PKI in a Web Services World
Chris Macaulay, Program Manager, Microsoft
Steve Roylance, Business Development Director, GlobalSign (session SIA316)
Masakazu Asano, Manager, GlobalSign K.K.
Business Ready Security
Help securely enable business by managing risk and empowering people.
Highly secure and inter-operable platform:
- Identity: integrate and extend security across the enterprise
- Protect everywhere, access anywhere
- Simplify the security experience and manage compliance
From: Block, Cost, Siloed. To: Enable, Value, Seamless.
Agenda
- Session goals
- Conceptual enrollment architecture
- Using enrollment web services with GlobalSign
- GlobalSign enrollment architecture
- Windows enrollment architecture
- Using enrollment web services in the enterprise
- Summary
Session Goals
- Provide an architecture overview of Certificate Enrollment
- Introduce the Certificate Enrollment Web Services
- Demonstrate scenarios where you can use Certificate Enrollment Web Services: automating the certificate lifecycle for web servers, and extending the reach of the Enterprise PKI beyond the corporate network boundaries
Public Key Infrastructure: Windows 7 Investments
- Enrollment using Web services
- Server consolidation
- Improve existing scenarios
- Strong Authentication
Conceptual Enrollment Architecture
The Policy Authority provides certificate enrollment policy to a requestor (the Enrollment Client).
Certificate Enrollment policy consists of:
- A unique identifier
- A collection of certificate templates
- A collection of certificate issuers
Certificate Enrollment Policy is the central point of PKI management for administrators.
Conceptual Enrollment Architecture (continued)
The roles around the Enrollment Client and what each provides:
- Policy Authority: provides certificate enrollment policy to a requestor
- Certification Authority: receives, processes and responds to certificate requests
- Authentication Authority: provides or validates authentication information
- Identity Authority: provides identity information (LDAP in the diagram)
Legacy Enrollment in Windows
Authentication Authority: Kerberos. Identity Authority: Active Directory. Certification Authority: ADCS CA, reached over DCOM.
1. Client requests certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns to client
Certificate Enrollment Web Services
Two Web services protocols:
- Certificate enrollment policy [MS-XCEP]
- Certificate enrollment [MS-WSTEP]
Properties:
- HTTPS based, so firewall-friendly
- Practical to implement
- Integrate with non-enterprise issuers: public root integration for Web SSL, and hosted PKI
- Make the enterprise better: extend existing PKI investments with little effort and no additional ongoing cost
A Leading Public Certification Authority
Steve Roylance, Business Development Director, GlobalSign Limited (UK)
Masakazu Asano, Technical Team Manager, GlobalSign KK (Japan)
Who is GlobalSign?
- Global offices in the US, Europe, Japan and China; part of GMO Internet (ticker TSE:9449)
- Certification Authority credentials: second longest operational Certification Authority in Europe; owner of the highly ubiquitous 2048 bit GlobalSign Root CA; WebTrust compliant since 2002; WebTrust for Extended Validation compliant and CABForum member
- Provider of SSL certificates, Digital IDs for people / machines, Code (Kernel) Signing, document security and compliance solutions
- Directly issued over 1.4 million digital certificates; issued over 150,000 SSL Server certificates; over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root
SSL Certificate deployment continues to grow
- Legislation & compliance (PCI) and best practice to protect consumers/stakeholders
- Cryptographic technology shift from 1024 bit to 2048 bit in readiness to support NIST's December 31, 2010 guideline
- Ubiquity, while important, now ranks behind lifecycle management tools as the focus for both the SSL certificate provider and platform vendor
[Chart: "The SSL Certificate Business" (estimated). Certificate counts by validation type (Extended, Domain, Organization, All), 2001 to 2011. Data from Netcraft SSL Survey March 2009 (www.netcraft.com).]
Challenges with SSL Certificates
- Certificate Signing Request (CSR) generation (1024 bit versus 2048 bit): industry awareness; inconsistent CSR rules (OIDs, extensions, hashing etc.); lack of standard (or user friendly) tools for CSR generation
- Limitations in IIS for renewals: limited flexibility to periodically renew (new CSR needed); limited flexibility for additional subject alternative names during the certificate's lifetime
- General limitations: complicated multi-page web experiences; no yearly (or periodic) automation for renewals; complex terminology for non-tech savvy buyers
Today's SSL Experience
[Flow diagram] Steps shown: Register; Validate; Create CSR; Download Certificate; Save as...; Install Intermediates; Save as...; Install Certificate.
Validation tiers:
- DomainSSL (Domain Validation): challenge response and/or WHOIS verification of domain ownership
- OrganizationSSL (Organization Validation and authorization): verification of organizational existence and authorization of the SSL certificate request
- ExtendedSSL (Extended Validation checking): validation of business registration details, physical existence and a higher degree of verification of the contract signer's authority
GlobalSign's New SSL Enrollment
[Flow diagram] Steps shown: Register; Validate; Enroll and Install.
Validation tiers (DomainSSL, OrganizationSSL, ExtendedSSL) are unchanged:
- DomainSSL (Domain Validation): challenge response and/or WHOIS verification of domain ownership
- OrganizationSSL (Organization Validation and authorization): verification of organizational existence and authorization of the SSL certificate request
- ExtendedSSL (Extended Validation checking): validation of business registration details, physical existence and a higher degree of verification of the contract signer's authority
Demo: SSL Certificate Purchasing & Registration
Steve Roylance, Business Development Director, GlobalSign Limited
Benefits of Windows and Web Services With GlobalSign
- New Windows APIs oriented around "in session" issuance for a low friction user experience
- No need for CSR generation!
- Simplifies the purchasing experience with lower requirements from the client
- Web Services configuration and enrollment can happen in a single low-prompt interaction
- Renewals can happen automatically!
Renewal Challenges
- Most SSL websites are long lived, but on average certificates are issued for 1 year
- 65-75% of customers renew (5-10% attrition, 20% stop)
- Process for a renewed certificate is the same as a new certificate: same request generation and web experience, same validation, same PAIN!
- After renewal, must reconfigure the web server
SSL Scenario Summary
- SSL certificates are growing in usage: consider SSL and EV certificates to protect your intranet, extranet and internet web assets today
- Windows eases the enrollment pain: low friction enrollment; no-touch and low-touch renewal and lifecycle management
- GlobalSign and Microsoft provide a better-together experience for your certificate needs
SSL Scenario Architecture Overview
Two new Certificate Enrollment Protocols:
- Certificate Enrollment Policy [MS-XCEP]
- Certificate Enrollment [MS-WSTEP]
Flow:
- Certificate Enrollment Policy is configured by GlobalSign using Web APIs
- GlobalSign provides Enrollment Web Services
- Windows autoenrollment retrieves Certificate Enrollment Policy and enrolls for certificates
- Windows autoenrollment renews the certificate
- IIS uses the renewed SSL certificate
GlobalSign Enrollment Architecture
[Diagram] Policy Authority: GlobalSign Enrollment Policy Web Service, backed by the GlobalSign Policy Store (configuration). Certification Authority: GlobalSign Enrollment Web Service in front of the GlobalSign CA. The Enrollment Client reaches both over HTTPS.
1. Client reads certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns to client
ADCS Web Services Architecture
Two new ADCS role features:
- Certificate Enrollment Policy Web Service: uses Active Directory stored certificate templates
- Certificate Enrollment Web Service: provides the web services for access to a Windows CA
New Group Policy controls for Certificate Enrollment Policy management.
Windows Architecture
[Diagram, shown twice in the deck; the second copy labels the Windows CA and Active Directory as "Existing PKI Infrastructure"] Policy Authority: ADCS Enrollment Policy Web Service, backed by Active Directory. Certification Authority: ADCS Enrollment Web Service in front of the ADCS CA. The Enrollment Client reaches both over HTTPS; its enrollment policy configuration comes from Group Policy.
1. Client reads certificate enrollment policy
2. Client sends enrollment request
3. CA issues certificate and returns to client
Available Enrollment Operations
- Functional parity with the LDAP/DCOM protocol: supports new and renewed certificates; supports key archival for encryption certificates
- Supported authentication types: Kerberos; Username/Password; X.509 Certificate
- Windows autoenrollment and CertEnroll APIs support Web Services Enrollment: no application code change required!
Challenges in the Enterprise
- PKI complexity: the more complex the AD deployment, the more complex the PKI becomes
- Reaching external users: mobile and remote workers are not always on the corporate network
- Managing non-domain joined machines: employee home machines; non-domain workstations and workload servers
- Engaging with partners: strong authentication is desirable
- Managing internal and external server workloads that use SSL
- In-house PKI expertise: when can I outsource my PKI?
"I need my users to be able to renew certificates automatically, even when disconnected from the corporate network"
Renewal Challenges
- A CA in the extranet seems risky
- How do you renew your VPN certificate (SmartCard, etc.) when you are on the road?
- Branch office and mobile workers are increasingly common in the "connected" workplace
- The lifecycle costs are too high today
"Renewal Only" for Windows Server
- Windows features a renewal-only mode for the Certificate Enrollment Web Service
- Requires the user to have the original certificate, which is used to sign the renewal request
- Significant attack footprint reduction: wire traffic is well defined and scoped to the renewal operation; the CA remains in the intranet; no Kerberos delegation required; Windows requires authentication in addition to the existing certificate
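As an added example, not from the deck, the weak and the hardened deployment of the Certificate Enrollment Web Service side by side, with the authentication types from the "Available Enrollment Operations" slide and the renewal-only mode above. It uses the ADCSDeployment PowerShell cmdlets that shipped with Windows Server 2012, after these slides; the CA name, host name, thumbprint and serial number are placeholders.

```powershell
# Added example (not from the TechEd deck). Assumes the ADCSDeployment module
# (Windows Server 2012 or later) and an issuing CA "Corp Issuing CA" on host
# CA01.corp.example; both are placeholder names.

# Thumbprint of the TLS server certificate already installed on the web
# service host. Placeholder value: replace with your own.
$tlsThumb = '<TLS-CERT-THUMBPRINT>'

# Weak setting: a full enrollment service (new issuance and renewal) exposed
# to the extranet and authenticated with Kerberos, which needs delegation
# and lets any authenticated principal request new certificates.
# Install-AdcsEnrollmentWebService -CAConfig 'CA01.corp.example\Corp Issuing CA' `
#     -AuthenticationType Kerberos -SSLCertThumbprint $tlsThumb

# Hardened setting: renewal-only, authenticated with the client's existing
# X.509 certificate. Only renewal requests signed by a certificate the CA
# already issued are accepted, so the wire protocol is scoped to that one
# operation, no Kerberos delegation is needed and the CA stays intranet-only.
Install-AdcsEnrollmentWebService -CAConfig 'CA01.corp.example\Corp Issuing CA' `
    -AuthenticationType Certificate -RenewalOnly `
    -SSLCertThumbprint $tlsThumb -Force

# Client side: renew the machine certificate with the given serial number.
# The request is signed with the existing certificate and a fresh key pair
# is generated. The enrollment policy server URL itself comes from Group
# Policy, as the Windows Architecture slide describes. Placeholder serial.
$serial = '<SERIAL-NUMBER-OF-EXISTING-CERT>'
certreq.exe -enroll -machine -q -cert $serial renew
```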
Windows AutoEnrollment
- Support for multiple certificate enrollment policies
- Full support of web services enrollment
- Manages several client tasks: enrollment policy cache; server selection for enrollment operations
- Adds renewal-only request support with web services enrollment
- Runs on all Windows 7 and Windows Server 2008 R2 SKUs
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.