Lab 11 Implementación de Un PKI (1.3)

Administracin de Sistemas Operativos Avanzado
Laboratorio 11: Implementacin de un PKI
Alumno: <colocar aqu los apellidos y nombres del alumno>
Objetivos:
Al finalizar el laboratorio el estudiante ser capaz de:
Implementar un CA raz aislado
Implementar un CA subordinado de nivel empresarial
Configurar plantillas de certificados
Configurar la solicitud de certificados
Configurar la revocacin de certificados
Configurar y ejecutar el archivado de claves privadas y la recuperacin
Seguridad:
Ubicar maletines y/o mochilas en el gabinete al final de aula de Laboratorio o en los casilleros
asignados al estudiante.
No ingresar con lquidos, ni comida al aula de Laboratorio.
Al culminar la sesin de laboratorio apagar correctamente la computadora y la pantalla, y ordenar
las sillas utilizadas.
Equipos y Materiales:
Una computadora con:

Windows 7 o superior
VMware Workstation 10+ o VMware Player 7+
Conexin a la red del laboratorio
Mquinas virtuales:
DVD:
De Windows Server 2012
Gua de Laboratorio Pg. 1

Procedimiento:
Escenario A
Debido a que la empresa A. Datum se ha expandido, los requerimientos de seguridad tambin se han
incrementado. El departamento de seguridad est interesado en habilitar el acceso seguro a los sitios
web crticos, y proporcionar seguridad adicional a los servicios de red. Para cumplir con estos y otros
requerimientos de seguridad, la empresa ha decidido implementar un PKI utilizando el rol AD CS en
Windows Server 2012.
Como uno de los administradores de red ms experimentados, ser responsable de la

implementacin del AD CS.
Lab Setup
1. Abrir VMware Workstation y crear un snapshot de las mquinas virtuales: LON-DC1, LON-
SVR1, LON-SVR2 y LON-CA1.
2. Encender las mquinas virtuales e iniciar sesin con la cuenta Administrador y la contrasea Pa$
$w0rd.

EJERCICIO 1: Implementacin de un CA raz aislado
Escenario
A. Datum ha decidido utilizar certificados para diferentes propsitos. Necesita instalar la

infraestructura del CA. Debido a que se est utilizando Windows Server 2012 AD DS, ha decidido
implementar el rol AD CS. Cuando estaba revisando los diseos disponibles ha decidido implementar
un CA raz aislado. Este CA se pondr fuera de servicio despus de que se entregue un certificado a
un CA subordinado.
Las principales tareas para este ejercicio son las siguientes:

Instalar y configurar el AD CS en LON-CA1.
Crear un registro host para LON-CA1
Task 1: Install and configure Active Directory Certificate Services on LON-CA1

1. Sign in to LON-CA1 as Administrator with the password Pa$$w0rd.
2. In the Server Manager, click Add roles and features.
3. On the Before You Begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services. When the Add
Roles and Features Wizard displays, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and then click
Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, after installation completes successfully, click the text
Configure Active Directory Certificate Services on the destination server.
12. In the AD CS Configuration Wizard, on the Credentials page, click Next.

13. On the Role Services page, select Certification Authority, and then click Next.
14. On the Setup Type page, select Standalone CA, and then click Next.
15. On the CA Type page, ensure that Root CA is selected, and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
17. On the Cryptography for CA page, keep the default but set the Key length to 4096, and then
click Next.
18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA, and then
click Next.
19. On the Validity Period page, click Next.
20. On the CA Database page, click Next.
21. On the Confirmation page, click Configure.

22. On the Results page, click Close.

23. On the Installation progress page, click Close.
24. On LON-CA1, in Server Manager, click Tools, and then click Certification Authority.
25. In the certsrv - [Certification Authority (Local)] console, right-click AdatumRootCA, and then
click Properties.
26. In the AdatumRootCA Properties dialog box, click the Extensions tab.
27. On the Extensions tab, in the Select extension drop-down list box, click CRL Distribution
Point (CDP), and then click Add.
28. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down list
box, click <CaName>, and then click Insert.
29. In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert.
30. In the Variable drop-down list box, click <DeltaCRLAllowed>, and then click Insert.
31. In the Location box, position the cursor at the end of the URL, type .crl, and then click OK.
32. Select the following options, and then click Apply:
Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates
1. In the Certification Authority pop-up window, click No.
2. In the Select extension drop-down list box, click Authority Information Access (AIA), and then
click Add.
3. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down
list box, click <ServerDNSName>, and then click Insert.
4. In the Location box, type an underscore (_), in the Variable drop-down list box, click <CaName>,
and then click Insert. Position the cursor at the end of the URL.
5. In the Variable drop-down list box, click <CertificateName>, and then click Insert.
6. In the Location box, position the cursor at the end of the URL, type .crt, and then click OK.
7. Select the Include in the AIA extension of issued certificates check box, and then click OK.
8. Click Yes to restart the Certification Authority service.
9. In the Certification Authority console, expand AdatumRootCA, right-click Revoked

Certificates, point to All Tasks, and then click Publish.
10. In the Publish CRL window, click OK.
11. Right-click AdatumRootCA, and then click Properties.
12. In the AdatumRootCA Properties dialog box, click View Certificate.
13. In the Certificate dialog box, click the Details tab.
14. On the Details tab, click Copy to File.
15. In the Certificate Export Wizard, on the Welcome page, click Next.
16. On the Export File Format page, select DER encoded binary X.509 (.CER), and then click
Next.
17. On the File to Export page, click Browse. In the File name box, type \\lon-svr1\C$, and then
press Enter.
18. In the File name box, type RootCA, click Save, and then click Next.
19. Click Finish, and then click OK three times.
20. Open a File Explorer window, and browse to C:\Windows\System32\CertSrv\CertEnroll.
21. In the CertEnroll folder, select both files, right-click the highlighted files, and then click Copy.
22. In the File Explorer address bar, type \\lon-svr1\C$, and then press Enter.
23. Right-click the empty space, and then click Paste.
24. Close File Explorer.
Task 2: Creating a DNS host record for LON-CA1 and configure sharing
1. ON LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, click
Adatum.com, right-click Adatum.com, and then click New Host (A or AAAA).
3. In the New Host window, in the Name box, type LON-CA1.
4. In the IP address window, type 172.16.0.40, click Add Host, click OK, and then click Done.
5. Close the DNS Manager.
Entregable 1. Capture la pantalla que muestre el registro DNS creado.
1. Switch to LON-CA1.
2. On the Start screen, click Control Panel.
3. In the Control Panel window, click View network status and tasks.
4. In the Network and Sharing Center window, click Change advanced sharing settings.
5. Under Guest or Public (current profile), select the Turn on file and printer sharing option,
and then click Save changes.
Results: After completing this exercise, you will have deployed a root stand-alone certification
authority (CA).

EJERCICIO 2: Implementacin de un CA subordinado de nivel empresarial
Escenario
Despus de implementar un CA raz aislado, el siguiente paso es implementar un CA subordinado

empresarial. A. Datum desea utilizar un CA subordinado empresarial para utilizar la integracin con
AD DS. Adicionalmente, debido a que el CA raz est aislado, debe publicar su certificado a todos los
clientes.

Instalar y configurar AD CS en LON-SVR1
Instalar un certificado para el CA subordinado
Publicar el certificado del CA raz a travs de un GPO
Task 1: Install and configure AD CS on LON-SVR1

1. Sign in to LON-SVR1 as Adatum\Administrator with the password Pa$$w0rd.
3. On the Before You Begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.
8. On the Select features page, click Next.
9. On the Active Directory Certificate Services page, click Next.
10. On the Select role services page, ensure that Certification Authority is selected already,
and then select Certification Authority Web Enrollment.
11. When the Add Roles and Features Wizard displays, click Add Features, and then click Next.
12. On the Confirm installation selections page, click Install.
13. On the Installation progress page, after installation is successful, click the text Configure
Active Directory Certificate Services on the destination server.
14. In the AD CS Configuration Wizard, on the Credentials page, click Next.

15. On the Role Services page, select both Certification Authority and Certification Authority
Web Enrollment, and then click Next.
16. On the Setup Type page, select Enterprise CA, and then click Next.
17. On the CA Type page, click Subordinate CA, and then click Next.
18. On the Private Key page, ensure that Create a new private key is selected, and then click Next.
19. On the Cryptography for CA page, keep the default selections, and then click Next.
20. On the CA Name page, in the Common name for this CA box, type Adatum-IssuingCA, and
then click Next.
21. On the Certificate Request page, ensure that Save a certificate request to file on the target
machine is selected, and then click Next.

22. On the CA Database page, click Next.

23. On the Confirmation page, click Configure.
24. On the Results page, click Close.
25. On the Installation progress page, click Close.
Task 2: Install a subordinate CA certificate

1. On LON-SVR1, open a File Explorer window, and then navigate to Local Disk (C:).
2. Right-click RootCA.cer, and then click Install Certificate.
3. In the Certificate Import Wizard, click Local Machine, and then click Next.
4. On the Certificate Store page, click Place all certificates in the following store, and then
click Browse.
5. Select Trusted Root Certification Authorities, click OK, click Next, and then click Finish.
6. When the Certificate Import Wizard window appears, click OK.
7. In the File Explorer window, press F5, select the AdatumRootCA.crl and LON-
CA1_AdatumRootCA.crt files, right-click the files, and then click Copy.
8. Double-click inetpub.
9. Double-click wwwroot.
10. Create a new folder, and then name it CertData.
11. Paste the two copied files into that folder.
12. Switch to Local Disk (C:\).
13. Right-click the file LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req, and then click
Copy.
14. In the File Explorer address bar, type \\LON-CA1\C$, and then press Enter.
15. In the File Explorer window, right-click an empty space, and then click Paste. Make sure that the
request file is copied to LON-CA1.
16. Switch to the LON-CA1 server.

17. In the Certificate Authority console, right-click AdatumRootCA, point to All Tasks, and then
click Submit new request.
18. In the Open Request File window, navigate to Local Disk (C:), click file LON-
SVR1.Adatum.com_Adatum-LON-SVR1-CA.req, and then click Open.
19. In the Certification Authority console, click the Pending Requests container. Right-click
Pending Requests, and then click Refresh.
20. In the details pane, right-click the request (with ID 2), point to All Tasks, and then click Issue.
21. In the Certification Authority console, click the Issued Certificates container.
22. In the details pane, double-click the certificate, click the Details tab, and then click Copy to File.
23. In the Certificate Export Wizard, on the Welcome page, click Next.
24. On the Export File Format page, click Cryptographic Message Syntax Standard - PKCS #7
Certificates (.P7B), click Include all certificates in the certification path if possible, and
then click Next.
25. On the File to Export page, click Browse.
26. In the File name box, type \\lon-svr1\C$, and then press Enter.
27. In the File name box, type SubCA, click Save, click Next, click Finish, and then click OK twice.
28. Switch to LON-SVR1.

29. In the Server Manager, click Tools, and then click Certification Authority.
30. In the Certification Authority console, right-click Adatum-IssuingCA, point to All Tasks, and then
click Install CA Certificate.
31. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.
32. Wait for 15 to 20 seconds, and then on the toolbar, click the green icon to start the CA service.
33. Ensure that the CA starts successfully.
Task 3: Publish the root CA certificate through Group Policy

1. On LON-DC1, on the taskbar, click the Server Manager icon.
2. In the Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, expand Forest: Adatum.com, expand Domains,
expand Adatum.com, right-click Default Domain Policy, and then click Edit.
4. In the Computer Configuration node, expand Policies, expand Windows Settings, expand
Security Settings, expand Public Key Policies, right-click Trusted Root Certification
Authorities, click Import, and then click Next.
5. On the File to Import page, click Browse.
6. In the file name box, type \\lon-svr1\C$, and then press Enter.
7. Click file RootCA.cer, and then click Open.
8. Click Next two times, and then click Finish.
9. When the Certificate Import Wizard window appears, click OK.
10. Close the Group Policy Management Editor and the Group Policy Management Console.
Entregable 1. Capture la pantalla que muestre el contenido del GPO

modificado.
Task 4: Prepare for the next lab
Keep all virtual machines running for the next lab. Do not revert any virtual machines.
Results: After completing this exercise, you will have deployed and configured an enterprise
subordinate CA.

Escenario B
Debido a que la empresa A. Datum se ha expandido, los requerimientos de seguridad tambin se han
incrementado. El departamento de seguridad est interesado en habilitar el acceso seguro a los sitios
web crticos, y proporcionar seguridad adicional para las caractersticas como encriptacin de discos,
tarjetas inteligentes y DirectAccess. Para cumplir con estos y otros requerimientos de seguridad, la
empresa ha decidido implementar un PKI utilizando el rol AD CS en Windows Server 2012.
Como uno de los administradores de red ms experimentados, ser responsable de la

implementacin del AD CS. Implementar la jerarqua CA, desarrollar los procedimientos y procesos
para administrar plantillas de certificados, as como implementar y revocar certificados.
Lab Setup
1. Abrir VMware Workstation y crear un snapshot de las mquinas virtuales: LON-DC1, LON-
SVR1, LON-SVR2, LON-CA1 y LON-CL1.
2. Encender las mquinas virtuales e iniciar sesin con la cuenta Administrador y la contrasea Pa$
$w0rd.

EJERCICIO 3: Configuracin de plantillas de certificados
Escenario
Despus de implementar la infraestructura de CA, el siguiente paso es implementar las plantillas de

certificados que son requeridos por la empresa. Primero, A. Datum desde implementar un nuevo
certificado para el servidor web e implementar certificados de tarjetas inteligentes. Tambin desean
implementar nuevos certificados en el servidor web LON-SVR2.

Crear una nueva plantilla basada en la plantilla de servidor web
Crear una nueva plantilla para usuarios que usan tarjetas inteligentes
Configurar las plantillas para que puedan ser utilizadas
Actualizar el certificado del servidor web en LON-SVR2
Task 1: Create a new template based on the web server template

1. On LON-SVR1, in the Certification Authority console, expand Adatum-IssuingCA right-click
Certificate Templates, and then select Manage.
2. In the Certificate Templates console, locate the Web Server template in the list, right-click it,
and then click Duplicate Template.
3. Click the General tab.
4. In the Template display name field, type Adatum WebSrv, and set the Validity period to 3
years.
5. Click the Request Handling tab, select Allow private key to be exported, and then click OK.
Entregable 1. Capture la pantalla que muestre las propiedades de la plantilla

creada.
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates console, right-click the User certificate template, and then click
Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and then in the Template
display name text box, type Adatum User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-
mail name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
5. In the Edit Application Policies Extension dialog box, click Add.
6. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
7. Click the Superseded Templates tab, and then click Add.
8. Click the User template, and then click OK.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated
Users, select the Allow check box for Read, Enroll, and Autoenroll, and then click OK.
10. Close the Certificate Templates console.

Entregable 1. Capture la pantalla que muestre las propiedades de la plantilla

creada.
Task 3: Configure the templates so that they can be issued
1. On LON-SVR1, in the Certification Authority console, right-click Certificate Templates,
point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates window, select Adatum User and Adatum WebSrv, and
then click OK.
Task 4: Update the web server certificate on the LON-SVR2 web server
1. Sign in to LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. From the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell prompt, type gpupdate /force, and then press Enter.
4. If prompted, restart the server, and sign in as Adatum\Administrator with the password
Pa$$w0rd.
5. On the taskbar, click the Server Manager icon.
6. From Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
7. In the IIS console, click LON-SVR2 (ADATUM\Administrator), at the Internet
Information Services (IIS) Manager prompt, click No, and then in the central pane, double-click
Server Certificates.
8. In the Actions pane, click Create Domain Certificate.
9. On the Distinguished Name Properties page, complete the following fields, and then
click Next:
Common name: lon-svr2.adatum.com
Organization: Adatum
Organizational Unit: IT
City/locality: Seattle
State/province: WA
Country/region: US
1. On the Online Certification Authority page, click Select.
2. Click Adatum-IssuingCA, and then click OK.
3. In the Friendly name text box, type lon-svr2, and then click Finish.
4. Ensure that the certificate displays in the Server Certificates console.
Entregable 1. Capture la pantalla que muestre las propiedades del certificado

asociado al servidor.
1. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.

2. In the Actions pane, click Bindings.

3. In the Site Bindings window, click Add.
4. In the Type drop-down list box, click https.
5. In the SSL certificate drop-down list box, click lon-svr2, click OK, and then click Close.
6. Close the IIS console.
Results: After completing this exercise, you will have created and published new certificate templates.

EJERCICIO 4: Configuracin de la inscripcin de certificados
Escenario
El siguiente paso en la implementacin del PKI en A. Datum es configurar la inscripcin de

certificados. A. Datum desea habilitar diferentes opciones para la distribucin de certificados. Los
usuarios deberan ser capaces de inscribirse automticamente, y los usuarios de tarjetas inteligentes
deben ser capaces de obtener sus tarjetas inteligentes desde un agente de inscripcin. A. Datum ha
delegado los derechos de agente de inscripcin para el grupo del departamento de Marketing a la
usuaria Alli Bellew.

Configurar la auto inscripcin para los usuarios
Verificar la auto inscripcin
Configurar el agente de inscripcin para los certificados de tarjetas inteligentes
Task 1: Configure autoenrollment for users

1. On LON-DC1, in the Server Manager, click Tools, and then click Group Policy
Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, right-click
Default Domain Policy, and then click Edit.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand Security
Settings, and then click to highlight Public Key Policies.
4. In the right pane, double-click Certificate Services Client - Auto-Enrollment.
5. In the Configuration Model drop-down list box, click Enabled.
6. Select the Renew expired certificates, update pending certificates, and remove
revoked certificates option.
7. Select the Update certificates that use certificate templates option.
8. Click OK to close the properties window.
9. In the right pane, double-click the Certificate Services Client - Certificate
Enrollment Policy object.
10. On the Enrollment Policy tab, set the Configuration Model to Enabled, and ensure that
the certificate enrollment policy list displays the Active Directory Enrollment Policy (it should
have a checkmark next to it, and display a status of Enabled).
11. Click OK to close the window.
12. Close both the Group Policy Management Editor and the Group Policy Management console.
Task 2: Verify autoenrollment

1. On LON-SVR1, from the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type gpupdate /force, and then press Enter.
3. After the policy refreshes, type mmc.exe, and then press Enter.
4. In Console1, click File, and then in the File menu, click Add/Remove Snap-in.
5. Click Certificates, and then click Add .

6. Click Finish, and then click OK.

7. Expand Certificates - Current User, expand Personal, and then click Certificates.
8. Verify that a certificate based on Adatum User template is issued for Administrator.
9. Close Console1. Click No without saving the changes.
Task 3: Configure the Enrollment Agent for smart card certificates

1. On LON-SVR1, in the Server Manager console, click Tools, and then open Certification
Authority.
2. In the certsrv console, expand Adatum-IssuingCA, right-click Certificate Templates,
and then click Manage.
3. In the Certificate Templates console, double-click Enrollment Agent.
4. Click the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click
Check Names, and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions,
and then click OK.
8. In the certsrv console, right-click Certificate Templates, point to New, and then click
Certificate Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LON-CL1, and sign in as Adatum\Allie with the password Pa$$w0rd.
11. Open a command-prompt window, at the command prompt, type mmc.exe, and then press Enter.
12. In Console1, click File, and then click Add/Remove Snap-in.
13. Click Certificates, click Add, and then click OK.
14. Expand Certificates - Current User, expand Personal, click Certificates, right-click
Certificates, point to All Tasks, and then click Request New Certificate.
15. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, click Next.
17. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
18. Click Finish.

20. In the Certification Authority console, right-click Adatum-IssuingCA, and then click Properties.
21. Click the Enrollment Agents tab.
22. Click Restrict Enrollment agents.
23. On the pop-up window that displays, click OK.
24. In the Enrollment agents section, click Add.
25. In the Select User, Computer or Group field, type Allie, click Check Names, and then click OK.
26. Click Everyone, and then click Remove.
27. In the certificate templates section, click Add.
28. In the list of templates, select Adatum User, and then click OK.
29. In the Certificate Templates section, click <All>, and then click Remove.
30. In the Permission section, click Add.
31. In the Select User, Computer or Group field, type Marketing, click Check Names,
and then click OK.
32. In the Permission section, click Everyone, and then click Remove.
33. Click OK.
Entregable 1. Capture la pantalla que muestre las propiedades del agente de

inscripcin.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an Enrollment Agent for smart cards.

EJERCICIO 5: Configuracin de la revocacin de certificados
Escenario
Como parte de la infraestructura de certificados, A. Datum desea configurar los componentes de

revocacin en los nuevos Cas establecidos. Debe configurar un CRL y los componentes de respuesta
en lnea.

Configurar la distribucin de CRL
Instalar y configurar un respondedor en lnea
Task 1: Configure certified revocation list (CRL) distribution

1. On LON-SVR1, in the Certification Authority console, right-click Revoked Certificates,
and then click Properties.
2. In the Revoked Certificates Properties dialog box, set the CRL publication interval to
1 Days, and the Delta CRL publication interval to 1 Hours, and then click OK.
3. Right-click Adatum-IssuingCA and then click Properties.
4. In the Adatum-IssuingCA Properties dialog box, click the Extensions tab, and review
the values for CDP.
5. Click Cancel.
Task 2: Install and configure an Online Responder

1. On LON-SVR1, on the taskbar, click the Server Manager icon.
3. Click Next three times.
4. On the Select server roles page, expand Active Directory Certificate Services (2 of 6
Installed), and then click Online Responder.
5. Click Add Features.
6. Click Next two times, and then click Install.
7. When the message displays that installation succeeded, click Configure Active
Directory Certificate Services on the destination server.
8. In the Active Directory Certificate Services (AD CS) Configuration Wizard, click Next.
9. Click Online Responder, and then click Next.
10. Click Configure, and then click Close two times.
11. On LON-SVR1, open the Certification Authority console.

12. In the Certification Authority console, right-click Adatum-IssuingCA, and then click
Properties.
13. In the Adatum-IssuingCA Properties dialog box, on the Extensions tab, in the Select
extension list, click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LON-SVR1/ocsp, and then click OK.
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check
box, and then click OK.
17. In the Certificate Authority dialog box, restart AD CS by clicking Yes.
18. In the certsrv console, expand Adatum-IssuingCA, right-click the Certificate Templates
folder, and then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing
template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under
Permissions for Authenticated Users, select Allow for the Enroll check box, and then click
OK.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to
New, and then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing
template, and then click OK.
24. On LON-SVR1, in the Server Manager, click Tools, and then click Online Responder
Management.
25. In the OCSP Management console, right-click Revocation Configuration, and then click
Add Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA
Online Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the Adatum-IssuingCA
certificate, click OK, and then click Next.
30. On the Select Signing Certificate page, verify that Automatically select a signing
certificate is selected and Auto-Enroll for an OCSP signing certificate are both selected,
and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will
appear as Working.
32. Close the Online Responder console.
Entregable 1. Capture la pantalla que muestre en el OCSP Management

console la rama Revocation Configuration.
Results: After completing this exercise, you will have configured certificate revocation settings.

EJERCICIO 6: Configuracin de la recuperacin de claves
Escenario
Como parte de la implementacin del PKI, se desea configurar y probar los procedimientos para la
recuperacin de claves privadas. Desea asignar un certificado KRA para un administrador y configurar
el CA con plantillas de certificados especficos para permitir el archivado de claves. Adicionalmente,
se desea probar el procedimiento para la recuperacin de claves.

Configurar el CA para problemas con certificados KRA
Adquirir el certificado KRA
Configurar el CA para permitir la recuperacin de claves
Configurar una plantilla para el almacenamiento de claves
Verificar el funcionamiento de claves
Task 1: Configure the CA to issue KRA certificates

2. In the Certification Authority console, expand the Adatum-IssuingCA node, right-click the
Certificates Templates folder, and then click Manage.
3. In the Details pane, right-click the Key Recovery Agent certificate, and then click
Properties.
4. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements
tab.
5. Clear the CA certificate manager approval check box.
6. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only
groups that have the Enroll permission, and then click OK.
8. In the Certification Authority console, right-click Certificate Templates, point to New, and then
click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, click the Key Recovery Agent template,
and then click OK.
10. Close the Certification Authority console.
Task 2: Acquire the KRA certificate

1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type MMC.exe, and then press Enter.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
5. In the Certificates snap-in dialog box, select My user account click Finish, and then
click OK.
6. Expand the Certificates - Current User node, right-click Personal, point to All Tasks,
and then click Request New Certificate.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
8. On the Select Certificate Enrollment Policy page, click Next.
9. On the Request Certificates page, select the Key Recovery Agent check box, click
Enroll, and then click Finish.
10. Refresh the console, and view the Key Recovery Agent (KRA) in the personal store; that
is, scroll across the certificate properties and verify that the Certificate Template Key Recovery
Agent is present.
11. Close Console1 without saving changes.
Task 3: Configure the CA to allow key recovery

2. In the Certification Authority console, right-click Adatum-IssuingCA, and then click
Properties.
3. In the Adatum-IssuingCA Properties dialog box, click the Recovery Agents tab, and
then select Archive the key.
4. Under Key recovery agent certificates, click Add.
5. In the Key Recovery Agent Selection dialog box, click the certificate that is for the Key
Recovery Agent purpose (it will most likely be last on the list, or you can click the link Click here
to view the certificate properties for each certificate on the list to ensure that you select the
right certificate), and then click OK twice.
6. When prompted to restart the CA, click Yes.
Task 4: Configure a custom template for key archival

1. On LON-SVR1, in the Certification Authority console, right-click the Certificates
Templates folder, and then click Manage.
2. In the Certificate Templates console, right-click the User certificate, and then click
Duplicate Template.
3. In the Properties of New Template dialog box, on the General tab, in the Template
display name box, type Archive User.
4. On the Request Handling tab, select the Archive subject's encryption private key
check box.
5. If a pop-up window displays, click OK.
6. Click the Subject Name tab, clear both the E-mail name and Include e-mail name in subject
name check boxes, and then click OK.
8. In the Certification Authority console, right-click the Certificates Templates folder, point
to New, and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, click the Archive User template, and
then click OK.

10. Close the Certification Authority console.
Task 5: Verify key archival functionality

1. Sign in to LON-CL1 as Adatum\Aidan, using the password Pa$$w0rd.
2. On the Start screen, type mmc.exe, and then press Enter. Click Yes in the User Account
Control dialog box.
3. In the Console1-[Console Root] console, click File, and then click Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Finish,
and then click OK.
5. Expand the Certificates - Current User node, right-click Personal, click All Tasks, and
then click Request New Certificate.
6. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next twice.
7. On the Request Certificate page, select the Archive User check box, click Enroll, and
then click Finish.
8. Refresh the console, and notice that a certificate is issued to Aidan, based on the Archive
User certificate template.
9. Simulate the loss of a private key by deleting the certificate. In the central pane, right-click
the certificate that you just enrolled, select Delete, and then click Yes to confirm.

11. Open the Certification Authority console, expand Adatum-IssuingCA, and then click the
Issued Certificates store.
12. In the details pane, double-click a certificate with Requestor Name Adatum\Aidan, and
Certificate Template name Archive User.
13. Click the Details tab, copy the Serial Number, and then click OK. (You may either copy the
number to Notepadselect it and press CTRL+C or write it down on paper.)
14. On the taskbar, click the Windows PowerShell icon.
15. At the Windows PowerShell prompt, type the following command (where <serialnumber> is the
serial number that you copied), and then press Enter:
Certutil -getkey <serialnumber> outputblob
Note: If you paste the serial number from Notepad, remove spaces between numbers.
16. Verify that the outputblob file now displays in the C:\Users\Administrator.Adatum folder.
17. To convert the outputblob file into a .pfx file, at the Windows PowerShell prompt, type the
following command, and then press Enter:
Certutil -recoverkey outputblob aidan.pfx

18. When prompted for the new password, type Pa$$w0rd, and then confirm the password.
19. After the command executes, close Windows PowerShell.
20. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfxthe recovered key
is created.
21. Switch to LON-CL1 machine.

22. On the Start screen, type Control Panel and then click Control Panel.
23. In the Control Panel window, click View network status and tasks.
24. In the Network and Sharing Center window, click Change advanced sharing settings.
25. Under Guest or Public (current profile), select the option Turn on file and printer sharing.
26. Click Save changes.
27. If asked for credentials, use Adatum\administrator as the user name, and Pa$$w0rd as the
password.
28. Switch back to the LON-SVR1 machine.

29. Copy the aidan.pfx file to \\lon-cl1\C$.
30. Switch to LON-CL1, and ensure that you are still signed in as Aidan.
31. Browse to drive C, and double-click the aidan.pfx file.
32. On the Welcome to the Certificate Import Wizard page, click Next.
33. On the File to Import page, click Next.
34. On the Password page, enter Pa$$w0rd as the password, and then click Next.
35. On the certificate store page, click Next, click Finish, and then click OK.
36. In the Console1-[Console Root\Certificates - Current User\Personal\Certificates], expand
the Certificates - Current User node, expand Personal, and then click Certificates.
37. Refresh the console, and verify that the certificate for Aidan is restored.
Entregable 1. Capture la pantalla que muestre el certificado recuperado.
Task 6: To Prepare for the Next Module
1. Volver el estado de las mquinas virtuales al snapshot creado antes de iniciar el laboratorio.

Conclusiones:
Indicar las conclusiones que lleg despus de los temas tratados de manera prctica en este
laboratorio.

Redes y Comunicaciones de Datos
Rbrica
1. Los estudiantes, implementan y mantienen Redes de Computadoras y
Resultado
Sistemas de Telecomunicaciones de datos, proporcionando seguridad a
los medios involucrados, aplicando tcnicas y herramientas modernas.
1.3. Desarrolla soluciones de seguridad informtica en ambiente de

Criterio de
procesamiento y transferencia de la informacin.
desempeo
Curso Administracin de Sistemas Operativos Avanzados Periodo 2017-1
Actividad Implementacin de un PKI Semestre 4
Nombre del Alumno <Rellenar> Semana 11
Docente <Rellenar> Fecha <Rellenar> Seccin <A o B>
Requiere No Puntaje
Criterios a Evaluar Excelente Bueno
Mejora Aceptable Logrado
Implementacin de un CA raz aislado 4 3 2 1-0
Implementacin de un CA subordinado de
4 3 2 1-0
nivel empresarial
Configuracin de plantillas de certificados 3 2 1 0
Configuracin de la inscripcin de certificados 3 2 1 0
Configuracin de la revocacin de certificados 3 2 1 0
Configuracin de la recuperacin de claves 3 2 1 0
Total 20-15 14-9 8-3 2-0
Adicionales
Bonificacin +
Penalidad -
Puntaje Final
Comentario al
alumno o alumnos
Descripcin
Demuestra un completo entendimiento del problema o realiza la actividad
Excelente
cumpliendo todos los requerimientos especificados.
Demuestra un considerable entendimiento del problema o realiza la actividad
Bueno
cumpliendo con la mayora de los requerimientos especificados.
Demuestra un bajo entendimiento del problema o realiza la actividad cumpliendo
Requiere mejora
con pocos de los requerimientos especificados.
No Aceptable No demuestra entendimiento del problema o de la actividad.

Lab 11 Implementación de Un PKI (1.3)

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Lab 11 Implementación de Un PKI (1.3)

Hochgeladen von

Copyright:

Verfügbare Formate

Administracin de Sistemas Operativos Avanzado

Laboratorio 11: Implementacin de un PKI

Alumno: <colocar aqu los apellidos y nombres del alumno>

Una computadora con:

Gua de Laboratorio Pg. 1

Como uno de los administradores de red ms experimentados, ser responsable de la

Gua de Laboratorio Pg. 2

EJERCICIO 1: Implementacin de un CA raz aislado

A. Datum ha decidido utilizar certificados para diferentes propsitos. Necesita instalar la

Las principales tareas para este ejercicio son las siguientes:

Task 1: Install and configure Active Directory Certificate Services on LON-CA1

12. In the AD CS Configuration Wizard, on the Credentials page, click Next.

Gua de Laboratorio Pg. 3

22. On the Results page, click Close.

9. In the Certification Authority console, expand AdatumRootCA, right-click Revoked

Entregable 1. Capture la pantalla que muestre el registro DNS creado.

Gua de Laboratorio Pg. 5

EJERCICIO 2: Implementacin de un CA subordinado de nivel empresarial

Despus de implementar un CA raz aislado, el siguiente paso es implementar un CA subordinado

Las principales tareas para este ejercicio son las siguientes:

Task 1: Install and configure AD CS on LON-SVR1

14. In the AD CS Configuration Wizard, on the Credentials page, click Next.

Gua de Laboratorio Pg. 6

22. On the CA Database page, click Next.

Task 2: Install a subordinate CA certificate

16. Switch to the LON-CA1 server.

28. Switch to LON-SVR1.

Task 3: Publish the root CA certificate through Group Policy

Entregable 1. Capture la pantalla que muestre el contenido del GPO

Task 4: Prepare for the next lab

Gua de Laboratorio Pg. 9

Como uno de los administradores de red ms experimentados, ser responsable de la

Gua de Laboratorio Pg. 10

EJERCICIO 3: Configuracin de plantillas de certificados

Despus de implementar la infraestructura de CA, el siguiente paso es implementar las plantillas de

Las principales tareas para este ejercicio son las siguientes:

Task 1: Create a new template based on the web server template

Entregable 1. Capture la pantalla que muestre las propiedades de la plantilla

Gua de Laboratorio Pg. 11

Entregable 1. Capture la pantalla que muestre las propiedades de la plantilla

Entregable 1. Capture la pantalla que muestre las propiedades del certificado

Gua de Laboratorio Pg. 12

2. In the Actions pane, click Bindings.

Gua de Laboratorio Pg. 13

EJERCICIO 4: Configuracin de la inscripcin de certificados

El siguiente paso en la implementacin del PKI en A. Datum es configurar la inscripcin de

Las principales tareas para este ejercicio son las siguientes:

Task 1: Configure autoenrollment for users

Task 2: Verify autoenrollment

Gua de Laboratorio Pg. 14

6. Click Finish, and then click OK.

Task 3: Configure the Enrollment Agent for smart card certificates

19. Switch to LON-SVR1.

Entregable 1. Capture la pantalla que muestre las propiedades del agente de

Gua de Laboratorio Pg. 16

EJERCICIO 5: Configuracin de la revocacin de certificados

Como parte de la infraestructura de certificados, A. Datum desea configurar los componentes de

Las principales tareas para este ejercicio son las siguientes:

Task 1: Configure certified revocation list (CRL) distribution

Task 2: Install and configure an Online Responder

11. On LON-SVR1, open the Certification Authority console.

Entregable 1. Capture la pantalla que muestre en el OCSP Management

Gua de Laboratorio Pg. 18

EJERCICIO 6: Configuracin de la recuperacin de claves