Windows 2012 Active Directory Certificate Services
8/13/2019 Windows 2012 Active Directory Certificate Services
Christopher Chapman | MCT
Content PM, Microsoft Learning, PDG Planning, Microsoft
-
MVA
Active Directory Certificate Services (AD CS)
-
What is AD CS?
What does AD CS do/provide?
-
Module Overview
Overview of Active Directory Certificate Services
Understanding Active Directory Certificate Services Certificates
Implementing Certificate Enrollment and Revocation
-
Lesson 1: Overview of Active Directory Certificate Services
What Is a Certification Authority?
How CA Hierarchies Work
Options for Implementing CAs
Options for Integrating AD CS and AD DS
Demonstration: Tools for Managing AD CS
-
What Is a Certification Authority?
A Certification Authority (CA) is an entity entrusted to issue certificates to:
Individuals
Computers
Organizations
Services
These certificates verify the identity and other attributes of the certificate subject to other entities
-
How CA Hierarchies Work
CA hierarchies include a root CA and one or more levels of subordinate CAs
Reasons for deploying more than a single server CA hierarchy:
Usage
Organizational divisions
Geographic divisions
Load balancing
Restrict administrative access
High availability
-
Options for Implementing Certification Authorities
When implementing a CA solution, you can:
Use an internal private CA
Use an external public CA
Internal CAs are less expensive and provide more administrative options, but the issued certificates are not trusted by external clients
-
Options for Integrating AD CS and AD DS
Stand-Alone CA:
Can use without AD DS
Enterprise CA:
Uses Group Policy for Trusted Root propagation
Publishes certificates and CRL to AD DS
Can enforce credential checks during enrollment
Can have subject name generated automatically from logon credentials
Can use certificate templates
Can be used to generate smart card Windows domain authentication certificates
Can use certificate auto-enrollment
-
Demo: Tools for Managing AD CS
Certification Authority
Certificate Templates
Online Responder
Enterprise PKI
Certificates
-
Lesson 2: Understanding Active Directory Certificate Services Certificates
What Are Digital Certificates?
How Public Keys and Private Keys Work
Demonstration: Using Certificates to Secure Data
What Are Certificate Templates?
-
What Are Digital Certificates?
A certificate is a digital file with two parts:
Base certificate information
Public Key
Public keys are distributed to all clients who request the key
Private keys are stored only on the computer from which the certificate was requested
-
How Public Keys and Private Keys Work
[Diagram: SSL (encrypted) connection between Web Server and Web Client; plaintext on each side, with Encrypt and Decrypt steps labeled Private Key and Public Key]
Different keys are used to encrypt and decrypt the message
-
Demonstration: Using Certificates to Secure Data
In this demonstration, you will see how to use certificates to secure data
-
What Are Certificate Templates?
Certificate templates:
Define what certificates can be issued by the CAs
Define certificates used for various purposes
Define which security principals have permissions to read, enroll, and configure the certificate template
-
Lesson 3: Implementing Certificate Enrollment and Revocation
Options for Implementing Certificate Enrollment
Demonstration: Using Web Enrollment to Obtain Certificates
Administering Certificate Enrollment
Demonstration: Administering Certificate Requests
Options for Automating Certificate Enrollment
What is Certificate Revocation?
Demonstration: Revoking Certificates
-
Options for Implementing Certificate Enrollment
What methods are used for certificate enrollment?
Web Enrollment
Manual/Offline Enrollment
Automatic Enrollment
-
Demo: Using Web Enrollment to Obtain Certificates
In this demonstration, you will see how to use Web enrollment to obtain certificates
-
Administering Certificate Enrollment
To obtain a certificate using manual enrollment:
1. Create a certificate request
2. Submit certificate request to CA
3. Obtain administrative approval for certificate
4. Retrieve certificate from CA and install on client
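The four manual-enrollment steps above, run from an elevated PowerShell prompt with the built-in certreq and certutil tools. This is an added example, not part of the original slides; the subject name, file names and CA config string are placeholder assumptions, and it assumes a CA that holds requests pending until a CA administrator approves them.

```powershell
# Added example: placeholder names throughout (not from the slides).
$CAConfig = 'CA01.contoso.example\Contoso-Issuing-CA'   # assumed "host\CA name"
$Subject  = 'CN=web01.contoso.example'                  # assumed subject

# Step 1: create the request. The key pair is generated locally and the
# private key never leaves this machine; only the PKCS#10 request is sent.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path .\web01.inf -Encoding ASCII
certreq -new .\web01.inf .\web01.req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 2: submit the request to the CA and capture the request ID.
$submit = certreq -submit -config $CAConfig .\web01.req .\web01.cer
$submit
$match = $submit | Select-String -Pattern 'RequestId:\s*(\d+)' | Select-Object -First 1
if (-not $match) { throw 'No RequestId returned by the CA' }
$requestId = $match.Matches[0].Groups[1].Value

# Step 3: on the CA, a CA administrator reviews and approves the pending request:
#   certutil -view -restrict "RequestId=$requestId"
#   certutil -resubmit $requestId

# Step 4: retrieve the issued certificate and install it on the client.
certreq -retrieve -config $CAConfig $requestId .\web01.cer
if ($LASTEXITCODE -ne 0) { throw "Request $requestId is not issued (pending or denied)" }
certreq -accept -machine .\web01.cer

# Check: the installed certificate must be bound to the local private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

Step 4 is run after the administrator has approved the request; until then the retrieve call reports the request as pending.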
-
Demo: Administering Certificate Requests
In this demonstration, you will see how to administer certificate requests
-
Options for Automating Certificate Enrollment
[Diagram: Domain Computer, Group Policy, Enterprise CA]
Group Policy triggers automatic request
Auto-enroll is enabled on the template from which the requested certificate is created
-
What Is Certificate Revocation?
Certificate revocation occurs when a certificate is invalidated before its expiration period
Clients can ensure the certificate has not been revoked by using the following methods:
Online Certificate Status Protocol responder service (OCSP)
Certificate Revocation Lists (CRLs)
-
Demonstration: Revoking Certificates
In this demonstration, you will see how to revoke certificates
-
Module Review and Takeaways
Review Questions
Summary of AD CS
-
Thanks for Watching
-
2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trade
U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this pre
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.