Windows 2012 Active Directory Certificate Services


  • 8/13/2019 Windows 2012 Active Directory Certificate Services

    1/26

    Christopher Chapman | MCT

    Content PM, Microsoft Learning, PDG Planning, Microsoft

  • 2/26

    MVA: Active Directory Certificate Services (AD CS)

  • 3/26

    Module Overview

    What is AD CS?

    What does AD CS do/provide?

  • 4/26

    Module Overview

    Overview of Active Directory Certificate Services

    Understanding Active Directory Certificate Services Certificates

    Implementing Certificate Enrollment and Revocation

  • 5/26

    Lesson 1: Overview of Active Directory Certificate Services

    What Is a Certification Authority?

    How CA Hierarchies Work

    Options for Implementing CAs

    Options for Integrating AD CS and AD DS

    Demonstration: Tools for Managing AD CS

  • 6/26

    What Is a Certification Authority?

    A Certification Authority (CA) is an entity entrusted to issue certificates to:

      Individuals

      Computers

      Organizations

      Services

    These certificates verify the identity and other attributes of the certificate subject to other entities.

  • 7/26

    How CA Hierarchies Work

    CA hierarchies include a root CA and one or more levels of subordinate CAs.

    Reasons for deploying a CA hierarchy rather than a single CA server:

      Usage

      Organizational divisions

      Geographic divisions

      Load balancing

      Restrict administrative access

      High availability

  • 8/26

    Options for Implementing Certification Authorities

    When implementing a CA solution, you can:

      Use an internal private CA

      Use an external public CA

    Internal CAs are less expensive and provide more administrative options, but the certificates they issue are not trusted by external clients.

  • 9/26

    Options for Integrating AD CS and AD DS

    Enterprise CA:

      Uses Group Policy for Trusted Root propagation

      Publishes certificates and CRL to AD DS

      Can enforce credential checks during enrollment

      Can have subject name generated automatically from logon credentials

      Can use certificate templates

      Can be used to generate smart card Windows domain authentication certificates

      Can use certificate auto-enrollment

    Stand-Alone CA:

      Can use without AD DS

  • 10/26

    Demo: Tools for Managing AD CS

    Certification Authority

    Certificate Templates

    Online Responder

    Enterprise PKI

    Certificates

  • 11/26

    Lesson 2: Understanding Active Directory Certificate Services Certificates

    What Are Digital Certificates?

    How Public Keys and Private Keys Work

    Demonstration: Using Certificates to Secure Data

    What Are Certificate Templates?

  • 12/26

    What Are Digital Certificates?

    A certificate is a digital file with two parts:

      Base certificate information

      Public Key

    Public keys are distributed to all clients who request the key.

    Private keys are stored only on the computer from which the certificate was requested.

  • 13/26

    How Public Keys and Private Keys Work

    Figure: a Web Client and a Web Server exchanging a message over SSL (Encrypted). The message is Plaintext at each end; it is encrypted with one key of the pair and decrypted with the other (Private Key / Public Key). Different keys are used to encrypt and decrypt the message.

  • 14/26

    Demonstration: Using Certificates to Secure Data

    In this demonstration, you will see how to use certificates to secure data.

  • 15/26

    What Are Certificate Templates?

    Certificate templates:

      Define what certificates can be issued by the CAs

      Define certificates used for various purposes

      Define which security principals have permissions to read, enroll, and configure the certificate template

  • 16/26

    Lesson 3: Implementing Certificate Enrollment and Revocation

    Options for Implementing Certificate Enrollment

    Demonstration: Using Web Enrollment to Obtain Certificates

    Administering Certificate Enrollment

    Demonstration: Administering Certificate Requests

    Options for Automating Certificate Enrollment

    What is Certificate Revocation?

    Demonstration: Revoking Certificates


  • 17/26

    Options for Implementing Certificate Enrollment

    What methods are used for certificate enrollment?

      Web Enrollment

      Manual/Offline Enrollment

      Automatic Enrollment

  • 18/26

    Demo: Using Web Enrollment to Obtain Certificates

    In this demonstration, you will see how to use Web enrollment to obtain certificates.

  • 19/26

    Administering Certificate Enrollment

    To obtain a certificate using manual enrollment:

      1. Create a certificate request

      2. Submit certificate request to CA

      3. Obtain administrative approval for certificate

      4. Retrieve certificate from CA and install on client
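    The four manual-enrollment steps above, carried out with the certreq and certutil tools that ship with Windows. This is an added example, not code from the MVA slides; the CA config string, template name, subject and RequestId are constructed placeholders and must be replaced with your own values.

```powershell
# Added example, not part of the MVA slides: manual/offline enrollment against an
# AD CS CA with certreq and certutil. All names below are placeholders.

$caConfig = 'CA01.contoso.example\Contoso-Issuing-CA'  # placeholder: <CAHost>\<CAName>
$infPath  = "$env:TEMP\web01.inf"
$reqPath  = "$env:TEMP\web01.req"
$cerPath  = "$env:TEMP\web01.cer"

# Step 1: create a certificate request. The INF describes the key and subject;
# certreq generates the key pair in the local machine store and writes only the
# PKCS#10 request (public key plus subject) to $reqPath. The private key never
# leaves this computer, which is the property the slides describe.
@'
[NewRequest]
Subject = "CN=web01.contoso.example"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path $infPath -Encoding ASCII

certreq -new $infPath $reqPath

# Step 2: submit the request to the CA. When the template requires CA certificate
# manager approval, the request stays pending and certreq reports its RequestId.
certreq -submit -config $caConfig $reqPath $cerPath

# Step 3: a certificate manager reviews the pending requests on the CA and
# issues or denies them (Disposition 9 = pending in the CA database).
#   certutil -config $caConfig -view -restrict "Disposition=9" -out "RequestID,RequesterName"
#   certutil -config $caConfig -resubmit <RequestId>   # approve (issue)
#   certutil -config $caConfig -deny <RequestId>       # reject

# Step 4: back on the client, retrieve the issued certificate and install it,
# which pairs it with the private key created in step 1.
$requestId = 1234   # placeholder: the RequestId printed by certreq -submit
certreq -retrieve -config $caConfig $requestId $cerPath
certreq -accept $cerPath

# Sanity check before the certificate goes into service: build the chain and
# fetch the AIA/CDP/OCSP URLs to confirm it chains to a trusted root and is
# not revoked.
certutil -verify -urlfetch $cerPath
```

    Keeping Exportable = FALSE and generating the key on the requesting machine is what makes step 1 safe: the CA and the approving manager only ever handle the public half of the key.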

  • 20/26

    Demo: Administering Certificate Requests

    In this demonstration, you will see how to administer certificate requests.

  • 21/26

    Options for Automating Certificate Enrollment

    Figure: a Domain Computer, Group Policy, and an Enterprise CA. Group Policy triggers the automatic request; auto-enroll is enabled on the template from which the requested certificate is created.

  • 22/26

    What Is Certificate Revocation?

    Certificate revocation occurs when a certificate is invalidated before its expiration period.

    Clients can ensure the certificate has not been revoked by using the following methods:

      Online Certificate Status Protocol responder service (OCSP)

      Certificate Revocation Lists (CRLs)
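    Revoking a certificate on an AD CS CA and then checking its status the way a relying client does, through the CRL and the OCSP responder named in the certificate. This is an added example, not code from the MVA slides; the CA config string, serial number and file path are constructed placeholders.

```powershell
# Added example, not part of the MVA slides: revocation on the CA side and the
# CRL/OCSP check on the client side. Config string and serial are placeholders.

$caConfig = 'CA01.contoso.example\Contoso-Issuing-CA'  # placeholder: <CAHost>\<CAName>
$serial   = '1a00000002c3f4d5e6f708192a000000000002'   # placeholder serial number (hex)

# Revoke with an explicit reason code. The code is recorded in the CRL entry:
# CertificateHold (6) is the only reason that can later be undone, and
# KeyCompromise (1) tells relying parties the key itself can no longer be trusted.
#   0 Unspecified   1 KeyCompromise   2 CACompromise   3 AffiliationChanged
#   4 Superseded    5 CessationOfOperation   6 CertificateHold
certutil -config $caConfig -revoke $serial 1

# Publish a new CRL now rather than waiting for the scheduled publication, so the
# revocation reaches the CRL distribution points (and the OCSP responder, which
# reads the CRL) without delay.
certutil -config $caConfig -crl

# Audit: list everything the CA database marks as revoked (Disposition 21).
certutil -config $caConfig -view -restrict "Disposition=21" -out "RequestID,SerialNumber,RequesterName"

# Client-side check: -urlfetch downloads the CRL(s) from the CDP extension and
# queries the OCSP responder from the AIA extension, then reports the revocation
# status the same way a Windows client evaluates it.
$cerPath = "$env:TEMP\web01.cer"   # placeholder: the certificate being checked
certutil -verify -urlfetch $cerPath
```

    Clients cache a downloaded CRL until its NextUpdate time, so a revocation published by the CA is not seen by every client immediately; an OCSP responder answers with fresher data, which is why the slides list both methods.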

  • 23/26

    Demonstration: Revoking Certificates

    In this demonstration, you will see how to revoke certificates.

  • 24/26

    Module Review and Takeaways

    Review Questions

    Summary of AD CS

  • 25/26

    Thanks for Watching

  • 26/26

    2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trade

    U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this pre

    must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of

    the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.