Module 7

Deploying and Managing Active Directory Certificate Services


Module Overview

  • Deploying CAs

  • Administering CAs

  • Troubleshooting, Maintaining, and Monitoring CAs


Lesson 1: Deploying CAs

  • AD CS in Windows Server 2012

  • What Is Certification Authority?

  • Public vs. Private CAs

  • Stand-alone vs. Enterprise CAs

  • Options for Implementing CA Hierarchies

  • Considerations for Deploying a Root CA

  • Considerations for Deploying a Subordinate CA

  • How to Use the CAPolicy.inf File for Installing a CA

  • Demonstration: Deploying an Enterprise Root CA


AD CS in Windows Server 2012

[Diagram: the AD CS role services in Windows Server 2012 (CA, CA Web Enrollment, Online Responder, Network Device Enrollment Service, Certificate Enrollment Web Service, Certificate Enrollment Policy Web Service); a Linux client enrolls through CA Web Enrollment, and Windows 7 or newer clients reach the Enrollment and Policy web services through a firewall and proxy]


What Is Certification Authority?

[Diagram: a CA behind a firewall]

  • Root CA issues a self-signed certificate for itself

  • Manages certificate revocation

  • Issues certificates to users, computers, and services

  • Verifies the identity of the certificate requestor


Public vs. Private CAs

  • External public CAs:

    • Are trusted by many external clients, such as web browsers and operating systems

    • Are slower compared to internal CAs

    • Have higher cost

  • Internal private CAs:

    • Require greater administration than external public CAs

    • Cost less than external public CAs and provide greater control over certificate management

    • Are not trusted by external clients by default

    • Offer advantages such as customized templates and autoenrollment



Options for Implementing CA Hierarchies

[Diagram: Two-Tier Hierarchy, a Root CA with Issuing CAs directly beneath it]

[Diagram: Policy CA Usage, a Root CA with Policy CAs beneath it and Issuing CAs beneath each Policy CA]

[Diagram: Cross-Certification Trust]


Considerations for Deploying a Root CA

  • Computer name and domain membership cannot change

  • When you plan private key configuration, consider the following:

    • CSP

    • Key length, with a default of 2,048 bits

    • The hash algorithm that is used to sign certificates issued by a CA

  • When you plan a root CA, consider the following:

    • Name and configuration

    • Certificate database and log location

    • Validity period


Considerations for Deploying a Subordinate CA

[Diagram: ways to divide subordinate CAs under a root CA: by Locations (USA, India, Canada), by Certificate Uses (EFS, S/MIME, RAS), by Organizational Divisions (Employee, Partner, Contractor), and for Load Balancing]


How to Use the CAPolicy.inf File for Installing a CA

  • The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA

  • The CAPolicy.inf file defines the following:

    • Certification practice statement

    • Object identifier

    • CRL publication intervals

    • CA renewal settings

    • Key size

    • Certificate validity period

    • CDP and AIA paths


Demonstration: Deploying an Enterprise Root CA

In this demonstration, your instructor will show you how to deploy the enterprise root CA
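The following script is an added example, not part of the course slides or the demonstration itself. It puts the two preceding slides together: it writes a CAPolicy.inf with the settings the slide lists (CPS statement and OID, CRL intervals, renewal key size and validity) to %Windir%, then installs an enterprise root CA with the ADCSDeployment cmdlets. The CA name, the policy OID, the CPS URL and the database paths are assumed values for a fictional A. Datum deployment; the cmdlet and certutil options are real.

```powershell
# Added example (not course code): CAPolicy.inf plus enterprise root CA install.
# Run in an elevated PowerShell session on the future root CA as an Enterprise Admin.

# Single-quoted here-string so that "$Windows NT$" is written literally.
$CAPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=AdatumPolicy

[AdatumPolicy]
; placeholder OID and URL: use your organization's registered arc and real CPS location
OID=1.3.6.1.4.1.99999.1.1
Notice="Adatum Certification Practice Statement"
URL=http://pki.adatum.com/pki/cps.html

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@

# Setup reads the file from %Windir% once, during role configuration, so write it first.
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $CAPolicy -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Provider, key length, hash algorithm and validity period are fixed in the CA certificate;
# changing them later means renewing the CA certificate, so choose them deliberately.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Adatum Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory "D:\CertDB" -LogDirectory "D:\CertLog" `
    -Force

# Confirm that the CRL settings from CAPolicy.inf landed in the CA registry.
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPeriodUnits
```

The computer name and domain membership checked by this install are the ones the root CA keeps for life, which is why the earlier slide lists them as unchangeable.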


Lesson 2: Administering CAs

  • Managing CA Hierarchy

  • Configuring CA Administration and Security

  • Configuring CA Policy and Exit Modules

  • Configuring CRL Distribution Points and AIA Locations

  • Demonstration: Configuring CA Properties


Managing CA Hierarchy

  • For managing CA hierarchy, you can use:

    • CA Management console

    • Windows PowerShell

    • Certutil command-line utility

  • Certutil provides an interface for advanced CA and PKI configuration and management

  • PKI options are manageable through Group Policy, if you use the following:

    • Credential roaming

    • Autoenrollment of certificates

    • Certificate path validation

    • Certificate distribution


Configuring CA Administration and Security

  • You can establish role-based administration for CA hierarchy by defining the following roles:

    • CA Administrator

    • Certificate Manager

    • Backup Operator

    • Auditor

    • Enrollees

  • You can assign the following permissions on the CA level:

    • Read

    • Issue and Manage Certificates

    • Manage CA

    • Request Certificates

  • Certificate Managers can be restricted to a template


Configuring CA Policy and Exit Modules

  • The policy module determines the action that is performed after the certificate request is received

  • The exit module determines what happens with a certificate after it is issued

  • Each CA is configured with default policy and exit modules

  • FIM 2010 Certificate Management deploys custom policy and exit modules

  • The exit module can send email or publish a certificate to a file system

  • You have to use certutil to specify these settings, as they are not available in the CA administrator console


Configuring CRL Distribution Points and AIA Locations

  • The AIA specifies where to retrieve the CA's certificate

  • The CDP specifies from where the CRL for a CA can be retrieved

  • Publication locations for AIA and CDP:

    • AD DS

    • Web servers

    • File Transfer Protocol (FTP) servers

    • File servers

  • Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs

  • Ensure that the CRL for an offline root CA does not expire


Demonstration: Configuring CA Properties

In this demonstration, you will see how to configure CA properties


Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs

  • Troubleshooting CAs

  • Renewing a CA Certificate

  • Moving a Root CA to Another Computer

  • Monitoring and Maintaining CA Hierarchy


Troubleshooting CAs

  • Tools for managing CAs:

    • Certificates snap-in

    • PKIView tool

    • CA snap-in

    • Certutil.exe

    • Certificate Templates snap-in

  • AD CS common issues:

    • Client autoenrollment issues

    • Unavailable enterprise CA option

    • Error accessing CA web pages

    • Enrollment agent restriction


Renewing a CA Certificate

  • The CA certificate needs to be renewed when the validity period of the CA certificate is close to its expiration date

  • The CA will never issue a certificate that has a longer validity time than its own certificate

  • Considerations for renewing a root CA certificate:

    • Key length

    • Validity period

  • Considerations for renewing a certificate for an issuing CA:

    • New key pair

    • Smaller CRLs

  • Procedure for CA certificate renewal


Moving a Root CA to Another Computer

To move a CA from one computer to another, you have to perform backup and restore:

  • To back up the CA, follow this procedure:

    • Record the names of the certificate templates

    • Back up a CA in the CA admin console

    • Export the registry subkey

    • Uninstall the CA role

    • Confirm the %Systemroot% folder locations

    • Remove the old CA from the domain

  • To restore, follow this procedure:

    • Install AD CS

    • Use the existing private key

    • Restore the registry file

    • Restore the CA database and settings

    • Restore the certificate templates


Monitoring and Maintaining CA Hierarchy

  • For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing

  • With PKIView, you can:

    • Access and manage AD DS PKI-related containers

    • Monitor CAs and their health state

    • Check the status of CA certificates

    • Check the status of AIA locations

    • Check the status of CRLs

    • Check the status of CRL distribution points

    • Evaluate the state of the online responder

  • CA auditing provides logging for various events that happen on the CA


Lab: Deploying and Configuring a Two-Tier CA Hierarchy

  • Exercise 1: Deploying an Offline Root CA

  • Exercise 2: Deploying an Enterprise Subordinate CA

Logon Information

Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-CA-SVR1

User name: Adatum\Administrator

Password: Pa$$w0rd

Estimated Time: 60 minutes
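An added example, not the lab's own steps, showing how the two exercises fit together on the command line: the enterprise subordinate CA generates a request, the offline stand-alone root approves and issues it, and the root certificate and CRL are published to AD DS before the subordinate's certificate is installed. Host names, CA names, file paths and the transfer by removable media are assumptions; the certreq and certutil switches and the cmdlet parameters are real.

```powershell
# Added example (not lab code): two-tier hierarchy, offline root plus enterprise subordinate.

# ----- on the subordinate (LON-SVR1), as an Enterprise Admin -----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
# No parent CA is reachable, so the install writes a request file instead of enrolling.
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Adatum Issuing CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\IssuingCA.req" -Force
# Carry C:\IssuingCA.req to the offline root on removable media (it is not domain-joined).

# ----- on the offline root (CA-SVR1) -----
$RootConfig = "CA-SVR1\Adatum Root CA"
# A stand-alone CA holds requests as pending by default; capture the RequestId it assigns.
$Submit = certreq -submit -config $RootConfig "C:\IssuingCA.req"
$RequestId = ($Submit | Select-String 'RequestId:\s*(\d+)').Matches[0].Groups[1].Value
certutil -resubmit $RequestId                                   # approve (issue) the request
certreq -retrieve -config $RootConfig $RequestId "C:\IssuingCA.cer"
certutil -crl                                                  # fresh root CRL for the domain
# Carry C:\IssuingCA.cer plus the root .crt and .crl from
# %windir%\system32\CertSrv\CertEnroll back to the domain.

# ----- back on LON-SVR1 -----
# Publish the root certificate and CRL to AD DS so every domain member trusts the root and
# can find its CRL without reaching the offline machine.
certutil -dspublish -f "C:\Adatum Root CA.crt" RootCA
certutil -dspublish -f "C:\Adatum Root CA.crl"
# Install the issued certificate on the subordinate and start the service.
certutil -installcert "C:\IssuingCA.cer"
Start-Service CertSvc
```

The install of the subordinate's certificate only succeeds if the AIA and CDP URLs embedded in it by the root resolve, which is why the root's CDP and AIA locations are configured and its CRL published before the subordinate is brought online.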


Lab Scenario

As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.

As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.


Lab Review

  • Why is it not recommended to install only an enterprise root CA?

  • What are some reasons that an organization would use an Enterprise root CA?


Module Review and Takeaways

  • Review Questions

  • Tools

  • Best Practice

  • Common Issues and Troubleshooting Tips

