
Module 9
Deploying and managing certificates
Module Overview
  Deploying and managing certificate templates
  Managing certificate deployment, revocation, and recovery
  Using certificates in a business environment
  Implementing and managing smart cards
Lesson 1: Deploying and managing certificate templates
  What are certificates and certificate templates?
  Certificate template versions in Windows Server 2016
  Configuring certificate template permissions
  Configuring certificate template settings
  Options for updating a certificate template
  Demonstration: Modifying and enabling a certificate template
What are certificates and certificate templates?
  A certificate contains information about users, devices, usage, validity, and a key pair
  A certificate template defines:
    The format and contents of a certificate
    The process for creating and submitting a valid certificate request
    The security principals that are allowed to read, enroll, or use autoenrollment for a certificate that will be based on the template
    The permissions that are required to modify a certificate template
Certificate template versions in Windows Server 2016
  Version 1
    Created by default when the CA is installed
    Cannot be modified (except for permissions) or removed
    Can be duplicated to create version 2 or version 3 templates
  Version 2
    Allows customization of most settings in the template
    Supports autoenrollment
  Version 3
    Supports advanced Suite B cryptographic settings
    Includes advanced options for encryption, digital signatures, key exchange, and hashing
  Version 4
    Supports both CSPs and key storage providers
    Supports renewal with the same key
Configuring certificate template permissions

  Permission     Description
  Full Control   Allows a designated user, group, or computer to modify all attributes, including ownership and permissions
  Read           Allows a designated user, group, or computer to read the certificate in AD DS when enrolling
  Write          Allows a designated user, group, or computer to modify all attributes except permissions
  Enroll         Allows a designated user, group, or computer to enroll for the certificate template
  Autoenroll     Allows a designated user, group, or computer to receive a certificate through the autoenrollment process
Configuring certificate template settings
  For each certificate template, you can customize several settings, such as validity time, purpose, CSP, private key exportability, and issuance requirements

  Category    Example of single purpose    Example of multipurpose
  Users       Basic EFS                    Administrator
              Authenticated session        User
              Smart card sign-in           Smart card user
  Computers   Web server                   Computer
              IPsec                        Domain controller
Options for updating a certificate template
  Modifying
    Modify the original certificate template to incorporate the new settings (Original template -> Updated template)
  Superseding
    Replace one or more certificate templates with an updated certificate template (for example, Smart card 1 and Smart card 2 -> Smart cards (new))
Demonstration: Modifying and enabling a certificate template
  In this demonstration, you will see how to modify and enable a certificate template
Lesson 2: Managing certificate deployment, revocation, and recovery
  Certificate enrollment methods
  Overview of certificate autoenrollment
  What is an enrollment agent?
  How does certificate revocation work?
  Overview of key archival and recovery
  Configuring automatic key archival
  Demonstration: Configuring a CA for key archival
Certificate enrollment methods

  Method             Use
  Autoenrollment     To automate the request, retrieval, and storage of certificates for domain-based computers
  Manual enrollment  To request certificates by using the Certificates console or Certreq.exe when the requestor cannot communicate directly with the CA
  CA Web enrollment  To request certificates from a website that is located on a CA; to issue certificates when autoenrollment is not available
  Enroll on behalf   To provide IT staff with the right to request certificates on behalf of another user (Enrollment Agent)
Overview of certificate autoenrollment
  A certificate template is configured for Allow, Enroll, and Autoenroll permissions for users who receive the certificates
  The CA is configured to issue the template
  An AD DS Group Policy Object should be created to enable autoenrollment
  The GPO should be linked to the appropriate site, domain, or Organizational Unit
  The user or computer receives the certificates during the next Group Policy refresh interval
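Added example (not part of the course slides): a client-side check of the autoenrollment prerequisites listed above, including the template permissions from the earlier permissions table, followed by a forced autoenrollment pass. It assumes Windows 8 / Windows Server 2012 or later (PKI module and certutil.exe), a single enterprise CA in the forest (otherwise add -config to the certutil calls), and the 'User' template name.

```powershell
# Added example, not from the course. Checks the autoenrollment prerequisites
# from a domain-joined client, then triggers a pass instead of waiting for the
# next Group Policy refresh interval. Template name and single-CA setup are assumptions.
function Get-AutoEnrollmentReadiness {
    param([string]$TemplateName = 'User')   # template CN; 'User' is an assumption

    # 1. Applied Group Policy state for both contexts (the GPO described above).
    foreach ($ctx in 'Machine', 'User') {
        $pol = Get-CertificateAutoEnrollmentPolicy -Scope Applied -context $ctx
        [pscustomobject]@{
            Context           = $ctx
            PolicyState       = $pol.PolicyState           # Enabled, Disabled or NotConfigured
            TemplateCheck     = $pol.EnableTemplateCheck   # "update certificates that use templates"
            MyStoreManagement = $pol.EnableMyStoreManagement
        }
    }

    # 2. Is the template published by the CA? certutil -CATemplates lists the
    #    templates the CA is configured to issue, one per line as "Name: Display name".
    $lines = & certutil.exe -CATemplates
    $published = [bool]($lines -match ('^' + [regex]::Escape($TemplateName) + ':'))
    "Template '$TemplateName' is issued by the CA: $published"

    # 3. Who holds Enroll and Autoenroll on the template? Verbose dsTemplate output
    #    includes the template object's AD DS security descriptor.
    & certutil.exe -v -dsTemplate $TemplateName | Select-String -Pattern 'Enroll' |
        ForEach-Object { '  ' + $_.Line.Trim() }
}

Get-AutoEnrollmentReadiness -TemplateName 'User'

# 4. Refresh user policy and raise the autoenrollment event immediately.
gpupdate.exe /target:user /force
certutil.exe -pulse
```

Run it as the user who should receive the certificate; a PolicyState of NotConfigured in the Applied scope means the GPO is not linked to a scope that covers this account.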
What is an enrollment agent?
  An Enrollment Agent is a user account used to request certificates on behalf of another user account
  An Enrollment Agent must possess a certificate based on the Enrollment Agent template
  Enrollment Agents are typically members of corporate or IT security departments
  You can limit the scope of an Enrollment Agent to:
    Specific users or security groups
    Specific certificate templates
How does certificate revocation work?
  The following are steps in the certificate revocation lifecycle:
    1. A certificate is revoked
    2. A CRL is published
    3. A client computer verifies certificate validity and revocation
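Added example (not from the course slides) that runs the three lifecycle steps above end to end: steps 1 and 2 on the CA with certutil.exe (the serial number is a placeholder), step 3 as a client-side chain build with online revocation checking.

```powershell
# Added example, not from the course: certificate revocation lifecycle.
# Steps 1-2 run on the CA as a certificate manager; step 3 runs on any client.

# 1. Revoke the certificate by serial number. Reason codes: 0 Unspecified,
#    1 KeyCompromise, 2 CACompromise, 3 AffiliationChanged, 4 Superseded,
#    5 CessationOfOperation, 6 CertificateHold (the only reversible reason).
$serial = '<SERIAL-NUMBER-PLACEHOLDER>'
certutil.exe -revoke $serial 1

# 2. Publish a new CRL (base plus delta, if the CA issues delta CRLs) so that
#    clients stop relying on a cached CRL that predates the revocation.
certutil.exe -crl

# 3. Client check: build the chain with online revocation checking for every
#    certificate in the chain and report what the chain engine found.
function Test-CertificateRevocation {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Cert)

    [pscustomobject]@{
        Subject = $Cert.Subject
        Valid   = $valid
        # Empty when valid; otherwise flags such as Revoked, RevocationStatusUnknown
        # or OfflineRevocation (CRL/OCSP endpoint unreachable: treat as untrusted).
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Evaluate every certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CertificateRevocation -Cert $_ }
```

The client only sees the revocation after it fetches the new CRL; until the cached CRL expires (or the cache is cleared with certutil.exe -urlcache * delete) step 3 can still report Valid.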
Overview of key archival and recovery
  Private keys can get lost when:
    A user profile is deleted
    An operating system is reinstalled
    A disk is corrupted
    A computer is lost or stolen
  It is critical that you archive private keys for certificates that are used for encryption
  The KRA is needed for key recovery
  You must configure key archival on the CA and on the certificate template
  Key recovery is a two-phase process:
    1. Key retrieval
    2. Key recovery
  The KRA certificate must be protected
Configuring automatic key archival
  Steps to configure automatic key archival:
    1. Configure the KRA certificate template
    2. Designated Key Recovery Agents enroll for a KRA certificate
    3. Enable Key Recovery Agents on the CA
    4. Configure necessary certificate templates for key archival
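Added example (not from the course slides) covering step 4 above and the two-phase recovery from the previous slide: it reads the template's archival flag from AD DS, then performs key retrieval on the CA and key recovery as the KRA with certutil.exe. The template name, CA configuration string, search token and PFX password are placeholders.

```powershell
# Added example, not from the course: verify that a template archives the
# private key, then run the two-phase recovery (retrieval, then recovery).

function Test-TemplateArchivesKey {
    param([Parameter(Mandatory)][string]$TemplateName)   # the template's CN (internal name)

    # Templates are stored in the Configuration partition. Archival is required
    # when bit 0x1 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) of msPKI-Private-Key-Flag is set.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $flags = [int]$tmpl.Properties['msPKI-Private-Key-Flag'].Value
    [bool]($flags -band 0x1)
}

Test-TemplateArchivesKey -TemplateName 'ArchivedUser'   # hypothetical duplicated User template

# Phase 1 - key retrieval (certificate manager, on the CA): export the archived
# key blob from the CA database. It is still encrypted to the KRA certificate(s),
# so the CA operator never sees the private key. The search token may be a
# serial number, SHA-1 hash, UPN or requester name (domain\user).
$caConfig = 'LON-DC1.adatum.com\AdatumCA'              # placeholder config string
certutil.exe -config $caConfig -getkey 'user1@adatum.com' recovery.blob

# Phase 2 - key recovery (the Key Recovery Agent, on a machine that holds the
# KRA private key): decrypt the blob and write a password-protected PFX.
certutil.exe -p 'TempP@ssw0rd' -recoverkey recovery.blob recovered.pfx
# Deliver recovered.pfx to the user for import, then delete both files.
```

Splitting the phases between two roles is what protects the archived keys: the certificate manager cannot decrypt the blob, and the KRA cannot reach the CA database.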
Demonstration: Configuring a CA for key archival
  In this demonstration, you will see how to configure a CA for key archival
Lesson 3: Using certificates in a business environment
  Using certificates for SSL
  Using certificates for digital signatures
  Demonstration: Signing a document digitally
  Using certificates for content encryption
  Demonstration: Encrypting a file with EFS
  Using certificates for authentication
Using certificates for SSL
  The purpose of securing a connection with SSL is to protect data during communication
  For SSL, a certificate must be installed on the server
  Be aware of trust issues
  SSL works in the following steps:
    1. The user types an HTTPS URL
    2. The web server sends its SSL certificate
    3. The client performs a check of the server certificate
    4. The client generates a symmetric encryption key
    5. The client encrypts this key with the server's public key
    6. The server uses its private key to decrypt the encrypted symmetric key
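Added example (not from the course slides): the client side of the steps above, performed with .NET's SslStream from PowerShell. It shows the certificate the server sent, the key exchange the handshake actually negotiated, and the trust errors from step 3 instead of hiding them. The host name is a placeholder.

```powershell
# Added example, not from the course: connect, complete the handshake, and
# report the server certificate and trust result. Host name is a placeholder.
function Get-TlsServerCertificate {
    param([string]$HostName = 'www.adatum.com', [int]$Port = 443)

    $script:TlsPolicyErrors = 'NotChecked'
    # Step 3: the validation callback receives the chain/name/revocation result.
    # Returning $true here is only to keep the connection open for inspection;
    # a real client must return $false whenever $sslPolicyErrors is not None.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $sslPolicyErrors)
        $script:TlsPolicyErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # Steps 2 and 4-6 happen inside the handshake.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            # RsaKeyX is the key-transport exchange described in steps 4-6;
            # current servers negotiate ECDHE (ephemeral Diffie-Hellman) instead.
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = $ssl.CipherAlgorithm
            TrustErrors = $script:TlsPolicyErrors   # None = chain, name and revocation checks passed
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Get-TlsServerCertificate -HostName 'www.adatum.com'
```

A TrustErrors value other than None (RemoteCertificateChainErrors, RemoteCertificateNameMismatch) is the "trust issue" the slide warns about: usually a missing intermediate on the server or a client that does not trust the issuing CA.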
Using certificates for digital signatures
  Digital signatures ensure that:
    Content is not modified during transport
    The identity of the author is verifiable
  Digital signatures work in the following way:
    1. When an author digitally signs a document or a message, the operating system on his or her computer creates a cryptographic digest of the message
    2. The cryptographic digest is then encrypted by using the author's private key and added to the end of the document or message
    3. The recipient uses the author's public key to decrypt the cryptographic digest and compares it to the cryptographic digest created on the recipient's computer
  Users need to have a certificate that is based on a User template to use digital signatures
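Added example (not from the course slides): the three signing steps above carried out with .NET from PowerShell, using a certificate issued from the User template in the signer's Personal store, and a tamper check that shows why step 3 detects modification. Requires .NET Framework 4.6 or later; the message is a constructed sample.

```powershell
# Added example, not from the course: sign and verify with a User-template certificate.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-UserTemplateSigningCert {
    # For version 1 templates such as User, the issuing template is recorded in
    # the Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }) -eq 'User'
    } | Select-Object -First 1
}

function Protect-Message {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [Parameter(Mandatory)][byte[]]$Data)
    # Steps 1 and 2: SHA-256 digest of the content, signed with the author's
    # private key. SignData computes the digest and signs it in one call.
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $rsa.SignData($Data, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

function Test-Message {
    param([Parameter(Mandatory)][X509Certificate2]$Cert, [byte[]]$Data, [byte[]]$Signature)
    # Step 3: the recipient recomputes the digest and checks it against the
    # signature using nothing but the public key from the author's certificate.
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $rsa.VerifyData($Data, $Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

$cert = Get-UserTemplateSigningCert
$msg  = [Text.Encoding]::UTF8.GetBytes('Approve purchase order 4711')   # constructed sample
$sig  = Protect-Message -Cert $cert -Data $msg
Test-Message -Cert $cert -Data $msg -Signature $sig     # untouched message verifies
$msg[0] = [byte][char]'a'                               # one byte changed "in transport"
Test-Message -Cert $cert -Data $msg -Signature $sig     # digests no longer match
```

The recipient only needs the author's certificate (public key); the signer's private key never leaves the signer's CSP or key storage provider.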
Demonstration: Signing a document digitally
  In this demonstration, you will see how to sign a document digitally
Using certificates for content encryption
  Encryption protects data from unauthorized access
  EFS uses certificates for file encryption
  To send an encrypted message, you must possess the recipient's public key

  Structure of an EFS-encrypted file:
    Header
      Data Decryption Field (DDF): file encryption key, encrypted with the file owner's public key
      Data Recovery Fields (DRF): file encryption key, encrypted with the public key of Recovery Agent 1
                                  file encryption key, encrypted with the public key of Recovery Agent 2 (optional)
    Encrypted data
Demonstration: Encrypting a file with EFS
  In this demonstration, you will see how to encrypt a file with EFS
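Added example (not from the course slides) for the EFS structure and the demonstration above: it encrypts a constructed sample file with EFS and then reads back the DDF and DRF entries (who can decrypt, and which recovery agents can). It assumes the user already holds an EFS certificate, either autogenerated or enrolled from the Basic EFS template.

```powershell
# Added example, not from the course: encrypt a file with EFS and inspect its
# DDF/DRF entries. The sample file is constructed by the script.
function Protect-FileWithEfs {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    if (-not ($file.Attributes -band [IO.FileAttributes]::Encrypted)) {
        # FileInfo.Encrypt() is EFS: a random file encryption key (FEK) is
        # generated and wrapped with the owner's EFS public key (DDF) and with
        # each configured recovery agent's public key (DRF).
        $file.Encrypt()
    }

    # cipher.exe /c prints the users who can decrypt (DDF), the recovery
    # certificates (DRF) with their thumbprints, and the FEK algorithm/length.
    (& cipher.exe /c $Path) |
        Where-Object { $_ -match 'decrypt|Recovery|thumbprint|Algorithm|Key Length' }
}

# Constructed sample in the user's temp directory.
$sample = Join-Path $env:TEMP 'efs-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample data'

Protect-FileWithEfs -Path $sample

# Reading is transparent for the owner; any other account, or someone with
# the disk offline, needs a DDF or DRF private key to obtain the FEK.
Get-Content -LiteralPath $sample
```

If no recovery certificate is listed, the file cannot be recovered after the owner's profile or key is lost, which is exactly the case the key archival slides address.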
Using certificates for authentication
  You can use certificates for user and device authentication
  You can also use certificates in network and application access scenarios such as:
    L2TP/IPsec VPN
    EAP-TLS
    PEAP
    NAP with IPsec
    Outlook Web App
    Mobile device authentication
Lesson 4: Implementing and managing smart cards
  What is a smart card?
  How does smart card authentication work?
  What is a virtual smart card?
  Enrolling certificates for smart cards
  Smart card management
What is a smart card?
  A smart card is a miniature computer, with limited storage and processing capabilities, embedded in a plastic card about the size of a credit card
  Smart cards:
    Provide options for multifactor authentication
    Provide enhanced security over passwords
  You must use a valid smart card and PIN together
How does smart card authentication work?
  Smart cards can be used for:
    Interactive sign-in to AD DS
    Client authentication
    Remote sign-in
    Offline sign-in
  Interactive sign-in steps:
    1. The sign-in request goes to the LSA, which is forwarded to the Kerberos package
    2. KDC verifies the certificate
    3. KDC verifies the digital signature on the authentication service
    4. KDC performs an AD DS query to locate the user account
    5. KDC generates a random encryption key to encrypt the TGT
    6. KDC signs the reply with its private key and sends it to the user
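Added example (not from the course slides): a client-side check that a smart card certificate has what the KDC verifies in steps 2-4 above: a chain that builds with revocation checking, the Smart Card Logon EKU, and a UPN that maps to an AD DS account. It assumes the card is inserted so that its certificates have been propagated to the user's Personal store.

```powershell
# Added example, not from the course: pre-flight check of a smart card logon
# certificate against what the KDC validates.
function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Step 2: chain and revocation check with certutil; -urlfetch downloads the
    # CRL/OCSP data named in the certificate, as the KDC does. certutil exits
    # with a non-zero code when verification fails.
    $tmp = Join-Path $env:TEMP "$($Cert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($tmp, $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $null = & certutil.exe -verify -urlfetch $tmp
    $chainOk = ($LASTEXITCODE -eq 0)
    Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue

    # Steps 3-4: the EKUs and the UPN in the Subject Alternative Name (2.5.29.17),
    # which the KDC uses to locate the account in AD DS.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })   # PowerShell-added property
    $san  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }
    $upn  = if ($san -match 'Principal Name=([^,\s]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Issuer         = $Cert.Issuer          # must also be in the enterprise NTAuth store
        ChainVerifies  = $chainOk
        SmartCardLogon = $ekus -contains '1.3.6.1.4.1.311.20.2.2'
        ClientAuth     = $ekus -contains '1.3.6.1.4.1.5.5.7.3.2'
        UPN            = $upn
        KeyOnCard      = $Cert.HasPrivateKey   # reachable only through the card's CSP/KSP after PIN entry
    }
}

# Evaluate every certificate in the Personal store that carries the Smart Card Logon EKU.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    ForEach-Object { Test-SmartCardLogonCert -Cert $_ }
```

certutil.exe -scinfo gives the same information straight from the card, including whether the private key on the card matches the certificate.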
What is a virtual smart card?
  A smart card infrastructure might be expensive
  Windows Server 2012 AD CS introduced virtual smart cards
  Virtual smart cards use the capabilities of the TPM chip
  No cost for buying smart cards and smart card readers
  The computer acts like a smart card
  The cryptographic capabilities of the TPM protect the private keys
Enrolling certificates for smart cards
  Before you issue smart cards, define the method of enrolling smart card certificates
  Smart card certificate enrollment requires some manual intervention
  For smart card enrollment:
    Define the certificate template for the smart cards
    Enroll one or more users for the Enrollment Agent certificate
    Configure the enrollment station
    Start the Enroll On Behalf Of wizard
  Ensure that users change their personal PINs

Smart card management
  Smart card management tasks:
    Issuance
    Revocation
    Renewal
    Blocking and unblocking
    Duplication
    Suspension
  Use MIM to:
    Issue smart cards to users
    Store information in a SQL database
    Manage revocation, renewal, unblocking, suspension, and reinstatement procedures
    Provide users and administrators with a web-based, self-service smart card management interface
    Manage smart card printing with appropriate hardware
    Implement workflows for each management task
Lab: Deploying and using certificates
  Exercise 1: Configuring certificate templates
  Exercise 2: Enrolling and using certificates
  Exercise 3: Configuring and implementing key recovery

  Logon Information
    Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, 20742B-LON-SVR2, 20742B-LON-CL1
    User name: Adatum\Administrator
    Password: Pa55w.rd

  Estimated Time: 50 minutes

Lab Scenario

You are working as an administrator at A. Datum Corporation. As A. Datum expands, its security requirements are also increasing. The Security department particularly is interested in enabling secure access to critical websites and in providing additional security for features such as EFS, digital signatures, smart cards, and the DirectAccess feature in Windows 8.1 and Windows 10. The Security department especially wants to evaluate digital signatures in Microsoft Office documents. To address these and other security requirements, A. Datum has decided to use certificates issued by the AD CS role in Windows Server 2016.

As a senior network administrator at A. Datum, you are responsible for implementing certificate enrollment. You also will be developing the procedures and process for managing certificate templates and for deploying and revoking certificates.
Lab Review
  What must you do to recover private keys?
  What is the benefit of using a restricted Enrollment Agent?
Module Review and Takeaways
  Review Questions
  Real-world Issues and Scenarios
  Tools
  Best Practices
  Common Issues and Troubleshooting Tips