Microsoft® Official Course

Module 7

Deploying and Managing Active Directory Certificate

Services

Module Overview

Deploying CAsAdministering CAs•Troubleshooting, Maintaining, and Monitoring CAs

Lesson 1: Deploying CAs

AD CS in Windows Server 2012What Is Certification Authority?Public vs. Private CAsStand-alone vs. Enterprise CAsOptions for Implementing CA HierarchiesConsiderations for Deploying a Root CAConsiderations for Deploying a Subordinate CAHow to Use the CAPolicy.inf File for Installing a CA•Demonstration: Deploying an Enterprise Root CA

AD CS in Windows Server 2012

CA

Online Responder

Network Device Enrollment Service

CA Web Enrollment

Certificate Enrollment Web ServiceCertificate Enrollment Policy Web Service

Firewall

Enrollment

Linux

ProxyWindows 7

or new

er

PolicyWindows 7

or new

er

What Is Certification Authority?

CA

Root CA issues a self-

signed certificate for

itself

Verifies the identity of the

certificate requestor

Manages certificate revocation

Issues certificates to

users, computers, and

services

Firewall

Public vs. Private CAs

•External public CAs:• Are trusted by many external clients, such as web browsers, operating systems • Are slower compared to internal CAs• Have higher cost

• Internal private CAs:• Require greater administration than external public CAs• Cost less than external public CAs and provide greater control over certificate management• Are not trusted by external clients by default• Offer advantages such as customized templates and autoenrollment

Stand-alone vs. Enterprise CAs

Standalone CAs Enterprise CAsMust be used if any CA (root/intermediate/policy) is offline because a standalone CA is not joined to an AD DS domain

Requires the use of AD DS and stores information in AD DSCan use Group Policy to propagate certificates to the trusted root CA certificate store

Users must provide identifying information and specify the type of certificate

Publishes user certificates and CRLs to AD DS

Does not support certificate templates

Issues certificates based on a certificate template

All certificate requests are kept pending until administrator approval

Supports autoenrollment for issuing certificates

Options for Implementing CA Hierarchies

Root CA

Policy CAs

Issuing CA

Issuing CA

Issuing CA

Root CA

Issuing CAs

Root CA

Policy CA

Root CA

Policy CA

Issuing CAIssuing CA

Issuing CA

Issuing CA

Issuing CA Issuing CA

Policy CA Usage

Two-Tier Hierarchy

Cross-Certification Trust

Considerations for Deploying a Root CA

• Computer name and domain membership cannot change

• When you plan private key configuration, consider the following:• CSP• Key character length with a default of 2,048• The hash algorithm that is used to sign

certificates issued by a CA

• When you plan a root CA, consider the following:• Name and configuration• Certificate database and log location• Validity period

Considerations for Deploying a Subordinate CA

Root

Subordinate

RASEFSS/MIMECertificate Uses

Root

Subordinate

Load Balancing

India Canada USA

Root

Subordinate

Locations

Root

Subordinate

Employee Contractor

PartnerOrganizational Divisions

How to Use the CAPolicy.inf File for Installing a CA•The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA

•The CAPolicy.inf file defines the following:• Certification practice statement• Object identifier• CRL publication intervals• CA renewal settings• Key size• Certificate validity period• CDP and AIA paths

Demonstration: Deploying an Enterprise Root CAIn this demonstration, your instructor will show you how to deploy the enterprise root CA

Lesson 2: Administering CAs

Managing CA HierarchyConfiguring CA Administration and SecurityConfiguring CA Policy and Exit ModulesConfiguring CRL Distribution Points and AIA Locations•Demonstration: Configuring CA Properties

Managing CA Hierarchy• For managing CA hierarchy, you can use:• CA Management console• Windows PowerShell • Certutil command-line utility

•Certutil provides an interface for advanced CA and PKI configuration and management•PKI options are manageable through Group Policy, if you use the following:• Credential roaming• Autoenrollment of certificates• Certificate path validation• Certificate distribution

Configuring CA Administration and Security

• You can establish role-based administration for CA hierarchy by defining the following roles:• CA Administrator• Certificate Manager• Backup Operator• Auditor• Enrollees

• You can assign the following permissions on the CA level:• Read• Issue and Manage Certificates• Manage CA• Request Certificates

• Certificate Managers can be restricted to a template

Configuring CA Policy and Exit Modules• The policy module determines the action that is performed after the certificate request is received• The exit module determines what happens with a certificate after it is issued• Each CA is configured with default policy and exit modules• The FIM 2010 Certification Management deploys custom policy and exit modules• The exit module can send email or publish a certificate to a file system• You have to use certutil to specify these settings, as they are not available in the CA the administrator console

Configuring CRL Distribution Points and AIA Locations•The AIA specifies where to retrieve the CA's certificate•The CDP specifies from where the CRL for a CA can be retrieved•Publication locations for AIA and CDP:• AD DS• Web servers• File Transfer Protocol FTP servers• File servers

•Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs•Ensure that the CRL for an offline root CA does not expire

Demonstration: Configuring CA Properties

In this demonstration, you will see how to configure CA properties

Lesson 3: Troubleshooting, Maintaining, and Monitoring CAsTroubleshooting CAsRenewing a CA CertificateMoving a Root CA to Another Computer•Monitoring and Maintaining CA Hierarchy

Troubleshooting CAs

•Tools for managing CAs:• Certificates snap-in• PKIView tool• CA snap-in• Certutil.exe• Certificate Templates snap-in

•AD CS common issues:• Client autoenrollment issues• Unavailable enterprise CA option• Error accessing CA web pages• Enrollment agent restriction

Renewing a CA Certificate

• The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date• The CA will never issue a certificate that has a longer validity time than its own certificate• Considerations for renewing a root CA certificate:• Key length• Validity period

• Considerations for renewing a certificate for an issuing CA:• New key pair• Smaller CRLs

• Procedure for CA certificate renewal

Moving a Root CA to Another ComputerTo move a CA from one computer to another, you have to perform backup and restore:• To back up a computer, follow this procedure:

1. Record the names of the certificate templates2. Back up a CA in the CA admin console3. Export the registry subkey4. Uninstall the CA role 5. Confirm the %Systemroot% folder locations6. Remove the old CA from the domain

• To restore, follow this procedure:1. Install AD CS2. Use the existing private key3. Restore the registry file 4. Restore the CA database and settings5. Restore the certificate templates

Monitoring and Maintaining CA Hierarchy

• For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing•With the PKIView, you can:• Access and manage AD DS PKI-related containers • Monitor CAs and their health state• Check the status of CA certificates• Check the status of AIA locations• Check the status of CRLs• Check the status of CRL distribution points• Evaluate the state of the online responder

•CA auditing provides logging for various events that happen on the CA

Lab: Deploying and Configuring a Two-Tier CA HierarchyExercise 1: Deploying an Offline Root CA•Exercise 2: Deploying an Enterprise Subordinate CA

Logon InformationVirtual machines: 10969A-LON-DC1,

10969A-LON-SVR1,10969A-CA-SVR1

User name: Adatum\AdministratorPassword: Pa$$w0rd

Estimated Time: 60 minutes

Lab Scenario

As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

Lab Review

Why is it not recommended to install only an enterprise root CA?•What are some reasons that an organization would use an Enterprise root CA?

Module Review and Takeaways

Review QuestionsToolsBest Practice•Common Issues and Troubleshooting Tips