Microsoft PKI and Certificate Services


 Shane Hartman, GCIA, GREM, CISSP
                Secure Info Systems
 •   What are Certificates for
 •   Certificate Services Overview
 •   Requirements
 •   Certification Hierarchy
     – One Tier
     – Two Tier
     – Multi Tier
 •   Server Setup
 •   Managing Certificates
 •   Requesting and Issuing Certificates
What can you use certificates for?

 •   SSL for Internal Web Servers
 •   Encrypting file system
 •   Authentication with Smart Cards
 •   Securing Email (Encrypting / Signing)
 •   VPN Authentication
 •   802.1x Authentication (Wireless, NAP)
 •   Document and Code Signing

Certificate Services Overview

 • Certificate Authorities are used to issue
   certificates to users, computers, and services
 • CA Services
    – Web Enrollment
    – The Online Responder
    – Network Device Enrollment Service
Web Enrollment

 • Web Enrollment: allows users to connect to a CA
   with a web browser to:
    – Request certificates and review certificate requests
    – Retrieve Certificate Revocation Lists (CRLs)
    – Perform Smart Card certificate enrollment
Online Responder

 • The Online Responder implements the Online
   Certificate Status Protocol (OCSP), which
    – Checks a certificate’s revocation status and sends
      it back to the client
Network Device Enrollment

 • Network Device Enrollment allows routers and
   other network devices to obtain certificates
 • It uses the Simple Certificate Enrollment Protocol (SCEP)
Requirements (Windows Server 2008)

Component                                  Web   Standard   Enterprise   Datacenter
CA                                                X          X            X
Network Device Enrollment                                    X            X
Online Responder                                             X            X
Version 2 and 3 certificate templates                        X            X
Key archival                                                 X            X
Role separation                                              X            X
Certificate manager restrictions                             X            X
Delegated enrollment agent restrictions                      X            X
Certification Hierarchy – One Tier

 • Easy to manage
 • Lacks redundancy – if the CA fails it
    – Can’t process incoming certificate requests
    – Can’t publish certificate revocation lists
 • The single CA is both root and issuer, so it must stay
   online; compromising it compromises every certificate
   it has ever issued
Certification Hierarchy – Two Tier

 • Usually contains an offline root
 • One or more policy/issuing CAs for redundancy
 • Keeps the root CA off the network, which secures it
   from compromise
Certification Hierarchy – Multi-Tier

 • Multi-Tier involves three or more levels
 • Distribution can be organized by
    – Geography, Function, etc.
Installing Certificate Server
Things to note before starting

 • Select which roles for the CA
 • Select the CA Server Type
 • Set the CA role in the cert chain
 • Choose Key Type
 • Configure Encryption Type
 • Select key length and hash for certs
 • Name the CA
 • Set the CA validity period – default is 5 years
 • Set the CA database
 • Confirm Settings
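The two-tier hierarchy from the earlier slides and the installation steps above, scripted end to end. This is an added example, not code from the deck or from Microsoft; it uses the ADCSDeployment cmdlets of Windows Server 2012 and later, which ask the same questions as the 2008 wizard. The host names, CA names, directory paths and the http://pki.contoso.com publication URL are assumptions for illustration.

```powershell
# Added example: offline root + enterprise issuing CA with the ADCSDeployment module.
# Names, paths and URLs are assumed; adjust to your environment.

### Part 1 - on the offline root (standalone, never domain-joined) ###
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools   # "Select which roles"

$root = @{
    CAType              = 'StandaloneRootCa'    # "CA Server Type" + "role in the cert chain"
    CACommonName        = 'Contoso-Root-CA'     # "Name the CA" (assumed)
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # "Choose Key Type"
    KeyLength           = 4096                  # "Select key length ..."
    HashAlgorithmName   = 'SHA256'              # "... and hash for certs" (not SHA1)
    ValidityPeriod      = 'Years'               # "Set the CA validity period"
    ValidityPeriodUnits = 10                    # wizard default is 5; roots usually get longer
    DatabaseDirectory   = 'D:\CertDB'           # "Set the CA database" (assumed paths)
    LogDirectory        = 'D:\CertLog'
    Force               = $true                 # "Confirm Settings" without prompting
}
Install-AdcsCertificationAuthority @root

# Clients can never reach an offline box, so CDP/AIA must point at a web server that is
# online. Flag prefix: 1 = write the file here on publish, 2 = put this URL in issued certs.
$local = "$env:windir\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs    "1:$local\%3%8%9.crl\n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:http://pki.contoso.com/pki/%1_%3%4.crt"
certutil -setreg CA\CRLPeriodUnits 26        # a root that is powered on twice a year
certutil -setreg CA\CRLPeriod 'Weeks'
Restart-Service certsvc
certutil -crl                                # publish the first CRL
# Copy $local\*.crt and *.crl to the web server, and from a domain member with Enterprise
# Admin rights publish them to AD so domain members trust the root automatically:
#   certutil -dspublish -f Contoso-Root-CA.crt RootCA
#   certutil -dspublish -f Contoso-Root-CA.crl

### Part 2 - on the domain-joined issuing CA ###
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert -IncludeManagementTools

$sub = @{
    CAType                = 'EnterpriseSubordinateCa'
    CACommonName          = 'Contoso-Issuing-CA1'                # assumed
    CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength             = 4096
    HashAlgorithmName     = 'SHA256'
    OutputCertRequestFile = 'C:\Contoso-Issuing-CA1.req'         # parent is offline, so emit a CSR
    Force                 = $true
}
Install-AdcsCertificationAuthority @sub
# Carry the .req to the root on removable media and sign it there (standalone CAs hold
# requests as pending until an administrator issues them):
#   certreq -submit -config 'ROOTHOST\Contoso-Root-CA' C:\Contoso-Issuing-CA1.req   # prints RequestId N
#   certutil -resubmit N
#   certreq -retrieve N C:\Contoso-Issuing-CA1.cer
# Back on the issuing CA, install the signed certificate and start the service:
certutil -installcert C:\Contoso-Issuing-CA1.cer
Start-Service certsvc

# Check: every CDP and AIA URL in the new CA certificate must be fetchable, or clients
# will fail chain building later. Fix this before issuing a single certificate.
certutil -verify -urlfetch C:\Contoso-Issuing-CA1.cer

Install-AdcsWebEnrollment -Force       # serves http(s)://<server>/certsrv
Install-AdcsOnlineResponder -Force     # OCSP; still needs a revocation configuration
```

The root's CRL lifetime is the one setting to think hardest about: it has to outlast the gap between the times the root is powered on, or every certificate under it stops validating when the CRL expires.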
Managing Certificates

 • Now that you have a server set up, what can you
   do with it? Manage and issue certificates
 • Managing certificates involves:
    – Deciding whether to use the canned templates
      or to copy and modify them
    – Telling the certificate server which certificates it is
      allowed to issue
Determine if you want to use canned templates
• Certificate server comes with a series of canned templates
  allowing for authentication, encryption, etc.
Which certificates allowed to issue

 • Just because you have the template doesn’t mean the CA
   can issue that certificate type
 • You have to publish it on the CA for issue
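Publishing a template on the issuing CA, preceded by the check a practitioner wants before doing so: who the template lets enroll, and whether it lets the requester pick the subject name. This is an added example, not the deck's own; it assumes the ADCSAdministration module on the CA, the ActiveDirectory module for reading the template from the configuration partition, and uses the built-in WebServer template as the example.

```powershell
# Added example: inspect a template's enrollment rights, then publish it on the CA.
Import-Module ADCSAdministration, ActiveDirectory

$templateName = 'WebServer'   # built-in template; any published template name works

# 1. Templates live in the configuration partition, not on the CA server itself
$templatePath = 'CN={0},CN=Certificate Templates,CN=Public Key Services,CN=Services,{1}' -f `
    $templateName, (Get-ADRootDSE).configurationNamingContext

# 2. Who may enroll? Enroll is the extended right with this well-known GUID;
#    GenericAll on the template object implies it as well.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
(Get-Acl "AD:\$templatePath").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ObjectType -eq $enrollRight -or $_.ActiveDirectoryRights -match 'GenericAll') } |
    Select-Object IdentityReference, ActiveDirectoryRights

# 3. Does the requester choose the subject? Bit 0x1 of msPKI-Certificate-Name-Flag
#    (ENROLLEE_SUPPLIES_SUBJECT). Fine for a web-server template handed to admins,
#    dangerous on a template that authenticates users if the Enroll ACL is broad.
$flags = (Get-ADObject -Identity $templatePath -Properties 'msPKI-Certificate-Name-Flag').'msPKI-Certificate-Name-Flag'
if ($flags -band 0x1) {
    Write-Warning "$templateName lets the enrollee supply the subject; keep its Enroll ACL tight"
}

# 4. Publish it: only after this will the CA honour requests naming the template
Add-CATemplate -Name $templateName -Force

# 5. Confirm, two ways (the second is the certutil equivalent of the MMC list)
Get-CATemplate | Where-Object Name -eq $templateName
certutil -CATemplates
```

Run it on the issuing CA as a CA administrator; the ACL read needs only domain-user rights, the publish step needs the CA Administrator role.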
Requesting and Issuing Certificates

 • Three ways to get certificates issued
    – Request it through the web site
    – Request it through the Certificates MMC
    – Get it requested on your behalf
Request through website

 • If Web Enrollment is installed, an IIS site at
    – http://<server name>/certsrv
 • Serve it over HTTPS: the enrollment pages handle
   credentials and, on current releases, refuse to
   complete a request over plain HTTP
Request it through the Certificates MMC

 • On the client machine run MMC and add the
   Certificates snap-in

 • Finally you will be able to see the certificate in
   your repository
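The scriptable counterpart of the web-site and MMC requests above: the same enrollment, driven from PowerShell and certreq so it can be repeated and audited. This is an added example, not from the deck; it assumes an enterprise CA reachable as ca01.contoso.com\Contoso-Issuing-CA1 that has published the WebServer template, and a host named web01.contoso.com (all assumed).

```powershell
# Added example: request and install a certificate without the web site or the MMC.

# Option A: one cmdlet from the PKI module. Enrolls directly against the enterprise
# CA when the template's Enroll ACL permits this machine (or the running user).
Get-Certificate -Template 'WebServer' -SubjectName 'CN=web01.contoso.com' `
    -DnsName 'web01.contoso.com' -CertStoreLocation 'Cert:\LocalMachine\My'

# Option B: the explicit three-step certreq flow. Useful when the request must be
# reviewed, approved by a certificate manager, or submitted from another machine.
$inf = @"
[NewRequest]
Subject = "CN=web01.contoso.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.contoso.com&"
"@
Set-Content -Path 'C:\web01.inf' -Value $inf

certreq -new C:\web01.inf C:\web01.req                         # generates the key pair, writes the CSR
certreq -submit -config 'ca01.contoso.com\Contoso-Issuing-CA1' C:\web01.req C:\web01.cer
certreq -accept C:\web01.cer                                   # binds the issued cert to its private key

# Check: the certificate is in the repository and is paired with a private key
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq 'CN=web01.contoso.com' |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Exportable = FALSE is deliberate: a server key that cannot leave the machine's key store is the cheapest protection against the certificate walking off with an admin's profile. If the CA is configured to hold requests for approval, certreq -submit prints a pending RequestId and the accept step happens after a certificate manager issues it.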
