Module 7
This presentation is the property of its rightful owner.
Sponsored Links
1 / 27

Module 7 PowerPoint PPT Presentation


  • 149 Views
  • Uploaded on
  • Presentation posted in: General

Module 7. Deploying and Managing Active Directory Certificate Services. Module Overview. Deploying CAsAdministering CAsTroubleshooting, Maintaining, and Monitoring CAs. Lesson 1: Deploying CAs.

Download Presentation

Module 7

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Module 7

Module 7

Deploying and Managing Active Directory Certificate Services


Module overview

Module Overview

  • Deploying CAsAdministering CAsTroubleshooting, Maintaining, and Monitoring CAs


Lesson 1 deploying cas

Lesson 1: Deploying CAs

  • AD CS in Windows Server 2012What Is Certification Authority?Public vs. Private CAsStand-alone vs. Enterprise CAsOptions for Implementing CA HierarchiesConsiderations for Deploying a Root CAConsiderations for Deploying a Subordinate CAHow to Use the CAPolicy.inf File for Installing a CADemonstration: Deploying an Enterprise Root CA


Ad cs in windows server 2012

AD CS in Windows Server 2012

CA

CA Web Enrollment

Linux

Online Responder

Network Device Enrollment Service

Enrollment

Firewall

Certificate Enrollment Web Service

Windows 7

or newer

Proxy

Certificate Enrollment Policy Web Service

Windows 7

or newer

Policy


What is certification authority

What Is Certification Authority?

CA

Firewall

Root CA issues a self-signed certificate for itself

Manages certificate revocation

Issues certificates to users, computers, and services

Verifies the identity of the certificate requestor


Public vs private cas

Public vs. Private CAs

  • External public CAs:

    • Are trusted by many external clients, such as web browsers, operating systems

    • Are slower compared to internal CAs

    • Have higher cost

  • Internal private CAs:

    • Require greater administration than external public CAs

    • Cost less than external public CAs and provide greater control over certificate management

    • Are not trusted by external clients by default

    • Offer advantages such as customized templates and autoenrollment


Stand alone vs enterprise cas

Stand-alone vs. Enterprise CAs


Options for implementing ca hierarchies

Options for Implementing CA Hierarchies

Two-Tier Hierarchy

Root CA

Root CA

Policy CAs

Issuing CAs

Issuing CA

Issuing CA

Issuing CA

Policy CA Usage

Root CA

Root CA

Policy CA

Policy CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Cross-Certification Trust


Considerations for deploying a root ca

Considerations for Deploying a Root CA

  • Computer name and domain membership cannot change

  • When you plan private key configuration, consider the following:

    • CSP

    • Key character length with a default of 2,048

    • The hash algorithm that is used to sign certificates issued by a CA

  • When you plan a root CA, consider the following:

    • Name and configuration

    • Certificate database and log location

    • Validity period


Considerations for deploying a subordinate ca

Considerations for Deploying a Subordinate CA

Root

Root

Subordinate

Subordinate

USA

India

Canada

EFS

S/MIME

RAS

Locations

CertificateUses

Root

Root

Subordinate

Subordinate

Employee

Partner

Contractor

LoadBalancing

Organizational Divisions


How to use the capolicy inf file for installing a ca

How to Use the CAPolicy.inf File for Installing a CA

  • The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA

  • The CAPolicy.inf file defines the following:

    • Certification practice statement

    • Object identifier

    • CRL publication intervals

    • CA renewal settings

    • Key size

    • Certificate validity period

    • CDP and AIA paths


Demonstration deploying an enterprise root ca

Demonstration: Deploying an Enterprise Root CA

In this demonstration, your instructor will show you how to deploy the enterprise root CA


Lesson 2 administering cas

Lesson 2: Administering CAs

  • Managing CA HierarchyConfiguring CA Administration and SecurityConfiguring CA Policy and Exit ModulesConfiguring CRL Distribution Points and AIA LocationsDemonstration: Configuring CA Properties


Managing ca hierarchy

Managing CA Hierarchy

  • For managing CA hierarchy, you can use:

    • CA Management console

    • Windows PowerShell

    • Certutilcommand-line utility

  • Certutil provides an interface for advanced CA and PKI configuration and management

  • PKI options are manageable through Group Policy, if you use the following:

    • Credential roaming

    • Autoenrollment of certificates

    • Certificate path validation

    • Certificate distribution


Configuring ca administration and security

Configuring CA Administration and Security

  • You can establish role-based administration for CA hierarchy by defining the following roles:

    • CA Administrator

    • Certificate Manager

    • Backup Operator

    • Auditor

    • Enrollees

  • You can assign the following permissions on the CA level:

    • Read

    • Issue and Manage Certificates

    • Manage CA

    • Request Certificates

  • Certificate Managers can be restricted to atemplate


Configuring ca policy and exit modules

Configuring CA Policy and Exit Modules

  • The policy module determines the action that is performed after the certificate request is received

  • The exit module determines what happens with a certificate after it is issued

  • Each CA is configured with default policy and exit modules

  • The FIM 2010 Certification Management deploys custom policy and exit modules

  • The exit module can send email or publish a certificate to a file system

  • You have to use certutil to specify these settings, as they are not available in the CA the administrator console


Configuring crl distribution points and aia locations

Configuring CRL Distribution Points and AIA Locations

  • The AIAspecifies where to retrieve the CA's certificate

  • The CDP specifies from where the CRL for a CA can be retrieved

  • Publication locations for AIA and CDP:

    • AD DS

    • Web servers

    • File Transfer Protocol FTP servers

    • File servers

  • Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs

  • Ensure that the CRL for an offline root CA does not expire


Demonstration configuring ca properties

Demonstration: Configuring CA Properties

In this demonstration, you will see how to configure CA properties


Lesson 3 troubleshooting maintaining and monitoring cas

Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs

  • Troubleshooting CAsRenewing a CA CertificateMoving a Root CA to Another ComputerMonitoring and Maintaining CA Hierarchy


Troubleshooting cas

Troubleshooting CAs

  • Tools for managing CAs:

    • Certificates snap-in

    • PKIView tool

    • CA snap-in

    • Certutil.exe

    • Certificate Templates snap-in

  • AD CS common issues:

    • Client autoenrollment issues

    • Unavailable enterprise CA option

    • Error accessing CA web pages

    • Enrollment agent restriction


Renewing a ca certificate

Renewing a CA Certificate

  • The CA certificate needs to be renewedwhen the validity period of the CA certificate is close to its expiration date

  • The CA will never issue a certificate that has a longer validity time than its own certificate

  • Considerations for renewing a root CAcertificate:

    • Key length

    • Validity period

  • Considerations for renewing a certificate for an issuing CA:

    • New key pair

    • Smaller CRLs

  • Procedure for CA certificate renewal


Moving a root ca to another computer

Moving a Root CA to Another Computer

To move a CA from one computer to another, you have to perform backup and restore:

  • To backup a computer, follow this procedure:

    • Record the names of the certificate templates

    • Back up a CA in the CA admin console

    • Export the registry subkey

    • Uninstall the CA role

    • Confirm the %Systemroot% folder locations

    • Remove the old CA from the domain

  • To restore, follow this procedure:

    • Install AD CS

    • Use the existing private key

    • Restore the registry file

    • Restore the CA database and settings

    • Restore the certificate templates


Monitoring and maintaining ca hierarchy

Monitoring and Maintaining CA Hierarchy

  • For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing

  • With the PKIView, you can:

    • Access and manage AD DS PKI-related containers

    • Monitor CAs and their health state

    • Check the status of CA certificates

    • Check the status of AIA locations

    • Check the status of CRLs

    • Check the status of CRL distribution points

    • Evaluate the state of the online responder

  • CA auditing provides logging for various events that happen on the CA


Lab deploying and configuring a two tier ca hierarchy

Lab: Deploying and Configuring a Two-Tier CA Hierarchy

  • Exercise 1: Deploying an Offline Root CAExercise 2: Deploying an Enterprise Subordinate CA

Logon Information

Virtual machines:10969A-LON-DC1,

10969A-LON-SVR1,

10969A-CA-SVR1

User name:Adatum\Administrator

Password:Pa$$w0rd

Estimated Time: 60 minutes


Lab scenario

Lab Scenario

As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.

As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.


Lab review

Lab Review

  • Why is it not recommended to install only an enterprise root CA?What are some reasons that an organization would use an Enterprise root CA?


Module review and takeaways

Module Review and Takeaways

  • Review QuestionsToolsBest PracticeCommon Issues and Troubleshooting Tips


  • Login