Module 2: Configuring AD CS
• Overview of PKI
• Deploying a CA Hierarchy
• Installing AD CS
• Managing CA

Lesson 1: Overview of PKI
• What Is PKI? (public key infrastructure)
• Managing IDA and Enhancing Security by Using PKI
• Components of a PKI Solution
• Validating Certificates by Using PKI Solutions
• How AD CS Supports PKI


What Is PKI?

A Public Key Infrastructure (PKI):
• Is the combination of software, encryption technologies, processes, and services that enable an organization to secure communication and business transactions
• Relies on the exchange of digital certificates between authenticated users and trusted resources

PKI enhances infrastructure security by providing:
• Confidentiality
• Integrity: the issuer uses its private key to sign (encrypt a hash of) the data; the receiver uses the issuer's public key to check the signature. If it matches, integrity is assured.
• Authenticity: the issuer holds a public/private key pair and asks a CA to issue a certificate for its public key (the CA stamps the certificate with its own private key); the receiver then matches the public key against the signature on the data, the same process as for integrity.
• Non-repudiation
Discussion: Managing IDA and Enhancing Security by Using PKI
• What benefit would a PKI solution provide to your organization?
• Give a few examples of services that can use certificates to enhance security.
• How does a PKI solution support IDA management?
Components of a PKI Solution
• Certification Authority
• Digital Certificates
• Certificate Templates
• Certificate Revocation Lists (CRL) and Online Responders
• Public-key Enabled Applications and Services
• Certificates and CA Management Tools
• AIA (authority information access) and CRL Distribution Points
Validating Certificates by Using PKI Solutions

PKI-enabled applications use CryptoAPI to validate certificates, in three stages:
Certificate Discovery -> Path Validation -> Revocation Checking


How AD CS Supports PKI

AD CS role services:
• CA
• Online Responder
• Network Device Enrollment Service
• CA Web Enrollment
Lesson 2: Deploying a CA Hierarchy
• Overview of CA
• Options for Implementing CA
• Types of CAs
• Stand-Alone vs Enterprise CAs
• Usage Scenarios in CA Hierarchy
• What Is a Cross-Certification Hierarchy?

Overview of CA

A Certification Authority:
• Issues a certificate for itself
• Verifies the identity of the certificate requestor
• Issues certificates to users, computers, and services
• Manages certificate revocation
Discussion: Options for Implementing CA
• What are the advantages and disadvantages of using an external public CA?
• What are the advantages and disadvantages of using an internal CA?
Types of CAs

Root CA (note: turn the root CA computer off after setup)
• Is the most trusted type of CA in a PKI infrastructure
• Has a self-signed certificate
• Issues certificates to other, subordinate CAs
• Possesses physical security and a certificate issuance policy that are typically more rigorous than those of subordinate CAs

Subordinate CA
• Is issued its certificate by another CA
• Addresses specific usage policies, organizational or geographical boundaries, load balancing, and fault tolerance
• Issues certificates to other CAs to form a hierarchical PKI infrastructure
Stand-Alone vs. Enterprise CAs

Stand-Alone CAs
• A stand-alone CA must be used if any CA (root or intermediate/policy) is offline, because a stand-alone CA does not have to be joined to an AD DS domain (safer)
• Users provide identifying information and specify the type of certificate
• Does not require certificate templates
• All certificate requests are kept pending until administrator approval (manual enrollment; no auto-enrollment)

Enterprise CAs
• Requires AD DS (the use of Active Directory®)
• Can use Group Policy to propagate its certificate to the Trusted Root CA certificate store
• Publishes user certificates and CRLs to AD DS
• Issues certificates based upon a certificate template
• Supports auto-enrollment for issuing certificates
Usage Scenarios in CA Hierarchy

A CA hierarchy can be organized by:
• Certificate use: Root CA -> subordinate CAs for S/MIME, EFS, RAS
• Location: Root CA -> subordinate CAs for India, Canada, USA
• Department: Root CA -> subordinate CAs for Manufacturing, Engineering, Accounting
• Organizational unit: Root CA -> subordinate CAs for Employee, Contractor, Partner


What Is a Cross-Certification Hierarchy?

Cross-certification at the root CA level: the root CA of Organization 1 and the root CA of Organization 2 cross-certify each other; each root keeps its own subordinate CA beneath it.

Cross-certification subordinate CA to root CA: a subordinate CA of one organization is cross-certified by the root CA of the other organization, so that subordinate CA chains to both roots.
Lesson 3: Installing AD CS
• Considerations for Installing Root CA
• How To Install AD CS as Root CA
• Installing Subordinate CA
• How CAPolicy.inf File Is Used for Installation
• Overview of CA Administration Console

Considerations for Installing a Root CA

Planning a Root CA:
• Computer name and domain membership
• Certificate database and log location
• Validity period
• Certificate: CSP, hash algorithm, key length (default: 2048), private key configuration

Demonstration: How To Install AD CS as a Root CA
• To install the AD CS server role as an Enterprise Root CA

Considerations for Installing a Subordinate CA

Planning a subordinate CA covers the same items as planning a root CA:
• Computer name and domain membership
• Certificate database and log location
• Validity period
• Certificate: CSP, hash algorithm, key length (default: 2048), private key configuration
plus one more step:
• Request a certificate for the subordinate CA (from its parent CA)
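An added example, not the course's own procedure (the 6426A labs use the Add Roles wizard): it applies the planning values above with the ADCSDeployment cmdlets, which assume Windows Server 2012 or later; the CA names, directories, request path and request ID are placeholders.

```powershell
# Added example, not the course's own procedure. Requires the ADCSDeployment
# module (Windows Server 2012+); names and paths below are placeholders.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# --- 1. Offline root: stand-alone, on a workgroup computer (no AD DS needed) ---
$root = @{
    CAType              = 'StandaloneRootCA'
    CACommonName        = 'Contoso Root CA'                             # placeholder
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider' # CSP/KSP
    HashAlgorithmName   = 'SHA256'                                      # hash algorithm
    KeyLength           = 2048                                          # slide default
    ValidityPeriod      = 'Years'                                       # root cert validity
    ValidityPeriodUnits = 10
    DatabaseDirectory   = 'D:\CertDB'                                   # certificate database
    LogDirectory        = 'D:\CertLog'                                  # log location
    Force               = $true
}
Install-AdcsCertificationAuthority @root
# Shut the root down afterwards; bring it back only to sign subordinate CA
# certificates and to publish its CRL.

# --- 2. Enterprise subordinate: domain-joined, issues end-entity certificates ---
# No validity period here: the parent CA sets it when it signs the request.
$sub = @{
    CAType                = 'EnterpriseSubordinateCA'
    CACommonName          = 'Contoso Issuing CA'                        # placeholder
    CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
    HashAlgorithmName     = 'SHA256'
    KeyLength             = 2048
    DatabaseDirectory     = 'D:\CertDB'
    LogDirectory          = 'D:\CertLog'
    OutputCertRequestFile = 'C:\IssuingCA.req'                          # request for the root
    Force                 = $true
}
Install-AdcsCertificationAuthority @sub

# --- 3. On the root (copy the .req there by removable media): submit it. A
#        stand-alone CA keeps the request pending until an administrator issues it. ---
certreq -submit -config 'ROOTCA\Contoso Root CA' C:\IssuingCA.req   # prints the RequestId
$requestId = 2                                   # placeholder: the RequestId printed above
certutil -resubmit $requestId                    # administrator approval of the pending request
certreq -retrieve $requestId C:\IssuingCA.cer

# --- 4. Back on the subordinate: install the issued certificate and start the CA ---
certutil -installcert C:\IssuingCA.cer
Start-Service certsvc
```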


How CAPolicy.inf File Is Used for Installation

The CAPolicy.inf file is stored in the %Windir% folder of the root or subordinate CA. This file defines:
• Certification Practice Statement (CPS)
• Object Identifier (OID)
• CRL publication intervals
• CA renewal settings
• Key size
• Certificate validity period
• CDP and AIA paths
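An added example, not a file from the course: a CAPolicy.inf for an offline root CA that sets each item in the list above, written into %Windir% where AD CS setup reads it. The OID, the CPS URL and the notice text are placeholders.

```powershell
# Added example, not the course's own file: CAPolicy.inf for an offline root CA.
# Setup reads it from %Windir% when the role is installed or the CA cert is renewed.
# The OID, URL and notice text are placeholders.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=InternalPolicy

; Certification Practice Statement (CPS) and its Object Identifier (OID)
[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1
Notice="Contoso Certification Practice Statement"
URL=http://pki.contoso.com/cps.html

[Certsrv_Server]
; key size and validity period applied when the CA certificate is renewed
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; CRL publication intervals: a base CRL every 26 weeks and no delta CRLs,
; because an offline root is powered on rarely and a short interval would
; let its CRL expire
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; only matters on an enterprise CA: do not auto-load the default templates
LoadDefaultTemplates=0

; CDP and AIA paths: a root's self-signed certificate carries neither extension,
; so both stay empty here; the URLs for issued certificates are set on the CA
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The single-quoted here-string keeps "$Windows NT$" literal. Write as ASCII so
# the file carries no byte-order mark, then confirm it landed before running setup.
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding Ascii
Get-Content -Path "$env:windir\CAPolicy.inf" | Select-String -Pattern '^\[|='
```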


Demonstration: Overview of the CA Administration Console
• To open the CA administrative console and review the available options

Lesson 4: Managing a CA
• What Are CRLs?
• How CRLs Are Published
• Where to Publish AIAs and CDPs?
• Configuring AIA and CRL Availability

What Are CRLs?

Base CRLs
• Contain all revoked certificates
• Published less frequently (longer publication interval)
• Large size
• Usable by client computers running any version of Windows®

Delta CRLs
• Contain only the certificates revoked since the last base CRL
• Published more frequently (shorter publication interval)
• Small size
• Require client computers running Windows XP® or Windows Server® 2003 (or later)
How CRLs Are Published

Timeline of base and delta CRL publication:
1. Base CRL #1 is published, listing Cert3.
2. Cert5 is revoked; Delta CRL #2 is published, listing Cert5.
3. Cert7 is revoked; Delta CRL #3 is published, listing Cert5 and Cert7 (every revocation since the last base CRL).
4. Base CRL #2 is published, listing Cert3, Cert5, and Cert7.
Where to Publish AIAs and CDPs

Publish the root CA certificate and CRL (and their URLs) to:
• Active Directory®
• Web servers
• FTP servers
• File servers

Example layout: the offline root CA publishes to an internal web server, a file server, and Active Directory® on the internal network and, through the firewalls, to an external web server and an FTP server reachable from the Internet.

Demonstration: How To Configure AIA and CRL Availability
• To configure AIA and CDP settings
• To publish the latest version of the CRL
• To publish the CRL and CA certificate for the offline root CA to an HTTP location
• To view the CRL
• To publish the CRL and CA certificate to Active Directory®
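An added example, not the course's demonstration script, covering the demonstration steps above and the base/delta CRL intervals from "What Are CRLs?": it sets CDP and AIA locations and CRL periods on an issuing CA with certutil, publishes the CRL, publishes the offline root's certificate and CRL to AD DS, and verifies an issued certificate. The host pki.contoso.com, the \\NYC-SVR1\pki share, the CA names and the file paths are placeholders.

```powershell
# Added example, not the course's demo script: CDP/AIA locations and CRL
# intervals on an issuing CA, then publish and check. Run elevated on the CA;
# pki.contoso.com, \\NYC-SVR1\pki and the CA names are placeholders.
$http  = 'http://pki.contoso.com/pki'   # web server reachable from inside and outside
$share = '\\NYC-SVR1\pki'               # file server the CA copies CRLs to

# CDP entries are flag:URL. Flags: 1 = publish CRLs here, 2 = put in the CDP
# extension of issued certs, 4 = put in CRLs, 8 = IDP, 64 = publish delta CRLs here.
# Tokens: %2 server name, %3 CA name, %6 config DN, %7 sanitized CA name,
# %8 CRL name suffix, %9 delta CRL allowed, %10 CDP object class.
$cdp = @(
    "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"   # local: publish base+delta
    "65:$share\%3%8%9.crl"                                    # file server: publish
    "6:$http/%3%8%9.crl"                                      # HTTP: clients fetch here
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
) -join '\n'    # certutil expects a literal \n between entries
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA entries. Flags: 1 = publish the CA cert here, 2 = put in the AIA extension,
# 32 = OCSP URL (Online Responder). %1 server DNS name, %4 cert name, %11 class.
$aia = @(
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt"
    "2:$http/%1_%3%4.crt"
    "3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
) -join '\n'
certutil -setreg CA\CACertPublicationURLs $aia

# Publication intervals: weekly base CRL (large), daily delta CRL (small).
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 1

Restart-Service certsvc      # registry settings are read when the service starts
certutil -crl                # publish the latest base (and delta) CRL now
certutil -dump "$env:windir\system32\CertSrv\CertEnroll\Contoso Issuing CA.crl"  # view it

# For the OFFLINE root, copy its .crt and .crl to the web server by hand, then
# publish them to AD DS from a domain member (Enterprise Admins rights needed):
certutil -dspublish -f 'C:\pki\Contoso Root CA.crt' RootCA
certutil -dspublish -f 'C:\pki\Contoso Root CA.crl'

# End-to-end check: chain and revocation for an issued certificate, fetching
# every AIA/CDP URL so a broken location shows up here rather than on clients.
certutil -verify -urlfetch 'C:\pki\issued.cer'
```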


Lab 2: Configuring AD CS
• Exercise 1: Installing the AD CS Server Role
• Exercise 2: Issuing and Installing a Subordinate Certificate
• Exercise 3: Publishing the CRL

Logon information
Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1
User name: Administrator
Password: Pa$$w0rd