9: Planning and Managing Certificate Services


70-293: MCSE Guide to
Planning a Microsoft Windows
Server 2003 Network,
Enhanced
Chapter 9:
Planning and Managing
Certificate Services
Objectives
• Describe the types of cryptography
• Understand how cryptography is used for encryption
and digital signatures
• Understand the components of Certificate Services
• Install and manage Certificate Services
• Manage certificates
• Implement smart card authentication
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network
2
Cryptography
• Cryptography: encrypting/decrypting data to ensure
it is read only by the intended recipient
• Encrypted messages are unreadable
• Decryption
• Reverse of encryption
• Makes the data readable again
Cryptography (continued)
• Four objectives of cryptography
• Confidentiality
• Integrity
• Nonrepudiation
• Authentication
Cryptography (continued)
• Cryptography uses keys:
• A large number (a series of numbers, letters, and symbols)
• Large and difficult to guess
• Used with an algorithm to encrypt and decrypt data
• Three types of encryption
• Symmetric
• Asymmetric
• Hash
Symmetric Encryption
• Uses a single key
• A computer can symmetrically encrypt large amounts
of data quickly
• Used when encrypting files and large amounts of data
across network transmissions
Asymmetric Encryption
• Uses two keys: public key and private key
• Anything encrypted by the public key can be
decrypted with the private key and vice versa
Hash Encryption
• Hash encryption is unique because it is one-way
• Hash algorithm uses a single key to convert data to a
hash value
• The hash value is a summary of the data
• The purpose of a hash value is to be a unique
identifier, not to secure data
Uses for Cryptography
• Three common tasks that use different types of
encryption are:
• Encrypting e-mail
• Ensuring data integrity with digital signatures
• Securing data communication with Secure Sockets Layer
(SSL)
Encrypting E-mail
• Encrypting e-mail ensures that a message in transit
cannot be read by unauthorized people
• Uses the public and private keys of the recipient:
• Sender creates an e-mail message
• E-mail software encrypts using the recipient’s public key
• Recipient’s public key may be published in a directory or
given to the sender via e-mail before encryption
• Encrypted message is then sent to the recipient
• Recipient’s e-mail software decrypts the message using the
recipient’s private key
Encrypting E-mail (continued)
Digital Signatures
• A digital signature is a hash value that is encrypted
and attached to a message
• Ensures that a message has not been modified in
transit and that it truly came from the named sender
• This is important when electronically delivering
information such as contracts and agreements
• The public and private keys of the sender are used for
a digital signature
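The two asymmetric-key uses the slides describe, encrypting e-mail with the recipient's public key and signing with the sender's private key, can be demonstrated end to end with a toy RSA key pair. The following is an added example, not code from the textbook: the key pair is built from two fixed Mersenne primes so the numbers are reproducible (an assumption made for illustration only; production keys use large random primes and padding schemes such as OAEP and PSS), and the function names are the author's own. The signature path hashes the message with SHA-256 and "encrypts" the hash value with the private key, exactly as slide 12 defines a digital signature; verification recomputes the hash and compares.

```python
import hashlib

# Toy RSA key pair from two fixed Mersenne primes. Constructed for illustration
# only: real keys use large random primes, and real systems add padding
# (OAEP for encryption, PSS for signatures). Textbook RSA is shown here so the
# "encrypt with one key, decrypt with the other" relationship is visible.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def encrypt_for_recipient(message: bytes, recipient_public_key) -> int:
    """Encrypting e-mail: the sender encrypts with the recipient's public key."""
    e, n = recipient_public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt_with_private_key(ciphertext: int, recipient_private_key) -> bytes:
    """Only the holder of the matching private key can recover the message."""
    d, n = recipient_private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(message: bytes, sender_private_key) -> int:
    """Digital signature: hash the message, then 'encrypt' the hash value
    with the sender's private key and attach the result to the message."""
    d, n = sender_private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(message: bytes, signature: int, sender_public_key) -> bool:
    """Anyone holding the sender's public key recovers the hash from the
    signature and compares it with a fresh hash of the received message.
    A mismatch means the message changed in transit or was signed by a
    different key."""
    e, n = sender_public_key
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == expected


if __name__ == "__main__":
    # Constructed sample: a signed, encrypted agreement. For brevity the same
    # toy key pair plays both the sender's and the recipient's role.
    body = b"Agreement: delivery by 2024-07-01"
    ciphertext = encrypt_for_recipient(body, PUBLIC_KEY)
    signature = sign(body, PRIVATE_KEY)
    received = decrypt_with_private_key(ciphertext, PRIVATE_KEY)
    print(received, verify(received, signature, PUBLIC_KEY))
    print(verify(received + b"!", signature, PUBLIC_KEY))
```

Note the asymmetry of roles: confidentiality uses the recipient's key pair (anyone can encrypt, only the recipient can decrypt), while the signature uses the sender's key pair (only the sender can sign, anyone can verify). Changing a single byte of the message changes the SHA-256 value, so the recovered hash no longer matches and verification fails.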
Digital Signatures (continued)
Secure Sockets Layer
• Secure Sockets Layer (SSL) is a Transport Layer
protocol that can be used with any application
protocol that is designed to communicate with it
• SSL secures communication between Web servers
and Web browsers, e-mail clients and e-mail servers,
and other service combinations
• Servers are the only participants in SSL that must be
configured with a public key and a private key
Secure Sockets Layer (continued)
Certificate Services Components
• Certificate Services is the Microsoft implementation
of PKI (Public Key Infrastructure)
• PKI creates and manages public keys, private keys, and
certificates
• PKI using Certificate Services is composed of:
• Certificates
• Certification authority (also known as certificate authority)
• A Certificate Revocation List (CRL)
• Certificate-enabled applications
Certificates
• A certificate contains information about a user or
computer and a public key
• A certificate defined by the X.509 standard has fields:
• Subject (or user name)
• Serial number
• Validity period
• Public key
• Issuer name
• Issuer signature
Certification Authority
• A certification authority (CA) is a server that issues
certificates to client computers, applications, or users
• The CA is responsible for taking certificate-signing
requests from clients and approving them
• As part of the approval process, the identity of the
requester is verified
Activity 9-1: Viewing Trusted
Root Certification Authorities
• The purpose of this activity is to view the trusted root
certification authorities installed by default on
Windows Server 2003
Certificate Revocation List
• The certification authority maintains a Certificate
Revocation List (CRL), which is a list of certificates
issued by the CA that are no longer valid
• The administrator adds certificates to this list
• It is not created automatically
• Each certificate issued by the CA has an expiration date
Certificate-enabled Applications
• Windows client computers can store certificates in a
place that can be used by multiple applications
• Many certificate-enabled applications running on
Windows use this central Windows store, but other
applications store certificates in a private database
• Common applications for certificates include:
• e-mail clients
• Web browsers
• smart cards
Installing and Managing
Certificate Services
• Two classes of CAs
• Enterprise
• Stand-alone
• An enterprise CA:
• Integrates with Active Directory
• Has an expanded feature set
• Can use certificate templates
• Certificate creation process is entirely automated
Installing and Managing
Certificate Services (continued)
• A stand-alone certification authority:
• Does not integrate with Active Directory
• Unable to issue certificates automatically based on a user
object in Active Directory
• All certificate requests must be manually approved by an
administrator
• Certificate templates cannot be used by a stand-alone
certification authority
• Cannot issue certificates used for smart card authentication
Certificate Hierarchy
• Chain of trust where client computers and
applications are assured that a certificate is valid
• The hierarchy is either a root certification authority or
a subordinate certification authority
• A subordinate certification authority is certified by
another certification authority
• After certification, the subordinate can issue certificates
based on the trusted status of the certification
authority that certified it
Certificate Hierarchy (continued)
Installing Certificate Services
• When installing a CA you must choose which type:
• Enterprise root CA
• Stand-alone root CA
• Enterprise subordinate CA
• Stand-alone subordinate CA
• Can configure custom settings for the key pair and
CA certificate
Activity 9-2: Installing
Certificate Services
• The purpose of this activity is to install Certificate
Services and configure your server as an enterprise
root certification authority
Back Up and Restore Certificate
Services
• Certificate Services is normally backed up as part of
the daily backup process on Windows Server 2003
• Certificate Services is included with the backup of
system state data
• Can back up and restore manually just Certificate
Services using the CA snap-in
Activity 9-3: Backing Up
Certificate Services
• The purpose of this activity is to perform a manual
backup of Certificate Services
Activity 9-4: Restoring the
Certificate Services Database
• The purpose of this activity is to perform a manual
restore of Certificate Services
Managing Certificates
• Tasks related to issuing and managing certificates are:
• Issuing certificates
• Renewing certificates
• Revoking certificates
• Publishing a Certificate Revocation List
• Importing and exporting certificates
• Mapping accounts to certificates
• A command-line utility, CERTUTIL, can be used to
manage both certificates and Certificate Services
Issuing Certificates
• Certificates can be requested using
• Certificate Request Wizard
• Certificate Services Web pages
• Autoenrollment
• The Certificate Request Wizard and autoenrollment
are available only for enterprise certification
authorities
• Certificate Services Web pages can be used by both
stand-alone and enterprise certificate authorities
The Certificate Request Wizard
• The Certificate Request Wizard is run by users to
create certificates
• The types of certificates that can be created are
controlled by certificate templates
• The administrator can create, configure, and control
access to these templates
• Users can create certificates based on the templates to
which they have either read or enroll permissions
Activity 9-5: Requesting a
Certificate
• The purpose of this activity is to request a user
certificate using the Certificate Request Wizard
Certificate Services Web Pages
• The Certificate Services Web pages can be used to
request certificates from both enterprise certification
authorities and stand-alone certification authorities
• IIS is required for the Certificate Services Web pages
Autoenrollment
• Autoenrollment issues certificates automatically
• To enable autoenrollment:
• Duplicate an existing certificate using Certificate Templates
snap-in
• Select Publish certificate in Active Directory
• On the Security tab, add the required users or groups, and
assign them the enroll and autoenroll permissions
• Enable the new certificate template in the CA snap-in
• Configure a group policy to enable Enroll certificates
automatically
Renewing Certificates
• All certificates are issued with an expiration date
• If a certificate becomes compromised, it is not a security
risk for an extended period of time
• If an employee unexpectedly leaves, the employee won’t have
access to company resources after expiration
• To avoid an interruption in service, a user must renew
a certificate before it expires
Revoking Certificates
• When a certificate has been compromised or a user
has left the company, you need to revoke it
• This places the certificate on the CRL of the
certification authority
• Windows 2000 and newer clients automatically
download the CRL from Active Directory
• A CRL has a default lifetime of seven days
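The renewal and revocation slides together define the checks a relying party has to make: is the certificate inside its validity period, is its serial on the issuing CA's CRL, and is the copy of the CRL being consulted still within its lifetime. The following is an added example that puts those rules in one function; it is not code from the textbook or from Certificate Services. The seven-day CRL lifetime is the chapter's stated default; the 30-day renewal warning window, the dictionary field names and the `CRL` class are the author's own assumptions, and the sample certificate is constructed.

```python
from datetime import datetime, timedelta, timezone

CRL_LIFETIME = timedelta(days=7)      # default CRL lifetime cited in the chapter
RENEWAL_WINDOW = timedelta(days=30)   # assumed lead time for renewing before expiry


def utc(iso: str) -> datetime:
    """Parse a constructed timestamp such as '2024-06-01T00:00:00' as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


class CRL:
    """A CA's revocation list: the serials it has revoked, plus the window in
    which clients may rely on this copy (thisUpdate .. nextUpdate)."""

    def __init__(self, issuer: str, this_update: datetime, revoked_serials=()):
        self.issuer = issuer
        self.this_update = this_update
        self.next_update = this_update + CRL_LIFETIME
        self.revoked = set(revoked_serials)

    def revoke(self, serial: int) -> None:
        """Revocation is an administrator action; the entry is added by hand."""
        self.revoked.add(serial)


def certificate_status(cert: dict, crl: CRL, now: datetime) -> str:
    """Classify a certificate as one of: not-yet-valid, expired, revoked,
    crl-stale, renew-soon, valid."""
    if now < cert["not_before"]:
        return "not-yet-valid"
    if now > cert["not_after"]:
        # Expiry bounds how long a compromised or orphaned certificate stays usable.
        return "expired"
    if crl.issuer != cert["issuer"]:
        raise ValueError("CRL was not published by this certificate's issuer")
    if cert["serial"] in crl.revoked:
        # A revocation listed on even an old CRL is still a revocation.
        return "revoked"
    if now > crl.next_update:
        # Fail closed: a CRL past its lifetime may be missing newer revocations.
        return "crl-stale"
    if cert["not_after"] - now <= RENEWAL_WINDOW:
        # Renew before expiry to avoid an interruption in service.
        return "renew-soon"
    return "valid"


# Constructed sample data (not a real certificate).
ISSUER = "CN=Example Enterprise Root CA"
SAMPLE_CERT = {"serial": 0x1234, "issuer": ISSUER,
               "not_before": utc("2024-01-01T00:00:00"),
               "not_after": utc("2025-01-01T00:00:00")}


if __name__ == "__main__":
    crl = CRL(ISSUER, utc("2024-05-30T00:00:00"))
    print(certificate_status(SAMPLE_CERT, crl, utc("2024-06-01T00:00:00")))  # valid
    print(certificate_status(SAMPLE_CERT, crl, utc("2024-06-10T00:00:00")))  # crl-stale
    crl.revoke(0x1234)
    print(certificate_status(SAMPLE_CERT, crl, utc("2024-06-01T00:00:00")))  # revoked
```

The ordering matters: a serial found on the CRL is revoked regardless of the CRL's age, but an absent serial on a CRL past its `next_update` proves nothing, so that case is reported separately rather than treated as valid. Clients that keep using a stale CRL are exactly the window an attacker with a revoked-but-unexpired certificate would rely on, which is why the CA must publish a fresh CRL before the old one lapses.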
Activity 9-6: Revoking a
Certificate
• The purpose of this activity is to revoke a certificate
and publish a new CRL
Importing and Exporting
Certificates
• If you want to move or copy certificates from one
computer to another, you can choose from these
standard formats:
• DER encoded binary X.509
• Base-64 encoded X.509
• Cryptographic Message Standard
• Personal Information Exchange
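The first two export formats above are the same bytes in two encodings: DER is the binary ASN.1 serialization, and Base-64 X.509 is that DER wrapped in a PEM text envelope. The following added example (the author's own, not code from the textbook or from Windows) builds a small DER structure carrying the six fields the "Certificates" slide lists, parses them back out with a minimal tag-length-value decoder, and converts between the DER and Base-64 forms with the standard library's `ssl.DER_cert_to_PEM_cert` and `ssl.PEM_cert_to_DER_cert`. The field layout is a deliberate simplification (an assumption: real X.509 encodes names, algorithm identifiers and the public key in richer nested structures) and the signature bytes are a constructed placeholder.

```python
import ssl
from datetime import datetime, timezone

# ASN.1 universal tags used below
SEQUENCE, INTEGER, PRINTABLE_STRING, UTC_TIME = 0x30, 0x02, 0x13, 0x17


def der_encode(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value; long-form length above 127 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        size = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + size], "big")
        start = pos + 2 + size
    return tag, buf[start:start + n], start + n


def der_children(content: bytes):
    """Decode every TLV packed inside a SEQUENCE body, in order."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_decode(content, pos)
        out.append((tag, value))
    return out


def build_sample_certificate() -> bytes:
    """Constructed sample in a simplified X.509-like layout (assumption: real
    X.509 uses richer Name, AlgorithmIdentifier and SubjectPublicKeyInfo types):
    SEQUENCE { serial INTEGER, subject PrintableString, issuer PrintableString,
               validity SEQUENCE { notBefore UTCTime, notAfter UTCTime },
               publicKey INTEGER, issuerSignature INTEGER }"""
    serial = der_encode(INTEGER, (0x1234).to_bytes(2, "big"))
    subject = der_encode(PRINTABLE_STRING, b"CN=alice")
    issuer = der_encode(PRINTABLE_STRING, b"CN=Example Enterprise Root CA")
    validity = der_encode(SEQUENCE, der_encode(UTC_TIME, b"240101000000Z")
                          + der_encode(UTC_TIME, b"250101000000Z"))
    public_key = der_encode(INTEGER, (65537).to_bytes(3, "big"))
    # Placeholder signature bytes (not a real signature); the leading 0x00 keeps
    # the INTEGER positive and the size pushes the outer length into long form.
    signature = der_encode(INTEGER, b"\x00" + b"\xab" * 128)
    return der_encode(SEQUENCE, serial + subject + issuer + validity + public_key + signature)


def parse_utctime(raw: bytes) -> datetime:
    """UTCTime 'YYMMDDhhmmssZ' to an aware datetime."""
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der: bytes) -> dict:
    """Pull the six fields the chapter lists out of the DER bytes."""
    tag, body, _ = der_decode(der)
    if tag != SEQUENCE:
        raise ValueError("certificate must be a SEQUENCE")
    serial, subject, issuer, validity, public_key, signature = der_children(body)
    not_before, not_after = der_children(validity[1])
    return {
        "serial": int.from_bytes(serial[1], "big"),
        "subject": subject[1].decode("ascii"),
        "issuer": issuer[1].decode("ascii"),
        "not_before": parse_utctime(not_before[1]),
        "not_after": parse_utctime(not_after[1]),
        "public_key": int.from_bytes(public_key[1], "big"),
        "issuer_signature": signature[1],
    }


def to_base64_x509(der: bytes) -> str:
    """'Base-64 encoded X.509' export: the PEM wrapper from the standard library."""
    return ssl.DER_cert_to_PEM_cert(der)


def from_base64_x509(pem: str) -> bytes:
    """Import the Base-64 form back to 'DER encoded binary X.509'."""
    return ssl.PEM_cert_to_DER_cert(pem)
```

Both of these formats carry only the certificate, which contains the public key, so they are safe to mail or publish. The other two formats on the slide are containers: Cryptographic Message Standard (PKCS #7) can bundle a certificate together with its issuing chain, and Personal Information Exchange (PKCS #12, the .pfx file) can also carry the private key, which is why a PFX export prompts for a password and should be handled as secret material.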
Activity 9-7: Moving a Certificate
• The purpose of this activity is to move a user
certificate from one computer to another
Smart Card Authentication
• Smart cards are the strongest form of authentication
supported by Windows Server 2003
• Users are required to have the device (the smart card)
and enter a personal identification number (PIN)
• When smart cards are implemented, users are issued a
physical card that contains a certificate
• The PIN decrypts the certificate stored on the card
Preparing the Certification
Authority to Issue Smart Card
Certificates
• Two types of certificates are required to implement
smart card authentication:
• One type is placed on the smart card for authentication
• The second type is an enrollment agent certificate
Preparing a Smart Card
Certificate Enrollment Station
• A smart card certificate enrollment station is a
computer that is used to configure smart cards
• It must have a properly configured smart card reader
• A smart card reader is a device that smart cards are
inserted into to read their contents
Configuring a Smart Card for
User Logon
• An enrollment agent configures smart cards for users
through the Certificate Services Web pages on a CA
• Select the following:
• Template that will be used to create the certificate
• CA that will issue the certificate
• Cryptographic service provider of the smart card
• Enrollment agent certificate that will sign the request
• The user the certificate is for
Configuring a Smart Card for
User Logon (continued)
• To create the smart card, click the Enroll button and
place the smart card in the smart card reader
• Enter the PIN to be used on the smart card
• If a certificate already exists on the smart card, you are
prompted to overwrite it
Mapping the Smart Card
Certificate to a User Account
• There are three ways to map certificates to user
accounts:
• One-to-one mapping
• Many-to-one mapping (subject)
• Many-to-one mapping (CA)
Attaching a Smart Card Reader
to the Client Workstation
• Each computer using smart cards must have a smart
card reader
• Many computers have these available as an option
• Also commonly available as USB devices
Summary
• Encryption makes data unreadable
• Decryption is the reverse of encryption
• Cryptography can ensure or perform confidentiality,
integrity, nonrepudiation, and authentication
• Types of encryption include:
• Symmetric
• Asymmetric
• Hash
Summary (continued)
• Certificate Services is the Microsoft implementation
of a certification authority for PKI
• Enterprise certification authorities integrate with
Active Directory
• A stand-alone CA does not integrate with Active
Directory
• The Certificate Request Wizard, the Certificate
Services Web pages, and autoenrollment can be used
to issue certificates
• Smart cards are the most secure form of
authentication