MCTS Guide to Configuring
Microsoft Windows Server 2008
Active Directory
Chapter 11: Active Directory Certificate Services
Objectives
• Describe the components of a PKI system
• Deploy the Active Directory Certificate Services role
• Configure a certification authority
• Maintain a PKI
Introducing Active Directory Certificate Services
• Active Directory Certificate Services (AD CS) is a server role in Windows Server 2008
• Provides the services for creating a public key infrastructure (PKI)
• Supplies the certificates that applications such as VPNs, EFS, smart card logon, and SSL/TLS rely on for authentication and encryption
Public Key Infrastructure Overview
• A public key infrastructure is a security system that binds a user's or device's identity to a cryptographic key
• PKI provides the following services to a network:
– Confidentiality
– Integrity
– Nonrepudiation
– Authentication
• Without these services, communications can be intercepted or tampered with; for example, users can be redirected to an impostor Web site with no way to tell it from the real one
PKI Terminology
• Terms used to describe a PKI
– Plaintext
– Ciphertext
– Key
– Secret key
– Private key
– Public key
– Symmetric cryptography
– Asymmetric cryptography
– Digital certificate
– Digital signature
PKI Terminology (cont.)
AD CS Terminology
• Terms related to AD CS
– Certificate revocation list (CRL)
– Certificate template
– Certificate distribution point (CDP)
– Delta CRL
– Enterprise CA
– Standalone CA
– Enrollment agent
– CA hierarchy
– Online responder
– Certificate enrollment
– Key management
Standalone and Enterprise CAs
• An enterprise CA is a domain member server running Windows Server 2008 with the Active Directory Certificate Services role installed; it stores its configuration in Active Directory, issues certificates from certificate templates, authenticates requesters with their domain credentials, and supports autoenrollment
• A standalone CA is a server running Windows Server 2008 with the Active Directory Certificate Services role installed but with little Active Directory integration: it does not use templates, requesters must supply their identifying information in the request, and by default requests are held as pending until an administrator approves them
• A standalone CA is the usual choice for an offline root CA and for issuing certificates to clients that are not domain members, such as non-Windows devices, because its requests don't depend on Active Directory authentication
Online and Offline CAs
• If a CA's private key is compromised, every certificate it has issued can no longer be trusted: the CA's own certificate must be revoked immediately by its parent CA (or, for a root, removed from every trust store) and the certificates it issued must be replaced
• Offline CAs aren't connected to the network, which keeps their private keys out of reach of network-based attackers
• Because an offline CA can't publish anything itself, its CA certificate and CRLs must be carried to the network on removable media and published manually, to Active Directory, to the Web server that serves the CDP, or both
• The root CA is the server most typically configured for offline operation; it is started only to issue or renew subordinate CA certificates and to sign a new CRL before the current one expires
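Publishing an offline root's certificate and CRL after carrying them over on removable media, as an added example that is not part of the original chapter. It assumes the files were copied to E:\RootCA under the placeholder names shown, that the root's display name is Contoso Root CA, and that it runs as an Enterprise Admin on a domain-joined machine (typically the issuing CA); certutil -dspublish writes to the forest's Configuration partition.

```powershell
# Added example, not code from the chapter: publish an offline root CA's certificate and
# CRL into the forest and the local store after transferring them on removable media.
# Assumptions: files exported from the offline root to E:\RootCA (file names below are
# placeholders); run as an Enterprise Admin on a domain-joined machine such as the issuing CA.
$Media   = 'E:\RootCA'
$RootCrt = Join-Path $Media 'ContosoRootCA.crt'   # placeholder file name
$RootCrl = Join-Path $Media 'ContosoRootCA.crl'   # placeholder file name

foreach ($f in @($RootCrt, $RootCrl)) {
    if (-not (Test-Path $f)) { throw "Missing file from the offline CA: $f" }
}

# Show exactly what is about to become a forest-wide trust anchor; compare the
# thumbprint with the one recorded when the root was installed before continuing.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCrt
"Root subject : $($cert.Subject)"
"Thumbprint   : $($cert.Thumbprint)"
"Valid        : $($cert.NotBefore) to $($cert.NotAfter)"

# 1. Trusted root store in AD (CN=Certification Authorities,CN=Public Key Services,...):
#    domain members pick it up through Group Policy / autoenrollment.
certutil -f -dspublish $RootCrt RootCA
# 2. Root CRL into the LDAP CRL distribution point so AD-based revocation checks succeed.
certutil -f -dspublish $RootCrl
# 3. Local machine store too, so this host validates the chain now rather than after
#    the next Group Policy refresh.
certutil -f -addstore Root $RootCrt
certutil -f -addstore Root $RootCrl

# Check: the root is present locally under the expected thumbprint.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

Repeat step 2 every time the offline root signs a new CRL, before the current CRL's next-update time passes; once the root's CRL has expired, every chain below it fails revocation checking.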
Creating a CA Hierarchy
• The root CA is the first CA installed in a network; its self-signed certificate is the trust anchor that every other certificate chains to
• Two-level hierarchy involves the root CA issuing certificates to subordinate CAs called issuing CAs
• Three-level hierarchy involves the root CA issuing certificates to intermediate CAs, which then issue certificates to the issuing CAs
• Multilevel CA hierarchies are commonly used so that the root CA can stay offline while online issuing CAs share the certificate-issuing load and can be revoked or replaced individually without touching the root
Certification Practice Statement
• A certification practice statement (CPS) is a document describing how a CA issues and manages certificates
• Not a required component of a PKI, but relying parties use it to decide how much trust to place in the CA's certificates
• A CPS usually contains:
– Identification of the CA
– Security practices used to maintain CA integrity
– Types of certificates issued
– Policies and procedures used
– Cryptographic algorithms used
– Certificate lifetimes
– CRL-related policies, including where CRL distribution points are located
– Renewal policy of the CA's certificate
• The CPS is tied to the CA by creating a CAPolicy.inf file, containing the CPS URL and its policy object identifier (OID), in the CA's %systemroot% directory before the CA role is installed; the installer reads it once and places the policy in the Certificate Policies extension of the CA's certificate
Installing the AD CS Role
• Best practices dictate that the AD CS role shouldn't be installed on a domain controller; ideally, AD CS should be the only installed role, because every other service on the server widens the attack surface around the CA's private key
• Enterprise CAs must be installed on a member server running Windows Server 2008, and installing one requires membership in Enterprise Admins; the advanced features (version 2 and 3 templates, key archival, the Online Responder, and NDES) require Enterprise or Datacenter Edition
• AD CS is installed by adding the AD CS role in Server Manager; the CA name and type chosen in the wizard can't be changed afterward without reinstalling the CA, and the key length, hash algorithm, and validity period only change when the CA's certificate is renewed
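The CAPolicy.inf from the certification practice statement slides and the role installation, put together as an added example that is not code from the chapter. It uses the Install-WindowsFeature and Install-AdcsCertificationAuthority cmdlets that arrived with Windows Server 2012; on Windows Server 2008 the CAPolicy.inf part is identical and the role is added through the Server Manager wizard. The OID, CPS URL, CA name, key size, and validity period are placeholders.

```powershell
# Added example, not code from the chapter: stage CAPolicy.inf, then install an offline
# standalone root CA. Assumes Windows Server 2012+ cmdlets (on Windows Server 2008 use
# the Server Manager wizard; the CAPolicy.inf part is identical). Placeholders: the OID
# (use an arc you own), the CPS URL, the CA name, and the validity/key sizes.
$CAPolicy = @'
[Version]
Signature="$Windows NT$"

[PolicyStatementExtension]
Policies=ContosoCPS

; Goes into the Certificate Policies extension of the CA certificate
[ContosoCPS]
OID=1.3.6.1.4.1.99999.1.1
Notice="Contoso Certification Practice Statement"
URL=http://pki.contoso.com/cps.html

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Offline root: long base CRL period, no delta CRLs
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; Only matters on an enterprise CA, but 0 means nothing is published unreviewed
LoadDefaultTemplates=0
; PKCS#1 v1.5 signatures for compatibility with older clients
AlternateSignatureAlgorithm=0

; A root has no issuer, so its own certificate carries no CDP or AIA pointers
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# The installer reads %systemroot%\CAPolicy.inf once at install (and again at renewal).
$PolicyPath = Join-Path $env:SystemRoot 'CAPolicy.inf'
Set-Content -Path $PolicyPath -Value $CAPolicy -Encoding ASCII

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Contoso Root CA' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Check that the policy file was honoured: CRL settings in the CA registry, and the
# Certificate Policies extension (carrying the CPS URL) in the new root certificate.
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPeriodUnits
$root = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=Contoso Root CA' }
$root.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.32' } |   # id-ce-certificatePolicies
    ForEach-Object { $_.Format($true) }
```

For an enterprise issuing CA below this root, use -CAType EnterpriseSubordinateCA with -OutputCertRequestFile; the request file is carried to the offline root on removable media, signed there, and the resulting certificate installed with the Certification Authority snap-in. Keep LoadDefaultTemplates=0 on issuing CAs as well and publish only the templates you have reviewed.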
Configuring a Certification Authority
• Several configuration tasks must be taken care of before the CA can be used properly
– Configure certificate templates
– Configure enrollment options
– Configure the online responder
– Create a revocation configuration
Configuring Certificate Templates
• If you install an enterprise CA, a number of predefined certificate templates can be configured to generate certificates; a standalone CA doesn't use templates at all
• Windows Server 2008 supports three versions of certificate templates
– Version 1 templates
• Supported by Windows Server 2003 Standard Edition and Windows 2000 Server; they can't be modified, only duplicated into a newer version
– Version 2 templates
• Supported by Windows Server 2003 Enterprise Edition and later; they can be modified and support autoenrollment and key archival
– Version 3 templates
• Supported by Windows Server 2008 and Vista; they add Cryptography Next Generation (CNG) key storage providers and algorithms
• Certificate templates are created and modified in the Certificate Templates snap-in; they are stored in Active Directory and shared by every enterprise CA in the forest, so a change to a template affects all of them
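An added example (not the chapter's code) that lists every template in the forest with the properties worth reviewing before publishing it on an enterprise CA: its version, whether the requester may supply the subject name, whether certificate manager approval is required, and whether its extended key usages let it be used for authentication. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and read access to the Configuration partition; the flag values are the documented bits of the msPKI attributes, and the template names in the output are whatever your forest contains.

```powershell
# Added example, not code from the chapter: review certificate templates before publishing.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2+) on a domain-joined host.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Documented flag bits and EKU OIDs
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: requester chooses the subject
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: certificate manager must approve
$EKU_ClientAuth     = '1.3.6.1.5.5.7.3.2'
$EKU_SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$EKU_AnyPurpose     = '2.5.29.37.0'

$templates = Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage

$templates | Select-Object Name,
    @{n='Version';       e={ $_.'msPKI-Template-Schema-Version' }},
    @{n='SupplySubject'; e={ [bool]($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) }},
    @{n='NeedsApproval'; e={ [bool]($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) }},
    @{n='AuthEKU';       e={
        $eku = @($_.pKIExtendedKeyUsage)
        # No EKU at all, or Any Purpose, is usable for authentication as well
        ($eku.Count -eq 0) -or ($eku -contains $EKU_AnyPurpose) -or
        ($eku -contains $EKU_ClientAuth) -or ($eku -contains $EKU_SmartCardLogon)
    }} |
    Sort-Object Version, Name | Format-Table -AutoSize
```

Templates that show SupplySubject True, NeedsApproval False, and AuthEKU True deserve the closest look: anyone who holds Enroll on such a template can request a certificate naming a principal of their choosing, so limit Enroll on them to the intended accounts or require certificate manager approval before publishing them on a CA.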
Configuring Certificate Enrollment Options
• Certificate enrollment occurs when a user or device requests a certificate and the certificate is granted
• Enrollment can occur with several methods
– Autoenrollment
– Certificates MMC
– Web enrollment
– Network Device Enrollment Service (NDES)
– Smart card enrollment
Configuring Certificate Autoenrollment
• When autoenrollment is configured, users and devices don't have to make explicit certificate requests to be issued certificates
• Commonly used for EFS user certificates and for computer certificates (for example, for IPSec or 802.1X authentication)
• Autoenrollment is enabled in the Computer Configuration or User Configuration node of the Group Policy Management Console, under Policies, Windows Settings, Security Settings, Public Key Policies, Certificate Services Client - Auto-Enrollment
• The certificate template must grant the user or computer the Read, Enroll, and Autoenroll permissions and must be published on the CA; the CA must also be set to issue the certificate automatically rather than hold requests as pending, which is configured in its request-handling options
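Checking from a client that autoenrollment is really in force, triggering it, and seeing what arrived, as an added example that is not code from the chapter. It assumes the Group Policy setting above has been applied and that an enterprise CA publishes a template the client can autoenroll for; the CA name is a placeholder, and the registry value and extension OIDs are the documented ones.

```powershell
# Added example, not code from the chapter: confirm that autoenrollment is in force on a
# client and trigger it. Assumes the Group Policy described above has been applied and an
# enterprise CA publishes a suitable template; the CA name is a placeholder.
$CAName = 'Contoso Issuing CA'

# The GPO setting lands in AEPolicy: bit 1 = enabled, bit 2 = renew expired / update pending,
# bit 4 = update certificates that use templates; 0x8000 = explicitly disabled.
function Get-AutoEnrollState {
    param([ValidateSet('Machine','User')][string]$Scope)
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $key  = "$hive\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($v -eq $null)    { return "$Scope autoenrollment: not configured" }
    if ($v -band 0x8000) { return "$Scope autoenrollment: disabled by policy" }
    "{0} autoenrollment: enabled (renew/pending={1}, update templates={2})" -f $Scope, [bool]($v -band 2), [bool]($v -band 4)
}
Get-AutoEnrollState Machine
Get-AutoEnrollState User

# Templates the CA publishes, and whether *this* principal could autoenroll for each
# (a template missing here is either unpublished or lacks Read/Enroll/Autoenroll for us).
certutil -CATemplates

# Run the autoenrollment task now instead of waiting for the next policy refresh.
certutil -pulse
Start-Sleep -Seconds 15

# Certificates from the CA in the machine store, with the template each came from.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like "CN=$CAName*" } | ForEach-Object {
    $tmplExt = $_.Extensions | Where-Object {
        # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2/v3), 1.3.6.1.4.1.311.20.2 = template name (v1)
        $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2'
    }
    $template = if ($tmplExt) { ($tmplExt | Select-Object -First 1).Format($false) } else { '(no template)' }
    "{0,-45} {1}  expires {2:d}" -f $_.Subject, $template, $_.NotAfter
}
```

Run the user scope as the user who is supposed to receive the certificate; the computer scope needs no interactive logon. If nothing shows up after the pulse, the Application log records the reason under the CertificateServicesClient-AutoEnrollment source, and the most common causes are a template without the Autoenroll permission for that principal and a template that is not published on the CA.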
Configuring Certificate Autoenrollment (cont.)
Requesting a Certificate with the Certificates Snap-in
• Users can request certificates that aren’t configured for autoenrollment by using the Certificates snap-in
• This method for requesting certificates can be used only with enterprise CAs
Requesting a Certificate with the Certificates Snap-in (cont.)
Configuring Web Enrollment
• Requires installing the Certification Authority Web Enrollment role service, which depends on IIS
• Web enrollment is the main method for accessing CA services on a standalone CA, because a standalone CA has no templates for the Certificates snap-in to work from
• To access the Certification Authority Web Enrollment role service, users open a browser and browse to https://<server>/certsrv; the site should be bound to HTTPS, because requests and issued certificates travel over it and, on an enterprise CA, so do the requester's domain credentials
• Server configured for Web enrollment is called a registration authority or a CA Web proxy; it can be a different server from the CA, which keeps the CA itself off the Web
Network Device Enrollment Service
• Allows network devices, such as routers and switches, to obtain certificates by using Simple Certificate Enrollment Protocol (SCEP), a protocol originally developed by Cisco and later published as RFC 8894; the device proves its request is authorized with a one-time challenge password that an administrator obtains from the NDES admin page, so access to that page must be restricted
• Cisco devices can request and obtain certificates to run IPSec, even if they don’t have domain
Smart Card Enrollment
• Takes place at a smart card enrollment station; in Windows Server 2008 the Certificates snap-in's Enroll On Behalf Of wizard replaces the smart card enrollment pages of earlier Web enrollment
• User supplies credentials to request the smart card certificate and presents his or her card, and then the certificate and its private key are generated on the card; the private key never leaves it
• Cards are protected by PINs, much like using an ATM; the PIN unlocks the key on the card and is never sent to the CA
• A user designated as an enrollment agent can enroll smart card certificates on behalf of users to simplify the process; because an enrollment agent certificate lets its holder obtain logon certificates for anyone, issue it to as few people as possible and limit whom each agent may enroll with the CA's enrollment agent restrictions
Configuring the Online Responder
• An online responder enables clients to check a certificate's revocation status without having to download the CRL; it answers per-certificate queries using the Online Certificate Status Protocol (OCSP)
• To use it, the Online Responder role service must be installed, either together with the CA role or afterward; it needs an OCSP Response Signing certificate from the CA, and the CA must include the responder's URL in the authority information access (AIA) extension of the certificates it issues
Creating a Revocation Configuration
• A revocation configuration is created on the online responder for each CA certificate it answers for; it identifies the CA certificate, where the responder obtains CRLs (the CA's CRL distribution points), and the OCSP signing certificate it uses to sign responses
• To create a revocation configuration, you use the Online Responder Management snap-in, reached under the Active Directory Certificate Services node beneath Roles in Server Manager
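The CA-side half of the online responder and revocation configuration slides, as an added example that is not code from the chapter: it sets the CDP, AIA, and OCSP locations an issuing CA puts into certificates, publishes a CRL, and then verifies that a freshly issued certificate actually passes a revocation check through those URLs. The responder's own revocation configuration is still created in the snap-in as described. It uses the ADCSAdministration cmdlets from Windows Server 2012 and later; on Windows Server 2008 the same values are entered on the CA's Properties, Extensions tab or with certutil -setreg. Host names, the CA name, and file paths are placeholders.

```powershell
# Added example, not code from the chapter: set the CDP, AIA and OCSP locations on an issuing CA,
# publish a CRL, and verify revocation checking end to end. Uses the ADCSAdministration cmdlets
# (Windows Server 2012+); on Windows Server 2008 the same values are entered on the CA's
# Properties > Extensions tab or with certutil -setreg. Host names and file paths are placeholders.
Import-Module ADCSAdministration

$HttpBase = 'http://pki.contoso.com/pki'      # web server that exposes the CA's CertEnroll folder
$OcspUrl  = 'http://ocsp.contoso.com/ocsp'    # Online Responder; plain http is normal, responses are signed
$TestCert = 'C:\pki\test.cer'                 # any certificate issued after the change

# CDP: HTTP URL in issued certificates and in the freshest-CRL pointer. The <...> tokens are
# the CA's substitution variables (CA name, CRL suffix, delta marker).
Add-CACrlDistributionPoint -Uri "$HttpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: where to fetch the CA certificate, and the OCSP responder URL.
Add-CAAuthorityInformationAccess -Uri "$HttpBase/<ServerDNSName>_<CaName><CertificateName>.crt" -AddToCertificateAia -Force
Add-CAAuthorityInformationAccess -Uri $OcspUrl -AddToCertificateOcsp -Force

# Extension settings apply to certificates issued after the service restarts.
Restart-Service certsvc
certutil -crl                      # publish a new base CRL (and delta, if enabled) now

Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia, AddToCertificateOcsp -AutoSize

# Check 1: the CRL is reachable at the HTTP CDP and is not about to expire.
$crlFile = Join-Path $env:TEMP 'cdp-check.crl'
(New-Object System.Net.WebClient).DownloadFile("$HttpBase/Contoso Issuing CA.crl", $crlFile)
certutil -dump $crlFile | Select-String 'ThisUpdate|NextUpdate'

# Check 2: chain build plus revocation check for a freshly issued certificate, fetching
# every AIA/CDP/OCSP URL embedded in it instead of using cached data.
certutil -verify -urlfetch $TestCert | Select-String 'Verified|revocation|OCSP|ERROR'
```

Certificates issued before the change keep their old extensions, so test with one issued afterward. If the responder is not yet answering, clients fall back to the CRL from the CDP; the HTTP CDP is therefore the one location that must work for every client, domain-joined or not.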
Maintaining and Managing a PKI
• By default, members of the local Administrators group (and, on an enterprise CA, Domain Admins and Enterprise Admins) can perform all tasks on a CA server
• After roles have been assigned and role separation is enforced, an account can perform only tasks related to its assigned role, and an account holding two CA roles is blocked from both
• Four key roles must be filled to administer a CA and its components
– CA Administrator (the Manage CA permission on the CA)
– Certificate Manager (the Issue and Manage Certificates permission on the CA)
– Backup Operator (the Back up files and directories user right)
– Auditor (the Manage auditing and security log user right)
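Putting the four-role model into effect on a CA and checking it, as an added example that is not code from the chapter. It assumes Windows Server 2008 Enterprise or Datacenter Edition (role separation is not available on Standard), that Manage CA and Issue and Manage Certificates have already been granted to two different groups on the CA's Security tab, and that it runs as a local Administrator on the CA.

```powershell
# Added example, not code from the chapter: enable CA auditing and role separation, then verify.
# Assumes Windows Server 2008 Enterprise/Datacenter, that the CA Administrator and Certificate
# Manager permissions already sit on two distinct groups, and a local Administrator session on the CA.

# 1. Make the OS record Certification Services audit events in the Security log.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
# 2. Audit all seven CA event categories (bitmask, 127 = everything).
certutil -setreg CA\AuditFilter 127
# 3. Enforce role separation. From now on an account that holds two CA roles is denied both,
#    which is why the roles must already be on separate groups.
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service certsvc

# Verify the settings and show recent CA audit records (CA permission changes, audit filter
# changes, issued and denied requests) so the auditor can see the trail they will review.
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885, 4887, 4888 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

If the account that ran this held both CA roles it is now locked out of the CA, but the registry is not guarded by the CA: run certutil -setreg CA\RoleSeparationEnabled 0 as a local Administrator, restart certsvc, fix the group memberships, and enable it again. Backup Operator and Auditor are assigned through the server's local security policy, not in the Certification Authority snap-in.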
CA Backup and Restore
• Regular backup of all servers in a network is mandatory
• Full backup or system state backup on a CA server automatically backs up the certificate store (the CA certificate and private key), the certificate database, and the CA's registry configuration along with other data
• The Certification Authority snap-in provides a simple wizard-based backup utility (All Tasks, Back up CA) that exports the CA certificate and private key to a password-protected file and copies the certificate database and log; the same snap-in can also restore a backup. Because a restored backup brings back the CA's private key, backup media must be protected as carefully as the CA itself
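A scripted CA backup, as an added example that is not code from the chapter: it captures what the Back up CA wizard captures (CA certificate and private key, certificate database and logs) plus the registry configuration and CAPolicy.inf that the wizard does not, and then proves the backup can be opened. The destination path is a placeholder on media that leaves the server, and the account is assumed to hold Manage CA and the Backup Operator right.

```powershell
# Added example, not code from the chapter: scripted CA backup plus a restore check.
# Assumptions: D:\CABackup is a placeholder on media that leaves the server; the account holds
# Manage CA (needed to export the key) and the Backup Operator right.
$BackupRoot = 'D:\CABackup'
$Dest       = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
# certutil takes the password in clear on its command line, so prompt for it, never hardcode it.
$Password   = Read-Host 'Password to protect the exported CA key'

New-Item -ItemType Directory -Path $Dest | Out-Null

# Key + certificate as <CAName>.p12 and database + logs under DataBase\ (same as the wizard).
certutil -p $Password -backup $Dest

# CA settings (CDP/AIA URLs, validity periods, audit filter, role separation, policy module)
# are registry values and are NOT part of certutil -backup.
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$Dest\CertSvc-Configuration.reg" /y

# CAPolicy.inf is read again when the CA certificate is renewed; keep it with the backup.
$policy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $policy) { Copy-Item $policy $Dest }

# Check: the PFX opens with the password and the database is there. A backup that has
# never been opened is a guess, not a backup.
$pfx = Get-ChildItem (Join-Path $Dest '*.p12')
if (-not $pfx) { throw 'No .p12 in backup: key export failed' }
certutil -p $Password -dump $pfx.FullName | Select-String 'Subject:|NotAfter:'
if (-not (Get-ChildItem (Join-Path $Dest 'DataBase\*.edb'))) { throw 'Certificate database missing from backup' }
Get-ChildItem $Dest -Recurse | Select-Object FullName, Length
```

Restore with the service stopped: net stop certsvc, then certutil -p <password> -restore <Dest>, import the .reg file, and net start certsvc. The backup contains the CA's private key, so it gets the same physical and access controls as the CA, and the export password is kept separately from the media.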
Key and Certificate Archival and Recovery
• If a user's private key is lost or damaged, he or she might lose access to systems or documents (for example, files encrypted with EFS)
• By using key archival, a copy of the private key is locked away when the certificate is issued and can be restored if the user's private key is lost
• Two methods for archiving private keys
– Manual
• Involves exporting the certificate together with its private key to a password-protected PFX file and storing the file securely
– Automatic
• The CA archives the private key in its database, encrypted to one or more Key Recovery Agent (KRA) certificates; the certificate template must be set to archive the subject's encryption private key, and only encryption keys should ever be archived, never signing keys, because an archived signing key destroys nonrepudiation
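Recovering an archived private key through the automatic method, as an added example that is not code from the chapter. It assumes a KRA certificate is configured on the CA's Recovery Agents tab and that the user's template archives the encryption key; step 1 needs the Certificate Manager role and step 2 needs the KRA's private key. The user, file names, and password prompt are placeholders.

```powershell
# Added example, not code from the chapter: recover an archived private key through the CA.
# Assumes a Key Recovery Agent (KRA) certificate is configured on the CA and the user's
# template archives the encryption key. Step 1 needs the Certificate Manager role; step 2
# needs the KRA's private key. User, file names and password handling are placeholders.
$SearchToken = 'alice@contoso.com'       # UPN, CN, serial number or SHA-1 hash of the user certificate
$BlobFile    = 'C:\recover\alice.blob'
$PfxFile     = 'C:\recover\alice.pfx'

New-Item -ItemType Directory -Force -Path (Split-Path $BlobFile) | Out-Null

# Step 1 (Certificate Manager): extract the archived key from the CA database. The blob is
# still encrypted to the KRA certificate, so the certificate manager alone cannot read the key.
certutil -getkey $SearchToken $BlobFile

# Step 2 (KRA): decrypt the blob with the KRA private key into a password-protected PFX.
# certutil takes the password in clear on its command line, so prompt for it rather than store it.
$PfxPassword = Read-Host 'Password for the recovered PFX'
certutil -p $PfxPassword -recoverkey $BlobFile $PfxFile

# Step 3: confirm the PFX holds the expected certificate, then destroy the intermediate blob.
certutil -p $PfxPassword -dump $PfxFile | Select-String 'Subject:|Serial Number:|NotAfter:'
Remove-Item $BlobFile
```

Splitting steps 1 and 2 between two people is the point of the design: neither the certificate manager nor the KRA can recover a key alone, and each retrieval is recorded in the CA's audit log when the archived-key category is enabled. Hand the PFX to the user over a channel that doesn't also carry the password.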
Key and Certificate Archival and Recovery (cont.)
Chapter Summary
• Active Directory Certificate Services (AD CS) provides services for creating a PKI in a Windows Server 2008 environment
• A PKI binds the identity of a user or device to a cryptographic key
• Some key terms for describing a PKI and AD CS include private and public keys, digital signature, certification authority, certificate revocation list, online responder, and certificate enrollment
Chapter Summary (cont.)
• An enterprise CA integrates with Active Directory; a standalone CA does not
• A CA can be online or offline; an offline CA is more secure and usually used in a CA hierarchy with one or more online issuing CAs
• The AD CS role is installed in Server Manager and should not be installed on a domain controller
• Configuring a CA involves configuring certificate templates, enrollment options, and an online responder, and creating a revocation configuration
Chapter Summary (cont.)
• Certificate enrollment occurs when a user or device requests a certificate and the certificate is granted; enrollment can occur with autoenrollment, the Certificates MMC, Web enrollment, NDES, and smart cards
• An online responder allows clients to check a certificate's revocation status without having to download the CRL periodically
• Role-based administration limits the PKI tasks a domain administrator account can perform
Chapter Summary (cont.)
• When a full backup or system state backup is performed on a CA server, the certificate store is backed up along with other data
• When users’ private keys are lost or damaged, they could lose access to systems or documents