a digital summary of the message created by removing redundant bits according to a specialized hashing algorithm.
Using Certificates
To distribute public keys, Windows Server 2003 and most other systems supporting a PKI use digital certificates.
A digital certificate is a document that verifiably associates a public key with a particular person or organization.
A digital certificate contains: the public key for a particular entity; information about the entity; information about the certification authority (CA) that issued the certificate.
X.509, "The Directory: Public-key and Attribute Certificate Frameworks," defines the format of the certificates used by most PKI systems, including Windows Server 2003.
Every digital certificate contains these attributes: Version; Serial number; Signature algorithm identifier; Issuer name; Validity period; Subject name.
Using Public Key Encryption
To use public key encryption, you must obtain a certificate from an administrative entity called a certification authority (CA). A CA can be a third-party company that is trusted to verify the identities of all parties involved in a digital transaction, or it can be a piece of software on a computer running Windows Server 2003 or another operating system.
Obtaining a certificate from a CA
There are two ways to obtain a certificate: manual or automatic.
The CA issues a public key and a private key as a matched pair. The private key is stored on the user's computer in encrypted form, and the public key is issued as part of a certificate.
Using Internal and External CAs
For a certificate to be useful in securing a digital transaction, it must be issued by an authority that both parties to the transaction trust to verify each other's identities.
If you want to ensure that internal communications in your organization are secure, you would be best served by installing your own CAs.
For securing external transactions, the best practice is to obtain certificates from a neutral third-party organization that functions as a commercial certification authority.
Understanding PKI Functions
Network administrators can perform the following tasks: publish certificates; enroll clients; use certificates; renew certificates; revoke certificates.
Practice: Viewing a Certificate (page 11-7)
Designing a Public Key Infrastructure
Defining Certificate Requirements: digital signatures; Encrypting File System user and recovery certificates; Internet authentication; IP Security; secure e-mail; smart card logon; software code signing; wireless network authentication.
Creating a CA Infrastructure
If you trust a particular root CA, you should also trust any lower-level CAs that are authenticated and validated by that root CA.
Trusts between CAs flow downward through the hierarchy, just as file system permissions do.
Figure: CA hierarchy; trust flows from the Root CA to the Intermediate CA, and from there to the Issuing CAs.
Using Internal or External CAs
The choice depends on the needs and capabilities of your organization. The advantages and disadvantages of using internal and external CAs are summarized in Table 11-2.
Use internal CAs to secure internal communications, and use external CAs when you must secure communications with outside parties, such as customers.
How Many CAs?
A single CA running on Windows Server 2003 can support as many as 35 million certificates, issuing two million or more a day.
Factors that affect the performance of a CA, and therefore how many CAs you need: number and speed of processors; key length; disk performance.
Creating a CA Hierarchy
Root CAs are the only CAs that do not have a certificate issued by a higher authority.
A root CA issues its own self-signed certificate, which functions as the top of the certificate chain for all the certificates issued by all the CAs subordinate to the root.
Creating a CA Hierarchy (cont.): Subordinate CAs
Every CA in a PKI is either a root CA or a subordinate CA. A root CA is the parent that issues certificates to the subordinate CAs beneath it.
If a client trusts the root CA, it must also trust all the subordinate CAs that have been issued certificates by the root CA.
Creating a CA Hierarchy (cont.)
Subordinate CAs can also issue certificates to other subordinate CAs. Every certificate issued by every CA in the hierarchy can trace its trust relationships back to a root CA.
This hierarchy of relationships is called a certificate chain.
Understanding Windows Server 2003 CA Types: Enterprise
Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically.
Understanding Windows Server 2003 CA Types (cont.): Stand-alone
Stand-alone CAs do not use certificate templates or Active Directory; they store their information locally.
By default, stand-alone CAs do not automatically respond to certificate enrollment requests, as enterprise CAs do.
Requests wait in a queue for an administrator to manually approve or deny them.
Stand-alone CAs are intended for situations in which users outside the enterprise submit requests for certificates.
Smart Card Certificates
If you plan to use smart cards to authenticate users on your network, you must create enterprise CAs.
Exam Tip: Be sure to understand the differences between enterprise root CAs, enterprise subordinate CAs, stand-alone root CAs, and stand-alone subordinate CAs.
Configuring Certificates
Criteria to consider when planning certificate configurations are as follows: certificate type; encryption key length and algorithm; certificate lifetime; renewal policies.
Installing Certificate Services
Add/Remove Programs
Components for Certificate Services
Choose the CA type
Information
Location of the certificate logs
Certificate Services will now install
Must have IIS installed
Practice: Installing a Windows Server 2003 Certification Authority (page 11-16)
Managing Certificates
Understanding Certificate Enrollment and Renewal
The actual process by which CAs issue certificates to clients varies, depending on the types of CAs you have installed.
If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request.
Exam Tip: Be sure to understand the circumstances in which clients use auto-enrollment and manual enrollment, and to be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.
Using Auto-Enrollment
Auto-enrollment enables clients to automatically request and receive certificates from a CA with no manual intervention from administrators.
To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional.
You control the auto-enrollment process using a combination of group policy settings and certificate templates.
Figure: Auto-Enrollment settings in a GPO.
Using Manual Enrollment
Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate.
Manually Requesting Certificates Using the Certificates Snap-in
Manually Requesting Certificates Using Web Enrollment
To function properly, this module requires you to have IIS installed on the computer first, along with support for ASP.
The Web Enrollment Support interface is intended to give internal or external network users access to stand-alone CAs.
Revoking Certificates
If a private key is compromised, an unauthorized user has gained access to the CA, or you want to issue a certificate using different parameters, such as longer keys, you must revoke the certificates that are no longer usable.
By selecting the Revoked Certificates folder in the Certification Authority console and then displaying its Properties dialog box, you can specify how often the CA should publish a new CRL, and also configure the CA to publish delta CRLs.
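The chain-of-trust rule from the CA hierarchy slides (every certificate traces back to a trusted root) and the revocation rule above, as an added Python example that is not part of this chapter. The Certificate record, the Contoso names and the dates are constructed stand-ins for a few X.509 fields, and a set of (issuer, serial) pairs stands in for the issuers' CRLs.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for a few X.509 fields (serial, subject, issuer, validity)."""
    serial: int
    subject: str
    issuer: str
    not_before: date
    not_after: date
    is_ca: bool = False

def build_chain(leaf, store):
    """Follow issuer names upward until a self-signed (root) certificate is reached.
    Returns the list leaf..root, or None if the chain is broken or loops."""
    by_subject = {c.subject: c for c in store}
    chain, cur = [leaf], leaf
    while cur.subject != cur.issuer:           # self-signed == root CA
        parent = by_subject.get(cur.issuer)
        if parent is None or parent in chain:  # missing issuer or a cycle
            return None
        chain.append(parent)
        cur = parent
    return chain

def validate(leaf, store, trusted_roots, revoked, today):
    """Return (ok, reason). trusted_roots: subject names of roots the client trusts;
    revoked: set of (issuer, serial) pairs standing in for the issuers' CRLs."""
    chain = build_chain(leaf, store)
    if chain is None:
        return False, "cannot trace the certificate back to a root CA"
    if chain[-1].subject not in trusted_roots:
        return False, f"root {chain[-1].subject!r} is not a trusted root CA"
    for cert in chain:
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject!r} is outside its validity period"
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject!r} (serial {cert.serial}) has been revoked"
    if not all(c.is_ca for c in chain[1:]):
        return False, "an issuer in the chain is not a CA certificate"
    return True, "chain verified"

# Constructed sample hierarchy: root CA -> issuing (subordinate) CA -> user certificate.
ROOT = Certificate(1, "Contoso Root CA", "Contoso Root CA", date(2003, 1, 1), date(2023, 1, 1), True)
ISSUING = Certificate(2, "Contoso Issuing CA", "Contoso Root CA", date(2003, 1, 1), date(2013, 1, 1), True)
USER = Certificate(3, "alice@contoso.example", "Contoso Issuing CA", date(2005, 1, 1), date(2006, 1, 1))
STORE = [ROOT, ISSUING, USER]
```

Calling validate(USER, STORE, {"Contoso Root CA"}, set(), date(2005, 6, 1)) verifies the chain; adding ("Contoso Issuing CA", 3) to the revoked set, dropping the root from the trusted set, or checking on a date after 2006 each makes it fail with the corresponding reason.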
Practice: Requesting a Certificate
Exercise 1: Requesting a Certificate; Exercise 2: Issuing a Certificate (page 11-26)
Exercise 3: Retrieving a Certificate; Exercise 4: Viewing a Certificate (page 11-27)
Summary
Case Scenario Exercise (page 11-29)
Troubleshooting Lab (page 11-30)
Exam Highlights: Key Points; Key Terms (page 11-32)