200 likes | 321 Vues
CN1276 Server. Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+. Agenda. Chapter 13: Configuring Active Directory Certificate Services Exercise Lab Quiz. Public Key Infrastructure.
E N D
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Agenda • Chapter 13: Configuring Active Directory Certificate Services • Exercise • Lab • Quiz
Public Key Infrastructure • Allow two parties to communicate securely, without any previous communication, through the use of public key cryptography • Public key cryptography stores a public key for each participant in a PKI • Each participant also possesses a private key • By combining the public key with private key, one entity can communicate with another entity in a secure fashion without exchanging any sort of shared secret key beforehand • A shared secret key is a secret piece of information that is shared between two parties
Shared Secret Key http://en.wikipedia.org/wiki/Public_key
Certificate Authority (CA) • An entity that issues and manages digital certificates for use in a PKI • For Server 2008, it requires AD CS server role • CAs are hierarchical (One root and several subordinate CAs) • Three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers
Digital Certificate (certificate) • The digital certificate contains • The certificate holder’s name • Public key • The digital signature of the Certificate Authority that issued the certificate • The certificate’s expiration date
Digital Signature • Proves the identity of the entity that has signed a particular document • A digital signature indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox
Certificate Practice Statement and Certificate Revocation List • Certificate Practice Statement (CPS) • Provides a detailed explanation of how a particular CA manages certificates and keys • Certificate Revocation List (CRL) • This list identifies certificates that have been revoked or terminated, corresponding user, computer, or service • Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date
Certificate Templates • Templates used by a CA to simplify the administration and issuance of digital certificates
Self-Enrollment and Enrollment Agents • Self-Enrollment • This feature enables users to request their own PKI certificates, typically through a Web browser • Enrollment agents • These are used to request certificates on behalf of a user, computer, or service • You can use either self-enrollment or enrollment agents
Auto-Enrollment • Supported by Windows Server 2003 and later • Allows users and computers to automatically enroll for certificates based on: • One or more certificate templates • Group Policy settings in Active Directory • Certificate templates that are based on Windows 2000 will not allow auto-enrollment to maintain backwards compatibility
Recovery Agent • These agents are configured within a CA to allow users to recover private keys for users, computers, or services if their keys are lost
Key Archival • This is the process by which private keys are maintained by the CA for retrieval by a recovery agent • In a Windows PKI implementation, users’ private keys can be stored within AD
Windows Server 2008 and Certificate Services • The AD CS server role consists of the following services and features: • Web enrollment • Online Responder • Responds the requests from clients about the certificate status • Online Certificate Status Protocol (OCSP) • Network Device Enrollment Service (NDES) • To enroll the hardware-based routers and other network device for PKI certificates
Types of CAs • When deploying a Windows-based PKI, two different types of CAs can be deployed: • Standalone CA • Not integrated with AD • It requires administrator intervention to respond to certificate requests • Enterprise CA • Integrated with AD • Can use certificate templates
Configuring Certificate Auto-enrollment for Wireless Networks • You can control PKI in Public Key Policies area in the group policy • Encrypting File System (EFS) • Recovery agents (In computer configuration node) • Automatic Certificate Request • All computers to automatically submit a request for a certificate from an Enterprise CA
Configuring Certificate Auto-enrollment for Wireless Networks • You can control PKI in Public Key Policies area in the group policy • Trusted Root Certificate Authorities • It determines if uses can choose to trust root CAs • Enterprise Trust • Allows an administrator to define and distribute a CTL for external root CAs • Certificate Services Client-Auto-Enrollment • Allows an administrator to enable or disable the automatic enrollment • Use auto-enrollment to write certificate information to the smart card through GPO
Infrastructure components for Auto-Enrollment of PKI • Clients must be running XP, Vista Business or Ent., Server 2003, Server 2008 • Enterprise CA running on Server 2003 or 2008
Extra materials • http://networklore.com/components-of-pki/
Assignment • Fill in the blank • 1-10 • Multiple Choice • 1-10 • Online Lab 13