1 / 27

Module 7

Module 7. Deploying and Managing Active Directory Certificate Services . Module Overview. Deploying CAs Administering CAs Troubleshooting, Maintaining, and Monitoring CAs. Lesson 1: Deploying CAs.

alden
Download Presentation

Module 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 7 Deploying and Managing Active Directory Certificate Services

  2. Module Overview • Deploying CAs Administering CAs Troubleshooting, Maintaining, and Monitoring CAs

  3. Lesson 1: Deploying CAs • AD CS in Windows Server 2012 What Is Certification Authority? Public vs. Private CAs Stand-alone vs. Enterprise CAs Options for Implementing CA Hierarchies Considerations for Deploying a Root CA Considerations for Deploying a Subordinate CA How to Use the CAPolicy.inf File for Installing a CA Demonstration: Deploying an Enterprise Root CA

  4. AD CS in Windows Server 2012 CA CA Web Enrollment Linux Online Responder Network Device Enrollment Service Enrollment Firewall Certificate Enrollment Web Service Windows 7 or newer Proxy Certificate Enrollment Policy Web Service Windows 7 or newer Policy

  5. What Is Certification Authority? CA Firewall Root CA issues a self-signed certificate for itself Manages certificate revocation Issues certificates to users, computers, and services Verifies the identity of the certificate requestor

  6. Public vs. Private CAs • External public CAs: • Are trusted by many external clients, such as web browsers, operating systems • Are slower compared to internal CAs • Have higher cost • Internal private CAs: • Require greater administration than external public CAs • Cost less than external public CAs and provide greater control over certificate management • Are not trusted by external clients by default • Offer advantages such as customized templates and autoenrollment

  7. Stand-alone vs. Enterprise CAs

  8. Options for Implementing CA Hierarchies Two-Tier Hierarchy Root CA Root CA Policy CAs Issuing CAs Issuing CA Issuing CA Issuing CA Policy CA Usage Root CA Root CA Policy CA Policy CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Issuing CA Cross-Certification Trust

  9. Considerations for Deploying a Root CA • Computer name and domain membership cannot change • When you plan private key configuration, consider the following: • CSP • Key character length with a default of 2,048 • The hash algorithm that is used to sign certificates issued by a CA • When you plan a root CA, consider the following: • Name and configuration • Certificate database and log location • Validity period

  10. Considerations for Deploying a Subordinate CA Root Root Subordinate Subordinate USA India Canada EFS S/MIME RAS Locations CertificateUses Root Root Subordinate Subordinate Employee Partner Contractor LoadBalancing Organizational Divisions

  11. How to Use the CAPolicy.inf File for Installing a CA • The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA • The CAPolicy.inf file defines the following: • Certification practice statement • Object identifier • CRL publication intervals • CA renewal settings • Key size • Certificate validity period • CDP and AIA paths

  12. Demonstration: Deploying an Enterprise Root CA In this demonstration, your instructor will show you how to deploy the enterprise root CA

  13. Lesson 2: Administering CAs • Managing CA Hierarchy Configuring CA Administration and Security Configuring CA Policy and Exit Modules Configuring CRL Distribution Points and AIA Locations Demonstration: Configuring CA Properties

  14. Managing CA Hierarchy • For managing CA hierarchy, you can use: • CA Management console • Windows PowerShell • Certutilcommand-line utility • Certutil provides an interface for advanced CA and PKI configuration and management • PKI options are manageable through Group Policy, if you use the following: • Credential roaming • Autoenrollment of certificates • Certificate path validation • Certificate distribution

  15. Configuring CA Administration and Security • You can establish role-based administration for CA hierarchy by defining the following roles: • CA Administrator • Certificate Manager • Backup Operator • Auditor • Enrollees • You can assign the following permissions on the CA level: • Read • Issue and Manage Certificates • Manage CA • Request Certificates • Certificate Managers can be restricted to atemplate

  16. Configuring CA Policy and Exit Modules • The policy module determines the action that is performed after the certificate request is received • The exit module determines what happens with a certificate after it is issued • Each CA is configured with default policy and exit modules • The FIM 2010 Certification Management deploys custom policy and exit modules • The exit module can send email or publish a certificate to a file system • You have to use certutil to specify these settings, as they are not available in the CA the administrator console

  17. Configuring CRL Distribution Points and AIA Locations • The AIAspecifies where to retrieve the CA's certificate • The CDP specifies from where the CRL for a CA can be retrieved • Publication locations for AIA and CDP: • AD DS • Web servers • File Transfer Protocol FTP servers • File servers • Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs • Ensure that the CRL for an offline root CA does not expire

  18. Demonstration: Configuring CA Properties In this demonstration, you will see how to configure CA properties

  19. Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs • Troubleshooting CAs Renewing a CA Certificate Moving a Root CA to Another Computer Monitoring and Maintaining CA Hierarchy

  20. Troubleshooting CAs • Tools for managing CAs: • Certificates snap-in • PKIView tool • CA snap-in • Certutil.exe • Certificate Templates snap-in • AD CS common issues: • Client autoenrollment issues • Unavailable enterprise CA option • Error accessing CA web pages • Enrollment agent restriction

  21. Renewing a CA Certificate • The CA certificate needs to be renewedwhen the validity period of the CA certificate is close to its expiration date • The CA will never issue a certificate that has a longer validity time than its own certificate • Considerations for renewing a root CAcertificate: • Key length • Validity period • Considerations for renewing a certificate for an issuing CA: • New key pair • Smaller CRLs • Procedure for CA certificate renewal

  22. Moving a Root CA to Another Computer To move a CA from one computer to another, you have to perform backup and restore: • To backup a computer, follow this procedure: • Record the names of the certificate templates • Back up a CA in the CA admin console • Export the registry subkey • Uninstall the CA role • Confirm the %Systemroot% folder locations • Remove the old CA from the domain • To restore, follow this procedure: • Install AD CS • Use the existing private key • Restore the registry file • Restore the CA database and settings • Restore the certificate templates

  23. Monitoring and Maintaining CA Hierarchy • For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing • With the PKIView, you can: • Access and manage AD DS PKI-related containers • Monitor CAs and their health state • Check the status of CA certificates • Check the status of AIA locations • Check the status of CRLs • Check the status of CRL distribution points • Evaluate the state of the online responder • CA auditing provides logging for various events that happen on the CA

  24. Lab: Deploying and Configuring a Two-Tier CA Hierarchy • Exercise 1: Deploying an Offline Root CA Exercise 2: Deploying an Enterprise Subordinate CA Logon Information Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1 User name: Adatum\Administrator Password: Pa$$w0rd Estimated Time: 60 minutes

  25. Lab Scenario As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012. As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

  26. Lab Review • Why is it not recommended to install only an enterprise root CA? What are some reasons that an organization would use an Enterprise root CA?

  27. Module Review and Takeaways • Review Questions Tools Best Practice Common Issues and Troubleshooting Tips

More Related