The New Rocket Science Stuff in Microsoft PKI

Transcript of "The New Rocket Science Stuff in Microsoft PKI"

Roger A. Grimes, Microsoft
Presenter Bio

Roger A. Grimes: CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
• PKI installer for over 10 years
• Taught Microsoft PKI to Verisign
• Principal Security Architect for Microsoft InfoSec ACE Team
• InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
• 23-year Windows security consultant, instructor, and author
• Author of seven books on computer security, including:
  Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
  Professional Windows Desktop and Server Hardening (Dec. 2005)
  Malicious Mobile Code: Virus Protection for Windows (O'Reilly, 2001)
  Honeypots for Windows (Apress, December 2004)
• Author of over 300 national magazine articles on computer security
Roger's Books
Presentation Summary
• Quick PKI Terminology Overview
• W2K8\R2 New Features Summary
• Installing a W2K8 PKI CA
• New Features Review: New Ciphers, Version 3 Templates, Restricted KRA and Enrollment Agents, OCSP, NDES, Web Enrollment Service, Cross-Forest Enrollment, Clustering
Public Key Infrastructure: Quick Primer
Why PKI?
• Primarily, PKI exists to authenticate the identities and their cryptographic keys involved in cryptographic transactions
• PKI says to the consumer of PKI certs: if you trust me, then the certificate is from who it says it is from, and that is their encryption key
• Principal = subject = user, computer, device, or service
Public Key Infrastructure Primer
[Figure: a certificate signed by a trusted CA compared with a self-signed certificate]
Components of a PKI
• Certificate and CA Management Tools
• Certification Authority
• Certificate and CRL Distribution Points
• Certificate Template
• Digital Certificate
• Certificate Revocation List
• Public Key-Enabled Applications and Services
Certification Authority (CA) Duties
• Main: confirm the identity of the certificate requestor
• Configure templates and publish them for subjects to enroll against (i.e. request)
• Issue certificates
• Revoke certificates
• Digital encryption keys are just a series of binary bits (1's and 0's) used (i.e. mathematically applied) to obscure plaintext content
• Computers often represent keys as ASCII or hexadecimal characters
• Today, a typical key size ranges from a few dozen bits to thousands; 128-bit to 4096-bit keys are very normal
• Why can't a hacker just guess the key? Because with good crypto, brute-force guessing would take more than "atoms in the known universe"
[Figure: example digital encryption key]
Two major types of encryption keys:
• Symmetric: the same key is used to lock and unlock
• Asymmetric: different keys are used to lock and unlock; called private/public key cryptography
• Most programs using asymmetric ciphers also use symmetric ciphers as part of their encryption process
Popular Public Symmetric Encryption Ciphers
• Data Encryption Standard (DES): 56-bit strength (64-bit key); improved versions: 3DES, DESX (DES Extended)
• Advanced Encryption Standard (AES): became U.S. gov't standard in 2002; Windows (and nearly every other OS) standard today; 128-bit keys or larger, 256-bit or larger is normal
• IDEA, Blowfish, RC4, RC5, CAST-128
Popular Public Symmetric Encryption Ciphers (cont'd)
• Most applications should strive to use AES for symmetric encryption
• Windows XP SP1 and later supports AES; if you have XP and don't have SP1 or later installed, you probably don't have AES
• If you can't use AES: use 3DES (168-bit key, 112 effective bit length, still FIPS certified); or DESX (184-bit key, 118 effective bits)
• Don't use DES (64-bit key, 56-bit effective) anymore
Symmetric key encryption has several benefits over asymmetric encryption:
• Faster
• More secure for a stated key size
• Better tested over time
Asymmetric Cryptography
• Solves the problem of how to securely transmit the secret key(s) between source and destination, plus adds non-repudiation (when used with hash/signature)
• Private/public key pair: one key is used to encrypt, another key is used to decrypt; the keys are mathematically related and unique to each other
Asymmetric Cryptography (cont'd)
• Private/public key pair. Central point: what one key can encrypt, the other can decrypt
• Besides the key pair, no other key can decrypt what the other key encrypted
• All participating parties should have their own key pairs
Asymmetric Cryptography (cont'd)
• Private key: only the single owner/user should possess it; no one else should ever see it; it needs to be protected against unauthorized use/viewing/change
• Public key: the "world" can possess and see it
Asymmetric crypto
• Whatever the public key encrypts, the private key can decrypt: encryption
• Whatever the private key encrypts, the public key can decrypt: signing/authentication
Popular Public Asymmetric Encryption Ciphers
• RSA, Diffie-Hellman, ElGamal, DSS/DSA, Elliptic Curve Cryptography (ECC)
• RSA and Diffie-Hellman are the most popular, but ECC is gaining
• All are supported in today's Windows OSs by default except ElGamal (which can be added by a 3rd party)
[Figure: asymmetric encryption example, TLS/SSL]
Mixed Cipher Usage
Supported IE ciphers (XP and before):
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_DHE_DSS_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
• TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
• TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_CK_DES_64_CBC_WITH_MD5
• SSL_CK_RC4_128_EXPORT40_WITH_MD5
Mixed Cipher Usage (cont'd)
Supported IE ciphers (Vista and later), in preference order:
• TLS w/RSA w/128-bit AES, then 256-bit AES
• TLS w/RSA w/RC4, then 3DES
• TLS w/ECC w/128-bit AES, then 256-bit AES
• SHA 256-bit to 521-bit
• TLS w/ECC/RSA w/AES and SHA
• TLS w/DSS w/128-bit AES, then 256-bit AES
• Mixture of (mostly) TLS intermingled with SSL
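As an added example, not part of the deck: a Python classifier that parses the cipher-suite names listed on these two slides and rates each one by the deck's own guidance (AES preferred, 3DES acceptable, DES and export-grade suites avoided). The XP-era list is taken from the slide; the Vista-era names are constructed here in IANA form from the slide's prose.

```python
import re

# Constructed sample inputs: the XP-era IE suites the slide lists, plus a few
# Vista-era suites written out in IANA form from the slide's prose.
XP_ERA_SUITES = [
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_CK_DES_64_CBC_WITH_MD5",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
]
VISTA_ERA_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
]

# Effective key strength for ciphers whose names carry no usable number:
# the deck gives DES as 64-bit key / 56 effective and 3DES as 168 / 112 effective.
EFFECTIVE_BITS = {"DES": 56, "3DES": 112}


def parse_suite(name):
    """Split an IANA-style suite name into protocol, key exchange, bulk cipher,
    effective key bits, MAC and an export-grade flag."""
    if name.startswith("SSL_CK_"):
        # SSLv2 spelling: SSL_CK_<cipher>_WITH_<mac>; SSLv2 only ever used RSA
        proto, kx = "SSLv2", "RSA"
        cipher_part, mac = name[len("SSL_CK_"):].rsplit("_WITH_", 1)
    else:
        m = re.fullmatch(r"(TLS|SSL)_(.+?)_WITH_(.+)", name)
        if not m:
            raise ValueError(f"unrecognised suite name: {name}")
        proto, kx, body = m.groups()
        proto = "TLS" if proto == "TLS" else "SSLv3"
        tokens = body.split("_")
        cipher_part, mac = "_".join(tokens[:-1]), tokens[-1]
    export = "EXPORT" in kx or "EXPORT" in cipher_part
    kx = re.sub(r"_EXPORT\d*$", "", kx)          # RSA_EXPORT1024 -> RSA

    tokens = cipher_part.split("_")
    algorithm = tokens[0]
    bits = next((int(t) for t in tokens if t.isdigit()), None)
    for t in tokens:                              # SSLv2 "EXPORT40": only 40 bits are secret
        if t.startswith("EXPORT") and t[6:].isdigit():
            bits = int(t[6:])
    bits = EFFECTIVE_BITS.get(algorithm, bits)
    return {"protocol": proto, "kx": kx, "cipher": algorithm,
            "bits": bits, "mac": mac, "export": export}


def rate(name):
    """Rate a suite by the deck's guidance: AES preferred, 3DES acceptable,
    DES and export-grade suites to be avoided. RC4 and MD5 suites, which the
    Vista-era list still carried, are flagged as legacy (both are now
    deprecated in TLS)."""
    s = parse_suite(name)
    if s["export"] or s["cipher"] == "DES":
        return "avoid"
    if s["cipher"] == "AES" and s["mac"] != "MD5":
        return "preferred"
    if s["cipher"] == "3DES":
        return "acceptable"
    return "legacy"


def audit(suites):
    """Map each suite name to its rating."""
    return {name: rate(name) for name in suites}
```

Every suite in the XP-era list rates "avoid": each is either single DES or export-grade, which is the point the two slides make side by side.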
Crypto Providers
• Crypto providers are software programs that provide cryptographic services and ciphers, and generate cryptographic keys
• Crypto providers which use the legacy Cryptographic API (CAPI) are called Cryptographic Service Providers (CSPs)
• Crypto providers that use the Cryptography Next Generation (CNG) API are called Key Storage Providers (KSPs); KSPs appear in Vista and later
Crypto Providers (CSP/KSP)
• CSPs/KSPs determine what cipher algorithms (e.g. AES, RSA, sizes, etc.) are available to use
• Windows comes with many default CSPs
• Prior to Vista, only CSPs by default; with Vista and later, both CSPs and KSPs can be used; only Vista and later recognizes KSPs
• Can use the default ones in Windows, or 3rd-party vendors can install their own; often you can choose between Windows defaults or a vendor-supplied CSP\KSP
Crypto Provider Example
To use a smart card you need:
• A smart card
• A PKI to issue certs to the smart card
• A smart card reader
• A KSP/CSP that works with smart cards
• The smart card reader and KSP/CSP must be installed wherever you plan to use the smart card, plus on the CA where templates are created or published
Crypto in Microsoft Certificate Services
• Can use any cipher provided by an installed Crypto Provider (KSP\CSP) module
• Defaults are: Diffie-Hellman, RSA, ECC; DSS; MD5, SHA1; AES, DES, 3DES, DESX
Suite B
• Set of algorithms required by US gov't starting in 2007
• AES 128 and 256, SHA-2 (SHA-256, SHA-384, SHA-512), ECC
• Vista and later is Suite B compliant
Certificates in Windows
Ways to request certificates:
• Autoenrollment (XP and above)
• Automatic Certificate Requests (Windows 2000 machine certs)
• Certificate Manager (certmgr.msc) GUI
• Web Enrollment
• Certreq.exe
• Programmatically
• Email (manual process, can be automated)
• Network Device Enrollment Service (NDES)
• Manually (sneaker net)
• Registration Authority (e.g. CLM/ILM/FIM)
Certificates in Windows (cont'd)
PKI security statements:
• (In most scenarios) you should have at least two CAs: an offline root and one or more online issuing CAs
• No other server roles on any CA
• If your root CA has been connected to your network, it should be considered compromised, and the entire PKI and every valid issued cert replaced
W2K8\R2 Certificate Services: New Feature Summary
Certificate Services 2008 vs. 2003
Main new "feature": now known as ADCS, Active Directory Certificate Services
Certificate Services 2008 vs. 2003 (cont'd)
• Certificate Services is 90% the same between versions; an admin on one can easily do most of the basics on the other
• Certificate Services is now a W2K8 server "role"
• Uses the Cryptography Next Generation API; CryptoAPI is legacy (also present)
• Supports Suite B ciphers
• Supports version 3 certificate templates, with new KSPs and Suite B ciphers
More Secure
• W2K8 and Certificate Services is more secure; W2K8 is significantly more secure
• More secure defaults
• Windows Firewall (enabled by default)
• Improved ciphers
• Improved key protection, not that keys were ever compromised in the wild anyway
Online Certificate Status Protocol
• Improved revocation checking protocol
• W2K8 can be an OCSP Responder: a new CA role service, deployed as an IIS ISAPI application
• W2K8 is an OCSP client, too, along with Vista and later
• New OCSP tools
Restricted KRAs and Enrollment Agents
• Restricted KRAs; restricted Enrollment Agents
• In W2K3, KRAs and Enrollment Agents were global
• In W2K8, they can be restricted by template or security group
• Not available on Standard CA
Template Changes
• 2 new default templates: Kerberos Authentication (supersedes DC certs) and OCSP Response Signing
• LoadDefaultTemplates=0: put in CAPolicy.inf to prevent auto-publishing of default templates; in W2K3 SP1, too (Standalone CAs only)
Template Changes (cont'd): Version 3 Certificate Templates
• For Vista and later (don't use with XP and W2K3)
• Uses new CSPs: Cryptography Next Generation (CNG)
• New Cryptography tab for detailing crypto; v2.0 templates have a CSP button with fewer choices
• Uses AES-256 to transport the private key to and from the enrollment client (instead of 3DES)
• New field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios
Network Device Enrollment Service (NDES)
• For issuing certs to SCEP-compatible devices; Simple Certificate Enrollment Protocol, invented by Cisco
• Receives and processes SCEP enrollment requests on behalf of software running on network devices
• Retrieves pending requests from the CA
• Generates and provides one-time enrollment passwords to administrators
Network Device Enrollment Service (NDES) (cont'd)
• Now a built-in role; was a W2K3 add-on called MSCEP
• Runs as an IIS ISAPI app
• Can run on non-CA servers
• Enhanced security; for example, can require a password
• Wide range of template use
• Can now renew NDES certs
Web Enrollment Website Updated
• Some good and interesting changes
• Now easier to put on a non-CA server
• Uses Certenroll.dll instead of xenroll.dll; pre-Vista OS must use the older dll; can install both on the web enrollment server
• Unfortunately, does not support some new features (like KSP, v.3 templates, Suite B, etc.)
• The web enrollment web site included by Microsoft is probably being discontinued
Certificate Services 2008 vs. 2003
• Supports Issuer Distribution Point (IDP) for partitioned CRLs
• Credential Roaming built-in (client-side); requires schema updates on older domains
• Supports clustering (W2K3 and earlier didn't)
• Replaceable random number generator
• Better auditing
Certificate Services 2008 vs. 2003
• Client can enroll on behalf of someone else
• You can rename CA servers now
• New template field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios
Certificate Services 2008 vs. 2003
• DiscreteSignatureAlgorithm: support for the newer PKCS#1 v2.1 signature format for the CA certificate (Vista and later)
• 3 new assurance levels besides low, medium, and high
• KRA-archived keys can be protected by AES instead of 3DES
• New Microsoft smart card KSP (in Vista, too)
• Supports date setting during revocation
Tools
• Supports PowerShell
• PKIView.msc built-in now; used to have to install it separately; improved functionality and bug fixes
• Supports CAPI2 diagnostics
• More tools, more scripts available
• Bad: Key Recovery Tool GUI gone; use certutil.exe instead
Pushing Certs Using GPO
• Trusted root CA certificates (W2K3 too)
• Enterprise trust certificates (W2K3 too)
• Intermediate CA certificates
• Trusted publisher certificates
• Untrusted certificates
• Trusted people (peer trust certificates)
New W2K8 R2 Features
W2K8 R2 Certificate Enrollment Services (CES)
• Don't confuse with the web enrollment web site! Website enrollment is for browser interactive sessions
• Problem to solve: all legacy enrollment services required RPC and DCOM, and lots of open RPC ports; even the web enrollment web site uses DCOM to the back-end CA
• Firewall nightmare; didn't work well across the Internet, forests, non-domain-joined machines, etc.
W2K8 R2 Certificate Enrollment Services (cont'd)
• New method is a web service, less interactive; uses TLS over 443
• New method works well in almost all scenarios (if the client enrollment process uses the new enrollment method): Windows 7\W2K8R2 and later
• Uses two new services: Certificate Enrollment Policy Web Service (the policy service) and Certificate Enrollment Web Service (the enrollment service)
W2K8 R2 Certificate Enrollment Services (cont'd)
• Certificate Enrollment Web Service: provides enrollment services; the main service
• Certificate Enrollment Policy Web Service: the client contacts it to get certificate policy information consisting of the types of certificates it can enroll for, which enrollment services to contact to enroll for them, and what type of authentication to use for each service. The client must first be configured with information about which policy server(s) to contact and how to authenticate to them
W2K8 R2 Enrollment Services (cont'd), screenshots:
• Once configured, during interactive enrollments, you'll see this
• CES are server roles
• Service uses SSL\TLS
• Clients must be configured to connect to the web site
• CES must be linked to the issuing CA
• CES web site(s)
Common Web Service Scenario
[Diagram: hosts ca.corp.contoso.com and get-certs.contoso.com; zones corp.contoso.com and dmz.contoso.com; a Domain Controller in the back end]
• Enrollment server running the ADCS role, but not a CA; running the CES and CEP role services
• Certificate requests are "proxied" through CES to the back-end CA
• Policy requests are "proxied" through CEP to the back-end Domain Controller
• Users and computers, both domain-joined and not, connect over HTTPS without a VPN
W2K8 R2 Enrollment Services (cont'd): can configure the client auth method
New R2 Stuff
• Supports cross-forest servicing
• Old CA versions required a separate PKI per forest, or limited service using cross-forest trusts and lots of pre-work; didn't work well off-intranet
• New version can support multiple forests with one PKI; works well off-net
• But requires cross-forest trusts, Kerberos auth, and Win7\W2K8R2 or later clients
Cross Forest Servicing
[Diagram: rootca.contoso.com and ca.corp.contoso.com serving the forests corp.contoso.com, dev.contoso.com and test.contoso.com]
A single CA in one forest is able to issue certificates to end entities in any trusting forest
New R2 Stuff (cont'd)
• Supports "renewal-only" mode for Internet-facing CAs, using Certificate Enrollment Service
• Supports static port 80 CA interactions (enrollment/renewal/revocation)
• Supports internet clients for enrollment/renewal/revocation when off the corporate network (great for mobile users)
Is a Schema Update Needed for W2K8 CAs?
• Schema update not needed to use almost all functionality of a W2K8 CA
• Schema update needed for Credential Roaming support, or CLM/ILM/FIM
• ACL update (using adprep /forestprep) on the Domain Controller template to let RODCs get issued DC certs
Installing ADCS

Install W2K8 CA
• Unfortunately, you still need to place a CAPolicy.inf file on the CA server before installing
Microsoft Certificate Services
CAPolicy.inf File Example - Bare Minimum for Issuing CA

```ini
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10

[CRLDistributionPoint]
URL="LDAP:///CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6,%10"
URL=http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
URL="http://www.contoso.com/PKI/IssuingCA1.crl"

[AuthorityInformationAccess]
URL="LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6,%11"
URL="http://www.contoso.ad/PKI/ContosoCA.cer"
```
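As an added example, not from the deck or from Microsoft: a Python parser and linter for the CAPolicy.inf format shown above, checking the bare-minimum file against what the deck recommends (a 4096-bit renewal key, LoadDefaultTemplates=0 from the Template Changes slide, and LDAP plus HTTP CDP/AIA URLs). The sample file is the deck's example with the LoadDefaultTemplates line added; the 2048-bit floor and the weak variant are constructed assumptions.

```python
# Constructed sample: the deck's bare-minimum issuing-CA CAPolicy.inf, with the
# LoadDefaultTemplates=0 line the deck recommends added under [Certsrv_Server].
SAMPLE_CAPOLICY = """\
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0

[CRLDistributionPoint]
URL="LDAP:///CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6,%10"
URL=http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
URL="http://www.contoso.com/PKI/IssuingCA1.crl"

[AuthorityInformationAccess]
URL="LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6,%11"
URL="http://www.contoso.ad/PKI/ContosoCA.cer"
"""

# Constructed weak variant: 1024-bit renewal key, no LoadDefaultTemplates line,
# and the curly quotes that a copy-paste from a slide deck leaves behind.
WEAK_CAPOLICY = (SAMPLE_CAPOLICY
                 .replace("LoadDefaultTemplates=0\n", "")
                 .replace("RenewalKeyLength=4096", "RenewalKeyLength=1024")
                 .replace('"$Windows NT$"', "\u201c$Windows NT$\u201d"))

# Object-class token and file extension the deck's example uses in each section
# (%10 = CDP object class, %11 = CA object class in certutil's URL variables).
SECTION_RULES = {
    "crldistributionpoint": ("%10", ".crl"),
    "authorityinformationaccess": ("%11", ".cer"),
}


def parse_capolicy(text):
    """Return {section: [(key, value), ...]}. Keys such as URL repeat, which is
    why configparser is not used; names are lowered because .inf files are
    case-insensitive. Surrounding straight quotes are stripped from values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current].append((key.lower(), value))
    return sections


def lint_capolicy(text):
    """Check a CAPolicy.inf against the deck's recommendations; returns findings
    (an empty list means the file passes). The 2048-bit minimum is an assumption."""
    findings = []
    if "\u201c" in text or "\u201d" in text:
        findings.append('curly quotes present; .inf values need straight " quotes')
    sections = parse_capolicy(text)
    version = dict(sections.get("version", []))
    if version.get("signature") != "$Windows NT$":
        findings.append('[Version] Signature must be "$Windows NT$"')
    server = dict(sections.get("certsrv_server", []))
    if int(server.get("renewalkeylength", "0")) < 2048:
        findings.append("RenewalKeyLength below 2048 bits")
    if server.get("loaddefaulttemplates") != "0":
        findings.append("LoadDefaultTemplates=0 missing: default templates will auto-publish")
    for section, (token, ext) in SECTION_RULES.items():
        urls = [v for k, v in sections.get(section, []) if k == "url"]
        if not any(u.lower().startswith("http://") for u in urls):
            findings.append(f"[{section}] has no HTTP URL for clients outside the forest")
        for u in urls:
            low = u.lower()
            if low.startswith("ldap:") and token not in u:
                findings.append(f"[{section}] LDAP URL lacks {token}: {u}")
            if low.startswith("http") and not low.endswith(ext):
                findings.append(f"[{section}] HTTP URL does not point at a {ext} file: {u}")
    return findings
```

Run the linter over a CAPolicy.inf before the role install, since the file is only read during setup and a silently ignored value (curly quotes, a misspelled key) surfaces later as a CA with the wrong key size or unwanted templates.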
![Page 67: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/67.jpg)
Install W2K8 CA13.In Configuration Task wizard and click on Add roles
Microsoft Certificate Services
![Page 68: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/68.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA14.Click Next
Microsoft Certificate Services
![Page 69: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/69.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA15.Click on Active Directory Certificate Server and Next
Microsoft Certificate Services
![Page 70: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/70.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA16.Click on Next
Microsoft Certificate Services
![Page 71: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/71.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA17.Keep default of Certification Authority and Next
Microsoft Certificate Services
![Page 72: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/72.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA18.Accept default of Standalone and click on Next
Microsoft Certificate Services
![Page 73: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/73.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA19.Accept default of Root CA and click on Next
Microsoft Certificate Services
![Page 74: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/74.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA20.Accept default and click on Next
Microsoft Certificate Services
![Page 75: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/75.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA21.Use the options shown here and click on Next
Microsoft Certificate Services
![Page 76: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/76.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA22.Type in a better Common Name and then Next
Microsoft Certificate Services
![Page 77: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/77.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: 23. Change the validity period to 20 years and then click Next
![Page 78: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/78.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: 24. Accept the default locations and click Next
![Page 79: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/79.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: 25. Select Install
![Page 80: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/80.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: Wait while it installs...
![Page 81: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/81.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: 27. Click Close to end the install
![Page 82: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/82.jpg)
Installing Microsoft Certificate Services
Install W2K8 CA: 28. Confirm the new (and only) role is installed, then click Close
![Page 83: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/83.jpg)
Installing Microsoft Certificate Services
29. Open the Certification Authority console under Administrative Tools to verify the install.
![Page 84: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/84.jpg)
Version 3.0 Templates
![Page 85: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/85.jpg)
Certificate Template Version 3
• A certificate based on a version 3 certificate template can only be issued by an enterprise CA running on Windows Server 2008 (or later), Enterprise Edition.
• Version 3 templates contain more options and stronger crypto
• Version 3 templates can only be published on W2K8 CAs
• V3 templates do not work with Windows OSs prior to Windows Vista
![Page 86: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/86.jpg)
Certificate Template Version 3
• Windows 2000, XP, and 2003 will not enroll against V3 templates
• Only Vista and later understand SHA-2 hashes and ECC ciphers
• XP SP3 can verify certificates signed with SHA-256, but not all applications can, so be careful in using any hash stronger than SHA-1
• V3 templates will not show up on the web enrollment site
• **To be safe, only use V3 templates with Windows Vista and later**
![Page 87: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/87.jpg)
Creating Certificate Templates: choose which template version you want to create (Version 2 or Version 3)
![Page 88: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/88.jpg)
New Certificate Template Attribute: Add Read permissions to Network Service on the private key... (version 3.0 and later templates only)
![Page 89: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/89.jpg)
New Certificate Template Attribute: Cryptography tab (version 3.0 templates and later)
![Page 90: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/90.jpg)
Certificate Revocation: CRLs and OCSP
![Page 91: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/91.jpg)
Certificate Revocation
• Used to indicate a digital certificate is invalid
• Any revoked certificate is to be considered (very) untrusted
• An app may “break” if it can’t find the revocation point or the revocation check is negative
• Unfortunately, certificate revocation doesn’t always work (not all applications or users check for revocation)
![Page 92: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/92.jpg)
Certificate Revocation
Certificates are revoked when:
• The CA or other CAs in the path (e.g. issuing) have been compromised
• The entity issued the certificate is discovered to be a fraud
• To prematurely end a certificate’s useful life
• For any other reason the CA wants (e.g. the customer didn’t pay their bill)
![Page 93: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/93.jpg)
Certificate Revocation: Checking Certificate Revocation
• In order for revocation to be checked, the certificate being verified must include valid revocation information (e.g. revocation list location, etc.) and the resulting information must be reachable by the client/application investigating
• Called certificate chaining
• Certificate information is usually checked back to just before the Root CA (the root is offline)
![Page 94: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/94.jpg)
Certificate Revocation
• Revocation checking is not always done; it depends on the PKI-participating application and/or its settings
• Sometimes even when it is done/required, the application only reports if the certificate is revoked (and not, unfortunately, if the revocation information can’t be confirmed)
• But it can also cripple your organization if revocation is not working!!!
![Page 95: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/95.jpg)
Certificate Revocation: Some apps allow turning revocation checking on and off
![Page 96: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/96.jpg)
Certificate Revocation
• In IE (with revocation checking enabled), if the cert’s revocation information isn’t valid or reachable, IE won’t report an error by default
• Although when using Secure Socket Tunneling Protocol (SSTP), IE will check and absolutely require correct revocation information in the VPN server’s cert
![Page 97: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/97.jpg)
Certificate Revocation: Checking Certificate Revocation
Ways revocation can be checked:
• Certificate Revocation List (CRL): full and deltas
• Online Certificate Status Protocol (OCSP)
• Application checks (depends on app)
• Manually using Certutil.exe
• Programmatically
• Stored locally in revocation database
![Page 98: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/98.jpg)
Certificate Revocation: Certificate Revocation List (CRL)
• List of revoked certificates (revocation).
• The CRL is placed at the CDP (CRL distribution point) so clients can check. The CDP is hard wired into the certificate.
• CRLs can be published to Active Directory so they are available to everyone.
• CRLs can be full base or delta.
• HTTP references should not be HTTPS-enabled
![Page 99: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/99.jpg)
OCSP (RFC 2560): Online Certificate Status Protocol
• Replacement for the older CRL revocation checking method
• The OCSP Responder collects CRL entries and stores them in a database
• Can be queried for a particular cert
• Allows OCSP clients (Vista and later) to quickly query/verify certificate status, instead of relying on and downloading the entire CDP/CRL.
![Page 100: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/100.jpg)
OCSP (RFC 2560): Online Certificate Status Protocol
• The OCSP Online Responder Service can be installed stand-alone or on the CA W2K8 server
• The OCSP Responder is available for Windows Server 2008, but can respond for W2K3 also
![Page 101: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/101.jpg)
OCSP: Basic OCSP Setup
![Page 102: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/102.jpg)
OCSP Process
1. Bob gets certificate/public key from Alice
2. Alice’s digital certificate contains an OCSP extension
3. Bob sends a fingerprint of Alice’s public key to Alice’s defined OCSP responder
4. The OCSP responder confirms status (success or revoked) or sends back an unknown message
5. OCSP sends back a signed OCSP response
6. Bob reads the status and handles it accordingly
![Page 103: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/103.jpg)
OCSP: More Complex OCSP Setup
![Page 104: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/104.jpg)
OCSP (RFC 2560) cont’d
• OCSP uses HTTP
• The OCSP Responder location should be hardcoded into OCSP-enabled digital certificates in the AIA location
• The OCSP standard can connect directly to the CA database or use CRLs; Windows OCSP relies on CA CRLs
• The client must be OCSP-aware and be able to reach the OCSP responder
![Page 105: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/105.jpg)
OCSP (RFC 2560) cont’d
• Vista/W2K8 and later have an OCSP client built in and will resolve using OCSP first vs. CRLs
• Legacy clients will need to use a 3rd party OCSP client
• W2K8 can serve as an OCSP Responder for W2K8/W2K3 servers
• The OCSP Responder was a separate download in W2K3
![Page 106: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/106.jpg)
OCSP: Online Certificate Status Protocol
• The application must be coded to look for the OCSP extension in the certificate
• IE 7 and later, on Vista and later
• All versions of Firefox support OCSP; v3.0 turns it on by default
• Safari and Opera support it
• Google’s Chrome does not (as of 3/09)
![Page 107: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/107.jpg)
OCSP: Online Certificate Status Protocol
By default:
• OCSP will be checked first if an OCSP extension is found
• If there is no OCSP response, then the CRL is tried
• The default behavior can be reversed
![Page 108: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/108.jpg)
OCSP: Online Certificate Status Protocol
Configured via Group Policy at: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings
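The client behaviour the last few slides describe (OCSP first when the certificate carries an OCSP extension, CRL as fallback, the order reversible by policy, and the "soft fail" where an application only complains about a revoked certificate but not about status it could not confirm) can be modelled as a small decision routine. The following is an added Python example, not code from the slides or from Windows: the OCSP URL is the one used in the configuration steps later on, while the CDP path, the serial numbers and the dates are constructed.

```python
"""Model of a PKI client's revocation decision: OCSP first, CRL as fallback, the
order reversible, and soft fail vs hard fail when no source can answer.
Constructed example, not Windows' CryptoAPI code; it performs no network I/O."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder has no record of this serial

class Decision(Enum):
    ACCEPT = "accept"
    REJECT_REVOKED = "reject: certificate revoked"
    ACCEPT_UNVERIFIED = "accept: status not confirmed (soft fail)"
    REJECT_UNVERIFIED = "reject: status not confirmed (hard fail)"

@dataclass
class Cert:
    serial: int
    ocsp_url: str  # OCSP access method from the AIA extension ("" if absent)
    cdp_url: str   # CRL Distribution Point ("" if absent)

@dataclass
class Crl:
    """A published base CRL; unusable once unreachable or past nextUpdate."""
    url: str
    revoked: set
    next_update: datetime
    reachable: bool = True

    def lookup(self, serial, now):
        if not self.reachable or now >= self.next_update:
            return None
        return Status.REVOKED if serial in self.revoked else Status.GOOD

@dataclass
class OcspResponder:
    """Fed from the CA's CRL, so it can answer for that CA's serials only."""
    url: str
    revoked: set
    known_serials: set
    reachable: bool = True

    def query(self, serial):
        if not self.reachable:
            return None  # no OCSP response at all
        if serial not in self.known_serials:
            return Status.UNKNOWN
        return Status.REVOKED if serial in self.revoked else Status.GOOD

def check_revocation(cert, providers, now, prefer_ocsp=True, hard_fail=False):
    """Return (Decision, url that answered); providers maps URL -> Crl/OcspResponder."""
    order = [("ocsp", cert.ocsp_url), ("crl", cert.cdp_url)]
    if not prefer_ocsp:
        order.reverse()  # the default order can be reversed by policy
    for kind, url in order:
        provider = providers.get(url)
        if provider is None:
            continue  # extension absent, or the host does not resolve
        if kind == "ocsp":
            result = provider.query(cert.serial)
        else:
            result = provider.lookup(cert.serial, now)
        if result is Status.REVOKED:
            return Decision.REJECT_REVOKED, url
        if result is Status.GOOD:
            return Decision.ACCEPT, url
        # None (down or expired) or UNKNOWN: fall through to the next source
    if hard_fail:
        return Decision.REJECT_UNVERIFIED, None
    return Decision.ACCEPT_UNVERIFIED, None  # what most applications do by default

def build_lab(now):
    """Constructed issuing CA: the OCSP URL is the one from the slides, the CDP
    path follows the ADCS default layout (assumed), the serials are made up."""
    crl = Crl(url="http://W2K8IssuingCA1.contoso.ad/CertEnroll/W2K8IssuingCA1.crl",
              revoked={0x1002}, next_update=now + timedelta(days=7))
    ocsp = OcspResponder(url="http://W2K8IssuingCA1.contoso.ad/ocsp",
                         revoked=set(crl.revoked), known_serials={0x1001, 0x1002, 0x1003})
    return crl, ocsp

def run_scenarios():
    """Walk the failure modes the slides warn about; returns {name: (Decision, url)}."""
    now = datetime(2009, 3, 1, tzinfo=timezone.utc)
    crl, ocsp = build_lab(now)
    providers = {crl.url: crl, ocsp.url: ocsp}
    good, bad = Cert(0x1001, ocsp.url, crl.url), Cert(0x1002, ocsp.url, crl.url)
    out = {"good_via_ocsp": check_revocation(good, providers, now),
           "revoked_via_ocsp": check_revocation(bad, providers, now),
           "crl_first": check_revocation(good, providers, now, prefer_ocsp=False)}
    ocsp.reachable = False  # responder down: the client falls back to the CRL
    out["ocsp_down"] = check_revocation(good, providers, now)
    stale = now + timedelta(days=8)  # CA down too, so the base CRL has expired
    out["all_down_soft"] = check_revocation(good, providers, stale)
    out["all_down_hard"] = check_revocation(good, providers, stale, hard_fail=True)
    return out
```

run_scenarios() returns the six outcomes; the last two differ only in the hard_fail flag, and the expired-CRL case is the one that turns a single CA outage into either silently unverified certificates or broken applications.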
![Page 109: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/109.jpg)
OCSP: Installing OCSP
• Configure the OCSP Response Signing certificate template and publish it
• Modify the AIA on the Issuing CA to point to the OCSP Responder virtual directory
• Install the OCSP Responder and configure it
• Test
![Page 110: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/110.jpg)
OCSP: Publish OCSP Response Signing Certificate
1. Log on to W2K8IssuingCA1 as local Administrator and start the Certification Authority console
![Page 111: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/111.jpg)
OCSP: Publish OCSP Response Signing Certificate
2. Right-click Certificate Templates and choose Manage
![Page 112: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/112.jpg)
OCSP: Publish OCSP Response Signing Certificate
3. Right-click the OCSP Response Signing template and choose Duplicate Template
![Page 113: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/113.jpg)
OCSP: Publish OCSP Response Signing Certificate
4. Choose Windows Server 2008, Enterprise Edition and then select OK
![Page 114: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/114.jpg)
OCSP: Publish OCSP Response Signing Certificate
5. Type in a new template name and then click on the Security tab.
![Page 115: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/115.jpg)
OCSP: Publish OCSP Response Signing Certificate
6. On the Security tab, add the W2K8IssuingCA1 computer account (as the OCSP Responder)
![Page 116: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/116.jpg)
OCSP: Publish OCSP Response Signing Certificate
7. Give Read and Enroll permissions to the W2K8IssuingCA1 computer account, click OK, then Close
![Page 117: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/117.jpg)
OCSP: Publish OCSP Response Signing Certificate
8. In the Certification Authority console, right-click Certificate Templates, New, Certificate Template to Issue
![Page 118: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/118.jpg)
OCSP: Publish OCSP Response Signing Certificate
9. Select the new OCSP certificate template and then OK
![Page 119: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/119.jpg)
OCSP: Publish OCSP Response Signing Certificate
10. Minimize or close the Certification Authority console
![Page 120: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/120.jpg)
OCSP: Publish OCSP Response Signing Certificate
11. At the command prompt on the CA server, type: `certutil -setreg CA\UseDefinedCACertInRequest 1`
12. Close the prompt
13. Restart the CA service
![Page 121: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/121.jpg)
OCSP: Installing OCSP
You need to install the OCSP Responder service, and then configure a Revocation Provider Configuration entry for each Revocation Provider that you want the OCSP Responder to respond for
![Page 122: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/122.jpg)
OCSP: Installing OCSP
1. Log on to W2K8IssuingCA1 as local Administrator and start Server Manager. Choose Add Role Services
![Page 123: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/123.jpg)
OCSP: Installing OCSP
2. Select Online Responder and then Next
![Page 124: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/124.jpg)
OCSP: Installing OCSP
3. Choose Install
![Page 125: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/125.jpg)
OCSP: Installing OCSP
If you install IIS 7 separately, the following IIS/Web Server components are required:
• Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
• Application Development: .NET Extensibility, ISAPI Extensions
• Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
• Security: Request Filtering
• Performance: Static Content Compression
• Management Tools: IIS Management Console, IIS 6 Management Compatibility, IIS Metabase Compatibility
![Page 126: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/126.jpg)
OCSP: Installing OCSP
4. Choose Close and close Server Manager
![Page 127: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/127.jpg)
OCSP: Installing OCSP
5. Choose Start, Administrative Tools and Online Responder Management
![Page 128: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/128.jpg)
OCSP: Installing OCSP
6. Right-click Revocation Configuration
![Page 129: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/129.jpg)
OCSP: Installing OCSP
7. And choose Add Revocation Configuration
![Page 130: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/130.jpg)
OCSP: Installing OCSP
8. Click on the Next button
![Page 131: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/131.jpg)
OCSP: Installing OCSP
9. Type in a name and then click the Next button
![Page 132: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/132.jpg)
OCSP: Installing OCSP
10. Keep the default option and then choose Next
![Page 133: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/133.jpg)
OCSP: Installing OCSP
11. Keep the default option and then choose Browse
![Page 134: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/134.jpg)
OCSP: Installing OCSP
12. Select W2K8IssuingCA1 and then choose OK
![Page 135: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/135.jpg)
OCSP: Installing OCSP
13. Click on Next
![Page 136: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/136.jpg)
OCSP: Installing OCSP
14. Select the correct template and then click on Next
![Page 137: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/137.jpg)
OCSP: Installing OCSP
15. Click on Finish
![Page 138: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/138.jpg)
OCSP: Installing OCSP
16. Confirm the Revocation Configuration status by clicking on the revocation configuration object and choosing Edit Properties
![Page 139: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/139.jpg)
OCSP: Installing OCSP
17. Review the Revocation Configuration, confirm Base CRLs and then click OK. (No need to define deltas)
![Page 140: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/140.jpg)
OCSP: Installing OCSP
Example certificate with OCSP extension
![Page 141: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/141.jpg)
OCSP: Installing OCSP
18. Right-click the OCSP server name and choose Responder Properties
![Page 142: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/142.jpg)
OCSP: Installing OCSP
19. On the Audit tab, enable all auditing options, then OK
![Page 143: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/143.jpg)
OCSP: Installing OCSP
20. Give Enterprise PKI Publishers Manage Online Responder and Read permissions, then OK
![Page 144: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/144.jpg)
OCSP: Installing OCSP
21. Close the OCSP Responder console
![Page 145: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/145.jpg)
OCSP: Installing OCSP
22. Confirm Windows Firewall has inbound rules for OCSP
![Page 146: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/146.jpg)
OCSP: Configure OCSP Extensions
1. Open up the Certification Authority console
![Page 147: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/147.jpg)
OCSP: Configure OCSP Extensions
2. Right-click on the CA name and choose Properties
![Page 148: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/148.jpg)
OCSP: Configure OCSP Extensions
3. Click on the Add button under the Extensions tab and choose the AIA extension option
![Page 149: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/149.jpg)
OCSP: Configure OCSP Extensions
4. Add http://W2K8IssuingCA1.contoso.ad/ocsp and enable both the AIA and OCSP options, then OK
![Page 150: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/150.jpg)
OCSP: Configure OCSP Extensions
5. Close or minimize the Certification Authority console
![Page 151: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/151.jpg)
OCSP: Testing OCSP
• PKIView.msc (W2K8 or later)
• Generate a new cert and verify the correct HTTP path appears in the OCSP entry of the AIA extension
• Force CRL checking in the application using the certificate
• `certutil -verify <certname>`
![Page 152: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/152.jpg)
OCSP: OCSP Arrays
• It is easy to create a fault-tolerant array of OCSP Responders
• Enable the Network Load Balancing (NLB) service
• Define the OCSP extension with a name that will resolve to the NLB cluster IP address
• Then define the array in the Array Configuration option in the OCSP Responder GUI
![Page 153: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/153.jpg)
OCSP: Is a Schema Update Needed?
• W2K3 AD schema or later is needed for OCSP
• The W2K8 schema update is not needed if the schema has been updated to W2K3
• A Windows 2000 domain is OK, as long as the AD schema has been upgraded to the Windows 2003 AD schema.
• You need at least one W2K8 server joined to the domain, and a domain admin to execute the template snap-in from the Windows 2008 server to get the new OCSP Responder Signing template(s) installed in AD.
![Page 154: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/154.jpg)
OCSP: For More Reading: http://technet.microsoft.com/en-us/library/cc770413.aspx
Questions?
![Page 155: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/155.jpg)
Fault Tolerance, Backup and Disaster Recovery
![Page 156: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/156.jpg)
Fault Tolerance: When would end-users notice a problem?
• If Issuing CAs are down: when users request a new cert or try to renew an expiring cert
• If AIA or CDP publication points are down: when an application the end-user is using checks certificate revocation
![Page 157: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/157.jpg)
Fault Tolerance: Required
• Always have a minimum of two issuing CAs with the same templates published
• CAs should have fault-tolerant disks
• CRLs should be redundant: internally redundant LDAP, and multiple HTTP locations? Externally redundant, if certs are used externally
• OCSP Responders should be redundant
![Page 158: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/158.jpg)
Fault Tolerance: Optional
• Clustering
• Redundant hardware?
• Cold standby?
• Virtual machine standby?
![Page 159: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/159.jpg)
Fault Tolerance: CA Clustering
![Page 160: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/160.jpg)
Fault Tolerance: CA Clustering
• Available in Windows Server 2008 Enterprise edition
• Only supports a two-node Active/Passive cluster
• Must share the same database and log files
• Can’t mix W2K8 and W2K3
• Many HSMs support clustering
• Must load balance (using NLB, etc.) other things: CDP, OCSP Responders, NDES, web enrollment, etc.
![Page 161: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/161.jpg)
Fault Tolerance: Why Clustering?
If multiple issuing CA servers can issue the same types of certs, why cluster CA servers?
Answer:
• They don’t issue the same certs or share the same database
• Can’t revoke a cert you can’t “find”
• If one goes down, there can be problems when base or delta CRLs expire (this can break the revocation chain and break applications that depend on revocation checking)
![Page 162: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/162.jpg)
Enrolling on Behalf of Another User
![Page 163: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/163.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
Useful for:
• Smart card certificates
• S/MIME certificates
• Enrolling for offline users and computers
Certificate Services
![Page 164: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/164.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
• Must already have an Enrollment Agent cert
• Can also issue an Enrollment Workstation certificate and require that Enrollment Agents be logged on at approved Enrollment workstations to enroll on behalf of others
![Page 165: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/165.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
• Must already have an Enrollment Agent cert
![Page 166: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/166.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
• Must already have an Enrollment Agent cert
![Page 167: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/167.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 168: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/168.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 169: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/169.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 170: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/170.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 171: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/171.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 172: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/172.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 173: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/173.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User
![Page 174: The new rocket science stuff in microsoft pki](https://reader038.fdocuments.net/reader038/viewer/2022102621/546509bcaf795978208b60bc/html5/thumbnails/174.jpg)
Certificate Request Wizard: Enrolling on Behalf of Another User