Chapter Deploying Certificates
1. Assume that a custom version 2 certificate template is created for code signing that requires CA certificate manager approval. What enrollment method should you use for deploying the custom code signing certificates to the three members of the Quality Assurance team? The Certificate Services Web Enrollment site method is recommended because the Web site implements cookies to allow the user to return and complete a pending certificate request. 2. Assume that a custom version 2 certificate...
Backup Operator
Performs backups of the CA database, the CA configuration, and the CA's private and public key pair (also known as a key pair). Note: If the CA's private and public key pair is stored on a hardware security module (HSM), backup operators can only back up the CA key pair if the HSM's security context allows this ability. You can use one of the following methods to perform the backup of CA information: Windows Server 2003 backup utility. By including the System State in the backup set, you ensure...
Publishing to Active Directory
The certificate object is published automatically into the CN=AIA,CN=Public Key container as a CrossCA object. The certificate is never distributed to the target CA in the other organization's CA hierarchy. Instead, it is downloaded via autoenrollment to all domain member computers so that the Cross Certification Authority certificate can be used to build certificate chains between the two CA hierarchies. This allows recognition of the partner CA's certificates that meet the qualified...
Enabling ActiveX Controls
The Certificate Services Web Enrollment site must be defined as a Local intranet site for all computers in the forest. This allows the automatic passing of authentication credentials to the CA by using Windows Integrated authentication. In addition, the download settings for ActiveX controls must be modified to allow the activation and use of the required ActiveX controls. Note: For smart card deployment, the ActiveX control settings are only required at the smart card enrollment station. But, if...
Chapter Primer to PKI
1. What version is the certificate? The certificate is an X.509 version 3 certificate. You can verify this by viewing the Version field on the Details tab. 2. What is the name of the issuing CA? The name of the issuing CA is CN=adatumCA,DC=adatum,DC=msft. You can verify this by viewing the Issuer field on the Details tab. 3. What is the subject name of the certificate? The subject name of the certificate is CN=SCUser1, OU=Module09, OU=Labs, DC=adatum, DC=msft. You can verify this by viewing the...
Choosing Deployment Methods
Whether you choose to deploy a single e-mail certificate or to implement separate e-mail signing and e-mail encryption certificates, it is recommended that you enable autoenrollment for the deployed certificate template(s). Autoenrollment allows the automated enrollment of the e-mail certificates to all users that have a Windows XP computer that is a member of the domain. Important: Automated enrollment requires the user's input if you enable a smart card for the signing certificate or implement...
Defining Application Policies
When you issue a Cross Certification Authority certificate, you can configure a Policy.inf file to specify which application policy OIDs are permitted in partner-issued certificates. Likewise, you can define a CAPolicy.inf file to specify which application policy OIDs are permitted in root certification authority certificates. To configure application policies in a Policy.inf or CAPolicy.inf file, create the following sections:

[ApplicationPolicyStatementExtension]
Policies = AppCodeSign, AppCTL, AppClientAuth
CRITICAL = FALSE

[AppCodeSign]
OID...
Contents
1 Basics of Cryptography
Encryption Algorithms and Data
Symmetric
Asymmetric
Combining Symmetric and Asymmetric Encryption
Digital Signing of
The Hash
Hash
Combining Asymmetric Signing and Hash Algorithms
Case Study: Microsoft Applications and Their Encryption Algorithms
Opening the EFS White
Case Study
Additional
X.509 Version
X.509 Version
X.509 Version
Certification
Root
Intermediate
Policy
Issuing
Certificate Revocation
Types of
Chapter Role Separation
1. The backup software implemented by Tailspin Toys uses a centralized backup services account. When reviewing the event logs, the backup operator notices that the backup fails every night on the two issuing CAs. On inspecting the event logs further, the backup software reports that the failed backup item is the System State backup. What is the likely cause of the error? The backup services account is assigned two or more of the Common Criteria roles. Typically, the issue is that the account is...
Resource Kit Support Policy
Microsoft does not support the tools and scripts supplied on the Microsoft Windows Server 2003 PKI and Certificate Security companion CD. Microsoft does not guarantee the performance of the tools or scripting examples, or any bug fixes for these tools and scripts. However, Microsoft Press provides a way for customers who purchase this book to report any problems with the software and receive feedback on such issues: just send e-mail to mspinput@microsoft.com. This e-mail address is only for...
Enabling Outlook
Both Outlook 2002 and Outlook 2003 automatically use available e-mail signing and e-mail encryption certificates if the certificates exist in the user's profile. You can verify the existence of the certificates, and define the encryption and signing algorithms, using the following procedure: 2. On the Tools menu, click Options. 3. In the Options dialog box, on the Security tab, click Settings. 4. In the Change Security Settings dialog box (see Figure 18-4), ensure that the following settings are...
Export the Exchange KMS Database
Once you have enabled the enterprise CA for foreign certificate import, you can start the export process. Warning: The export of data from the KMS database is a destructive process that removes the certificates and private keys from the KMS database. To protect against accidental loss of data, ensure that you perform and verify a backup of the KMS server before starting the export process. 1. If the KMS is configured to request certificates from an existing enterprise or standalone CA, stop...
Smart Cards and Kerberos
Smart cards allow Kerberos authentication through Public Key Initialization (PKINIT) extensions to the Kerberos protocol. PKINIT extensions allow a public/private key pair to be used to authenticate users when they log on to the network. The Kerberos authentication process is comprised of three related message exchanges: 1. Authentication Service (AS) Exchange. This initial message exchange is used by a domain controller to provide a user with a logon session key and a Kerberos ticket-granting...
Chapter Code Signing
Does the Code Signing certificate template meet the design requirements? What must you do to meet the design requirements? No. The Code Signing certificate template has a one-year validity period and does not implement any issuance requirements. You must create a custom version 2 certificate template based on the Code Signing certificate template. In the following table, define the settings on the General tab to meet the design requirements for your custom Code Signing certificate template....
Chapter Designing Certificate Templates
1. What MMC console do you use to perform certificate template management? The Certificate Templates (certtmpl.msc) console. 2. Does the default Code Signing certificate template meet the design requirements? No. The Code Signing certificate template has a one-year validity period and does not implement any issuance requirements. 3. Can you modify the default Code Signing certificate template? If not, what would you do? No. The Code Signing certificate template is a version 1 certificate template....
Publishing Certificates at the Issuing CA
If you have not published the root and policy CA certificates into Active Directory or to the HTTP URLs included in the certificates issued by the root and policy CAs, you can manually publish the certificates into the issuing CA's local machine store. This process is similar to the one used to publish the root CA certificate and CRL at the policy CA. The difference is that both root and intermediate CA certificates are published at an issuing CA. The following script publishes the root CA...
Planning Deployment of Code Signing Certificates
The deployment of a Code Signing certificate within an organization involves designing the Code Signing certificate template and planning how to deploy the certificates to the developers who perform the code signing operations. Important: If you are signing applications or code that will be used by people outside of your organization, it is recommended that you obtain the Code Signing certificate from a commercial vendor, such as VeriSign. This increases the amount of confidence in your...
Building Certificate Chains
The certificate chaining engine builds chains by inspecting specific extensions in a presented certificate. There are different processes the certificate chaining engine uses to determine the issuing CA's correct certificate. The actual selection is based on the current certificate's attributes. Specifically, the certificate chaining engine examines a combination of the following certificate fields and X.509 version 3 certificate extensions: Authority Key Identifier (AKI) extension. The matching...
Case Study Questions
1. The backup software implemented by Tailspin Toys uses a centralized backup services account. When reviewing the event logs, the backup operator notices that the backup fails every night on the two issuing CAs. On inspecting the event logs further, the backup software reports that the failed backup item is the System State backup. What is the likely cause of the error? 2. When inspecting the security permission assignments at the Tailspin Toys Infrastructure CA, you accidentally assign the CA...
Choosing Publication Points
Once you choose the publication protocols, you must choose where to publish the CA certificates and CRLs. The location decision includes the physical servers where you publish the files and the servers on the corporate network (intranet or extranet). Choose publication points according to the following rules: If most computers are running Windows 2000 or later and are members of the forest, you should include an LDAP URL that references the Active Directory Configuration naming context. This...
Custom Certificate Policies
In many cases, an organization creates its own custom OIDs for certificate policies. This allows the organization to define certificate policy OIDs in its own OID space rather than use the default Microsoft OIDs. Note: For more information on obtaining an OID tree for your organization, review Chapter 6, Implementing a CA Hierarchy. Custom certificate policies also allow an organization to programmatically define the exact issuance process and certificate usage. For example, an...
Key Recovery Tool
The Key Recovery Tool provides a graphical front end for the certutil command.

[Figure: the Key Recovery Tool dialog. The search criteria are Certification authority (CA), with ALL CERTIFICATION AUTHORITIES selected, and Requester name (domain\user); the instruction reads "Select the search criteria, enter the appropriate value, then click Search to display a list of archived keys".]

To recover an encryption private key, select the...
Version 1 Certificate Templates
Version 1 certificate templates were introduced with Windows 2000 Certificate Services and are available for Windows Server 2003 enterprise CAs. Attributes of version 1 certificate templates cannot be modified, except for the permissions assignments. When you install an enterprise CA or launch the Certificate Templates console, the following version 1 certificate templates are automatically installed in Active Directory: Administrator. Allows a holder to perform trust list signing, send secure...
Case Study Questions
1. Which CA should issue the Web Server certificate for the customer billing system Web site? 2. Which CA should issue the Web Server certificate for the employee benefits Web site? 3. Where should the Web Server certificate(s) be deployed for the customer billing system Web site? 4. Where should the Web Server certificate(s) be deployed for the employee benefits Web site? 5. How do you implement certificate mapping for the customer billing Web site? 6. If you perform an implicit certificate mapping,...
Enabling Key Archival in a Certificate Template
Once the CA is enabled for archival, you can create and publish certificate templates that enable key archival. To enable key archival in a certificate template, the first thing that you must do is set the purpose of the certificate template to either Encryption or Signature and Encryption. Key archival is only possible for certificate templates with these purposes. In fact, if the certificate template's purpose is Signature or Signature and Smart Card Logon, it is not possible to enable key...
EFS Decryption
When an EFS-encrypted file is opened by a user with access to the FEK in the DDF information, EFS decryption (see Figure 16-2) takes place, as follows. Figure 16-2 The EFS decryption process. 1. When the user attempts to open the encrypted file, the computer retrieves the private key of the certificate used to encrypt the FEK in the DDF. The private key is retrieved from the current user's personal store. Note: As long as a user has access to a private key...
Dual Certificates for E-Mail
Due to the risks of archiving the private key associated with an S/MIME signing certificate, many organizations choose to implement separate certificates for e-mail signing and encryption. Deploying separate certificates ensures that only the private key associated with the e-mail encryption certificate is archived. If you implement a separate certificate template for e-mail signing, it is recommended that you duplicate the Exchange Signature Only certificate template. When you separate the...
Defining the Mapping in Active Directory
You might have to define certificate mappings in Active Directory. The decision on whether to define a mapping in Active Directory is often based on the answers to the following questions: Is the certificate issued by an enterprise CA in your forest? If so, the certificate contains the user's UPN in the Subject Alternative Name extension and the CA's certificate is included in the NTAuth store of Active Directory. This enables the ability to use implicit mappings. Is the certificate issued by a...
The General Tab
On the General tab (see Figure 8-3), you can configure the following attributes of the certificate template: Template Display Name. The display name of the version 2 certificate template shown in the MMC, the Certificate Services Web Enrollment pages, and the Certificate Services Enrollment Wizard. Template Name. The name of the PKI-Certificate-Template object created in the CN=Certificate Templates,CN=Public Key container. Validity Period. Defines the certificate template's validity period. Renewal...
Certificate Policy Example
An excellent example of certificate policy is the X.509 Certificate Policy for the United States Department of Defense (DoD), available at www.defenselink.mil/nii. The DoD defines five classes of certificates in its certificate policy document. The distinction between the various classes is based on the following variables: The measures taken to validate the subject's identity. The value of transactions allowed for a certificate class. The type of storage required for the private key material. A...
Users
To connect to a wireless network, a user must acquire a certificate based on the custom version 2 certificate template discussed earlier in this chapter. To minimize the risks involved with deploying certificates, it is recommended to use autoenrollment for Windows XP computers and scripted enrollment for Windows 2000 computers. To enable certificate autoenrollment for the user certificate template for Windows XP and Windows Server 2003 computers, you must do the following: 1. Modify the...
Determining Certificate Validity Periods
A certificate has a predefined validity period that comprises a start date and time and an end date and time. An issued certificate's validity period cannot be changed after certificate issuance. Determining the validity period at each tier of the CA hierarchy, including the validity period of the certificates issued to users, computers, services, or network devices, is a primary step when defining a CA hierarchy. The recommended strategy for determining certificate validity periods is to start...
Requesting the Key Recovery Agent Certificate
The following process performs the initial certificate request for the Key Recovery Agent certificate. The process assumes that the certificate template has the default settings, though the permissions are defined to allow a custom global or universal group Read and Enroll permissions: 1. Log on to the domain from a Windows 2000 or Windows XP computer with an account assigned Read and Enroll permissions for the Key Recovery Agent certificate template. 2. Open Microsoft Internet Explorer. Note...
Reinstalling Certificate Services
The first step in restoring the CA computer is to ensure that Certificate Services is installed correctly and can be started and stopped. If you have a good backup of Certificate Services, whether the backup is a System State backup or a manual backup, you must first reinstall Certificate Services using the same certificate and key pair. To reinstall Certificate Services, ensure that the CA certificate and private key are available to the CA. For a software-based CSP, a local administrator of...
Extending the Schema
A Windows 2000 domain must be upgraded to the Windows Server 2003 schema to support some of the new features in a Windows Server 2003 PKI. These features include: Support for version 2 certificate templates. The Windows Server 2003 schema includes the definition of the version 2 certificate template object. Version 2 certificate templates allow customization of certificate content. Support for delta certificate revocation lists (CRLs). A delta CRL contains the certificates revoked since the...
Network-Attached HSMs on Each CA
With the introduction of network-attached HSMs, it is now possible for an organization to deploy a single HSM for the entire network, or one at each location that hosts CA computers, sharing the HSM among multiple CAs. One possible deployment scenario is to connect the HSM to a corporate network. See Figure 7-7. Figure 7-7 Implementing a network-attached HSM for all CAs in the hierarchy. When you implement a network-attached...
Local EFS Encryption
Once an EFS encryption certificate is designated, the EFS encryption process can begin. See Figure 16-1. Figure 16-1 The EFS encryption process. 1. A user must choose to encrypt a file. This can be done by enabling an individual file for EFS encryption or by creating a file in a folder that is enabled for EFS encryption. 2. The user's computer generates a random encryption key, called a File Encryption Key (FEK), used to encrypt the file. The symmetric encryption algorithm used by the FEK depends...
Revocation Reasons
When a certificate is revoked, the CRL entry can contain further information about the revocation. The reason codes can include: Key Compromise. The private key associated with the certificate has been stolen or otherwise acquired by an unauthorized person, such as when a computer is stolen or a smart card is lost. CA Compromise. The private key of a CA has been compromised. This can occur when the computer running Certificate Services or the physical device that stores the CA's private key is...
Enforcing Common Criteria Role Separation
Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, allow you to enforce Common Criteria role separation. By enforcing role separation, Certificate Services blocks any user account assigned two or more Common Criteria roles from all Certificate Services management activities. For example, if a user is assigned both the CA administrator and certificate manager roles, the user cannot perform the tasks defined for either role. If a user is assigned multiple roles,...
Case Study Adventure Works
You manage the network for Adventure Works, a travel agency in New York that specializes in radical vacation trips. The organization implements the CA hierarchy shown in Figure 18-6.

Figure 18-6 The Adventure Works CA hierarchy. The root of the hierarchy is the commercial CA with subject OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=Class 3 Public Primary Certification Authority - G2, O=VeriSign, Inc., C=US. Below it is a CA of type Enterprise Subordinate CA, with CA name Adventure Works Issuing CA, CA computer name ADVCA01, and a CA validity period of 10 years.

To provide increased...
Private Key Stored in the Local Machine Store
If the CA's private key is stored in the Local Machine store of the CA computer, by default it is possible for any member of the local Administrators group to export the CA's private key to a PKCS #12 file. If the CA is a domain member, as is typical for online CAs, the local Administrators group of the CA computer will also include the Domain Admins group from the domain where the CA's computer account exists and could also contain the forest root domain's Enterprise Admins group and other...
Post-Installation Configuration
Once the issuing CA is installed, you must ensure that the issuing CA's registry settings are configured correctly. The following assumptions are made regarding the Fabrikam network: All client and server computers are running Windows 2000, Windows XP, or Windows Server 2003 and are members of the Fabrikam.com domain. The issuing CA's certificate and CRL are published in Active Directory, on the issuing CA's Web service, and at an externally accessible Web server. There is a Web server named...
Implementing an Enterprise Root CA
Some organizations do not require the security enhancements of a multi-tier CA hierarchy. They only use a CA to issue certificates for the computers, users, services, and network devices on their network. There is no need for redundancy or to provide a high-assurance trust model. In these circumstances, a CA hierarchy consisting of a single CA can be deployed. An example of this is the CA hierarchy for Margie's Travel. See Figure 6-2. Note: It is always recommended to use Windows Server 2003,...
Modifying Version 1 Certificate Template Permissions
Version 1 certificate templates allow the permission settings for the certificate template to be modified. You cannot modify the contents of a version 1 certificate template, however. Figure 8-1 shows the Security tab for a version 1 certificate template.

[Figure 8-1: the Security tab of a version 1 certificate template (beside the General, Request Handling, Subject Name, and Extensions tabs). The group or user names listed include Corp_Enrollment_agents (REDMOND\Corp_Enrollment_agents), Enterprise Admins (CORP\Enterprise Admins), and OU-ITGCA-Admin (REDMOND\OU-ITGCA-Admin), with the Allow permissions shown for Authenticated Users.]
Name Constraints
Name constraints define the namespaces that are allowed or disallowed in certificates issued by CAs subordinate to the CA that issues the Cross Certification Authority certificate. For example, if you want to implement name constraints on a CA owned by A Datum Corporation, you can define allowed namespaces for all forms of the Adatum.msft domain used in certificates you wish to recognize. This can include the following formats: DirectoryName = "DC=Adatum,DC=msft". Note: You must define each name...
Submitting the Cross Certification Authority Request
Once the CMC certificate request file is generated, it must be submitted to an enterprise CA to request the Cross Certification Authority certificate. The Cross Certification Authority certificate template must be published at the CA where the request is submitted. Use the following procedure to submit the request: 1. Open the Certification Authority console. 2. In the console tree, right-click CAName (where CAName is the name of the enterprise CA), point to All Tasks, and click Submit New...
Revoking a Certificate
To revoke a certificate, a user must be designated as a certificate manager by assigning the user, or a group the user is a member of, the Issue and Manage Certificates permission at the issuing CA. The permission assignment is performed by a CA Administrator or a user assigned the Manage CA permission. You can use the following process to verify the permission assignment: 2. From Administrative Tools, open the Certification Authority console. 3. In the console tree, right-click CAName (where...
Case Study Lucerne Publishing
Figure 16-4 The Lucerne Publishing CA hierarchy. The hierarchy contains two CAs: Lucerne Publishing Americas CA (CA validity period 10 years) and Lucerne Publishing EMEA CA (CA validity period 10 years).
Designing CA Configuration Security Measures
CA configuration security measures refer to the configuration of Certificate Services or the configuration of the Microsoft Windows Server 2003 operating system. Measures you can take to configure CA configuration security include: Defining security templates for both offline and online CAs. Security templates allow you to define a baseline security configuration for a category of server computers, such as CAs. Settings that should be considered for inclusion in a CA security template are: Disable...
Choosing Publication Protocols
Determining the protocols used for CA certificate and CRL retrieval is the first step in choosing publication points. The following protocols are available with Windows Server 2003 PKI: HTTP. The Hypertext Transfer Protocol (HTTP) provides the most flexibility. Almost all client computers have a Web browser installed that allows access to HTTP URLs. The HTTP protocol is also useful when computers that are not members of the forest require access to the CA certificate or CRL. The CA certificate and...