Version 1
  - Created by default when the CA is installed
  - Cannot be modified (except for permissions) or removed
  - Can be duplicated to create version 2 or version 3 templates

Version 2
  - Allows customization of most settings in the template
  - Supports autoenrollment

Version 3
  - Supports advanced Suite B cryptographic settings
  - Includes advanced options for encryption, digital signatures, key exchange, and hashing

Version 4
  - Supports both CSPs and key storage providers
  - Supports renewal with the same key
Configuring certificate template permissions

Permission     Description
Full Control   Allows a designated user, group, or computer to modify all attributes, including ownership and permissions
Read           Allows a designated user, group, or computer to read the certificate in AD DS when enrolling
Write          Allows a designated user, group, or computer to modify all attributes except permissions
Enroll         Allows a designated user, group, or computer to enroll for the certificate template
Autoenroll     Allows a designated user, group, or computer to receive a certificate through the autoenrollment process
Configuring certificate template settings

[Figure: two ways to update a certificate template]
Modifying: modify the original certificate template to incorporate the new settings (Original -> Updated)
Superseding: replace one or more certificate templates with an updated certificate template (Smart card 1 + Smart card 2 -> Smart cards (new))

Demonstration: Modifying and enabling a certificate template
Method                                  Use
Autoenrollment                          To automate the request, retrieval, and storage of certificates for domain-based computers
Manual enrollment                       To request certificates by using the Certificates console or Certreq.exe when the requestor cannot communicate directly with the CA
CA Web enrollment                       To request certificates from a website that is located on a CA; to issue certificates when autoenrollment is not available
Enroll on behalf (Enrollment Agent)     To provide IT staff with the right to request certificates on behalf of another user
Overview of certificate autoenrollment
Encryption protects data from unauthorized access.
EFS uses certificates for file encryption.

[Figure: structure of an EFS-encrypted file]
Header
  Data Decryption Field: file encryption key, encrypted with the file owner's public key
  Data Recovery Fields:
    File encryption key, encrypted with the public key of Recovery Agent 1
    File encryption key, encrypted with the public key of Recovery Agent 2 (optional)
Encrypted data

To send an encrypted message, you must possess the recipient's public key.
Demonstration: Encrypting a file with EFS
Smart cards:
Provide options for multifactor authentication
Provide enhanced security over passwords
Logon Information
Virtual machines: 20742B-LON-DC1, 20742B-LON-SVR1, 20742B-LON-SVR2, 20742B-LON-CL1
User name: Adatum\Administrator
Password: Pa55w.rd
Review Questions
Real-world Issues and Scenarios
Tools
Best Practices
Common Issues and Troubleshooting Tips