
Introduction to Active Directory Certificate Services

4-1

Module 4
Introduction to Active Directory Certificate Services
Contents:
Lesson 1: Overview of Active Directory Certificate Services (AD CS) 4-3
Lesson 2: Understanding AD CS Certificates 4-10
Lesson 3: Implementing Certificate Enrollment and Revocation 4-16
Lab: Exploring Active Directory Certificate Services 4-25

BETA COURSEWARE. EXPIRES 4/30/2008


Fundamentals of Windows Server 2008 Active Directory

Module Overview

One of the most important components in a network security plan is the use of digital certificates. Digital certificates can be used to secure network traffic, secure Web sites and secure AD DS authentication. Active Directory Certificate Services (AD CS) provides the tools and services to create and manage these digital certificates. Furthermore, the integration of AD CS with AD DS provides organizations with a cost-effective, efficient, and secure way to manage the distribution and use of certificates.


Lesson 1

Overview of Active Directory Certificate Services (AD CS)

Many network security components require the digital certificates that are issued by a certification authority (CA). When you implement a CA, you have several options for how to design and configure the CA. This lesson describes some of these options when deploying a CA such as AD CS.


What is a Certification Authority?

Key Points
The certification authority (CA) is the entity entrusted to issue certificates to individuals, computers, or organizations. The CA performs the following functions:
- Verifies the identity of the certificate requestor.
- Issues certificates to requesting users, computers and services.
- Manages certificate revocation.

Additional reading
Public Key Infrastructure


How CA Hierarchies Work

Key Points
Certification authorities can be chained together in hierarchies. A hierarchy is created when one CA trusts another. The root CA is the one that is trusted by all the other CAs in the hierarchy. The subordinate CAs are those that trust the root CA. A trust is created when a subordinate server is issued a certificate from a server higher in the hierarchy.

Additional reading
Active Directory Certificate Services Help File: Public Key Infrastructures


Options for Implementing Certification Authorities

Key Points
You can configure a certification authority for your company using an internal private CA such as AD CS, or you can leverage an external third-party CA.

Additional reading
Certification Authority Trust Model


Options for Integrating AD CS and AD DS

Key Points
As with other Active Directory server roles, AD CS can be tightly integrated with AD DS. There are two main types of servers running AD CS, stand-alone and enterprise.

Stand-alone CAs
Stand-alone CAs can be installed on a server that is either joined to an Active Directory domain or even in a workgroup. Stand-alone CAs do not depend on the use of AD DS.

Enterprise CAs
Enterprise CAs must be:
- Installed on a domain-joined server
- Integrated with AD DS


Additional reading
Active Directory Certificate Services Help File:
- Enterprise Certification Authorities
- Stand-Alone Certification Authorities


Demonstration: Tools for Managing AD CS

Questions
1. Which tools should be used to manage the CA settings?
2. You need to determine which certificates have been issued to your user account while using a particular computer. How would you do this?


Lesson 2

Understanding AD CS Certificates

The digital certificates issued by AD CS CAs are distributed to network clients. These certificates are then used by a variety of applications to provide security. This lesson describes what certificates are, how they are used, and how to use certificate templates to generate certificates.


What are Digital Certificates?

Key Points
The public key can be distributed to all clients that request it. The public key provides:
- Information about the subject of the certificate
- Information about the validity of the certificate
- Information about the applications and services that can use the certificate
- A way to identify the holder of the certificate

The private key is usually only stored on the computer from which the original certificate request was made.

Additional reading
X.509 Technical Supplement


How Public Keys and Private Keys Work

Key Points
The public key and the private key are a mathematically matched pair of numbers. When one of the keys is used to encrypt the data, the other key is used to decrypt the data. The key that encrypts the data cannot be used to decrypt the data; this is an asymmetric key process. Both keys are required to complete an encryption or authorization process.
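The following PowerShell script is an added example and is not part of the 6424A courseware. It shows the asymmetric property described above with the .NET RSACng class that PowerShell can call directly, so it runs on any machine with Windows PowerShell 5.1 or later (assumed) and needs no CA or AD DS. The file name in the sample data is constructed for the example.

```powershell
# Added example (not from the courseware): one key encrypts, the other decrypts,
# and the encrypting key cannot reverse its own work. Assumes Windows PowerShell
# 5.1+ / .NET Framework 4.6+ (RSACng and RSAEncryptionPadding are needed).

# 1. Generate a matched key pair. $keyPair holds both halves.
$keyPair = New-Object System.Security.Cryptography.RSACng 2048

# 2. Build a second object holding only the PUBLIC half, which is what a client
#    that received the certificate would have. ExportParameters($false) omits
#    every private component.
$publicOnly = New-Object System.Security.Cryptography.RSACng
$publicOnly.ImportParameters($keyPair.ExportParameters($false))

$padding   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$plaintext = [System.Text.Encoding]::UTF8.GetBytes("constructed sample: payroll.xlsx contents")

# 3. Anyone with the public key can encrypt ...
$ciphertext = $publicOnly.Encrypt($plaintext, $padding)

# ... but the same public key cannot decrypt what it just encrypted.
try {
    $null = $publicOnly.Decrypt($ciphertext, $padding)
    Write-Host "UNEXPECTED: public key decrypted the data"
} catch {
    Write-Host "Public key alone cannot decrypt: $($_.Exception.Message)"
}

# 4. Only the holder of the private key can recover the data. This is why
#    Lesson 2 says the private key stays on the machine that made the request.
$recovered = [System.Text.Encoding]::UTF8.GetString($keyPair.Decrypt($ciphertext, $padding))
Write-Host "Private key decrypted: $recovered"

# 5. The reverse direction is a signature: the private key signs, and any holder
#    of the public key can verify. Certificate-based authentication (smart card
#    logon, SSL server authentication) relies on exactly this.
$hashAlg   = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$sigPad    = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $keyPair.SignData($plaintext, $hashAlg, $sigPad)
$valid     = $publicOnly.VerifyData($plaintext, $signature, $hashAlg, $sigPad)
Write-Host "Signature verifies with the public key: $valid"

# Changing a single bit of the data invalidates the signature.
$tampered = [byte[]]$plaintext.Clone()
$tampered[0] = $tampered[0] -bxor 1
$stillValid = $publicOnly.VerifyData($tampered, $signature, $hashAlg, $sigPad)
Write-Host "Tampered data verifies: $stillValid"
```

Run the script as-is; step 3 prints a CryptographicException message from the public-only object, step 4 prints the recovered text, and the two VerifyData calls print True and then False. The point for the module summary is visible in step 2: everything a relying party needs fits in the public half, so protecting the private half is the whole game.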

Additional reading
How Encrypting File System Works


Demonstration: Using Certificates to Secure Data

Questions
1. In order to encrypt a file, what must a user already have?
2. In this case, what was used to encrypt the file?


What are Certificate Templates?

Key Points
Certificate templates are used by AD CS enterprise CAs to define what type of certificates can be issued by the CAs.

Default templates
When you install AD CS, several default templates are created. Some of the default certificate templates are:
- Basic Encrypting File System (EFS)
- Key Recovery Agent (for a user that can recover special private keys)
- Router (for encryption of router communications)
- Smart card logon (certificates used for smart card logon)
- Web Server for Secure Sockets Layer (SSL)


Additional reading
Active Directory Certificate Services Help:
- Default Certificate Templates
- Managing Certificate Templates


Lesson 3

Implementing Certificate Enrollment and Revocation

When you deploy AD CS, one of the primary issues that you need to address is how you will distribute and revoke certificates. This lesson describes what certificate enrollment is and how to administer and automate the enrollment process. This lesson also discusses certificate revocation, why it is important and how to revoke certificates.


Options for Implementing Certificate Enrollment

Key Points
AD CS provides three main options for enrolling or creating certificates. These options are: using the built-in Web site on the CA, manual enrollment, or auto-enrollment.

Web enrollment
If Internet Information Services (IIS) is installed on the AD CS CA, you can enable a Web site on the CA, through which users can obtain certificates. This method is good for issuing certificates when auto-enrollment cannot be used.

Manual enrollment
Manual or offline enrollment is used when the requestor cannot communicate directly with the CA or if the device does not support auto-enrollment.


Auto-enrollment
Auto-enrollment is used for AD DS domain-joined machines. The auto-enrollment process allows an administrator to define permissions and configuration of a certificate template so that the requestor can automatically request, retrieve and renew certificates without any end-user interaction.


Demonstration: Using Web Enrollment to Obtain Certificates

Questions
1. In what ways can the certificate request be generated?
2. In this demonstration, what did the CA use to determine whether the certificate request should be approved?


Administering Certificate Enrollment

Key Points
Regardless of whether you use Web enrollment, offline enrollment or auto-enrollment, there are four basic steps (outlined in the slide) in the enrollment process. The auto-enrollment process performs each of the steps without any user or administrative interaction.
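The script below is an added example, not part of the 6424A courseware or of the lab. It carries out the manual (offline) enrollment described in Lesson 3 and in Exercise 2 of the lab from the command line with certreq and certutil instead of IIS Manager and the Web enrollment pages, so each stage of the flow (build the request, submit it, have an administrator approve it, install the issued certificate) is visible as a separate command. It assumes the lab layout: the CA runs on NYC-DC1 and the request is made on NYC-SRV1 in an elevated PowerShell session. "<CA name>" and "<RequestId ...>" are placeholders for values the lab does not give; the subject fields are the ones typed in Exercise 2, Task 2.

```powershell
# Added example (not from the courseware): manual enrollment with certreq/certutil.
# Assumes the lab topology (CA on NYC-DC1, requester NYC-SRV1). "<CA name>" is a
# placeholder for the CA's common name, which the lab does not state.

$caConfig = "NYC-DC1\<CA name>"
$workDir  = "C:\Users\Administrator\Documents"

# Stage 1: describe the request in an INF file. Subject fields match Exercise 2.
# MachineKeySet=TRUE creates the key in the computer's store, where IIS can use
# it; Exportable=FALSE stops the private key from being copied off this server.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; the EKU OID is Server Auth.
@"
[NewRequest]
Subject = "CN=NYC-SRV1, OU=Corporate, O=Woodgrove Bank, L=New York, S=New York, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$workDir\NYC-SRV1.inf" -Encoding ASCII

# Stage 2: generate the key pair and the PKCS #10 request. The private key never
# leaves this machine; only the public key and subject travel in the .req file.
certreq -new "$workDir\NYC-SRV1.inf" "$workDir\NYC-SRV1.req"

# Stage 3: submit the request. If the CA or template requires approval (as the
# Web Server template does in the lab), certreq reports "Taken Under Submission"
# together with a RequestId instead of writing the .cer file.
certreq -submit -config $caConfig "$workDir\NYC-SRV1.req" "$workDir\NYC-SRV1.cer"

# (CA administrator, on NYC-DC1) approve the pending request by its id, then the
# requester retrieves the issued certificate.
$requestId = "<RequestId printed by certreq -submit>"
certutil -config $caConfig -resubmit $requestId
certreq -retrieve -config $caConfig $requestId "$workDir\NYC-SRV1.cer"

# Stage 4: install the issued certificate. certreq matches it to the private key
# created in stage 2 and places it in Cert:\LocalMachine\My.
certreq -accept "$workDir\NYC-SRV1.cer"

# Confirm: HasPrivateKey must be True, otherwise IIS cannot bind the certificate.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=NYC-SRV1*' } |
    Select-Object Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint
```

The commands in stage 3 that run on the CA need CA administrator rights, which is the separation the lesson's Web enrollment demonstration also shows: the requester can only create and submit, and issuance is a decision the CA makes. Auto-enrollment performs the same four stages, with the template's permissions standing in for the administrator's approval.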


Demonstration: Administering Certificate Requests

Questions
1. When was the private key generated for the Web server?
2. Why does Web enrollment require an administrator to approve the certificate requests?


Options for Automating Certificate Enrollment

Key Points
Auto-enrollment enables organizations to automatically deploy certificates to users and computers. The auto-enrollment feature allows organizations to manage all aspects of the certificate life cycle, including certificate enrollment, certificate renewal, and certificate revocation.


What is Certificate Revocation?

Key Points
Certificate revocation is when a certificate is invalidated before the end of its validity period. You would need to revoke a certificate before its expiration if:
- The certificate is no longer needed.
- The computer where the private key was stored, or the CA, was compromised and is no longer secure.
- A new certificate was generated.

Additional reading
Active Directory Certificate Services Help: Creating a Revocation Configuration


Demonstration: Revoking Certificates

Question
Other than the CA MMC, where would you be able to tell if a certificate is valid?


Lab: Exploring Active Directory Certificate Services

Scenario:
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has implemented Windows Server 2008 and is planning on using AD CS to issue certificates for internal network users, computers and servers. The AD CS Server role has been deployed. Your task is to ensure that the Web enrollment and manual processes for managing certificates are working.


Exercise 1: Requesting Certificates Using Web Enrollment


In this exercise you will request a certificate for a user account using Web enrollment. You will view the certificate in the Certificates snap-in and verify the certificate has been issued by using the CA management tool. You will then use the certificate to encrypt data using EFS. The main tasks are as follows:
1. Start the 6424A-NYC-DC1 virtual machine and log on as Administrator.
2. Open Internet Explorer, go to https://NYC-SRV1/CertSrv/Default.asp, and then generate a user certificate for Administrator.
3. Using the Certificates snap-in, verify that the user certificate was successfully installed.
4. Use the Certification Authority Console to verify the certificate was created.

Task 1: Start the 6424A-NYC-DC1 virtual machine and log on as Administrator
1. Open the Virtual Server Remote Control Client and then double-click 6424A-NYC-DC1.
2. In Virtual Server Remote Control Client, double-click 6424A-NYC-SRV1.
3. Log on to 6424A-NYC-SRV1 as Administrator using the password Pa$$w0rd.

Task 2: Open Internet Explorer, go to https://NYC-SRV1/CertSrv/Default.asp and generate a user certificate for Administrator
1. In Internet Explorer, go to https://NYC-DC1/CertSrv/Default.aspx and request a user certificate.
2. Once the certificate is generated, install the certificate.


Task 3: Using the Certificates snap-in, verify that the user certificate was successfully installed
1. Run the mmc.exe command and add the Certificates snap-in associated with the current user account.
2. Click Certificates - Current User, click Personal and then click the Certificates node to verify that the user certificate is installed.

Task 4: Use the Certification Authority Console to verify the certificate was created
Verify that the user certificate is located in the Issued Certificates text box of the Certification Authority console.

Result: At the end of this exercise, you will have requested a certificate using Web enrollment.


Exercise 2: Managing Certificate Requests and Revocation


In this exercise you will request a certificate for a Web server and then use the CA management tool to approve the certificate. After verifying the certificate installation, you will revoke the certificate and publish the revoked certificate. You will then verify that the certificate has been revoked. The main tasks are as follows:
1. Log on to 6424A-NYC-SRV1 as Administrator.
2. Open IIS Manager to create a certificate request.
3. Use Web Enrollment to generate the Web server certificate using the certificate request.
4. Install the issued certificate on the Web server and verify the certificate is valid.
5. Revoke the NYC-SRV1 certificate using the Certificate Authority snap-in.
6. Using Internet Explorer, verify that the Web certificate has been revoked.

Task 1: Log on to 6424A-NYC-SRV1 as Administrator
Start 6424A-NYC-SRV1 and log on as Administrator using the password Pa$$w0rd.

Task 2: Open IIS Manager to create a certificate request
1. On NYC-SRV1 open Internet Information Services (IIS) Manager.
2. Using the Server Certificates management module, in the Action pane, click Create Certificate Request.


3. In the request certificate dialog box, type the following information for each field below:
   Common name: NYC-SRV1
   Organization: Woodgrove Bank
   Organizational Unit: Corporate
   City/locality: New York
   State: New York
   Country/region: US
4. Specify a file name for the certificate request. Type C:\Users\Administrator\Documents\NYC-SRV.txt and click Finish.

Task 3: Use Web Enrollment to generate the Web server certificate using the certificate request
1. On NYC-SRV1 open Internet Explorer and go to https://NYC-DC1/CertSrv/Default.aspx to request a new certificate.
2. On the Request a Certificate page, click advanced certificate request.
3. Use Notepad to paste the contents of C:\Users\Administrator\Documents\NYC-SRV.txt into the certificate request.
4. Download the issued certificate to C:\Users\Administrator\Download\certnew.cer
5. Close Internet Explorer.

Task 4: Install the issued certificate on the Web server and verify the certificate is valid
1. On NYC-SRV1 open IIS Manager.
2. Using the Server Certificates management module, in the Action pane, click Complete Certificate Request.
3. Use the certificate response that was downloaded in the previous step: C:\Users\Administrator\Download\certnew


4. In the Friendly name text box, type NYC-SRV1 SSL
5. Bind this new certificate to the default Web site.
6. Open Internet Explorer and go to https://NYC-SRV1 to verify that the certificate is working.

Task 5: Revoke the NYC-SRV1 certificate using the Certificate Authority snap-in
1. Open the Certification Authority console on NYC-DC1 and revoke the Web server certificate.
2. Publish the certificate revocation list.

Task 6: Using Internet Explorer, verify that the Web certificate has been revoked
Use Internet Explorer to go to https://NYC-SRV1 and verify that the certificate has been revoked.

Result: At the end of this exercise, you will have requested and approved a certificate for a Web server. You will have also revoked the certificate, published the revoked certificate and verified that the certificate has been revoked.
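The script below is an added example and is not part of the 6424A courseware or the lab. It performs Tasks 5 and 6 of this exercise from the command line and answers the question from the "Revoking Certificates" demonstration (where, other than the CA MMC, you can tell whether a certificate is valid): the CA administrator revokes the NYC-SRV1 certificate and publishes a CRL with certutil, and a client then builds the certificate chain with the .NET X509Chain class, which consults the published CRL and reports the revocation. It assumes the lab topology (CA on NYC-DC1, Web server NYC-SRV1, the certificate installed in Task 4 in the machine's Personal store) and Windows PowerShell 5.1 or later; "<CA name>" and "<serial number ...>" are placeholders for values the lab does not give.

```powershell
# Added example (not from the courseware): revoke, publish the CRL, and verify
# revocation without the CA MMC. Assumes the lab topology; "<CA name>" is a
# placeholder for the CA's common name, which the lab does not state.

$caConfig = "NYC-DC1\<CA name>"

# --- On the CA (run as a CA administrator) ---
# Locate the issued Web server certificate. Disposition 20 = issued; the output
# is text, because certutil does not emit objects.
certutil -config $caConfig -view -restrict "CommonName=NYC-SRV1,Disposition=20" -out "RequestID,SerialNumber,NotAfter"

# Revoke it by serial number. Reason codes: 0 Unspecified, 1 KeyCompromise,
# 2 CACompromise, 3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation,
# 6 CertificateHold (the only reason that can later be undone).
$serial = "<serial number from the output above>"
certutil -config $caConfig -revoke $serial 4

# Publish a new base CRL. Until this runs, relying parties still hold a CRL that
# lists the certificate as good, which is why Task 5 has a separate publish step.
certutil -config $caConfig -crl

# --- On a client (for example NYC-SRV1) ---
function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch the CRL from the certificate's CRL distribution point rather
    # than relying only on the local cache. EntireChain: check every CA in the
    # path too, so a revoked subordinate CA is caught as well.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $trusted = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject = $Certificate.Subject
        Serial  = $Certificate.SerialNumber
        Valid   = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# The certificate installed in Task 4 sits in the machine's Personal store.
$webCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=NYC-SRV1*' } |
    Select-Object -First 1
Test-CertificateRevocation -Certificate $webCert
# Once the new CRL is retrieved, Valid is False and Status contains "Revoked".
# "RevocationStatusUnknown" or "OfflineRevocation" instead means the client
# could not reach the CRL distribution point, not that the certificate is good.

# certutil answers the same question and also prints which CRL it downloaded:
certutil -urlfetch -verify C:\Users\Administrator\Download\certnew.cer
```

If the client still reports the certificate as valid immediately after Task 5, it is usually serving a CRL it cached before the new one was published; Windows keeps a downloaded CRL until its NextUpdate time. Clearing the cache with `certutil -urlcache crl delete` and re-running the check reproduces what Internet Explorer shows in Task 6. Treat "RevocationStatusUnknown" as a failure to check, not as a pass: an application that ignores it is what lets a revoked certificate keep working.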


Module Review and Takeaways

Review Questions
1. What are some reasons that a certificate would need to be revoked?
2. What types of enrollment can be done with NDES?
3. Which editions of Windows Server 2008 support the advanced integration features of AD CS and AD DS?
4. In order to enable auto-enrollment, what must be true of the client computer's AD DS configuration?


Summary of Active Directory Certificate Services


Active Directory Certificate Services (AD CS) provides customizable services for creating and managing public key certificates used in software security systems that employ public key technologies. It gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Digital certificates have two main parts: the public and the private key. These two keys are used in the asymmetric encryption and decryption process. Since the public key should be easily obtained and both keys are required for the process, it is extremely important to protect the private key.

AD CS certification authorities can be arranged in a hierarchy to improve security, redundancy or flexibility. AD CS also has templates that can be configured to define how certificates are enrolled and what options the certificates have when they are created. Certificates can be requested automatically through an auto-enrollment process on domain-joined computers, or certificates can be manually requested using the CA Enrollment Web site or the CA MMC.
