
Configuring Active Directory Certificate Services
Lesson 13

Skills Matrix

Technology Skill                                  | Objective Domain                               | Objective #
--------------------------------------------------|------------------------------------------------|------------
Installing Active Directory Certificate Services  | Install Active Directory Certificate Services  | 6.1
Configuring CA Server Settings                    | Configure CA server settings                   | 6.2
Configuring Certificate Templates                 | Manage certificate templates                   | 6.3
Managing Certificate Enrollments                  | Manage enrollments                             | 6.4
Configuring Certificate Revocation                | Manage certificate revocations                 | 6.5

Public Key Infrastructure

Public key infrastructure (PKI) consists of a number of elements that allow two parties to communicate securely, without any previous communication, through the use of a mathematical algorithm called public key cryptography.
Public key cryptography, as the name implies, stores a piece of information called a public key for each user, computer, and so on that is participating in a PKI.

Public Key Infrastructure

Each user, computer, and so on also possesses a private key, a piece of information that is known only to the individual user or computer.
By combining the well-known and easily obtainable public key with the hidden and well-secured private key, one entity (you, for example) can communicate with another entity (a secured Web site, for example) in a secure fashion without exchanging any sort of shared secret key beforehand.
A shared secret key is a secret piece of information that is shared between two parties prior to being able to communicate securely.

Certificate Authority (CA)

A Certificate Authority (CA) is an entity, such as a Windows Server 2008 server running the AD CS server role, that issues and manages digital certificates for use in a PKI.
CAs are hierarchical, which means that many subordinate CAs within an organization can chain upwards to a single root CA that is authoritative for all Certificate Services within a given network.
Many organizations use a three-tier hierarchy, where a single root CA issues certificates to a number of intermediate CAs, allowing the intermediate CAs to issue certificates to users or computers.

Digital Certificate

Sometimes just called a certificate.
This digital document contains identifying information about a particular user, computer, service, and so on.
The digital certificate contains the certificate holder's name and public key, the digital signature of the Certificate Authority that issued the certificate, as well as the certificate's expiration date.

Digital Signature

This electronic signature (created by a mathematical equation) proves the identity of the entity that has signed a particular document.
Like a personal signature on a paper document, when an entity signs a document electronically it certifies that the document originated from the person or entity in question.
In cases where a digital signature is used to sign something like an email message, a digital signature also indicates that the message is authentic and has not been tampered with since it left the sender's Outbox.
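The public/private key split and the signature property described on the last two slides can be seen end to end with nothing but the .NET crypto classes that ship with Windows. The script below is an added example, not part of the lesson; the message text, the 2048-bit key size and the choice of provider type 24 (the RSA/AES CSP, which supports SHA-256) are assumptions made for the demonstration.

```powershell
# Added example (not from the lesson): a key pair, a signature made with the private key,
# and verification using only the public key. No CA or certificate is involved.

# Provider type 24 = PROV_RSA_AES, the CSP that can sign with SHA-256 (assumption: Vista/2008 or later)
$csp = New-Object System.Security.Cryptography.CspParameters 24

# 1. The signer generates a key pair. The private half never leaves this object.
$signer = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
$signer.PersistKeyInCsp = $false          # throw-away key: do not leave it in the key store

# 2. Export ONLY the public parameters ($false = no private key) and hand them to the verifier.
#    This is what a digital certificate carries for its holder.
$publicOnly = $signer.ExportParameters($false)
$verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
$verifier.PersistKeyInCsp = $false
$verifier.ImportParameters($publicOnly)
"Verifier holds public key only: $($verifier.PublicOnly)"     # True

# 3. Sign a (constructed) message. What is actually signed is the SHA-256 hash of the bytes.
$message   = [Text.Encoding]::UTF8.GetBytes('Approve transfer of 100 units to account 42')
$signature = $signer.SignData($message, 'SHA256')

# 4. Verify with the public key alone. True = the bytes are unchanged and the signer
#    holds the private key that matches this public key.
"Original verifies: $($verifier.VerifyData($message, 'SHA256', $signature))"   # True

# 5. Change one character of the message and reuse the old signature: verification fails.
#    This is the "has not been tampered with since it left the sender's Outbox" property.
$tampered = [Text.Encoding]::UTF8.GetBytes('Approve transfer of 900 units to account 42')
"Tampered verifies: $($verifier.VerifyData($tampered, 'SHA256', $signature))"  # False
```

The important line is the `ExportParameters($false)` call: everything the verifier needs is public, so a receiver can check a signature without ever being trusted with the signer's private key, which is exactly why no shared secret has to be exchanged first.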

Certificate Practice Statement and Certificate Revocation List

Certificate Practice Statement (CPS)
Provides a detailed explanation of how a particular CA manages certificates and keys.

Certificate Revocation List (CRL)
This list identifies certificates that have been revoked or terminated, as well as the corresponding user, computer, or service.
Services that utilize PKI should reference the CRL to confirm that a particular certificate has not been revoked prior to its expiration date.
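The CA hierarchy slide and the CRL slide together describe what a relying party has to do with a certificate: walk the chain up to a trusted root and consult the CRL for every link. The following script is an added example (not the lesson's or Microsoft's code) that does both with the .NET X509Chain class; the certificate file path is a placeholder, and it assumes the machine can reach the CRL distribution points named in the certificates.

```powershell
# Added example (not from the lesson): inspect a certificate, build its chain to the root CA,
# and check revocation for every certificate in the chain.

$certPath = 'C:\temp\server.cer'   # placeholder: any DER or Base64-encoded .cer file
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# The fields the lesson lists for a digital certificate
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Public key : $($cert.PublicKey.Oid.FriendlyName) $($cert.PublicKey.Key.KeySize) bits"
"Expires    : $($cert.NotAfter)"
"Signed with: $($cert.SignatureAlgorithm.FriendlyName)"

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Consult the CRL (or OCSP responder) for EVERY certificate in the chain, not just the end entity,
# and fetch it online rather than trusting whatever is cached.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$valid = $chain.Build($cert)

# Walk the hierarchy from the end entity up to the root CA
'Chain:'
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }

if ($valid) {
    'Chain is valid and no certificate in it is revoked.'
} else {
    # Typical statuses: Revoked, NotTimeValid, UntrustedRoot, RevocationStatusUnknown, OfflineRevocation.
    # The last two mean the CRL could not be obtained; a relying party should treat that as a failure,
    # not as "not revoked".
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

Setting `RevocationFlag` to `EntireChain` matters in a three-tier hierarchy: an intermediate CA whose certificate has been revoked by the root invalidates everything it issued, and the default (end-entity-only) check would miss it.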

Certificate Templates

Templates used by a CA to simplify the administration and issuance of digital certificates.
This is similar to how templates can be used in other applications, such as office productivity suites, or when creating objects within Active Directory.

Self-Enrollment and Enrollment Agents

Self-Enrollment
As the name suggests, this feature enables users to request their own PKI certificates, typically through a Web browser.

Enrollment agents
These are used to request certificates on behalf of a user, computer, or service if self-enrollment is not practical or is otherwise an undesirable solution for reasons of security, auditing, and so on.
An enrollment agent typically consists of a dedicated workstation that is used to install certificates onto smart cards, thus preconfiguring a smart card for each person's use.

Autoenrollment

This PKI feature, supported by Windows Server 2003 and later, allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory.
Because this feature is supported only in Windows Server 2003 and later, certificate templates that are based on Windows 2000 do not allow autoenrollment, in order to maintain backwards compatibility.
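The three preceding slides (templates, manual enrollment, autoenrollment) are one workflow when seen from the command line. The script below is an added example, not part of the lesson; it uses the built-in certutil and certreq tools, and the CA configuration string, subject name and file names are placeholders to replace with your own.

```powershell
# Added example (not from the lesson): publish a template on a CA, enroll for a certificate
# by hand, and check/trigger autoenrollment on a domain member.

$caConfig = 'CA01.corp.example.com\Corp-Issuing-CA'   # placeholder: "CA host\CA common name"

# --- Certificate templates ---------------------------------------------------------
certutil -template                                 # templates defined in AD (Certificate Templates container)
certutil -config $caConfig -CATemplates            # templates THIS CA is willing to issue
certutil -config $caConfig -SetCATemplates +User   # publish the built-in User template on the CA

# --- Manual enrollment (what an administrator or enrollment agent does by hand) -------
# The .inf describes the request; "Machine" is the built-in Computer template's name.
@"
[NewRequest]
Subject = "CN=workstation01.corp.example.com"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate = Machine
"@ | Set-Content -Path .\request.inf

certreq -new    .\request.inf .\request.req                  # generate key pair + certificate request
certreq -submit -config $caConfig .\request.req .\cert.cer   # submit to the enterprise CA
certreq -accept .\cert.cer                                   # bind the issued certificate to its private key

# --- Autoenrollment (Windows Server 2003 and later) ----------------------------------
# The Group Policy setting "Certificate Services Client - Auto-Enrollment" is delivered to
# clients as the AEPolicy value below: 1 = enabled, +2 = renew expired/update pending/remove
# revoked, +4 = update certificates that use templates, so 7 = everything on.
$ae = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
if (Test-Path $ae) {
    Get-ItemProperty -Path $ae -Name AEPolicy
} else {
    'No autoenrollment policy has been applied to this computer'
}

# Run an autoenrollment pass now instead of waiting for the next policy refresh
certutil -pulse
```

The `-CATemplates` listing is the one to audit: a template that exists in Active Directory but is not published on any CA cannot be used to obtain a certificate, and a template published on the CA is offered to every principal its ACL grants Enroll (or Autoenroll) to.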

Recovery Agent

These agents are configured within a CA to allow one or more users (typically administrators) to recover private keys for users, computers, or services if their keys are lost.
For example, if a user's hard drive crashes and the user has not backed up the private key, any information that the user has encrypted using the certificate will be inaccessible until a recovery agent retrieves the user's private key.

Key Archival

This is the process by which private keys, where the CA archives them at all, are retained by the CA for retrieval by a recovery agent.
Most commercial CAs do not allow key archival; if a customer loses a private key and has not taken a backup, the user needs to purchase a new certificate.
In a Windows PKI implementation, users' private keys can be stored within Active Directory to simplify and automate both the enrollment and retrieval processes.
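Whether a lost key is recoverable depends on two things the last two slides introduce: the template must have asked for archival at enrollment time, and someone holding a recovery agent certificate must perform the recovery. The script below is an added example (not the lesson's code) that checks the first with ADSI and shows the second with certutil; the template name, CA configuration string and serial number are placeholders.

```powershell
# Added example (not from the lesson): is key archival on for a template, and how does a
# Key Recovery Agent (KRA) get an archived key back?

# --- Does this template archive the subject's private key? ----------------------------
# On the template object in AD, msPKI-Private-Key-Flag bit 0x1
# (CTPRIVATEKEY_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) means "archive the key at enrollment".
$configNC     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateName = 'ArchivedUser'   # placeholder: a custom template duplicated from User
$tpl   = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$flags = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value

if ($flags -band 0x1) {
    "$templateName archives private keys at enrollment; a lost key can be recovered"
} else {
    "$templateName does NOT archive private keys; a lost key means a new certificate"
}

# --- Recovery, run by a user who holds a KRA certificate ---------------------------
$caConfig = 'CA01.corp.example.com\Corp-Issuing-CA'   # placeholder
$serial   = '1a2b3c4d000000000005'                    # placeholder: serial number of the user's certificate

# Step 1, against the CA database: pull the archived key blob. It is still encrypted to the
# KRA's public key, so a CA administrator alone cannot read it.
certutil -config $caConfig -getkey $serial .\recovery.blob

# Step 2, on the machine that holds the KRA private key: decrypt the blob into a PFX
# that can be handed back to the user.
certutil -recoverkey .\recovery.blob .\recovered.pfx
```

The two-step design is the point to take away: archival on the CA and decryption by the KRA are separate privileges, so the CA operator and the recovery agent each see only half of what is needed to recover a user's key.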

Windows Server 2008 and Certificate Services

Within Windows Server 2008, the Active Directory Certificate Services server role consists of the following services and features:
Web enrollment.
Online Responder.
Online Certificate Status Protocol (OCSP).

Types of CAs

When deploying a Windows-based PKI, two different types of CAs can be deployed:
Standalone CA.
Enterprise CA.

Stand-alone CA
A standalone CA is not integrated with Active Directory.
It requires administrator intervention to respond to certificate requests.
You can use a standalone CA as both a root and a subordinate CA in any PKI infrastructure.

Enterprise CA
An enterprise CA integrates with an Active Directory domain.
It can use certificate templates to allow autoenrollment of digital certificates, as well as store the certificates themselves within the Active Directory database.
You can use an enterprise CA as both a root and a subordinate CA in any PKI infrastructure.
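The standalone/enterprise distinction is recorded in two places: the CA's own CertSvc configuration, and (for enterprise CAs only) the Enrollment Services container in Active Directory. The script below is an added example, not from the lesson, that reads both; the CA common name is a placeholder, and it assumes it runs on the CA (for the registry part) and on a domain member (for the ADSI part).

```powershell
# Added example (not from the lesson): identify what kind of CA this server is, and list
# the enterprise CAs that Active Directory knows about.

$caName = 'Corp-Issuing-CA'   # placeholder: the CA's common name
$cfg    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$caType = (Get-ItemProperty -Path $cfg -Name CAType).CAType

# CAType values as stored by Certificate Services
switch ($caType) {
    0       { 'Enterprise root CA        : AD-integrated; templates and autoenrollment available' }
    1       { 'Enterprise subordinate CA : AD-integrated; templates and autoenrollment available' }
    3       { 'Standalone root CA        : no AD; requests wait for administrator approval' }
    4       { 'Standalone subordinate CA : no AD; requests wait for administrator approval' }
    default { "Unrecognised CAType value $caType" }
}

# An enterprise CA publishes itself here when installed; a standalone CA never appears.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
'Enterprise CAs registered in Active Directory:'
foreach ($ca in $es.Children) {
    '  {0} on {1}' -f $ca.Properties['cn'].Value, $ca.Properties['dNSHostName'].Value
}
```

Comparing the two outputs is a useful sanity check after installation: a CA whose registry says enterprise (0 or 1) but which is missing from Enrollment Services will not be found by domain members trying to autoenroll.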

Summary

The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy.
The role of AD CS in ILM is to provide services for managing a Windows public key infrastructure (PKI) for authentication and authorization of users and devices.

Summary

A PKI allows two parties to communicate securely, without any previous communication with each other, through the use of a mathematical algorithm called public key cryptography.
PKI certificates are managed through certificate authorities that are hierarchical, which means that many subordinate CAs within an organization can chain upwards to a single root CA.

Summary

Certificate templates are used by a certificate authority to simplify the administration and issuance of digital certificates.
A Certificate Revocation List (CRL) identifies certificates that have been revoked or terminated.

Summary

Autoenrollment is a feature of PKI that is supported by Windows Server 2003 and later, which allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as using Group Policy settings in Active Directory.
Key archival is the process by which private keys are maintained by the CA for retrieval by a recovery agent.

Summary

Web enrollment enables users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date CRL.
The Network Device Enrollment Service (NDES) enables network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

Summary

When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs.
A standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.
An enterprise CA integrates with Active Directory.
It can use certificate templates as well as Group Policy Objects to allow autoenrollment of digital certificates, as well as storing digital certificates within the Active Directory database for easy retrieval by users and devices.
