The document provides an overview of new features in Windows Server 2008 Certificate Services compared to Windows Server 2003 Certificate Services. Key changes include Certificate Services now being called Active Directory Certificate Services (ADCS), support for newer cryptographic standards like Suite B, improved revocation checking with OCSP, and the ability to restrict key recovery agents and enrollment agents by template or security group. Overall, Certificate Services is largely the same between versions but Windows Server 2008 and ADCS have additional security improvements and features.

1. Roger A. Grimes Microsoft

2. Presenter BIO Roger A. Grimes CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada PKI installer for over 1o years Taught Microsoft PKI to Verisign Principal Security Architect for Microsoft InfoSec ACE Team InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger 23-year Windows security consultant, instructor, and author Author of seven books on computer security, including: Windows Vista Security: Security Vista Against Malicious Attacks (Wiley, 2007) Professional Windows Desktop and Server Hardening (Dec. 2005) Malicious Mobile Code: Virus Protection for Windows (O’Reilly, 2001) Honeypots for Windows (Apress, December 2004) Author of over 300 national magazine articles on computer security

3. Roger’s Books

4. Presentation Summary Quick PKI Terminology Overview W2K8\R2 New Features Summary Installing a W2K8 PKI CA New Features Review New Ciphers Version 3 Templates Restricted KRA and Enrollment Agents OCSP NDES Web Enrollment Service Cross-Forest Enrollment Clustering

5. Public Key Infrastructure Quick Primer

6. Why PKI? Primarily, PKI exists to authenticate the i dentities and their cryptographic keys involved in cryptographic transactions PKI says to the consumer of PKI certs: If you trust me, then the certificate is who it says it is from and that is their encryption key Principal=subject=user, computer, device, or service Public Key Infrastructure Primer

7. Signed by Trusted CA Self Signed Public Key Infrastructure Primer

8. Components of a PKI Certificate and CA Management Tools Certification Authority Certificate and CRL Distribution Points Certificate Template Digital Certificate Certificate Revocation List Public Key-Enabled Applications and Services

9. Certification Authority (CA) Duties: Main: Confirm identity of certificate requestor Configure Templates and Publish For subjects to enroll against (i.e. request) Issue Certificates Revoke Certificates Public Key Infrastructure Primer

10. Digital encryption keys are just a series of binary bits (1’s and 0’s) used (i.e. mathematically applied) to obscure plaintext content Computers often represent keys as ASCII or hexadecimal characters Today, a typical key size ranges from a few dozen bits to thousands 128-bit to 4096-bit keys are very normal Why can’t a hacker just guess the key? Because with good crypto, brute force guessing would take more than “atoms in the known universe” Public Key Infrastructure Primer

11. Example Digital Encryption Key Public Key Infrastructure Primer

12. Two major types of encryption keys: Symmetric – same key used to lock and unlock Asymmetric – diff key used to lock and unlock Called Private\Public Key Cryptography Most programs using asymmetric ciphers also use symmetric ciphers as part of their encryption process Public Key Infrastructure Primer

13. Popular Public Symmetric Encryption Ciphers Data Encryption Standard (DES) 56-bit strength (64-bit key) Improved versions: 3DES, DESX (DES Extended) Advanced Encryption Standard (AES) Became U.S. gov’t standard in 2002 Windows (and nearly every other OS) standard today 128-bit keys or larger. 256-bit or larger is normal IDEA Blowfish RC4, RC5, CAST-128 Public Key Infrastructure Primer

14. Popular Public Symmetric Encryption Ciphers Most applications should strive to use AES for symmetric encryption Windows XP SP1 and later supports AES If you have XP and don’t have SP1 or later installed, you probably don’t have AES If you can’t use AES: Use 3DES (168-bit key, 112 effective bit length, still FIPS certified); or DESX (184-bit key, 118 effective bits) Don’t use DES (64-bit key, 56-bit effective) anymore Public Key Infrastructure Primer

15. Symmetric key encryption has several benefits over asymmetric encryption: Faster More secure for a stated key size Better tested over time Public Key Infrastructure Primer

16. Asymmetric Cryptography Solves the problem of how to securely transmit the secret key(s) between source and destination, plus adds non-repudiation (when used with hash/signature) Private/public key pair One key is used to encrypt Another key is used to decrypt Keys are mathematically related and unique to each other Public Key Infrastructure Primer

17. Asymmetric Cryptography Private/public key pair Central Point: What one key can encrypt, the other can decrypt Besides the key pair, no other key can decrypt what the other key encrypted All participating parties should have their own key pairs Public Key Infrastructure Primer

18. Asymmetric Cryptography Private key Only single owner/user should possess No one else should ever see Needs to be protected against unauthorized use/viewing/change Public key The “world” can possess and see Public Key Infrastructure Primer

19. Asymmetric crypto Whatever the public key encrypts, the private key can decrypt Encryption Whatever the private key encrypts, the public key can decrypt Signing/Authentication Public Key Infrastructure Primer

20. Popular Public Asymmetric Encryption Ciphers RSA Diffie-Hellman ElGamal DSS/DSA Elliptical Curve Cryptography (ECC) RSA and Diffie-Hellman most popular, but ECC gaining All are supported in today’s Windows OSs by default except ElGamal (which can be added by 3 rd party) Public Key Infrastructure Primer

21. Asymmetric Encryption Example-TLS/SSL Public Key Infrastructure Primer

22. Public Key Infrastructure Primer Mixed Cipher Usage Supported IE Ciphers (XP and before) TLS_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL_CK_DES_64_CBC_WITH_MD5 SSL_CK_RC4_128_EXPORT40_WITH_MD5

23. Mixed Cipher Usage Supported IE Ciphers (Vista and later), in preference order TLS w/RSA w/128-bit AES, then 256-bit AES TLS w/RSA w/RC4, then 3DES TLS w/ECC w/128-bit AES, then 256-bit AES SHA 256-bit to 521-bit TLS w/ECC/RSA w/AES and SHA TLS w/DSS w/128-bit AES, then 256-bit AES Mixture of (mostly) TLS intermingled with SSL

24. Crypto Providers Crypto Providers are software programs that provide cryptographic services, ciphers, and generate cryptographic keys Crypto providers which use the legacy Cryptographic API (CAPI) are called Cryptographic Service Providers (CSPs) Crypto providers that use Cryptographic Next Generation (CNG) API are called Key Storage Providers (KSPs) KSPs appear in Vista and later Public Key Infrastructure Primer

25. Crypto Providers (CSP/KSP) CSPs/KSPs determine what cipher algorithms (e.g. AES, RSA, sizes, etc.) are available to use Windows comes with many default CSPs Prior to Vista, only CSPs by default With Vista and later, both CSPs and KSPs can be used Only Vista and later recognizes KSPs Can use the default ones in Windows or 3 rd party vendors can install their own Often you can choose between Windows defaults or vendor supplied CSP\KSP Public Key Infrastructure Primer

26. Crypto Provider Example To use a smart card: You need a smart card PKI to issue certs to smart card Smart card reader KSP/CSP that works with smart cards Smart card reader and KSP/CSP must be installed where ever you plan to use smart card plus on CA where templates are created or published Public Key Infrastructure Primer

27. Crypto in Microsoft Certificate Services Can use any cipher provided by a Crypto Provider (KSP\CSP) module installed Defaults are: Diffie-Hellman, RSA, ECC DSS MD5, SHA1 AES, DES, 3DES, DESX Public Key Infrastructure Primer

28. Suite B Set of algorithms required by US gov’t starting in 2007 AES 128 and 256, SHA-2 (SHA-256, SHA-384, SHA-512) ECC Vista and later is Suite B compliant Public Key Infrastructure Primer

29. Certificates in Windows Ways to Request Certificates Autoenrollment (XP and above) Automatic Certificate Requests (Windows 2000 machine certs) Certificate Manager (certmgr.msc) GUI Web Enrollment Certreq.exe Programmatically Email (manual process, can be automated) Network Device Enrollment Service (NDES) Manually (sneaker net) Registration Authority (eg. CLM/ILM/FIM)

30. Certificates in Windows PKI Security Statements (In most scenarios) You should have at least two CAs Offline Root and one or more online issuing CAs No other server roles on any CA If your root CA has been connected to your network, it should be considered compromised, and the entire PKI and every valid issued cert replaced

31. W2K8\R2 Certificate Services New Feature Summary

32. Certificate Services 2008 vs. 2003 Main New “Feature” Now known as ADCS Active Directory Certificate Services

33. Certificate Services 2008 vs. 2003 Certificate Services is 90% the same between versions. An admin on one can easily do most of the basics on the other Certificate Services is now a W2K8 server “role” Uses Cryptographic Next Generation API CryptoAPI is legacy (also present) Supports Suite B ciphers Supports version 3 certificate templates With new KSPs and Suite B ciphers

34. Certificate Services 2008 vs. 2003 More Secure W2K8 and Certificate Services is more secure W2K8 is significantly more secure More secure defaults Windows Firewall (enabled by default) Improved ciphers Improved key protection, not that keys were ever compromised in the wild anyway

35. Certificate Services 2008 vs. 2003 Online Certificate Status Protocol Improved revocation checking protocol W2K8 can be an OCSP Responder New CA role service Deployed as an IIS ISAPI application W2K8 is an OCSP client, too, along with Vista and later New OCSP tools

36. Certificate Services 2008 vs. 2003 Restricted KRAs and Enrollment Agents Restricted KRAs Restricted Enrollment Agents In W2K3 KRAs and Enrollment agents were global In W2K8, they can be restricted by template or security group Not available on Standard CA

37. Certificate Services 2008 vs. 2003 Template Changes 2 new default templates Kerberos Authentication (supercedes DC certs) OCSP Response Signing LoadDefaultTemplates=0 Put in CApolicy.inf to prevent auto-publishing of default templates In W2K3 SP1, too (Standalone CAs only)

38. Certificate Services 2008 vs. 2003 Template Changes (con’t) Version 3 Certificate Templates For Vista and later (don’t use with XP and W2K3) Uses new CSPs -CryptoNextGeneration (CNG) New Cryptography tab for detailing crypto V.2.0 templates have a CSP button with less choices Uses AES-256 to transport private key to and from enrollment client (instead of 3DES) New field to allow Network Service to have Read permission to templates Helps machine-based certs in certain scenarios

39. Certificate Services 2008 vs. 2003 Network Device Enrollment Service (NDES) For issuing certs to SCEP-compatible devices Simple Certificate Enrollment Protocol Invented by Cisco Receives and processes SCEP enrollment requests on behalf of software running on network devices. Retrieves pending requests from the CA Generates and provides one-time enrollment passwords to administrators.

40. Certificate Services 2008 vs. 2003 Network Device Enrollment Service (NDES) (con’t) Now a built-in role Was a W2K3 add-on called MSCEP Runs as an IIS ISAPI app Can run on non-CA servers Enhanced security For example, can require a password Wide range of template use Can now renew NDES certs

41. Certificate Services 2008 vs. 2003 Web Enrollment Website Updated Some good and interesting changes Now easier to put on non-CA server Uses Certenroll.dll instead of xenroll.dll Pre-Vista OS must use older dll Can install both on web enrollment server Unfortunately, does not support some new features (like KSP, v.3 templates, Suite B, etc.) Web enrollment web site included by Microsoft is probably being discontinued

42. Certificate Services 2008 vs. 2003 Supports Issuer Distribution Point (IDP) for partitioned CRLs Credential Roaming built-in (client-side) Requires schema updates on older domains Supports clustering (W2K3 and earlier didn’t) Replaceable random number generator Better auditing

43. Certificate Services 2008 vs. 2003 Client-can enroll on behalf of someone else You can rename CA servers now New template field to allow Network Service to have Read permission to templates Helps machine-based certs in certain scenarios

44. Certificate Services 2008 vs. 2003 DiscreteSignatureAlgorithm Support for newer PKCS#1 V2.1 signature format for CA certificate (Vista and later) 3 new assurance levels besides low, medium, and high KRA-archived keys can be protected by AES instead of 3DES New Microsoft smart card KSP (in Vista, too) Supports date setting during revocation

45. Certificate Services 2008 vs. 2003 Tools Supports Powershell PKIView.msc built-in now Used to have to install separately Improved functionality and bug fixes Supports CAPI2 diagnostics More tools, more scripts available Bad: Key Recovery Tool gui gone Use certutil.exe instead

46. Certificate Services 2008 vs. 2003 Pushing Certs Using GPO Trusted root CA certificates (W2K3 too) Enterprise trust certificates (W2K3 too) Intermediate CA certificates Trusted publisher certificates Untrusted certificates Trusted people (peer trust certificates)

47. New W2K8 R2 Features

48. Certificate Services 2008 vs. 2003 W2K8R2 Certificate Enrollment Services (CES) Don’t confuse with web enrollment web site! Website enrollment is for browser interactive sessions Problem to Solve: All legacy enrollment services required RPC and DCOM, and lots of open RPC ports Even web enrollment web site uses DCOM to back-end CA Firewall nightmare Didn’t work well across the Internet, forests, non-domain joined machines, etc.

49. Certificate Services 2008 vs. 2003 W2k8 R2 Certificate Enrollment Services (con’t) New method is a web service, less interactive Uses TLS over 443 New method works well in almost all scenarios (if the client enrollment process uses the new enrollment method) Windows 7\W2K8R2 and later Uses two new services: Certificate Enrollment Policy Web Service the policy service Certificate Enrollment Web Service the enrollment service

50. Certificate Services 2008 vs. 2003 W2k8 R2 Certificate Enrollment Services (con’t) Certificate Enrollment Web Service Provides enrollment services, main service Certificate Enrollment Policy Web Service Client contacts to get certificate policy information consisting of the types of certificates it can enroll for, which enrollment services to contact to enroll for them, and what type of authentication to use for each service. The client must first be configured with information about which policy server(s) to contact and how to authenticate to them

51. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) Once configured, during interactive enrollments, you’ll see this

52. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) CES are server roles

53. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) Service Uses SSL\TLS

54. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) Service Uses SSL\TLS

55. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) Clients must be configured to connect to web site

56. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) CES must be linked to issuing CA

57. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) CES web site(s)

58. Common Web Service Scenario

59. Certificate Services 2008 vs. 2003 W2k8 R2 Enrollment Services (con’t) Can configure client auth method

60. Certificate Services 2008 vs. 2003 New R2 Stuff Support cross-forest servicing Old CA versions required separate PKI per forest; or limited service using cross-forest trusts and lots of pre-work Didn’t work well off-intranet New version can support multiple forests with one PKI Works well off-net But requires cross-forest trusts, Kerberos auth, and Win7\W2K8R2 or later clients

61. Cross Forest Servicing

62. Certificate Services 2008 vs. 2003 New R2 Stuff Supports “renewal-only” mode for Internet-facing CAs Using Certificate Enrollment Service Supports static port 80 CA interactions (Enrollment/renewal/revocation) Supports internet clients for enrollment/renewal/revocation when off the corporate network (great for mobile users)

63. Certificate Services 2008 vs. 2003 Is A Schema Update Needed for W2K8 CAs? Schema update not needed to use almost all functionality of W2K8 CA Schema update needed for Credential Roaming support, or CLM/ILM/FIM ACL update (using adprep /forestprep) on Domain Controller template to let RODC get issued DC certs)

64. Installing ADCS

65. Install W2K8 CA Unfortunately, still need to place a CAPolicy.inf file on CA server before installing Microsoft Certificate Services

66. CAPolicy.inf File Example - Bare Minimum for Issuing CA [Version] Signature= "$Windows NT$" [Certsrv_Server] RenewalKeyLength=4096 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=10 [CRLDistributionPoint] URL = “LDAP:///CN=%7,CN=CDP,CN=Public Key Services, CN=Services,%6,%10” URL = http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl URL = “http://www.contoso.com/PKI/IssuingCA1.crl” [AuthorityInformationAccess] URL = “LDAP:///CN=%7,CN=AIA,CN=Public Key Services, CN=Services,%6,%11” URL = “http://www.contoso.ad/PKI/ContosoCA.cer”

67. Install W2K8 CA In Configuration Task wizard and click on Add roles Microsoft Certificate Services

68. Installing Microsoft Certificate Services Install W2K8 CA Click Next Microsoft Certificate Services

69. Installing Microsoft Certificate Services Install W2K8 CA Click on Active Directory Certificate Server and Next Microsoft Certificate Services

70. Installing Microsoft Certificate Services Install W2K8 CA Click on Next Microsoft Certificate Services

71. Installing Microsoft Certificate Services Install W2K8 CA Keep default of Certification Authority and Next Microsoft Certificate Services

72. Installing Microsoft Certificate Services Install W2K8 CA Accept default of Standalone and click on Next Microsoft Certificate Services

73. Installing Microsoft Certificate Services Install W2K8 CA Accept default of Root CA and click on Next Microsoft Certificate Services

74. Installing Microsoft Certificate Services Install W2K8 CA Accept default and click on Next Microsoft Certificate Services

75. Installing Microsoft Certificate Services Install W2K8 CA Use the options shown here and click on Next Microsoft Certificate Services

76. Installing Microsoft Certificate Services Install W2K8 CA Type in a better Common Name and then Next Microsoft Certificate Services

77. Installing Microsoft Certificate Services Install W2K8 CA Change validity period to 20 years and then Next Microsoft Certificate Services

78. Installing Microsoft Certificate Services Install W2K8 CA Accept the default locations and click on Next Microsoft Certificate Services

79. Installing Microsoft Certificate Services Install W2K8 CA Select Install Microsoft Certificate Services

80. Installing Microsoft Certificate Services Install W2K8 CA Wait while it installs... Microsoft Certificate Services

81. Installing Microsoft Certificate Services Install W2K8 CA Click Close to end install Microsoft Certificate Services

82. Installing Microsoft Certificate Services Install W2K8 CA Confirm new and only role is installed, then Close Microsoft Certificate Services

83. Installing Microsoft Certificate Services Open the Certification Authority console under Administrative Tools to verify the install. Microsoft Certificate Services

84. Version 3.0 Templates

85. Certificate Template Version 3 A certificate based on a version 3 certificate template can only be issued by an enterprise CA running on Windows Server 2008 (or later), Enterprise Edition. Version 3 templates contain more options, and stronger crypto Version 3 templates can only be published on W2K8 CAs V3 templates do not work with Windows OSs prior to Windows Vista Microsoft Certificate Services

86. Certificate Template Version 3 Windows 2000, XP, and 2003 will not enroll against V3 templates Only Vista and later understands SHA-2 hashes and ECC ciphers XP SP3 can verify certificates containing SHA-256 ciphers, but not all applications can, so be careful in using any cipher above SHA-1 V3 templates will not show up on web enroll site **To be safe, only use V3 templates with Windows Vista and later Microsoft Certificate Services

87. Creating Certificate Templates Choose what version template you want to create Version 2 Version 3

88. New Certificate Template Attribute Add Read permissions to Network Service on the private key... (version 3.0 and later templates only)

89. New Certificate Template Attribute Cryptography tab (version 3.0 templates and later)

90. Certificate Revocation CRLs and OCSP

91. Certificate Revocation Certificate Revocation Used to indicate digital certificate is invalid Any revoked certificate is to be considered (very) untrusted App may “break” if it can’t find revocation point or revocation is negative Unfortunately, certificate revocation doesn’t always work (not all applications or users check for revocation)

92. Certificate Revocation Certificate Revocation Certificates are revoked when: CA or other CAs in path (e.g. issuing) have been compromised Entity issued certificate is discovered to be a fraud To prematurely end certificate’s useful life For any other reason the CA wants (e.g. customer didn’t pay their bill)

93. Certificate Revocation Checking Certificate Revocation In order for revocation to be checked, the certificate being verified must include valid revocation information (e.g. revocation list location, etc.) and the resulting information must be reachable by the client/application investigating Called certificate chaining Certificate information is usually checked back to just before Root CA (root is offline)

94. Certificate Revocation Certificate Revocation Revocation checking not always done, depends on the PKI-participating application and/or its settings Sometimes even when it is done/required, application only reports if certificate is revoked (and not, unfortunately, if the revocation information can’t be confirmed) But can also cripple your organization if revocation is not working!!!

95. Certificate Revocation Certificate Revocation Some Apps Allow Turning On and Off

96. Certificate Revocation Certificate Revocation In IE (with revocation checking enabled), if the cert’s revocation information isn’t valid or reachable, IE won’t report an error by default Although when using Secure Socket Tunneling Protocol (SSTP), IE will check and absolutely require correct revocation information in the VPN server’s cert

97. Certificate Revocation Checking Certificate Revocation Ways Revocation Can Be Checked Certificate Revocation List (CRL) Full and deltas Online Certificate Status Protocol (OCSP) Application checks (depends on app) Manually using Certutil.exe Programmatically Stored locally in revocation database

98. Certificate Revocation Certificate Revocation List (CRL) List of revoked certificates ( revocation ). CRL is placed at CDP ( CRL distribution point) so clients can check. CDP is hard wired into certificate CRL’s can be published to Active Directory so it is available to everyone. CRLs can be full base or delta . HTTP references should not be HTTPS-enabled Microsoft Certificate Services

99. OCSP OCSP (RFC 2560) Online Certificate Status Protocol Replacement for older CRL revocation checking method OCSP Responder collects CRL entries and stores them in a database Can be queried for a particular cert Allows OCSP clients (Vista and later) to quickly query/verify certificate status, instead of relying on and downloading entire CDP/CRL.

100. OCSP OCSP (RFC 2560) Online Certificate Status Protocol OCSP Online Responder Service can be installed stand-alone or on CA W2K8 server OCSP Responder available for Windows Server 2008, but can respond for W2K3 also

101. OCSP Basic OCSP Setup

102. OCSP Process Bob gets certificate/public key from Alice Alice’s digital certificate contains OCSP extension Bob sends fingerprint of Alice’s public key to Alice’s defined OCSP responder OCSP responder confirms status (success or revoked) or sends backup unknown message OCSP sends back signed OCSP response Bob reads status and handles accordingly

103. OCSP More Complex OCSP Setup

104. OCSP (RFC 2560) con’t OCSP uses HTTP OCSP Responder location should be hardcoded into OCSP-enabled digital certificates in AIA location OCSP Standard can connect directly to CA database or use CRLs Windows OCSP relies on CA CRLs Client must be OCSP-aware and be able to reach OCSP responder

105. OCSP (RFC 2560) con’t Vista/W2K8 and later has OCSP client built in and will resolve using OCSP first vs. CRLs Legacy clients will need to use 3 rd party OCSP client W2K8 can serve as an OCSP Responder for W2K8/W2K3 servers OCSP Responder was a separate download in W2K3

106. OCSP Online Certificate Status Protocol Application must be coded to look for OCSP extension in certificate IE 7 and later, on Vista and later All versions of Firefox support OCSP, v.3.0 turns it on by default Safari and Opera support it Google’s Chrome does not (as of 3/09)

107. OCSP Online Certificate Status Protocol By default: OCSP will be checked first if OCSP extension is found If no OCSP response, then CRL tried Default behavior can be reversed

108. OCSP Online Certificate Status Protocol Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings Microsoft Certificate Services

109. OCSP Installing OCSP Configure OCSP Response Signing Certificate Template and Publish Modify AIA on Issuing CA to point to OCSP Responder virtual directory Install OCSP Responder and configure Test

110. OCSP Publish OCSP Response Signing Certificate Logon to W2K8IssuingCA1 as local Administrator and start Certification Authority console

111. OCSP Publish OCSP Response Signing Certificate Right-click Certificate Templates and choose Manage

112. OCSP Publish OCSP Response Signing Certificate Right-click the OCSP Response Signing template and choose Duplicate Template

113. OCSP Publish OCSP Response Signing Certificate Choose Windows Server 2008, Enterprise Edition and then select OK

114. OCSP Publish OCSP Response Signing Certificate Type in a new template name and then click on the Security tab.

115. OCSP Publish OCSP Response Signing Certificate On the security tab, add the W2K8IssuingCA1 computer account (as OCSP Responder)

116. OCSP Publish OCSP Response Signing Certificate Give Read and Enroll permissions to the W2K8IssuingCA1 computer account, OK, then Close

117. OCSP Publish OCSP Response Signing Certificate In the Certification Authority console, right-click Certificate Templates , New , Certificate Template to Issue

118. OCSP Publish OCSP Response Signing Certificate Select the new OCSP certificate template and then OK

119. OCSP Publish OCSP Response Signing Certificate Minimize or close the Certification Authority console

120. OCSP Publish OCSP Response Signing Certificate At the command prompt on the CA server, type: certutil –setreg CA\UseDefinedCACertInRequest 1 Close prompt Restart the CA service

121. OCSP Installing OCSP You need to install OCSP Responder service, and then configure a Revocation Provider Configuration entry for each Revocation Provider that you want the OCSP Responder to respond for

122. OCSP Installing OCSP Logon to W2K8IssuingCA1 as local Administrator and start Server Manager . Choose Add Role Services

123. OCSP Installing OCSP Select Online Responder and then Next

124. OCSP Installing OCSP Choose Install

125. OCSP Installing OCSP If you install IIS 7 separately, the following IIS/Web Server components are required: Common HTTP Features: Static Content, ,Default Document, Directory Browsing, Http Errors, Http Redirection Application Development: .NET Extensibility, ISAPI Extensions Health and Diagnostics: Http Logging, Logging Tools, Request Monitor, Tracing Security: Request Filtering Performance: Static Content Compression Management Tools: IIS Management Console, IIS 6 Management Compatibility, IIS Metabase Compatibility

126. OCSP Installing OCSP Choose Close and close Server Manager

127. OCSP Installing OCSP Choose Start , Administrative Tools and Online Responder Management Microsoft Certificate Services

128. OCSP Installing OCSP Right-click Revocation Configuration

129. OCSP Installing OCSP And choose Add Revocation Configuration

130. OCSP Installing OCSP Click on the Next button

131. OCSP Installing OCSP Type in a name and then the Next button

132. OCSP Installing OCSP Keep the default option and then choose Next

133. OCSP Installing OCSP Keep the default option and then choose Browse

134. OCSP Installing OCSP Select W2K8IssuingCA1 and then choose OK

135. OCSP Installing OCSP Click on Next Microsoft Certificate Services

136. OCSP Installing OCSP Select correct template and the click on Next

137. OCSP Installing OCSP Click on Finish

138. OCSP Installing OCSP Confirm Revocation Configuration Status by clicking on revocation configuration object and choosing Edit Properties

139. OCSP Installing OCSP Review Revocation Configuration, confirm Base CRLs and then click OK. (No need to define deltas)

140. OCSP Installing OCSP Example Certificate with OCSP Extension

141. OCSP Installing OCSP Right-click OCSP server name and choose Responder Properties

142. OCSP Installing OCSP On the Audit tab, enable all auditing options, OK

143. OCSP Installing OCSP Give Enterprise PKI Publishers Manage Online Responder and Read permissions, then OK Microsoft Certificate Services

144. OCSP Installing OCSP Close the OCSP Responder console

145. OCSP Installing OCSP Confirm Windows Firewall has inbound rules for OCSP

146. OCSP Configure OCSP Extensions Open up Certification Authority console

147. OCSP Configure OCSP Extensions Right-click on CA name and choose Properties

148. OCSP Configure OCSP Extensions Click on the Add button under the Extensions tab and choose the AIA extension option

149. OCSP Configure OCSP Extensions Add http://W2K8IssuingCA1.contoso.ad/ocsp and enable both AIA and OCSP options, then OK

150. OCSP Configure OCSP Extensions Close or minimize the Certification Authority console

151. OCSP Testing OCSP PKIView.msc (W2K8 or later) Generate a new cert and verify correct http path in OCSP extension in the AIA extension Force CRL checking in application using certificate Certutil –verify <certname>

152. OCSP OCSP Arrays It is easy to create a fault-tolerant array of OCSP Responders Enable Network Load Balance (NLB) service Define OCSP extension with a name that will resolve with the NLB’s cluster IP address Then defined in the Array Configuration option in the OCSP Responder gui

153. OCSP Is Schema Update Needed? W2K3 AD schema or later is needed for OCSP W2K8 schema update is not needed if schema has been updated to W2K3 A Windows 2000 domain is OK, as long as the AD schema has been upgraded to Windows 2003 AD schema. Need at least one W2K8 server joined to the domain, and to have a domain admin execute the template snap-in from the Windows 2008 server to get the new OCSP Responder Signing template(s) installed in AD.

154. OCSP For More Reading http://technet.microsoft.com/en-us/library/cc770413.aspx Questions?

155. Fault Tolerance, Backup and Disaster Recovery

156. Fault Tolerance When would end-users notice a problem? If Issuing CAs are down: When users request new cert or try to renew expiring cert If AIA or CDP publication points are down: When application end-user is using checks certificate revocation

157. Fault Tolerance Required Always have a minimum of two issuing CAs with same templates published CAs should have fault-tolerant disks CRLs should be redundant Internally redundant LDAP, and multiple http locations? Externally redundant, if certs used externally OCSP Responders should be redundant Microsoft Certificate Services

158. Fault Tolerance Optional Clustering Redundant hardware? Cold standby? Virtual machine standby? Microsoft Certificate Services

159. Fault Tolerance CA Clustering Microsoft Certificate Services

160. Fault Tolerance CA Clustering Available in Windows Server 2008 Enterprise edition Only supports two-node Active/Passive cluster Must share same database and log files Can’t mix W2K8 and W2K3 Many HSMs support clustering Must load balance (using NLB, etc.) other things: CDP, OCSP Responders, NDES, web enrollment, etc. Microsoft Certificate Services

161. Fault Tolerance Why Clustering? If multiple issuing CA servers can issue the same types of certs, why cluster CA servers? Answer: They don’t issue the same certs or share the same database Can’t revoke a cert you can’t “find” If one goes down, there can be problems when base or delta CRLs expire (can break the revocation chain and break applications that depend on revocation checking Microsoft Certificate Services

162. Enrolling on Behalf of Another User

163. Certificate Request Wizard Enrolling on Behalf of Another User Useful for: Smart card certificates S/MIME certificates Enrolling for offline users and computers Certificate Services

164. Certificate Request Wizard Enrolling on Behalf of Another User Must already have Enrollment Agent cert Can also issue Enrollment Workstation certificate and require that Enrollment Agents be logged on at approved Enrollment workstations to enroll on the behalf of others Certificate Services

165. Certificate Request Wizard Enrolling on Behalf of Another User Must already have Enrollment Agent cert Certificate Services

166. Certificate Request Wizard Enrolling on Behalf of Another User Must already have Enrollment Agent cert Certificate Services

167. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

168. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

169. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

170. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

171. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

172. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

173. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

174. Certificate Request Wizard Enrolling on Behalf of Another User Certificate Services

175. e: rogrim@microsoft.com New PKI Features Questions