Page 1: Microsoft PKI and Certificate Services

Microsoft PKI and Certificate Services

Shane Hartman, GCIA, GREM, CISSP

Secure Info Systems

Page 2: Microsoft PKI and Certificate Services

• What are Certificates for

• Certificate Services Overview

• Requirements

• Certification Hierarchy

– One Tier

– Two Tier

– Multi Tier

• Server Setup

• Managing Certificates

• Requesting and Issuing Certificates

Page 3: Microsoft PKI and Certificate Services

What can you use certificates for?

• SSL/TLS for internal web servers

• Encrypting File System (EFS)

• Authentication with smart cards

• Securing email (encrypting / signing)

• VPN authentication

• 802.1X authentication (wireless, NAP)

• Document and code signing

Page 4: Microsoft PKI and Certificate Services

Overview

• Certificate Authorities are used to issue certificates to users, computers, and services

• CA Services

– Web Enrollment

– The Online Responder

– Network Device Enrollment Service

Page 5: Microsoft PKI and Certificate Services

Web Enrollment

• Web Enrollment: lets users connect to the CA with a web browser (the certsrv pages hosted in IIS) to:

– Request certificates and check the status of pending requests

– Retrieve the CA certificate and Certificate Revocation Lists (CRLs)

– Perform smart card certificate enrollment on behalf of other users (enrollment agent)

Page 6: Microsoft PKI and Certificate Services

Online Responder

• The Online Responder implements the Online Certificate Status Protocol (OCSP):

– A client sends the serial number of a single certificate and gets back a signed response saying whether it is revoked, so the client does not have to download the whole CRL

– The responder answers from the CRLs the CA has published, so it is only as current as the CRL it last fetched

Page 7: Microsoft PKI and Certificate Services

Network Device Enrollment

• The Network Device Enrollment Service (NDES) allows routers and other network devices that have no domain account to obtain certificates

• It uses the Simple Certificate Enrollment Protocol (SCEP); the device proves it is allowed to enroll with a one-time challenge password obtained from the NDES admin page, so that page and the NDES service account need the same protection as the CA itself

Page 8: Microsoft PKI and Certificate Services

Requirements (Windows 2008)

Component                                  Web   Standard   Enterprise   Datacenter
CA                                               X          X            X
Network Device Enrollment Service                           X            X
Online Responder                                            X            X
Version 2 and 3 certificate templates                       X            X
Key archival                                                X            X
Role separation                                             X            X
Certificate manager restrictions                            X            X
Delegated enrollment agent restrictions                     X            X

(X = available in that edition. The Web Server edition cannot host AD CS at all; Standard edition gets a CA limited to version 1 templates, so anything that needs a customised template, key archival or role separation requires Enterprise or Datacenter.)

Page 9: Microsoft PKI and Certificate Services

Certification Hierarchy – One Tier

• Easy to manage: a single CA is both root and issuing CA

• Lacks redundancy: if that CA fails

– It can't process incoming certificate requests or renewals

– It can't publish new certificate revocation lists, so once the last CRL expires, clients that check revocation will reject every certificate it issued

• The root private key is online on the same server that takes requests from every client, so a compromise of that server is a compromise of the whole hierarchy

Page 10: Microsoft PKI and Certificate Services

Certification Hierarchy – Two Tier

• Usually contains an offline root: kept powered off or disconnected, and used only to sign the issuing CAs and its own CRL

• One or more policy/issuing CAs beneath it, for redundancy

• Keeps the root's private key off the network: if an issuing CA is compromised, the root can revoke it and sign a replacement without the whole hierarchy having to be rebuilt

Page 11: Microsoft PKI and Certificate Services

Certification Hierarchy – Multi-Tier

• Multi-Tier involves three or more levels (for example root, policy and issuing CAs)

• Distribution can be organized by

– Geography, function, etc.

Page 12: Microsoft PKI and Certificate Services

Installing Certificate Server

Page 13: Microsoft PKI and Certificate Services

Things to note before starting

Page 14: Microsoft PKI and Certificate Services

Select which roles for the CA

Page 15: Microsoft PKI and Certificate Services

Select the CA Server Type

Page 16: Microsoft PKI and Certificate Services

Set the CA role in the cert chain

Page 17: Microsoft PKI and Certificate Services

Choose Key Type

Page 18: Microsoft PKI and Certificate Services

Configure Encryption Type

Page 19: Microsoft PKI and Certificate Services

Select key length and hash for certs

Page 20: Microsoft PKI and Certificate Services

Name the CA

Page 21: Microsoft PKI and Certificate Services

Set the CA validity period – Default is 5 years (the CA's own certificate must outlive everything it issues, so pick a period that covers the subordinate CA and end-entity lifetimes beneath it)

Page 22: Microsoft PKI and Certificate Services

Set the CA database

Page 23: Microsoft PKI and Certificate Services

Confirm Settings
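The wizard screens above (CA type, role in the chain, key and cryptography, name, validity period, database location) map one-to-one onto the ADCSDeployment cmdlets that Windows Server 2012 and later ship; the following is an added example, not part of the original deck and not Microsoft's own sample, that builds the two-tier hierarchy from Page 10 with those cmdlets: an offline standalone root and an enterprise issuing CA. The CA names, the pki.example.com publication host, the D:\ paths and the request file name are assumptions.

```powershell
# Added example (not from the original deck). Windows Server 2012+ ADCSDeployment and
# ADCSAdministration cmdlets; CA names, pki.example.com, drive paths and file names are assumed.
#Requires -RunAsAdministrator

# Where clients will fetch CRLs and CA certificates. An offline root cannot serve anything
# itself, so its CDP/AIA must point at an always-on HTTP host, never at the root server.
$PublishHost = 'http://pki.example.com/CertEnroll'

function Set-ExamplePublicationUrls {
    # Drop the default LDAP/HTTP/UNC entries (they name the CA's own host) but keep the
    # local file entry the CA publishes to; then add one HTTP CDP and one HTTP AIA entry.
    Get-CACrlDistributionPoint |
        Where-Object { $_.Uri -like 'ldap:*' -or $_.Uri -like 'http:*' -or $_.Uri -like 'file:*' } |
        ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
    Add-CACrlDistributionPoint -Uri "$PublishHost/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
        -AddToCertificateCdp -AddToFreshestCrl -Force
    Get-CAAuthorityInformationAccess |
        Where-Object { $_.Uri -like 'ldap:*' -or $_.Uri -like 'http:*' -or $_.Uri -like 'file:*' } |
        ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
    Add-CAAuthorityInformationAccess -Uri "$PublishHost/<ServerDNSName>_<CaName><CertificateName>.crt" `
        -AddToCertificateAia -Force
}

function Install-ExampleRootCa {
    # Offline root: a standalone (non-domain) CA whose only job is to sign issuing CAs.
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    $root = @{
        CAType              = 'StandaloneRootCA'   # "Select the CA Server Type" + "Set the CA role in the cert chain"
        CACommonName        = 'Example Root CA'    # "Name the CA"
        CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'  # "Configure Encryption Type"; use an HSM KSP in production
        KeyLength           = 4096                 # "Select key length and hash for certs"
        HashAlgorithmName   = 'SHA256'
        ValidityPeriod      = 'Years'              # "Set the CA validity period": the root outlives its subordinates
        ValidityPeriodUnits = 10
        DatabaseDirectory   = 'D:\CertDB'          # "Set the CA database" (assumed paths)
        LogDirectory        = 'D:\CertLog'
        Force               = $true
    }
    Install-AdcsCertificationAuthority @root
    Set-ExamplePublicationUrls
    # A long CRL period for the offline root: it is re-signed only when a sub CA is revoked
    # or the CRL is about to expire. Let it lapse and every chain below it fails (Page 9).
    certutil -setreg CA\CRLPeriodUnits 26
    certutil -setreg CA\CRLPeriod 'Weeks'
    Restart-Service certsvc
    certutil -crl   # publish the first root CRL; copy it and the root .crt to $PublishHost by hand
}

function Install-ExampleIssuingCa {
    # Enterprise subordinate on a domain member: the CA that actually issues to users and machines.
    Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert -IncludeManagementTools | Out-Null
    $sub = @{
        CAType                = 'EnterpriseSubordinateCA'
        CACommonName          = 'Example Issuing CA 1'
        CryptoProviderName    = 'RSA#Microsoft Software Key Storage Provider'
        KeyLength             = 4096
        HashAlgorithmName     = 'SHA256'
        DatabaseDirectory     = 'D:\CertDB'
        LogDirectory          = 'D:\CertLog'
        OutputCertRequestFile = 'C:\ExampleIssuingCA1.req'   # carry to the offline root on removable media
        Force                 = $true
    }
    # No validity period here: the root decides how long the subordinate's certificate lives.
    Install-AdcsCertificationAuthority @sub
    # On the root:   certreq -submit C:\ExampleIssuingCA1.req   (request is left pending)
    #                certutil -resubmit <RequestId>              (issue it)
    #                export the issued certificate to C:\ExampleIssuingCA1.crt
    # Back here:     certutil -installcert C:\ExampleIssuingCA1.crt
    #                Start-Service certsvc
}
```

Run Install-ExampleRootCa on the root server before it is taken offline, and Install-ExampleIssuingCa on the domain-joined issuing CA; the subordinate's service stays stopped until the root-signed certificate is installed with certutil -installcert.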

Page 24: Microsoft PKI and Certificate Services

Managing Certificates

• Now that you have a server set up, what can you do?

• Manage and issue certificates

• Managing certificates involves:

– Deciding whether to use the canned templates as they are or to copy and modify them

– Telling the certificate server which certificate templates it is allowed to issue

Page 25: Microsoft PKI and Certificate Services

Determine if you want to use canned templates

• Certificate server comes with a series of canned templates for authentication, encryption, etc. They live in Active Directory and are shared by every enterprise CA in the forest, and the version 1 templates cannot be modified beyond their permissions, so duplicate a template and edit the copy rather than changing the original.

Page 26: Microsoft PKI and Certificate Services

Which certificates allowed to issue

• Just because the template exists in Active Directory doesn't mean this CA can issue its certificate type.

• You have to publish it on the CA (Certificate Templates → New → Certificate Template to Issue) before clients can request it. Check the template's Enroll permissions and whether the requester may supply the subject name before publishing: every principal that can enroll can obtain that certificate.
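The two steps above (decide which templates to modify, then tell the CA what it may issue) come down to a few commands; the following is an added example, not from the original deck, that lists what the CA currently publishes, publishes one more template, and reads each published template back from Active Directory to show the settings worth checking before a modified copy goes live: who may enroll, whether the requester supplies the subject name, and whether the certificate is usable for client (logon) authentication. It needs the ActiveDirectory module and Windows Server 2012+ ADCSAdministration cmdlets; the WebServer template name is an assumption.

```powershell
# Added example (not from the original deck). Assumes the ActiveDirectory and
# ADCSAdministration modules are available and the CA runs locally.
Import-Module ActiveDirectory

$CLIENT_AUTH_EKU                   = '1.3.6.1.5.5.7.3.2'
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                                     # bit in msPKI-Certificate-Name-Flag
$ENROLL_RIGHT_GUID                 = '0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right

function Get-PublishedTemplateName {
    # certutil -CATemplates prints one template per line as "Name: Display Name -- ...",
    # followed by a "CertUtil: ... completed" line that must be skipped.
    certutil -CATemplates | ForEach-Object {
        if ($_ -match '^(\S+):' -and $Matches[1] -ne 'CertUtil') { $Matches[1] }
    }
}

function Publish-ExampleTemplate {
    param([string]$Name = 'WebServer')   # assumed template name
    # "Which certificates allowed to issue": the template must be published on this CA.
    # Equivalent legacy command: certutil -SetCATemplates +$Name
    Add-CATemplate -Name $Name -Force
}

function Get-TemplateRisk {
    param([string[]]$TemplateName)
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    foreach ($name in $TemplateName) {
        $t = Get-ADObject -SearchBase $base `
             -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$name))" `
             -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
        if (-not $t) { continue }
        $nameFlag  = [int]$t.'msPKI-Certificate-Name-Flag'
        # Principals granted the Enroll right, or GenericAll (which implies it)
        $enrollers = $t.nTSecurityDescriptor.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ActiveDirectoryRights -match 'GenericAll')
            } | ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Template                = $name
            ClientAuthEKU           = [bool]($t.pKIExtendedKeyUsage -contains $CLIENT_AUTH_EKU)
            EnrolleeSuppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
            Enrollers               = ($enrollers -join ', ')
        }
    }
}

Publish-ExampleTemplate -Name 'WebServer'
# A row with ClientAuthEKU and EnrolleeSuppliesSubject both True and a broad Enrollers
# list (e.g. Domain Users) lets any enrollee request a logon certificate for a subject
# of their choosing; tighten the copy before publishing it.
Get-TemplateRisk -TemplateName (Get-PublishedTemplateName) | Format-Table -AutoSize
```

The check reads the template objects from the configuration partition rather than from the CA, because that is where the permissions and name flags are stored; the CA only holds the list of names it is allowed to issue.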

Page 27: Microsoft PKI and Certificate Services

Requesting and Issuing Certificates

• Three ways to get certificates issued

– Request it through the web site

– Request it through the Certificates MMC snap-in

– Have it requested on your behalf (by an enrollment agent, or automatically through autoenrollment policy)

Page 28: Microsoft PKI and Certificate Services

Request through website

• If Web Enrollment was installed, an IIS website is available at

– http://<server name>/certsrv (serve it over HTTPS; with plain HTTP the user's credentials and the request travel in the clear)

Page 29: Microsoft PKI and Certificate Services

Request through website II

Page 30: Microsoft PKI and Certificate Services

Request it through certificates MMC

• On the client machine run MMC and add the Certificates snap-in

Page 31: Microsoft PKI and Certificate Services

Request it through certificates MMC

Page 32: Microsoft PKI and Certificate Services

Request it through certificates MMC

• Finally the certificate appears in your Personal store (Certificates – Current User → Personal → Certificates), paired with the private key that was generated on the client