
CN1276 Server

CN1276 Server. Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+. Agenda. Chapter 13: Configuring Active Directory Certificate Services Exercise Lab Quiz. Public Key Infrastructure.



Presentation Transcript


  1. CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

  2. Agenda • Chapter 13: Configuring Active Directory Certificate Services • Exercise • Lab • Quiz

  3. Public Key Infrastructure • Allows two parties to communicate securely, with no prior contact, through the use of public key cryptography • Each participant in a PKI has a key pair: a public key that is published to everyone and a private key that is never shared • Data encrypted with one key of the pair can only be decrypted with the other, so one entity can communicate securely with another without exchanging any shared secret key beforehand • A shared secret key is a secret piece of information known to both parties; in a PKI the only secret is each participant's private key, and the matching public key is bound to the participant's name by a certificate

  4. Shared Secret Key http://en.wikipedia.org/wiki/Public_key

  5. Certificate Authority (CA) • An entity that issues and manages digital certificates for use in a PKI • On Windows Server 2008 a CA is installed through the Active Directory Certificate Services (AD CS) server role • CAs are hierarchical: one root CA, whose self-signed certificate is the trust anchor, and one or more subordinate CAs whose certificates the root signs • In a three-tier hierarchy a single root CA issues certificates only to a number of intermediate (policy) CAs, which in turn issue certificates to the issuing CAs that serve users and computers; the root can then be kept offline, since it is needed only to renew the intermediates and publish its CRL

  6. Digital Certificate (certificate) • The digital certificate contains • The certificate holder’s name (the subject) • The holder's public key • The digital signature of the Certificate Authority that issued the certificate, which binds the name and the public key together • The certificate’s validity period, including its expiration date

  7. Digital Signature • Proves that the signer holds the private key matching a given public key and so, through the signer's certificate, proves the identity of the entity that signed a particular document • A digital signature is computed with the sender's private key over a hash of the message and checked with the sender's public key; a signature that verifies indicates that the message is authentic and has not been tampered with since it left the sender’s Outbox

  8. Certificate Practice Statement and Certificate Revocation List • Certificate Practice Statement (CPS) • Provides a detailed explanation of how a particular CA manages certificates and keys • Certificate Revocation List (CRL) • A list, signed by the CA, of certificates that have been revoked before their expiration date, for example because the private key of the corresponding user, computer, or service was compromised or the account was terminated • Services that rely on PKI should check the CRL (or an OCSP responder) to confirm that a certificate has not been revoked prior to its expiration date; a check that cannot reach the CRL must be treated as a failure, not as "not revoked"
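  The following PowerShell is an added example, not part of the original slides: it dumps the fields listed on slide 6 from a certificate file and then validates the CA signatures up the chain with a live revocation check, as slides 7 and 8 describe. It assumes Windows PowerShell on a domain-joined host; the certificate path is a hypothetical .cer file exported from any CA.

```powershell
# Added example (not from the slides): inspect a certificate and validate its chain
# with an online CRL/OCSP revocation check. The path below is a hypothetical placeholder.
param(
    [string] $CertPath = 'C:\temp\web01.cer'   # hypothetical path to a DER or Base64 .cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Slide 6: what the certificate carries
[pscustomobject]@{
    Subject    = $cert.Subject                      # certificate holder's name
    Issuer     = $cert.Issuer                       # CA that signed it
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter                     # expiration date
    PublicKey  = $cert.PublicKey.Oid.FriendlyName   # algorithm of the embedded public key
    SigAlg     = $cert.SignatureAlgorithm.FriendlyName
    Thumbprint = $cert.Thumbprint
} | Format-List

# Slides 7-8: verify the CA signatures up to a trusted root AND ask each CA whether
# the certificate has been revoked, using the CRL or OCSP URL the certificate advertises.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$ok = $chain.Build($cert)

"Chain ({0} elements, leaf first):" -f $chain.ChainElements.Count
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

if ($ok) {
    'Result: trusted and not revoked'
} else {
    # Fail closed: RevocationStatusUnknown / OfflineRevocation mean the CRL or OCSP
    # responder could not be reached, which is NOT the same as "not revoked".
    'Result: NOT acceptable'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# The same check from the command line; -urlfetch forces fresh CRL/OCSP downloads
# instead of trusting the local CRL cache.
certutil.exe -verify -urlfetch $CertPath
```

`Build()` returns `$false` for an untrusted root, a bad CA signature, an expired certificate, or a revocation status that could not be determined, so the single boolean is safe to gate on; the `ChainStatus` loop is there to tell you which of those it was.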

  9. Certificate Templates • Templates used by an Enterprise CA to simplify the administration and issuance of digital certificates • A template fixes the certificate's purpose, key usage, validity period and subject name format, and its security descriptor (the Enroll and Autoenroll permissions) decides who may request it

  10. Self-Enrollment and Enrollment Agents • Self-Enrollment • This feature enables users to request their own PKI certificates, typically through a Web browser (the AD CS Web enrollment pages) or the Certificates MMC snap-in • Enrollment agents • These hold an Enrollment Agent certificate and use it to request certificates on behalf of a user, computer, or service, as is common when issuing smart cards • You can use either self-enrollment or enrollment agents

  11. Auto-Enrollment • Supported by Windows Server 2003 and later • Allows users and computers to automatically enroll for, and renew, certificates based on: • One or more certificate templates on which they hold the Autoenroll permission • Group Policy settings in Active Directory that turn the auto-enrollment client on • Certificate templates based on Windows 2000 (version 1 templates) do not support auto-enrollment, to maintain backwards compatibility; duplicate such a template to obtain a version 2 template if auto-enrollment is needed

  12. Recovery Agent • Key recovery agents are configured within a CA to allow the archived private keys of users, computers, or services to be recovered if those keys are lost • Because a recovery agent's own private key can decrypt every key archived to it, it must be protected at least as carefully as the CA's signing key

  13. Key Archival • This is the process by which a copy of a private key is handed to the CA at enrollment time and kept for later retrieval by a recovery agent • In a Windows PKI implementation the archived key is stored in the CA database, encrypted to the recovery agent's public key, so the CA never holds it in clear and only someone with the recovery agent's private key can recover it • Only encryption keys should be archived; signing keys are not, so that a signature can only ever have been made by its owner

  14. Windows Server 2008 and Certificate Services • The AD CS server role consists of the following services and features: • Certification Authority • Web enrollment • Online Responder • Responds to requests from clients about the revocation status of an individual certificate using the Online Certificate Status Protocol (OCSP), so a client need not download the whole CRL • Network Device Enrollment Service (NDES) • Enrolls hardware-based routers and other network devices that have no domain account for PKI certificates, using the Simple Certificate Enrollment Protocol (SCEP)

  15. Types of CAs • When deploying a Windows-based PKI, two different types of CAs can be deployed: • Standalone CA • Not integrated with AD • Does not use templates; incoming requests are held as pending by default, so it requires administrator intervention to issue each certificate • Typically used for an offline root CA • Enterprise CA • Integrated with AD (requires a domain, and Enterprise Admins membership to install) • Can use certificate templates, authenticates requesters by their AD accounts, and supports auto-enrollment
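  The following is an added example, not from the original slides, showing the two enrollment paths of slides 9, 10 and 15 with the certreq.exe tool that ships with Windows: a template-driven request to an Enterprise CA that is issued at once, and the same style of request to a Standalone CA that parks as pending until an administrator issues it. The CA names, subject names and request ID are hypothetical placeholders.

```powershell
# Added example (not from the slides): manual self-enrollment with certreq.exe.
# All CA configuration strings ("host\CA common name") and subject names are hypothetical.
$EnterpriseCA = 'ca01.corp.example\Corp-Issuing-CA'
$StandaloneCA = 'ca02.corp.example\Corp-Standalone-CA'

# --- Enterprise CA: the template name travels inside the request -------------------
@"
[NewRequest]
Subject = "CN=web01.corp.example"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path .\web01.inf -Encoding ASCII

certreq.exe -new .\web01.inf .\web01.req                           # generate key pair + CSR
certreq.exe -submit -config $EnterpriseCA .\web01.req .\web01.cer  # issued immediately if the
                                                                   # computer has Enroll on the template
certreq.exe -accept .\web01.cer                                    # bind cert to its key in LocalMachine\My

# --- Standalone CA: no templates, so the request waits for an administrator --------
@"
[NewRequest]
Subject = "CN=partner-gateway.example.net"
KeyLength = 2048
MachineKeySet = TRUE
"@ | Set-Content -Path .\gw.inf -Encoding ASCII

certreq.exe -new .\gw.inf .\gw.req
certreq.exe -submit -config $StandaloneCA .\gw.req .\gw.cer
# certreq prints "RequestId: <n>" followed by
# "Certificate request is pending: Taken Under Submission (0)" and no certificate is written.

# On the CA, after reviewing the request, an administrator issues it (42 is a placeholder ID):
#   certutil.exe -resubmit 42
# Back on the client, retrieve the issued certificate and install it:
#   certreq.exe -retrieve -config $StandaloneCA 42 .\gw.cer
#   certreq.exe -accept .\gw.cer
```

On an Enterprise CA the template's security descriptor decides the outcome: without Enroll permission the submission is denied outright, and a template that has "CA certificate manager approval" enabled parks the request as pending exactly as the Standalone CA does.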

  16. Configuring Certificate Auto-enrollment for Wireless Networks • You control PKI settings in the Public Key Policies area of a Group Policy object (under Computer Configuration or User Configuration \ Windows Settings \ Security Settings) • Encrypting File System (EFS) • Data recovery agents for EFS (in the Computer Configuration node) • Automatic Certificate Request Settings • Makes all computers in scope automatically submit a request for a certificate from an Enterprise CA (the older mechanism, limited to version 1 computer templates; newer deployments use auto-enrollment instead)

  17. Configuring Certificate Auto-enrollment for Wireless Networks • You control PKI settings in the Public Key Policies area of the group policy • Trusted Root Certification Authorities • Distributes root CA certificates to every computer in scope and determines whether users can choose to trust additional root CAs themselves • Enterprise Trust • Allows an administrator to define and distribute a certificate trust list (CTL) for external root CAs • Certificate Services Client - Auto-Enrollment • Allows an administrator to enable or disable automatic enrollment and to choose whether expired certificates are renewed, pending requests updated, revoked certificates removed, and certificates re-issued when their template changes • Through the same GPO, auto-enrollment can also write a certificate to a smart card

  18. Infrastructure components for Auto-Enrollment of PKI • Clients must be running Windows XP, Vista Business or Enterprise, Server 2003, or Server 2008 • An Enterprise CA running on Server 2003 or 2008 • Version 2 (or later) certificate templates on which the users or computers hold the Read, Enroll, and Autoenroll permissions
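  The following PowerShell is an added example, not part of the original slides, for checking the client side of the auto-enrollment procedure laid out on slides 11, 17 and 18: whether the "Certificate Services Client - Auto-Enrollment" policy actually reached this host, forcing an enrollment pass instead of waiting for the next policy refresh, and reading what the client decided. It assumes the registry locations and AEPolicy bits that Group Policy writes for this setting and the event provider name used from Windows Vista and Server 2008 onward.

```powershell
# Added example (not from the slides): verify auto-enrollment policy on a client,
# pulse the auto-enrollment client, and read its log.
# Assumptions: Group Policy writes the "Certificate Services Client - Auto-Enrollment"
# setting to the AutoEnrollment keys below; AEPolicy bit 0x1 = renew expired / update
# pending / remove revoked, bit 0x2 = update certificates that use templates,
# 0x8000 = disabled. Other bits are reported but not interpreted.
$Scopes = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}

foreach ($scope in $Scopes.Keys) {
    $ae = (Get-ItemProperty -Path $Scopes[$scope] -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $ae) {
        '{0,-8}: Not Configured (no AEPolicy value reached this host)' -f $scope
    } elseif ($ae -band 0x8000) {
        '{0,-8}: DISABLED by policy (AEPolicy=0x{1:X})' -f $scope, $ae
    } else {
        '{0,-8}: enabled (AEPolicy=0x{1:X}); renew/update pending/remove revoked={2}; update templated certs={3}' -f `
            $scope, $ae, [bool]($ae -band 0x1), [bool]($ae -band 0x2)
    }
}

# Without a pulse the client only re-evaluates at boot/logon and on the periodic policy refresh.
certutil.exe -pulse

# What the client did: which templates it enrolled, renewed or skipped, and why
# (typical reasons: no Autoenroll permission, or a version 1 template, which cannot autoenroll).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it once under an administrator session for the Computer scope and once as the end user for the User scope; a "Not Configured" result for a scope where you expected auto-enrollment means the GPO is not linked, is filtered, or has not refreshed, not that the CA or template is wrong.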

  19. Extra materials • http://networklore.com/components-of-pki/

  20. Assignment • Fill in the blank • 1-10 • Multiple Choice • 1-10 • Online Lab 13
