
Microsoft PKI and Certificate Services

Shane Hartman, GCIA, GREM, CISSP
Secure Info Systems
• What are Certificates for
• Certificate Services Overview
• Requirements
• Certification Hierarchy
– One Tier
– Two Tier
– Multi Tier
• Server Setup
• Managing Certificates
• Requesting and Issuing Certificates
What can you use certificates for?

• SSL for internal web servers
• Encrypting File System (EFS)
• Authentication with smart cards
• Securing email (encrypting / signing)
• VPN authentication
• 802.1x authentication (wireless, NAP)
• Document and code signing
Overview

• Certificate Authorities are used to issue certificates to users, computers, and services
• CA services:
– Web Enrollment
– The Online Responder
– Network Device Enrollment Service
Web Enrollment

• Web Enrollment allows users to connect to a CA with a web browser to:
– Request certificates and review certificate requests
– Retrieve Certificate Revocation Lists (CRLs)
– Perform smart card certificate enrollment
Online Responder

• The Online Responder implements the Online Certificate Status Protocol (OCSP), which:
– Checks a certificate's revocation status and sends back a response
Network Device Enrollment

• Network Device Enrollment allows routers and other network devices to obtain certificates
• It uses the Simple Certificate Enrollment Protocol (SCEP)
Requirements (Windows 2008)

Component                                   Web   Standard   Enterprise   Datacenter
CA                                                X          X            X
Network Device Enrollment                                    X            X
Online Responder                                             X            X
Version 2 and 3 certificate templates                        X            X
Key archival                                                 X            X
Role separation                                              X            X
Certificate Manager restrictions                             X            X
Delegated Enrollment Agent restrictions                      X            X
Certification Hierarchy – One Tier

• Easy to manage
• Lacks redundancy – if the CA fails:
– It can't process incoming certificate requests or renewals
– It can't process certificate revocation lists
Certification Hierarchy – Two Tier

• Usually contains an offline root
• One or more policy/issuing CAs for redundancy
• Secures the root CA from compromise
Certification Hierarchy – Multi-Tier

• Multi-Tier involves three or more levels
• Distribution can be organized by:
– Geography, function, etc.
Installing Certificate Server

Things to note before starting:
• Select which role services for the CA
• Select the CA server type
• Set the CA's role in the certificate chain
• Choose the key type
• Configure the encryption type
• Select the key length and hash for issued certificates
• Name the CA
• Set the CA validity period – the default is 5 years
• Set the CA database location
• Confirm the settings
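The steps above, scripted, as an added example that is not from the slides: a two-tier hierarchy (offline standalone root, enterprise issuing CA) built with the ADCSDeployment PowerShell module, which ships with Windows Server 2012 and later; on Server 2008 the same choices are made in the Add Roles wizard. Server names, CA names, directories and the validity and CRL periods are assumptions chosen for illustration.

```powershell
# Added example, not from the slides. Requires the ADCSDeployment module
# (Windows Server 2012+). Names, paths and periods below are assumptions.

## ---- Tier 1: offline standalone root (workgroup server, never domain-joined) ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

$rootCA = @{
    CAType              = 'StandaloneRootCA'                             # role in the chain
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # key type; an HSM KSP is preferable for a root
    KeyLength           = 4096                                           # key length
    HashAlgorithmName   = 'SHA256'                                       # hash for certs it signs
    CACommonName        = 'Corp Root CA'                                 # name the CA
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10                                             # wizard default is 5 years
    DatabaseDirectory   = 'D:\CertDB'                                    # CA database
    LogDirectory        = 'D:\CertLog'
    Force               = $true                                          # skip the confirmation prompt
}
Install-AdcsCertificationAuthority @rootCA

# The root is offline and only signs its issuing CAs, so give its CRL a long life.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
Restart-Service certsvc
certutil -crl
# Copy the root certificate and CRL (C:\Windows\System32\CertSrv\CertEnroll\) to removable
# media, then on any domain-joined machine publish them to Active Directory:
#   certutil -dspublish -f <root cert>.crt RootCA
#   certutil -dspublish -f <root crl>.crl

## ---- Tier 2: enterprise issuing CA (domain-joined, run as an Enterprise Admin) ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert -IncludeManagementTools

$issuingCA = @{
    CAType                = 'EnterpriseSubordinateCA'
    CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength             = 2048
    HashAlgorithmName     = 'SHA256'
    CACommonName          = 'Corp Issuing CA'
    OutputCertRequestFile = 'C:\CorpIssuingCA.req'   # carried to the offline root for signing
    DatabaseDirectory     = 'D:\CertDB'
    LogDirectory          = 'D:\CertLog'
    Force                 = $true
}
Install-AdcsCertificationAuthority @issuingCA
# On the root (a standalone root holds requests pending until an admin issues them):
#   certreq -submit -config "ROOT01\Corp Root CA" C:\CorpIssuingCA.req
#   certutil -resubmit <RequestId>
#   certreq -retrieve <RequestId> C:\CorpIssuingCA.cer
# Back on the issuing CA, install the signed certificate and start the service:
certutil -installcert C:\CorpIssuingCA.cer
Start-Service certsvc

# The role services from the Overview slides belong on the issuing tier, not the root.
Install-AdcsWebEnrollment   -Force   # serves http://<server name>/certsrv
Install-AdcsOnlineResponder -Force   # OCSP responder
```

Keeping the root standalone and off the network is what makes the two-tier design's "secures the root CA from compromise" claim hold: the only thing that ever touches the root key is the occasional subordinate CA request and CRL refresh carried over by hand.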
Managing Certificates

• Now that you have a server set up, what can you do?
• Manage and issue certificates
• Managing certificates involves:
– Determining whether to use the canned templates or to copy and modify them
– Telling the certificate server which certificates it is allowed to issue
Determine whether to use canned templates

• Certificate server comes with a series of canned templates allowing for authentication, encryption, etc.
Which certificates it is allowed to issue

• Just because you have the template doesn't mean the CA can issue that certificate type.
• You have to publish the template before the CA will issue from it.
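Publishing and unpublishing templates from the command line, as an added example that is not from the slides. It uses the ADCSAdministration module (Windows Server 2012 and later) with the certutil equivalents noted for Server 2008; the template name CorpWebServer is an assumption and stands for a copy of the built-in WebServer template that you have already created in Active Directory.

```powershell
# Added example, not from the slides. Run on the issuing CA with the
# ADCSAdministration module (Server 2012+). 'CorpWebServer' is an assumed
# template name; the others are Windows built-ins.
Import-Module ADCSAdministration

# 1. See what the CA is currently allowed to issue. A fresh enterprise CA
#    publishes several templates out of the box (typically including SubCA).
Get-CATemplate | Select-Object Name, Oid | Format-Table -AutoSize

# 2. Unpublish templates this CA has no business issuing. Every published
#    template is something anyone holding Enroll rights on it can obtain,
#    so publish only what you have consciously approved.
foreach ($t in 'SubCA', 'EFSRecovery', 'Administrator') {
    if (Get-CATemplate | Where-Object Name -eq $t) {
        Remove-CATemplate -Name $t -Force
    }
}

# 3. Publish your own copy of a built-in template. It must already exist in AD
#    (duplicated from WebServer in the Certificate Templates console).
Add-CATemplate -Name 'CorpWebServer' -Force

# certutil equivalents, for Server 2008 where the module is not available:
#   certutil -CATemplates                     (list what is published)
#   certutil -SetCATemplates +CorpWebServer   (publish)
#   certutil -SetCATemplates -SubCA           (unpublish)

# 4. Verify: CorpWebServer should be listed, SubCA should not.
Get-CATemplate | Where-Object Name -in 'CorpWebServer', 'SubCA'
```

Having the template in the console but not on this list is exactly the "you have the template but can't issue its cert type" situation the slide describes.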
Requesting and Issuing Certificates

• Three ways to get certificates issued:
– Request one through the web site
– Request one through the Certificates MMC snap-in
– Have one requested on your behalf
Request through website

• If Web Enrollment is installed, the IIS web site is at:
– http://<server name>/certsrv
Request it through the Certificates MMC

• On the client machine, run MMC and add the Certificates snap-in
• Finally, you will be able to see the certificate in your repository
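The same request the Certificates MMC makes, driven from the command line with certreq, as an added example that is not from the slides. It ends with certutil -verify -urlfetch, which walks the chain and fetches the CRL and OCSP URLs embedded in the certificate, so it also exercises the Online Responder described earlier. The host name web01.corp.example, the CA config string CA01.corp.example\Corp Issuing CA, the directory C:\req and the template name CorpWebServer are assumptions.

```powershell
# Added example, not from the slides. Run as an administrator on the machine
# that needs the certificate. Host, CA, path and template names are assumptions.
New-Item -ItemType Directory -Path C:\req -Force | Out-Null

# certreq's INF format: key generated in the machine store, non-exportable,
# SHA-256 request, with a SAN so modern browsers accept the name.
$inf = @"
[NewRequest]
Subject             = "CN=web01.corp.example"
KeyLength           = 2048
KeySpec             = 1
KeyUsage            = 0xA0
MachineKeySet       = TRUE
Exportable          = FALSE
ProviderName        = "Microsoft RSA SChannel Cryptographic Provider"
RequestType         = PKCS10
HashAlgorithm       = SHA256
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.corp.example&"
[RequestAttributes]
CertificateTemplate = CorpWebServer
"@
Set-Content -Path C:\req\web01.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request (what the MMC does behind the wizard)
certreq -new C:\req\web01.inf C:\req\web01.req

# 2. Submit to the issuing CA; with an auto-issuing template the cert comes straight back
certreq -submit -config "CA01.corp.example\Corp Issuing CA" C:\req\web01.req C:\req\web01.cer

# 3. Bind the issued certificate to the private key in the machine Personal store
certreq -accept C:\req\web01.cer

# The certificate is now visible where the MMC shows it: Local Computer > Personal
Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like 'CN=web01*' |
    Select-Object Subject, NotAfter, Thumbprint

# 4. Check the chain and revocation status by actually fetching the CDP/AIA/OCSP URLs.
#    A failing fetch here means clients will also fail (or silently skip) revocation checks.
certutil -verify -urlfetch C:\req\web01.cer
```

The `-urlfetch` output is worth reading before putting a new CA into service: it lists each CRL distribution point and OCSP URL from the certificate and whether it could be retrieved, which is the quickest way to find a published Online Responder or CRL location that is not actually reachable from clients.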
