Module 7
1 / 27

Module 7 - PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Module 7. Deploying and Managing Active Directory Certificate Services. Module Overview. Deploying CAsAdministering CAsTroubleshooting, Maintaining, and Monitoring CAs. Lesson 1: Deploying CAs.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Module 7

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Module 7
Module 7

Deploying and Managing Active Directory Certificate Services

Module overview
Module Overview

  • Deploying CAsAdministering CAsTroubleshooting, Maintaining, and Monitoring CAs

Lesson 1 deploying cas
Lesson 1: Deploying CAs

  • AD CS in Windows Server 2012What Is Certification Authority?Public vs. Private CAsStand-alone vs. Enterprise CAsOptions for Implementing CA HierarchiesConsiderations for Deploying a Root CAConsiderations for Deploying a Subordinate CAHow to Use the CAPolicy.inf File for Installing a CADemonstration: Deploying an Enterprise Root CA

Ad cs in windows server 2012
AD CS in Windows Server 2012


CA Web Enrollment


Online Responder

Network Device Enrollment Service



Certificate Enrollment Web Service

Windows 7

or newer


Certificate Enrollment Policy Web Service

Windows 7

or newer


What is certification authority
What Is Certification Authority?



Root CA issues a self-signed certificate for itself

Manages certificate revocation

Issues certificates to users, computers, and services

Verifies the identity of the certificate requestor

Public vs private cas
Public vs. Private CAs

  • External public CAs:

    • Are trusted by many external clients, such as web browsers, operating systems

    • Are slower compared to internal CAs

    • Have higher cost

  • Internal private CAs:

    • Require greater administration than external public CAs

    • Cost less than external public CAs and provide greater control over certificate management

    • Are not trusted by external clients by default

    • Offer advantages such as customized templates and autoenrollment

Options for implementing ca hierarchies
Options for Implementing CA Hierarchies

Two-Tier Hierarchy

Root CA

Root CA

Policy CAs

Issuing CAs

Issuing CA

Issuing CA

Issuing CA

Policy CA Usage

Root CA

Root CA

Policy CA

Policy CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Issuing CA

Cross-Certification Trust

Considerations for deploying a root ca
Considerations for Deploying a Root CA

  • Computer name and domain membership cannot change

  • When you plan private key configuration, consider the following:

    • CSP

    • Key character length with a default of 2,048

    • The hash algorithm that is used to sign certificates issued by a CA

  • When you plan a root CA, consider the following:

    • Name and configuration

    • Certificate database and log location

    • Validity period

Considerations for deploying a subordinate ca
Considerations for Deploying a Subordinate CA





















Organizational Divisions

How to use the capolicy inf file for installing a ca
How to Use the CAPolicy.inf File for Installing a CA

  • The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA

  • The CAPolicy.inf file defines the following:

    • Certification practice statement

    • Object identifier

    • CRL publication intervals

    • CA renewal settings

    • Key size

    • Certificate validity period

    • CDP and AIA paths

Demonstration deploying an enterprise root ca
Demonstration: Deploying an Enterprise Root CA

In this demonstration, your instructor will show you how to deploy the enterprise root CA

Lesson 2 administering cas
Lesson 2: Administering CAs

  • Managing CA HierarchyConfiguring CA Administration and SecurityConfiguring CA Policy and Exit ModulesConfiguring CRL Distribution Points and AIA LocationsDemonstration: Configuring CA Properties

Managing ca hierarchy
Managing CA Hierarchy

  • For managing CA hierarchy, you can use:

    • CA Management console

    • Windows PowerShell

    • Certutilcommand-line utility

  • Certutil provides an interface for advanced CA and PKI configuration and management

  • PKI options are manageable through Group Policy, if you use the following:

    • Credential roaming

    • Autoenrollment of certificates

    • Certificate path validation

    • Certificate distribution

Configuring ca administration and security
Configuring CA Administration and Security

  • You can establish role-based administration for CA hierarchy by defining the following roles:

    • CA Administrator

    • Certificate Manager

    • Backup Operator

    • Auditor

    • Enrollees

  • You can assign the following permissions on the CA level:

    • Read

    • Issue and Manage Certificates

    • Manage CA

    • Request Certificates

  • Certificate Managers can be restricted to atemplate

Configuring ca policy and exit modules
Configuring CA Policy and Exit Modules

  • The policy module determines the action that is performed after the certificate request is received

  • The exit module determines what happens with a certificate after it is issued

  • Each CA is configured with default policy and exit modules

  • The FIM 2010 Certification Management deploys custom policy and exit modules

  • The exit module can send email or publish a certificate to a file system

  • You have to use certutil to specify these settings, as they are not available in the CA the administrator console

Configuring crl distribution points and aia locations
Configuring CRL Distribution Points and AIA Locations

  • The AIAspecifies where to retrieve the CA's certificate

  • The CDP specifies from where the CRL for a CA can be retrieved

  • Publication locations for AIA and CDP:

    • AD DS

    • Web servers

    • File Transfer Protocol FTP servers

    • File servers

  • Ensure that you properly configure CRL and AIA locations for offline and stand-alone CAs

  • Ensure that the CRL for an offline root CA does not expire

Demonstration configuring ca properties
Demonstration: Configuring CA Properties

In this demonstration, you will see how to configure CA properties

Lesson 3 troubleshooting maintaining and monitoring cas
Lesson 3: Troubleshooting, Maintaining, and Monitoring CAs

  • Troubleshooting CAsRenewing a CA CertificateMoving a Root CA to Another ComputerMonitoring and Maintaining CA Hierarchy

Troubleshooting cas
Troubleshooting CAs

  • Tools for managing CAs:

    • Certificates snap-in

    • PKIView tool

    • CA snap-in

    • Certutil.exe

    • Certificate Templates snap-in

  • AD CS common issues:

    • Client autoenrollment issues

    • Unavailable enterprise CA option

    • Error accessing CA web pages

    • Enrollment agent restriction

Renewing a ca certificate
Renewing a CA Certificate

  • The CA certificate needs to be renewedwhen the validity period of the CA certificate is close to its expiration date

  • The CA will never issue a certificate that has a longer validity time than its own certificate

  • Considerations for renewing a root CAcertificate:

    • Key length

    • Validity period

  • Considerations for renewing a certificate for an issuing CA:

    • New key pair

    • Smaller CRLs

  • Procedure for CA certificate renewal

Moving a root ca to another computer
Moving a Root CA to Another Computer

To move a CA from one computer to another, you have to perform backup and restore:

  • To backup a computer, follow this procedure:

    • Record the names of the certificate templates

    • Back up a CA in the CA admin console

    • Export the registry subkey

    • Uninstall the CA role

    • Confirm the %Systemroot% folder locations

    • Remove the old CA from the domain

  • To restore, follow this procedure:

    • Install AD CS

    • Use the existing private key

    • Restore the registry file

    • Restore the CA database and settings

    • Restore the certificate templates

Monitoring and maintaining ca hierarchy
Monitoring and Maintaining CA Hierarchy

  • For monitoring and maintenance of a CA hierarchy, you can use PKIView and CA auditing

  • With the PKIView, you can:

    • Access and manage AD DS PKI-related containers

    • Monitor CAs and their health state

    • Check the status of CA certificates

    • Check the status of AIA locations

    • Check the status of CRLs

    • Check the status of CRL distribution points

    • Evaluate the state of the online responder

  • CA auditing provides logging for various events that happen on the CA

Lab deploying and configuring a two tier ca hierarchy
Lab: Deploying and Configuring a Two-Tier CA Hierarchy

  • Exercise 1: Deploying an Offline Root CAExercise 2: Deploying an Enterprise Subordinate CA

Logon Information

Virtual machines:10969A-LON-DC1,



User name:Adatum\Administrator


Estimated Time: 60 minutes

Lab scenario
Lab Scenario

As A. Datum Corporation has expanded, its security requirements also have increased. The Security department is particularly interested in enabling secure access to critical websites, and in providing additional security for features. To address these and other security requirements, A. Datum has decided to implement a PKI by using the Active Directory Certificate Services role in Windows Server 2012.

As one of the senior network administrators at A. Datum, you are responsible for implementing the AD CS deployment.

Lab review
Lab Review

  • Why is it not recommended to install only an enterprise root CA?What are some reasons that an organization would use an Enterprise root CA?

Module review and takeaways
Module Review and Takeaways

  • Review QuestionsToolsBest PracticeCommon Issues and Troubleshooting Tips

  • Login