1 / 35

Module 8

Module 8. Deploying and Managing Certificates . Module Overview. Deploying and Managing Certificate Templates Managing Certificates Deployment, Revocation, and Recovery Using Certificates in a Business Environment Implementing and Managing Smart Cards.

ganesa
Download Presentation

Module 8

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 8 Deploying and Managing Certificates

  2. Module Overview • Deploying and Managing Certificate Templates Managing Certificates Deployment, Revocation, and Recovery Using Certificates in a Business Environment Implementing and Managing Smart Cards

  3. Lesson 1: Deploying and Managing Certificate Templates • What Are Certificates and Certificate Templates? Certificate Template Versions in Windows Server 2012 Configuring Certificate Template Permissions Configuring Certificate Template Settings Options for Updating a Certificate Template Demonstration: Modifying and Enabling a Certificate Template

  4. What Are Certificates and Certificate Templates? A certificate contains information about users, devices, usage, validity, and a key pair A certificate template defines: • The format and contents of a certificate • The process for creating and submitting a valid certificate request • The security principles that are allowed to read, enroll, or use autoenrollment for a certificate that will be based on the template • The permissions required to modify a certificate template

  5. Certificate Template Versions in Windows Server 2012 Version 1: • Introduced in Windows 2000 Server, provided for backward compatibility in newer versions • Created by default when a CA is installed • Cannot be modified (except for permissions) or removed, but can be duplicated to become version 2 or 3 templates, which can then be modified Version 2: • Default template introduced with Windows Server 2003 • Allows customization of most settings in the template • Several preconfigured templates are provided when a CA is installed Version 3: • Supports advanced Suite B cryptographic settings • Includes advanced options for encryption, digital signatures, key exchange, and hashing • Only supports Windows Server 2008 and Windows Server 2008 R2 servers • Only supports Windows Vista and Windows 7 client computers Version 4: • Available only for Windows Server 2012 and Windows 8 clients • Supports both CSPs and key storage providers • Supports renewal with the same key

  6. Configuring Certificate Template Permissions

  7. Configuring Certificate Template Settings For each certificate template, you can customize several settings, such as validity time, purpose, CSP, private key exportability, and issuance requirements

  8. Options for Updating a Certificate Template Modifying Modify the original certificate template to incorporate the new settings Original Updated Superseding Replace one or more certificate templates with an updated certificate template Smart Card 1 Smart Cards (new) Smart Card 2

  9. Demonstration: Modifying and Enabling a Certificate Template In this demonstration, you will see how to modify and enable a certificate template

  10. Lesson 2: Managing Certificates Deployment, Revocation, and Recovery • Certificate Enrollment Methods Certificate Autoenrollment Overview Enrollment Agent Overview How Does Certificate Revocation Work? Overview of Key Archival and Recovery Configuring Automatic Key Archival Demonstration: Configuring a CA for Key Archival

  11. Certificate Enrollment Methods

  12. Certificate Autoenrollment Overview • A certificate template is configured for Allow, Enroll, and Autoenroll permissions for users who receive the certificates • The CA is configured to issue the template • An AD DS GPO should be created to enable autoenrollment • The GPO should be linked to the appropriate site, domain, or OU • The client machine receives the certificates during the next Group Policy refresh interval

  13. Enrollment Agent Overview • An Enrollment Agent is a user who has the appropriate certificate assigned and and has the ability to request certificates on behalf of other users or computers The restricted Enrollment Agent has limited permissions: • Limits permissions of the enrollment agent: • For specific group of users • For specific certificate templates • Requires Windows Server 2008 Enterprise edition or Windows Server 2012 CA

  14. How Does Certificate Revocation Work? The following are steps to revoke a certificate: • Certificate is revoked • Certificate revocation is published • Client computer verifies certificate validity and revocation

  15. Overview of Key Archival and Recovery • Private keys can get lost when: • A user profile is deleted • An operating system is reinstalled • A disk is corrupted • A computer is lost or stolen • It is critical that you archive private keys for for certificates that are used for encryption • The KRA is needed for key recovery • Key archival must be configured on the CA and on the certificate template • Key recovery is a two-phases process: • Key retrieval • Key recovery • The KRA certificate must be protected

  16. Configuring Automatic Key Archival • Steps to configure automatic key archival: • Configure and issue the KRA certificate template • Designate a person as the KRA and enroll for the certificate • Enable key archival on the CA • Modify and enable certificate templates for key archival

  17. Demonstration: Configuring a CA for Key Archival In this demonstration, you will see how to configure a CA for key archival

  18. Lesson 3: Using Certificates in a Business Environment • Using Certificates for SSL Using Certificates for Digital Signatures Demonstration: Signing a Document Digitally Using Certificates for Content Encryption Demonstration: Encrypting a File with EFS Using Certificates for Authentication

  19. Using Certificates for SSL • The purpose of securing a connection with SSL is to protect data during communication • For SSL,a certificate must be installed on the server • Be aware of trust issues • The SSL works in the following steps: • The user types an HTTPS URL • The web server sends its SSL certificate. • The client performs a check of the server certificate • The client generatesa symmetric encryption key • The client encryptsthis key with the server’s public key • The server uses its private key to decrypt the encrypted symmetric key • Make sure that you configure the SSL certificate properly

  20. Using Certificates for Digital Signatures • Digital signature ensure: • Content is not modified during transport • The identity of the author is verifiable • Digital signatures works in the following steps: • When an author digitally signs a document or a message, the operating system on his or her machine creates a message cryptographic digest • The cryptographic digestis then encrypted by using author’s private key and added to the end of the document or message • The recipient uses the author’s public key to decrypt the cryptographic digest and compare it to the cryptographic digest created on the recipient’smachine • Users need to have certificate based ona User template to use digital signatures

  21. Demonstration: Signing a Document Digitally In this demonstration, you will see how to sign a document digitally

  22. Using Certificates for Content Encryption • Encryption protectsdata from unauthorizedaccess • EFS uses certificates forfile encryption • To send an encryptedmessage, you must bepossess the recipient’spublic key File encryption key: Encrypted with the file owner’spublic key Data Decryption Field File encryption key: Encrypted with the public key of Recovery agent 1 File encryption key: Encrypted with the public key of Recovery agent 2 (optional) Header Data Recovery Fields Encrypted Data

  23. Demonstration: Encrypting a File with EFS In this demonstration, you will see how to encrypt a file with EFS

  24. Using Certificates for Authentication You can use certificatesfor user and device authentication, and in network and application access scenarios such as: • L2TP/IPsecVPN • EAP-TLS • PEAP • NAP with IPsec • Outlook Web App • Mobile device authentication

  25. Lesson 4: Implementing and Managing Smart Cards • What Is a Smart Card? How Does Smart Card Authentication Work? What Is a Virtual Smart Card? Enrolling Certificates for Smart Cards Smart Card Management

  26. What Is a Smart Card? • A smart card is a miniature computer, embedded in plasticwith limited storage and processing capabilities • Smart cards: • Provide options for multifactor authentication • Provide enhanced security over passwords • A valid smart card and PIN must be usedtogether

  27. How Does Smart Card Authentication Work? • Smart cards can be used for: • Interactive logon to AD DS • Client authentication,if you use a certificate that matches an account • Remote logon • Interactive logon steps: • Logon request goes to the LSA, which is forwarded to the Kerberos package • KDCverifies the certificate • KDC verifies the digital signature on the authentication service • KDCperforms an AD DS query to locate user account • KDC generates a random encryption key to encrypt the TGT • KDC signs the reply with its private key and sends it to the user • You can use smart cards for offline logon

  28. What Is a Virtual Smart Card? • A smart card infrastructure might be expensive • Windows Server 2012 AD CS introduces Virtual Smart Cards • Virtual Smart Cards useleverage the capabilities of the TPM chip • No cost for buying smart cards and smart card readers • Computeracts like a smart card • Private keys are protectedby the cryptographic capabilities of the TPM

  29. Enrolling Certificates for Smart Cards • Before issuing smart cards, you should define the method of enrollment for smart card certificates • Smart card enrollment requires certificates require some manual intervention • For smart card enrollment, you should: • Define the certificate template for the smart cards • Enroll one or more users for the Enrollment Agent certificate • Configure the enrollment station • Start the Enroll On Behalf Of wizard • Ensurethatuserschangetheir personal PIN

  30. Smart Card Management • Smart cardmanagementtasks: • Issuance • Revocation • Renewal • Block and Unblock • Duplication • Suspend • FIM 2010 can: • Issue smart cards to users • Store information in a SQL database • Manage revocation, renewal, unblocking, suspension and reinstatement procedures • Provide users and administrators with a web-based, self-service smart card management interface • Manage smart card printing with appropriate hardware • Implement workflows for each management task

  31. Lab: Deploying and Using Certificates • Exercise 1: Configuring Certificate Templates Exercise 2: Enrolling and using certificates Exercise 3: Configuring and Implementing Key Recovery Logon Information Virtual machines: 10969A-LON-DC1, 10969A-LON-SVR1, 10969A-LON-CL1 User name:Adatum\Administrator Password:Pa$$w0rd Estimated Time: 50 minutes

  32. Lab Scenario You are working as an administrator at A. Datum Corporation. As A. Datum expands, its security requirements also are increasing. The Security department particularly is interested in enabling secure access to critical websites, and in providing additional security for features such as EFS, digital signatures, smart cards, and the Windows 7 and Windows 8 DirectAccess feature. The Security department especially wants to evaluate digital signatures in Microsoft Office documents. To address these and other security requirements, A. Datum has decided to use certificates that are issued by the AD CS role in Windows Server 2012.

  33. Lab Scenario As one of the senior network administrators at A. Datum, you are responsible for implementing certificate enrollment. You also will be developing the procedures and process for managing certificate templates, and for deploying and revoking certificates.

  34. Lab Review • What must you do to recover private keys? What is the benefit of using a restricted Enrollment Agent?

  35. Module Review and Takeaways • Review Questions Real-world Issues and Scenarios Tools Best Practice Common Issues and Troubleshooting Tips

More Related