70-293: MCSE Guide to

Planning a Microsoft Windows

Server 2003 Network
Chapter 9:
Planning and Managing
Certificate Services
 Objectives
• Describe the types of cryptography
• Understand how cryptography is used for encryption
and digital signatures
• Understand the components of Certificate Services
• Install and manage Certificate Services
• Manage certificates
• Implement smart card authentication

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 2

 Cryptography
• Cryptography: encrypting/decrypting data to ensure
they are read only by the intended recipient
• Encrypted messages are unreadable
• Decryption
• Reverse of encryption
• Makes the data readable again

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 3

 Cryptography (continued)
• Four objectives of cryptography
• Confidentiality
• Integrity
• Nonrepudiation
• Authentication

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 4

 Cryptography (continued)
• Cryptography uses keys:
• A large number (a series of numbers, letters, and symbols)
• Large and difficult to guess
• Used with an algorithm to encrypt and decrypt data
• Three types of encryption
• Symmetric
• Asymmetric
• Hash

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 5

 Symmetric Encryption
• Uses a single key
• A computer can symmetrically encrypt large amounts
of data quickly
• Used when encrypting files and large amounts of data
across network transmissions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 6

 Asymmetric Encryption
• Uses two keys: public key and private key
• Anything encrypted by the public key can be
decrypted with the private key and vice versa

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 7

 Hash Encryption
• Hash encryption is unique because it is one-way
• Hash algorithm uses a single key to convert data to a
hash value
• The hash value is a summary of the data
• The purpose of a hash value is to be a unique
identifier, not to secure data

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 8

 Uses for Cryptography

• Three common tasks that use different types of

encryption are:
• Encrypting e-mail
• Ensuring data integrity with digital signatures
• Securing data communication with Secure Sockets Layer
(SSL)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 9

 Encrypting E-mail
• Encrypting e-mail ensures that a message in transit
cannot be read by unauthorized people
• Uses the public and private keys of the recipient:
• Sender creates an e-mail message
• E-mail software encrypts using the recipient’s public key
• Recipient’s public key may be published in a directory or
given to the sender via e-mail before encryption
• Encrypted message is then sent to the recipient
• Recipient’s e-mail software decrypts the message using the
recipient’s private key

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 10

Encrypting E-mail (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 11

 Digital Signatures
• A digital signature is a hash value that is encrypted
and attached to a message
• Ensures that a message has not been modified in
transit and that it truly came from the named sender
• This is important when electronically delivering
information such as contracts and agreements
• The public and private keys of the sender are used for
a digital signature

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 12

Digital Signatures (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 13

 Secure Sockets Layer
• Secure Sockets Layer (SSL) is a Transport Layer
protocol that can be used with any application
protocol that is designed to communicate with it
• SSL secures communication between Web servers
and Web browsers, e-mail clients and e-mail servers,
and other service combinations
• Servers are the only participants in SSL that must be
configured with a public key and a private key

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 14

Secure Sockets Layer (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 15

Certificate Services Components
• Certificate Services is the Microsoft implementation
of PKI (Public Key Infrastructure)
• PKI creates and manages public keys, private keys, and
certificates
• PKI using Certificate Services is composed of:
• Certificates
• Certification authority (also known as certificate authority)
• A Certificate Revocation List (CRL)
• Certificate-enabled applications

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 16

 Certificates
• A certificate contains information about a user or
computer and a public key
• A certificate defined by the X.509 standard has fields:
• Subject (or user name)
• Serial number
• Validity period
• Public key
• Issuer name
• Issuer signature

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 17

 Certification Authority
• A certification authority (CA) is a server that issues
certificates to client computers, applications, or users
• The CA is responsible for taking certificate-signing
requests from clients and approving them
• As part of the approval process, the identity of the
requester is verified

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 18

 Activity 9-1: Viewing Trusted
Root Certification Authorities
• The purpose of this activity is to view the trusted root
certification authorities installed by default on
Windows Server 2003

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 19

 Certificate Revocation List
• The certification authority maintains a Certificate
Revocation List (CRL), which is a list of certificates
issued by the CA that are no longer valid
• The administrator adds certificates to this list
• It is not created automatically
• Each certificate issued by the CA has an expiration date

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 20

 Certificate-enabled Applications
• Windows client computers can store certificates in a
place that can be used by multiple applications
• Many certificate-enabled applications running on
Windows use this central windows store, but other
applications store certificates in a private database
• Common applications for certificates include:
• e-mail clients
• Web browsers
• smart cards

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 21

 Installing and Managing
Certificate Services
• Two classes of CAs
• Enterprise
• Stand-alone
• An enterprise CA
• Integrates with Active Directory
• Has an expanded feature set
• Can use certificate templates
• Certificate creation process is entirely automated

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 22

 Installing and Managing
Certificate Services (continued)
• A stand-alone certification:
• Does not integrate with Active Directory
• Unable to issue certificates automatically based on a user
object in Active Directory
• All certificate requests must be manually approved by an
administrator
• Certificate templates cannot be used by a stand-alone
certification authority
• Cannot issue certificates used for smart card authentication

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 23

 Certificate Hierarchy
• Chain of trust where client computers and
applications are assured that a certificate is valid
• The hierarchy is either a root certification authority or
a subordinate certification authority
• A subordinate certification authority is certified by
another certification authority
• After certification, subordinate can issue certificates
based on the trusted status of the certification
authority that certified it

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 24

Certificate Hierarchy (continued)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 25

 Installing Certificate Services
• When installing a CA you must choose which type:
• Enterprise root CA
• Standalone root CA
• Enterprise subordinate CA
• Stand-alone subordinate CA.
• Can configure custom settings for the key pair and
CA certificate

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 26

 Activity 9-2: Installing
Certificate Services
• The purpose of this activity is to install Certificate
Services and configure your server as an enterprise
root certification authority

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 27

Back Up and Restore Certificate
Services
• Certificate Services is normally backed up as part of
the daily backup process on Windows Server 2003
• Certificate Services is included with the backup of
system state data
• Can back up and restore manually just Certificate
Services using the CA snap-in

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 28

 Activity 9-3: Backing Up
Certificate Services
• The purpose of this activity is to perform a manual
backup of Certificate Services

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 29

 Activity 9-4: Restoring the
Certificate Services Database
• The purpose of this activity is to perform a manual
restore of Certificate Services

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 30

 Managing Certificates
• Tasks related to issuing and managing certificates are:
• Issuing certificates
• Renewing certificates
• Revoking certificates
• Publishing a Certificate Revocation List
• Importing and exporting certificates
• Mapping accounts to certificates
• A command-line utility, CERTUTIL, can be used to
manage both certificates and Certificate Services

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 31

 Issuing Certificates
• Certificates can be requested using
• Certificate Request Wizard
• Certificate Services Web pages
• Autoenrollment
• The Certificate Request Wizard and autoenrollment
are available only for enterprise certification
authorities
• Certificate Services Web pages can be used by both
stand-alone and enterprise certificate authorities

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 32

 The Certificate Request Wizard
• The Certificate Request Wizard is run by users to
create certificates
• The types of certificates that can be created are
controlled by certificate templates
• The administrator can create, configure, and control
access to these templates
• Users can create certificates based on the templates to
which they have either read or enroll permissions

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 33

 Activity 9-5: Requesting a
Certificate
• The purpose of this activity is to request a user
certificate using the Certificate Request Wizard

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 34

 Certificate Services Web Pages
• The Certificate Services Web pages can be used to
request certificates from both enterprise certification
authorities and stand-alone certification authorities
• IIS is required for the Certificate Services Web pages

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 35

 Autoenrollment
• Autoenrollment issues certificates automatically
• To enable autoenrollment:
• Duplicate an existing certificate using Certificate
Templates snap-in
• Select Publish certificate in Active Directory
• On the Security tab, add the required users or groups, and
assign them the enroll and autoenroll permissions
• Enable the new certificate template in the CA snap-in
• Configure a group policy to enable Enroll certificates
automatically

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 36

 Renewing Certificates
• All certificates are issued with an expiration date
• If a certificate becomes compromised, it is not a security
risk for an extended period of time
• If an employee unexpectedly leaves, employee won’t have
access to company resources after expiration
• To avoid an interruption in service, a user must renew
a certificate before it expires

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 37

 Revoking Certificates
• When a certificate has been compromised or a user
has left the company, you need to revoke it
• This places the certificate on the CRL of the
certification authority
• Windows 2000 and newer clients automatically
download the CRL for Active Directory
• A CRL has a default lifetime of seven days

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 38

 Activity 9-6: Revoking a
Certificate
• The purpose of this activity is to revoke a certificate
and publish a new CRL

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 39

 Importing and Exporting
Certificates
• If you want to move or copy certificates from one
computer to another, you can choose from these
standard formats:
• DER encoded binary X.509
• Base-64 encoded X.509
• Cryptographic Message Standard
• Personal Information Exchange

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 40

Activity 9-7: Moving a Certificate

• The purpose of this activity is to move a user

certificate from one computer to another

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 41

 Smart Card Authentication
• Smart cards are the strongest form of authentication
supported by Windows Server 2003
• Users are required to have the device (the smart card)
and enter a personal identification number (PIN)
• When smart cards are implemented, users are issued a
physical card that contains a certificate
• The PIN decrypts the certificate stored on the card

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 42

 Preparing the Certification
Authority to Issue Smart Card
Certificates
• Two types of certificates are required to implement
smart card authentication:
• One type is placed on the smart card for authentication
• The second type is an enrollment agent certificate

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 43

 Preparing a Smart Card
Certificate Enrollment Station
• A smart card certificate enrollment station is a
computer that is used to configure smart cards
• It must have a properly configured smart card reader
• A smart card reader is a device that smart cards are
inserted into to read their contents

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 44

 Configuring a Smart Card for
User Logon
• An enrollment agent configures smart cards for users
through the Certificate Services Web pages on a CA
• Select the following:
• Template that will be used to create the certificate
• CA that will issue the certificate
• Cryptographic service provider of the smart card
• Enrollment agent certificate that will sign the request
• The user the certificate is for

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 45

 Configuring a Smart Card for
User Logon (continued)

• To create the smart card, click the Enroll button and

place the smart card in the smart card reader
• Enter the PIN to be used on the smart card
• If a certificate already exists on the smart card, you are
prompted to overwrite it

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 46

 Mapping the Smart Card
Certificate to a User Account
• There are three ways to map certificates to user
accounts:
• One-to-one mapping
• Many-to-one mapping (subject)
• Many-to-one mapping (CA)

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 47

 Attaching a Smart Card Reader
to the Client Workstation
• Each computer using smart cards must have a smart
card reader
• Many computers have these available as an option
• Also commonly available as USB devices

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 48

 Summary
• Encryption makes data unreadable
• Decryption is the reverse of encryption
• Cryptography can ensure or perform confidentiality,
integrity, nonrepudiation, and authentication
• Types of encryption include:
• Symmetric
• Asymmetric
• Hash

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 49

 Summary (continued)
• Certificate Services is the Microsoft implementation
of a certification authority for PKI
• Enterprise certification authorities integrate with
Active Directory
• A stand-alone CA does not integrate with Active
Directory
• The Certificate Request Wizard, the Certificate
Services Web pages, and autoenrollment can be used
to issue certificates
• Smart cards are the most secure form of
authentication
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network 50