
The New Rocket Science Stuff in Microsoft PKI


Roger Grimes


  1. Title slide: Roger A. Grimes, Microsoft
  2. Presenter Bio
     - Roger A. Grimes
     - CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
     - PKI installer for over 10 years
     - Taught Microsoft PKI to Verisign
     - Principal Security Architect for Microsoft InfoSec ACE Team
     - InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
     - 23-year Windows security consultant, instructor, and author
     - Author of seven books on computer security, including:
       - Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
       - Professional Windows Desktop and Server Hardening (Dec. 2005)
       - Malicious Mobile Code: Virus Protection for Windows (O'Reilly, 2001)
       - Honeypots for Windows (Apress, December 2004)
     - Author of over 300 national magazine articles on computer security
  3. Roger's Books (image slide)
  4. Presentation Summary
     - Quick PKI Terminology Overview
     - W2K8R2 New Features Summary
     - Installing a W2K8 PKI CA
     - New Features Review
       - New Ciphers
       - Version 3 Templates
       - Restricted KRA and Enrollment Agents
       - OCSP
       - NDES
       - Web Enrollment Service
       - Cross-Forest Enrollment
       - Clustering
  5. Public Key Infrastructure Quick Primer
  6. Why PKI?
     - Primarily, PKI exists to authenticate the identities, and the cryptographic keys, involved in cryptographic transactions
     - PKI says to the consumer of a cert: if you trust me (the CA), then this certificate belongs to the subject it names, and this is that subject's public key
       - Principal = subject = user, computer, device, or service
  7. Signed by Trusted CA vs. Self-Signed (image slide)
  8. Components of a PKI (diagram): Certificate and CA Management Tools; Certification Authority; Certificate and CRL Distribution Points; Certificate Template; Digital Certificate; Certificate Revocation List; Public Key-Enabled Applications and Services
  9. Certification Authority (CA) Duties
     - Main: confirm the identity of the certificate requestor
     - Configure and publish templates for subjects to enroll against (i.e. request)
     - Issue certificates
     - Revoke certificates
  10. Keys
     - Digital encryption keys are just a series of binary bits (1s and 0s) that are mathematically applied to obscure plaintext content
       - Computers often display keys as ASCII, Base64, or hexadecimal characters
     - Today, a typical key size ranges from a few dozen bits to thousands
       - 128-bit (symmetric) to 4096-bit (RSA) keys are very normal; the numbers are not comparable across algorithm types
     - Why can't a hacker just guess the key?
       - Because with good crypto, brute-force guessing would take more trials than there are atoms in the known universe
  11. Example Digital Encryption Key (image slide)
  12. Two major types of encryption keys
     - Symmetric: the same key locks and unlocks
     - Asymmetric: a different key locks than unlocks
       - Called private/public key cryptography
     - Most programs using asymmetric ciphers also use symmetric ciphers as part of their encryption process: the asymmetric cipher protects a symmetric session key, the symmetric cipher protects the bulk data
  13. Popular Symmetric Encryption Ciphers
     - Data Encryption Standard (DES)
       - 56-bit strength (64-bit key, 8 bits of which are parity)
       - Improved versions: 3DES, DESX (DES Extended)
     - Advanced Encryption Standard (AES)
       - Became the U.S. gov't standard in 2002
       - Windows (and nearly every other OS) standard today
       - 128-, 192-, or 256-bit keys (the only key sizes AES defines)
     - IDEA
     - Blowfish
     - RC4, RC5, CAST-128
  14. Popular Symmetric Encryption Ciphers (con't)
     - Most applications should strive to use AES for symmetric encryption
     - Windows XP SP1 and later supports AES
       - If you have XP without SP1 or later installed, you probably don't have AES
     - If you can't use AES:
       - Use 3DES (168-bit key, 112 effective bits, still FIPS certified); or
       - DESX (184-bit key, about 118 effective bits)
     - Don't use DES (64-bit key, 56-bit effective) anymore
  15. Symmetric key encryption has several benefits over asymmetric encryption
     - Faster
     - More secure for a stated key size
     - Better tested over time
  16. Asymmetric Cryptography
     - Solves the problem of how to securely transmit the secret key(s) between source and destination, and adds non-repudiation (when used with a hash and signature)
     - Private/public key pair
       - One key is used to encrypt
       - The other key is used to decrypt
       - The keys are mathematically related and unique to each other
  17. Asymmetric Cryptography (con't)
     - Private/public key pair
       - Central point: what one key encrypts, only the other can decrypt
       - Besides the key pair, no other key can decrypt what one of them encrypted
       - All participating parties should have their own key pairs
  18. Asymmetric Cryptography (con't)
     - Private key
       - Only the single owner/user should possess it
       - No one else should ever see it
       - Needs to be protected against unauthorized use, viewing, or change
     - Public key
       - The "world" can possess and see it
  19. Asymmetric Cryptography (con't)
     - Whatever the public key encrypts, the private key can decrypt
       - Encryption (confidentiality)
     - Whatever the private key "encrypts", the public key can "decrypt"
       - Signing/Authentication (strictly, the private key signs a hash of the data and the public key verifies the signature; the "encrypt with the private key" picture fits RSA, not DSA or ECDSA)
  20. Popular Asymmetric Encryption Ciphers
     - RSA
     - Diffie-Hellman
     - ElGamal
     - DSS/DSA
     - Elliptic Curve Cryptography (ECC)
     - RSA and Diffie-Hellman most popular, but ECC gaining
     - All are supported in today's Windows OSs by default except ElGamal (which can be added by a third party)
  21. Asymmetric Encryption Example: TLS/SSL (image slide)
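Slides 12 and 16 through 19 describe hybrid use of the two key types (a symmetric cipher for the data, the asymmetric cipher to carry the symmetric key and to sign) without showing it. The following is an added example, not from the deck, that does both with the .NET crypto classes from PowerShell (5.1 on .NET Framework 4.6 or later, or PowerShell 7). The names Alice and Bob and the message text are constructed for the demo; no certificate, CA, or key store is involved.

```powershell
# Added example (not from the presentation). Hybrid encryption + signature using RSA and
# AES via .NET classes. Everything is in-memory; parties and message are constructed.

# Key pairs. Only the owner ever holds the full object; everyone else gets a public-only copy.
$aliceKey = [System.Security.Cryptography.RSA]::Create(2048)
$alicePub = [System.Security.Cryptography.RSA]::Create()
$alicePub.ImportParameters($aliceKey.ExportParameters($false))   # $false = public parameters only

$bobKey = [System.Security.Cryptography.RSA]::Create(2048)
$bobPub = [System.Security.Cryptography.RSA]::Create()
$bobPub.ImportParameters($bobKey.ExportParameters($false))

$oaep   = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$pss    = [System.Security.Cryptography.RSASignaturePadding]::Pss
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256

# ---- Alice sends to Bob ----------------------------------------------------
$message = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message from Alice to Bob')

# 1. Bulk data goes under a fresh random AES-256 key (the fast symmetric cipher, slide 15).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($message, 0, $message.Length)

# 2. Key transport: Bob's PUBLIC key wraps the AES key. Only Bob's private key can unwrap it.
$wrappedKey = $bobPub.Encrypt($aes.Key, $oaep)

# 3. Authentication: Alice's PRIVATE key signs a SHA-256 hash of the ciphertext.
$signature = $aliceKey.SignData($ciphertext, $sha256, $pss)

# What travels: $ciphertext, $aes.IV (not secret), $wrappedKey, $signature.

# ---- Bob receives ----------------------------------------------------------
# Anyone holding Alice's public key can verify; nobody can forge without her private key.
$sigOk = $alicePub.VerifyData($ciphertext, $signature, $sha256, $pss)

$aesKey = $bobKey.Decrypt($wrappedKey, $oaep)
$dec = [System.Security.Cryptography.Aes]::Create()
$dec.Key = $aesKey
$dec.IV  = $aes.IV
$plainBytes = $dec.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
$plain = [System.Text.Encoding]::UTF8.GetString($plainBytes)

"Signature valid : $sigOk"
"Decrypted       : $plain"

# Flipping one bit of the ciphertext makes verification fail.
$tampered = [byte[]]$ciphertext.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Tampered valid  : $($alicePub.VerifyData($tampered, $signature, $sha256, $pss))"

# The public-only object cannot perform the private-key operation (throws).
try {
    $bobPub.Decrypt($wrappedKey, $oaep) | Out-Null
} catch {
    "Public key alone cannot unwrap the AES key: $($_.Exception.Message)"
}
```

OAEP and PSS are the modern RSA paddings; the PKCS#1 v1.5 variants also exist in these classes but are what the older CSP-based Windows code used.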
  22. Mixed Cipher Usage
     - Supported IE cipher suites (XP and before); note the export-grade and single-DES suites, all broken today
       - TLS_RSA_WITH_DES_CBC_SHA
       - TLS_DHE_DSS_WITH_DES_CBC_SHA
       - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
       - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
       - TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
       - TLS_RSA_EXPORT_WITH_RC4_40_MD5
       - SSL_CK_DES_64_CBC_WITH_MD5
       - SSL_CK_RC4_128_EXPORT40_WITH_MD5
  23. Mixed Cipher Usage (con't)
     - Supported IE cipher suites (Vista and later), in preference order
       - TLS with RSA and 128-bit AES, then 256-bit AES
       - TLS with RSA and RC4, then 3DES
       - TLS with ECC (ECDHE/ECDSA) and 128-bit AES, then 256-bit AES
         - SHA-256/SHA-384 hashes with the P-256, P-384, and P-521 curves
       - TLS with ECDHE key exchange, RSA certificates, AES, and SHA
       - TLS with DSS and 128-bit AES, then 256-bit AES
     - A mixture of (mostly) TLS intermingled with SSL
  24. Crypto Providers
     - Crypto providers are software modules that provide cryptographic services and ciphers and generate cryptographic keys
     - Crypto providers that use the legacy Cryptographic API (CAPI) are called Cryptographic Service Providers (CSPs)
     - Crypto providers that use the Cryptography Next Generation (CNG) API are called Key Storage Providers (KSPs)
       - KSPs appear in Vista and later
  25. Crypto Providers (CSP/KSP)
     - CSPs/KSPs determine what cipher algorithms (e.g. AES, RSA, key sizes, etc.) are available to use
     - Windows comes with many default CSPs
       - Prior to Vista, only CSPs were available
       - With Vista and later, both CSPs and KSPs can be used
       - Only Vista and later recognizes KSPs
       - Can use the default ones in Windows, or third-party vendors can install their own
     - Often you can choose between Windows defaults or a vendor-supplied CSP/KSP
  26. Crypto Provider Example
     - To use a smart card you need:
       - A smart card
       - A PKI to issue certs to the smart card
       - A smart card reader
       - A KSP/CSP that works with the smart card
     - The smart card reader and KSP/CSP must be installed wherever you plan to use the smart card, plus on the CA where the templates are created or published
  27. Crypto in Microsoft Certificate Services
     - Can use any cipher provided by an installed crypto provider (KSP/CSP) module
     - Defaults are:
       - Diffie-Hellman, RSA, ECC
       - DSS
       - MD5, SHA-1 (and SHA-2 on W2K8 via the KSPs)
       - AES, DES, 3DES, DESX
  28. Suite B
     - Set of algorithms specified by the NSA for U.S. gov't use, adopted starting in 2007
       - AES 128 and 256
       - SHA-2 (SHA-256, SHA-384)
       - ECC (ECDH and ECDSA on the P-256 and P-384 curves)
     - Vista and later is Suite B compliant
  29. Certificates in Windows: Ways to Request Certificates
     - Autoenrollment (XP and above)
     - Automatic Certificate Requests (Windows 2000 machine certs)
     - Certificate Manager (certmgr.msc) GUI
     - Web Enrollment
     - Certreq.exe
     - Programmatically
     - Email (manual process, can be automated)
     - Network Device Enrollment Service (NDES)
     - Manually (sneaker net)
     - Registration Authority (e.g. CLM/ILM/FIM)
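Slide 29 lists Certreq.exe as one enrollment path but does not show it. Here is an added example, not from the deck, of a complete manual enrollment with certreq.exe driven from PowerShell. Assumptions for the demo: an enterprise CA named "Contoso Issuing CA 1" on CA01.contoso.ad with a template named WebServer published, and a host called web01.contoso.ad; the INF file is constructed for the example and uses the real certreq INF syntax.

```powershell
# Added example (not from the presentation): manual enrollment with certreq.exe.
# Assumed: CA "Contoso Issuing CA 1" on CA01.contoso.ad, published template "WebServer",
# host web01.contoso.ad. Run elevated ON the host that needs the certificate, so the
# private key is generated there and never leaves it.
$caConfig = 'CA01.contoso.ad\Contoso Issuing CA 1'    # CA config string: host\CA common name
$work = Join-Path $env:TEMP 'web01-enroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$csr = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

@'
[NewRequest]
Subject = "CN=web01.contoso.ad,O=Contoso,C=US"
; A KSP (CNG) provider. Pre-Vista/2003 clients would need a CSP, e.g.
; "Microsoft RSA SChannel Cryptographic Provider", and a v1/v2 template.
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; Key goes into the machine store so services (IIS etc.) can use it.
MachineKeySet = true
; Non-exportable: usable here, cannot be copied out later.
Exportable = false
; 0xA0 = digitalSignature (0x80) | keyEncipherment (0x20)
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
; subjectAltName (OID 2.5.29.17): browsers match the SAN, not the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=web01.contoso.ad&"
_continue_ = "dns=www.contoso.com&"

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair locally and write a PKCS#10 request.
certreq.exe -new $inf $csr
if ($LASTEXITCODE) { throw "certreq -new failed ($LASTEXITCODE)" }

# 2. Submit to the CA over RPC/DCOM (the path that CES on W2K8 R2 replaces for off-network
#    clients). The output reports either "Certificate retrieved(Issued)" or "(Pending)".
certreq.exe -submit -config $caConfig $csr $cer
if ($LASTEXITCODE) { throw "certreq -submit failed ($LASTEXITCODE)" }
if (-not (Test-Path $cer)) {
    throw "No certificate returned. If the template needs CA manager approval, fetch it later with: certreq -retrieve -config `"$caConfig`" <RequestId> $cer"
}

# 3. Bind the issued certificate to the waiting private key in the machine store.
certreq.exe -accept $cer
if ($LASTEXITCODE) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Confirm: HasPrivateKey must be True, otherwise step 3 did not find the matching key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=web01.contoso.ad*' } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

The same INF, minus the CertificateTemplate attribute, produces a request a standalone CA or an external CA can sign; what changes is only the submit step.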
  30. Certificates in Windows: PKI Security Statements
     - (In most scenarios) you should have at least two CAs
       - An offline root and one or more online issuing CAs
     - No other server roles on any CA
     - If your root CA has ever been connected to your network, treat it as compromised: rebuild the entire PKI and replace every valid issued cert
  31. W2K8R2 Certificate Services New Feature Summary
  32. Certificate Services 2008 vs. 2003
     - Main new "feature": now known as ADCS
       - Active Directory Certificate Services
  33. Certificate Services 2008 vs. 2003
     - Certificate Services is 90% the same between versions; an admin on one can easily do most of the basics on the other
     - Certificate Services is now a W2K8 server "role"
     - Uses the Cryptography Next Generation (CNG) API
       - CryptoAPI is legacy (also present)
     - Supports Suite B ciphers
     - Supports version 3 certificate templates
       - With new KSPs and Suite B ciphers
  34. Certificate Services 2008 vs. 2003: More Secure
     - W2K8 and Certificate Services are more secure
       - W2K8 is significantly more secure
       - More secure defaults
       - Windows Firewall (enabled by default)
       - Improved ciphers
       - Improved key protection (CNG key isolation keeps private keys out of the calling process)
  35. Certificate Services 2008 vs. 2003: Online Certificate Status Protocol
     - Improved revocation checking protocol
     - W2K8 can be an OCSP responder
       - New CA role service
       - Deployed as an IIS ISAPI application
     - W2K8 is an OCSP client too, along with Vista and later
     - New OCSP tools
  36. Certificate Services 2008 vs. 2003: Restricted KRAs and Enrollment Agents
     - Restricted KRAs
     - Restricted Enrollment Agents
       - In W2K3, KRAs and enrollment agents were global
       - In W2K8, they can be restricted by template or security group
       - Not available on a Standard edition CA
  37. Certificate Services 2008 vs. 2003: Template Changes
     - 2 new default templates
       - Kerberos Authentication (supersedes the older DC cert templates)
       - OCSP Response Signing
     - LoadDefaultTemplates=0
       - Put in CAPolicy.inf to prevent auto-publishing of the default templates when an enterprise CA is installed
       - Also works on W2K3 SP1 (enterprise CAs; standalone CAs do not use templates at all)
  38. Certificate Services 2008 vs. 2003: Template Changes (con't)
     - Version 3 certificate templates
       - For Vista and later (don't use with XP and W2K3)
       - Use the new KSPs (Cryptography Next Generation, CNG) instead of CSPs
     - New Cryptography tab for detailing crypto
       - V2 templates have a CSP button with fewer choices
     - Uses AES-256 instead of 3DES to protect the private key in transit between the enrollment client and the CA (key archival)
     - New field to allow Network Service to have Read permission on the private key
       - Helps machine-based certs in certain scenarios (a service running as Network Service can use the key)
  39. Certificate Services 2008 vs. 2003: Network Device Enrollment Service (NDES)
     - For issuing certs to SCEP-compatible devices
       - Simple Certificate Enrollment Protocol
       - Invented by Cisco
     - Receives and processes SCEP enrollment requests on behalf of software running on network devices
     - Retrieves pending requests from the CA
     - Generates and provides one-time enrollment passwords to administrators
  40. Certificate Services 2008 vs. 2003: NDES (con't)
     - Now a built-in role service
       - Was a W2K3 add-on called MSCEP
     - Runs as an IIS ISAPI app
     - Can run on non-CA servers
     - Enhanced security
       - For example, can require a one-time password; without one, anyone who can reach the NDES URL can request a certificate
     - Wide range of template use
     - Can now renew NDES certs
  41. Certificate Services 2008 vs. 2003: Web Enrollment Website Updated
     - Some good and interesting changes
     - Now easier to put on a non-CA server
     - Uses Certenroll.dll instead of xenroll.dll
       - Pre-Vista clients must use the older DLL
       - Can install both on the web enrollment server
     - Unfortunately, does not support some new features (like KSPs, v3 templates, Suite B, etc.)
     - The web enrollment web site included by Microsoft is probably being discontinued
  42. Certificate Services 2008 vs. 2003
     - Supports the Issuing Distribution Point (IDP) extension for partitioned CRLs
     - Credential Roaming built in (client side)
       - Requires schema updates on older domains
     - Supports clustering (W2K3 and earlier didn't)
     - Replaceable random number generator
     - Better auditing
  43. Certificate Services 2008 vs. 2003
     - Client can enroll on behalf of someone else
     - You can rename CA servers now
     - New template field to allow Network Service to have Read permission on the private key
       - Helps machine-based certs in certain scenarios
  44. Certificate Services 2008 vs. 2003
     - DiscreteSignatureAlgorithm (renamed AlternateSignatureAlgorithm in R2)
       - CAPolicy.inf setting that turns on the PKCS#1 v2.1 (RSASSA-PSS) signature format for the CA certificate; only Vista and later can validate it
     - 3 new assurance levels besides low, medium, and high
     - KRA-archived keys can be protected by AES instead of 3DES
     - New Microsoft smart card KSP (in Vista, too)
     - Supports setting the revocation date when revoking
  45. Certificate Services 2008 vs. 2003: Tools
     - Supports PowerShell
     - PKIView.msc built in now
       - Used to have to install it separately
       - Improved functionality and bug fixes
     - Supports CAPI2 diagnostics (the CAPI2 operational event log)
     - More tools, more scripts available
     - Bad: the Key Recovery Tool GUI is gone
       - Use certutil.exe instead
  46. Certificate Services 2008 vs. 2003: Pushing Certs Using GPO
     - Trusted root CA certificates (W2K3 too)
     - Enterprise trust certificates (W2K3 too)
     - Intermediate CA certificates
     - Trusted publisher certificates
     - Untrusted certificates
     - Trusted people (peer trust certificates)
  47. New W2K8 R2 Features
  48. W2K8R2 Certificate Enrollment Services (CES)
     - Don't confuse with the web enrollment web site!
     - Web site enrollment is for browser interactive sessions
     - Problem to solve: all legacy enrollment methods required RPC and DCOM, and lots of open RPC ports
       - Even the web enrollment web site uses DCOM to the back-end CA
       - Firewall nightmare
       - Didn't work well across the Internet, forests, non-domain-joined machines, etc.
  49. W2K8 R2 Certificate Enrollment Services (con't)
     - New method is a web service, less interactive
     - Uses TLS over 443
     - New method works well in almost all scenarios (if the client enrollment process uses the new enrollment method)
       - Windows 7/W2K8R2 and later
     - Uses two new services:
       - Certificate Enrollment Policy Web Service (the policy service)
       - Certificate Enrollment Web Service (the enrollment service)
  50. W2K8 R2 Certificate Enrollment Services (con't)
     - Certificate Enrollment Web Service
       - Provides enrollment services; the main service
     - Certificate Enrollment Policy Web Service
       - The client contacts it to get certificate policy information: the types of certificates it can enroll for, which enrollment services to contact to enroll for them, and what type of authentication to use for each service. The client must first be configured with which policy server(s) to contact and how to authenticate to them
  51. W2K8 R2 Enrollment Services (con't): once configured, during interactive enrollments you'll see this (screenshot)
  52. W2K8 R2 Enrollment Services (con't): CES are server role services (screenshot)
  53. W2K8 R2 Enrollment Services (con't): the service uses SSL/TLS (screenshot)
  54. W2K8 R2 Enrollment Services (con't): the service uses SSL/TLS (screenshot)
  55. W2K8 R2 Enrollment Services (con't): clients must be configured to connect to the web site (screenshot)
  56. W2K8 R2 Enrollment Services (con't): CES must be linked to an issuing CA (screenshot)
  57. W2K8 R2 Enrollment Services (con't): CES web site(s) (screenshot)
  58. Common Web Service Scenario (diagram)
  59. W2K8 R2 Enrollment Services (con't): the client auth method is configurable (screenshot)
  60. New R2 Stuff
     - Supports cross-forest servicing
     - Old CA versions required a separate PKI per forest, or limited service using cross-forest trusts and lots of pre-work
       - Didn't work well off-intranet
     - New version can support multiple forests with one PKI
       - Works well off-net
       - But requires cross-forest trusts, Kerberos auth, and Win7/W2K8R2 or later clients
  61. Cross Forest Servicing (diagram)
  62. New R2 Stuff (con't)
     - Supports "renewal-only" mode for Internet-facing CAs
       - Using the Certificate Enrollment Service
     - Supports CA interactions (enrollment/renewal/revocation) over a single static HTTPS port instead of dynamic RPC/DCOM ports
     - Supports Internet clients for enrollment/renewal/revocation when off the corporate network (great for mobile users)
  63. Is a Schema Update Needed for W2K8 CAs?
     - A schema update is not needed to use almost all functionality of a W2K8 CA
     - A schema update is needed for Credential Roaming support, or CLM/ILM/FIM
     - ACL update (using adprep /forestprep) on the Domain Controller template to let RODCs get issued DC certs
  64. Installing ADCS
  65. Install W2K8 CA
     - Unfortunately, you still need to place a CAPolicy.inf file in %SystemRoot% on the CA server before installing
  66. CAPolicy.inf File: bare-minimum example
     - Caveat: the [CRLDistributionPoint] and [AuthorityInformationAccess] sections only take effect when installing a root CA (they go into its self-signed certificate). A subordinate/issuing CA's CDP and AIA come from the parent CA that signs its certificate; the [Certsrv_Server] renewal settings apply to both. The LDAP URLs use the standard token form: CN=%7%8,CN=%2 for the CRL object, and %10/%11 appended to %6 without a comma, since they expand to the LDAP query suffix rather than a DN component

       [Version]
       Signature="$Windows NT$"

       [Certsrv_Server]
       RenewalKeyLength=4096
       RenewalValidityPeriod=Years
       RenewalValidityPeriodUnits=10

       [CRLDistributionPoint]
       URL=ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
       URL=http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
       URL=http://www.contoso.com/PKI/IssuingCA1.crl

       [AuthorityInformationAccess]
       URL=ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
       URL=http://www.contoso.ad/PKI/ContosoCA.cer
  67. Install W2K8 CA: in the Initial Configuration Tasks wizard, click Add roles (screenshot)
  68. Click Next
  69. Select Active Directory Certificate Services and click Next
  70. Click Next
  71. Keep the default of Certification Authority and click Next
  72. Accept the default of Standalone and click Next
  73. Accept the default of Root CA and click Next
  74. Accept the default (create a new private key) and click Next
  75. Use the options shown (screenshot of the cryptography page) and click Next
  76. Type a better Common Name and click Next
  77. Change the validity period to 20 years and click Next
  78. Accept the default database locations and click Next
  79. Select Install
  80. Wait while it installs...
  81. Click Close to end the install
  82. Confirm the new (and only) role is installed, then Close
  83. Open the Certification Authority console under Administrative Tools to verify the install
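Slides 67 through 83 walk the GUI wizard for a standalone root. The following is an added example, not from the deck, that performs the same steps as a script and adds the post-install settings an offline root normally needs (publication URLs, CRL lifetime, auditing). It requires the ADCSDeployment module, which ships with Windows Server 2012 and later (W2K8 R2 itself has no Install-Adcs* cmdlets, which is why the deck uses the wizard). The CA name, HTTP host, and lifetimes are assumptions for the example.

```powershell
# Added example (not from the presentation): scripted standalone root CA install plus the
# publication settings from slides 66 and 98. Needs Windows Server 2012+ (ADCSDeployment).
# $caName, $httpCdp and the lifetimes below are assumptions. Run elevated on the future root.
$caName  = 'Contoso Root CA'
$httpCdp = 'http://pki.contoso.com/PKI'   # plain HTTP on purpose: an HTTPS CDP would need a
                                          # revocation check to validate itself (slide 98)

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Standalone root (slides 72-73), 4096-bit RSA in the software KSP with SHA-256 (slide 75),
# a chosen common name (slide 76), 20-year validity (slide 77). A CAPolicy.inf in %windir%
# (slide 66) is still honoured at this point.
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $caName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# Where the CA writes its CRL/cert and which URLs go into the certs it issues.
# certutil tokens: %1 server DNS name, %3 CA name, %4 cert renewal suffix,
#                  %8 CRL name suffix, %9 delta CRL suffix.
# Prefix flags: 1 publish file here, 2 put URL in issued certs (CDP/AIA extension),
#               4 include in CRLs as delta location, 8 publish delta here,
#               32 OCSP URL (AIA only), 64 include in IDP extension (CDP only).
# "\n" is the literal entry separator certutil expects (PowerShell does not expand it).
$local = "$env:windir\system32\CertSrv\CertEnroll"
certutil -setreg CA\CRLPublicationURLs    "1:$local\%3%8%9.crl\n2:$httpCdp/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$local\%1_%3%4.crt\n2:$httpCdp/%1_%3%4.crt"

# Offline root: long base CRL, no delta CRLs, and a cap on what it issues (sub-CA certs only).
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod Weeks
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod Years
# Audit every CA operation (slide 45); the Object Access audit policy must be on as well.
certutil -setreg CA\AuditFilter 127

Restart-Service certsvc
certutil -crl            # publish the first CRL with the new settings into $local

# Next, by hand: copy $local\*.crt and *.crl to the web root behind $httpCdp, then from a
# DOMAIN-JOINED machine (the root never joins the network, slide 30) publish them to AD so
# every domain member trusts the root and can find the CRL by LDAP:
#   certutil -dspublish -f "<server>_Contoso Root CA.crt" RootCA
#   certutil -dspublish -f "Contoso Root CA.crl"
# and confirm every URL in the chain resolves before issuing anything under it:
#   certutil -verify -urlfetch "<server>_Contoso Root CA.crt"
```

PKIView.msc (slide 45) shows the same publication check graphically; the certutil -verify -urlfetch output is what to paste into a ticket when a location is wrong.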
  84. Version 3 Templates
  85. Certificate Template Version 3
     - A certificate based on a version 3 template can only be issued by an enterprise CA running Windows Server 2008 (or later) Enterprise edition
     - Version 3 templates contain more options and stronger crypto
     - Version 3 templates can only be published on W2K8 (or later) CAs
     - V3 templates do not work with Windows OSs prior to Windows Vista
  86. Certificate Template Version 3 (con't)
     - Windows 2000, XP, and 2003 will not enroll against V3 templates
     - Only Vista and later understands SHA-2 hashes and ECC ciphers
     - XP SP3 can verify certificates signed with SHA-256, but not all applications can, so be careful issuing certs with any hash stronger than SHA-1 while such clients remain (a compatibility trade-off, not a security one; SHA-1 signatures are themselves deprecated today)
     - V3 templates will not show up on the web enrollment site
     - **To be safe, only use V3 templates with Windows Vista and later
  87. Creating Certificate Templates: choose which version of template to create (screenshot: Version 2 vs. Version 3)
  88. New Certificate Template Attribute: add Read permission for Network Service on the private key (version 3 and later templates only) (screenshot)
  89. New Certificate Template Attribute: Cryptography tab (version 3 and later templates) (screenshot)
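Slides 85 and 86 set out which clients can use which template version, but finding out what is actually published in a forest means reading the Configuration partition. Here is an added example, not from the deck, that inventories every template, its schema version and the CAs publishing it, and applies the slide's rules to flag the ones XP/2003 clients and the legacy web enrollment pages cannot use. The AD attribute names are the real schema names; it is read-only and runs as any domain user.

```powershell
# Added example (not from the presentation): template inventory from the Configuration
# partition via ADSI. Read-only. Verdict columns follow slides 85-86.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.Properties['configurationNamingContext'].Value
$pks      = "CN=Public Key Services,CN=Services,$configNC"
$templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pks"
$enrollContainer   = [ADSI]"LDAP://CN=Enrollment Services,$pks"   # one pKIEnrollmentService per enterprise CA

# template name -> CAs that have it published (the CA object's certificateTemplates attribute)
$publishedOn = @{}
foreach ($ca in $enrollContainer.Children) {
    $caName = [string]$ca.Properties['cn'].Value
    foreach ($t in @($ca.Properties['certificateTemplates'].Value)) {
        if (-not $t) { continue }
        if (-not $publishedOn.ContainsKey($t)) { $publishedOn[$t] = @() }
        $publishedOn[$t] += $caName
    }
}

# msPKI-Enrollment-Flag bits (MS-CRTD): 0x2 = CA manager approval required, 0x20 = autoenroll
$PEND_ALL_REQUESTS = 0x2
$AUTO_ENROLLMENT   = 0x20

$report = foreach ($t in $templateContainer.Children) {
    $name    = [string]$t.Properties['cn'].Value
    $version = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    $eflags  = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    [pscustomobject]@{
        Template        = $name
        SchemaVersion   = $version           # 1 = W2K built-in, 2 = W2K3, 3 = W2K8 (CNG/KSP), 4 = 2012+
        PublishedOn     = ($publishedOn[$name] -join ', ')
        XPAnd2003CanUse = ($version -le 2)   # v3+ is invisible to pre-Vista clients (slide 86)
        LegacyWebEnroll = ($version -le 2)   # and to the xenroll/certenroll web pages (slide 41)
        ManagerApproval = [bool]($eflags -band $PEND_ALL_REQUESTS)
        AutoEnroll      = [bool]($eflags -band $AUTO_ENROLLMENT)
        RASignatures    = [int]$t.Properties['msPKI-RA-Signature'].Value   # >0 = needs an enrollment agent
    }
}

$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# The practical check: v3+ templates that are published (offered to clients) but which
# XP/2003 members and the legacy web enrollment site will never be able to enroll against.
$report | Where-Object { $_.SchemaVersion -ge 3 -and $_.PublishedOn } |
    Select-Object Template, SchemaVersion, PublishedOn
```

The same object also carries pKIExtendedKeyUsage and the template's security descriptor, which is where an audit of who can enroll (and who holds Enrollment Agent rights, slide 36) continues.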
  90. 90. Certificate Revocation CRLs and OCSP
  91. 91. Certificate Revocation <ul><li>Certificate Revocation </li></ul><ul><li>Used to indicate digital certificate is invalid </li></ul><ul><li>Any revoked certificate is to be considered (very) untrusted </li></ul><ul><li>App may “break” if it can’t find revocation point or revocation is negative </li></ul><ul><li>Unfortunately, certificate revocation doesn’t always work (not all applications or users check for revocation) </li></ul>
  92. 92. Certificate Revocation <ul><li>Certificate Revocation </li></ul><ul><li>Certificates are revoked when: </li></ul><ul><li>CA or other CAs in path (e.g. issuing) have been compromised </li></ul><ul><li>Entity issued certificate is discovered to be a fraud </li></ul><ul><li>To prematurely end certificate’s useful life </li></ul><ul><li>For any other reason the CA wants (e.g. customer didn’t pay their bill) </li></ul>
  93. 93. Certificate Revocation <ul><li>Checking Certificate Revocation </li></ul><ul><li>In order for revocation to be checked, the certificate being verified must include valid revocation information (e.g. revocation list location, etc.) and the resulting information must be reachable by the client/application investigating </li></ul><ul><li>Called certificate chaining </li></ul><ul><li>Certificate information is usually checked back to just before Root CA (root is offline) </li></ul>
  94. 94. Certificate Revocation <ul><li>Certificate Revocation </li></ul><ul><li>Revocation checking not always done, depends on the PKI-participating application and/or its settings </li></ul><ul><li>Sometimes even when it is done/required, application only reports if certificate is revoked (and not, unfortunately, if the revocation information can’t be confirmed) </li></ul><ul><li>But can also cripple your organization if revocation is not working!!! </li></ul>
  95. 95. Certificate Revocation <ul><li>Certificate Revocation </li></ul><ul><li>Some Apps Allow Turning On and Off </li></ul>
  96. 96. Certificate Revocation <ul><li>Certificate Revocation </li></ul><ul><li>In IE (with revocation checking enabled), if the cert’s revocation information isn’t valid or reachable, IE won’t report an error by default </li></ul><ul><li>Although when using Secure Socket Tunneling Protocol (SSTP), IE will check and absolutely require correct revocation information in the VPN server’s cert </li></ul>
  97. 97. Certificate Revocation <ul><li>Checking Certificate Revocation </li></ul><ul><li>Ways Revocation Can Be Checked </li></ul><ul><li>Certificate Revocation List (CRL) </li></ul><ul><ul><li>Full and deltas </li></ul></ul><ul><li>Online Certificate Status Protocol (OCSP) </li></ul><ul><li>Application checks (depends on app) </li></ul><ul><li>Manually using Certutil.exe </li></ul><ul><li>Programmatically </li></ul><ul><li>Stored locally in revocation database </li></ul>
98. 98. Certificate Revocation <ul><li>Certificate Revocation List (CRL) </li></ul><ul><li>List of revoked certificates (revocation). </li></ul><ul><li>CRL is placed at CDP (CRL distribution point) so clients can check. </li></ul><ul><li>CDP is hard-wired into certificate </li></ul><ul><li>CRLs can be published to Active Directory so they are available to everyone. </li></ul><ul><li>CRLs can be full base or delta. </li></ul><ul><li>HTTP references should not be HTTPS-enabled </li></ul>Microsoft Certificate Services
  99. 99. OCSP <ul><li>OCSP (RFC 2560) </li></ul><ul><li>Online Certificate Status Protocol </li></ul><ul><li>Replacement for older CRL revocation checking method </li></ul><ul><li>OCSP Responder collects CRL entries and stores them in a database </li></ul><ul><li>Can be queried for a particular cert </li></ul><ul><li>Allows OCSP clients (Vista and later) to quickly query/verify certificate status, instead of relying on and downloading entire CDP/CRL. </li></ul>
100. 100. OCSP <ul><li>OCSP (RFC 2560) </li></ul><ul><li>Online Certificate Status Protocol </li></ul><ul><li>OCSP Online Responder Service can be installed stand-alone or on the W2K8 CA server </li></ul><ul><li>OCSP Responder available for Windows Server 2008, but can respond for W2K3 also </li></ul>
  101. 101. OCSP <ul><li>Basic OCSP Setup </li></ul>
102. 102. <ul><li>OCSP Process </li></ul><ul><li>Bob gets certificate/public key from Alice </li></ul><ul><li>Alice’s digital certificate contains OCSP extension </li></ul><ul><li>Bob sends fingerprint of Alice’s public key to Alice’s defined OCSP responder </li></ul><ul><li>OCSP responder confirms status (success or revoked) or sends back an unknown status message </li></ul><ul><li>OCSP responder sends back signed OCSP response </li></ul><ul><li>Bob reads status and handles accordingly </li></ul>
  103. 103. OCSP <ul><li>More Complex OCSP Setup </li></ul>
104. 104. <ul><li>OCSP (RFC 2560) cont. </li></ul><ul><li>OCSP uses HTTP </li></ul><ul><li>OCSP Responder location should be hardcoded into OCSP-enabled digital certificates in AIA location </li></ul><ul><li>OCSP Standard can connect directly to CA database or use CRLs </li></ul><ul><ul><li>Windows OCSP relies on CA CRLs </li></ul></ul><ul><li>Client must be OCSP-aware and be able to reach OCSP responder </li></ul>
105. 105. <ul><li>OCSP (RFC 2560) cont. </li></ul><ul><li>Vista/W2K8 and later have an OCSP client built in and will resolve using OCSP first vs. CRLs </li></ul><ul><ul><li>Legacy clients will need to use a 3rd-party OCSP client </li></ul></ul><ul><li>W2K8 can serve as an OCSP Responder for W2K8/W2K3 servers </li></ul><ul><li>OCSP Responder was a separate download in W2K3 </li></ul>
  106. 106. OCSP <ul><li>Online Certificate Status Protocol </li></ul><ul><li>Application must be coded to look for OCSP extension in certificate </li></ul><ul><li>IE 7 and later, on Vista and later </li></ul><ul><li>All versions of Firefox support OCSP, v.3.0 turns it on by default </li></ul><ul><li>Safari and Opera support it </li></ul><ul><li>Google’s Chrome does not (as of 3/09) </li></ul>
  107. 107. OCSP <ul><li>Online Certificate Status Protocol </li></ul><ul><li>By default: </li></ul><ul><li>OCSP will be checked first if OCSP extension is found </li></ul><ul><li>If no OCSP response, then CRL tried </li></ul><ul><li>Default behavior can be reversed </li></ul>
108. 108. OCSP <ul><li>Online Certificate Status Protocol </li></ul><ul><li>Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings </li></ul>
  109. 109. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Configure OCSP Response Signing Certificate Template and Publish </li></ul><ul><li>Modify AIA on Issuing CA to point to OCSP Responder virtual directory </li></ul><ul><li>Install OCSP Responder and configure </li></ul><ul><li>Test </li></ul>
  110. 110. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Logon to W2K8IssuingCA1 as local Administrator and start Certification Authority console </li></ul>
  111. 111. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Right-click Certificate Templates and choose Manage </li></ul>
  112. 112. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Right-click the OCSP Response Signing template and choose Duplicate Template </li></ul>
  113. 113. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Choose Windows Server 2008, Enterprise Edition and then select OK </li></ul>
  114. 114. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Type in a new template name and then click on the Security tab. </li></ul>
  115. 115. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>On the security tab, add the W2K8IssuingCA1 computer account (as OCSP Responder) </li></ul>
  116. 116. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Give Read and Enroll permissions to the W2K8IssuingCA1 computer account, OK, then Close </li></ul>
  117. 117. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>In the Certification Authority console, right-click Certificate Templates , New , Certificate Template to Issue </li></ul>
  118. 118. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Select the new OCSP certificate template and then OK </li></ul>
  119. 119. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>Minimize or close the Certification Authority console </li></ul>
120. 120. OCSP <ul><li>Publish OCSP Response Signing Certificate </li></ul><ul><li>At the command prompt on the CA server, type: </li></ul><ul><li>certutil -setreg CA\UseDefinedCACertInRequest 1 </li></ul><ul><li>Close prompt </li></ul><ul><li>Restart the CA service </li></ul>
  121. 121. OCSP <ul><li>Installing OCSP </li></ul><ul><li>You need to install OCSP Responder service, and then configure a Revocation Provider Configuration entry for each Revocation Provider that you want the OCSP Responder to respond for </li></ul>
  122. 122. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Logon to W2K8IssuingCA1 as local Administrator and start Server Manager . Choose Add Role Services </li></ul>
  123. 123. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Select Online Responder and then Next </li></ul>
  124. 124. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Choose Install </li></ul>
125. 125. OCSP <ul><li>Installing OCSP </li></ul><ul><li>If you install IIS 7 separately, the following IIS/Web Server components are required: </li></ul><ul><ul><li>Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection </li></ul></ul><ul><ul><li>Application Development: .NET Extensibility, ISAPI Extensions </li></ul></ul><ul><ul><li>Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing </li></ul></ul><ul><ul><li>Security: Request Filtering </li></ul></ul><ul><ul><li>Performance: Static Content Compression </li></ul></ul><ul><ul><li>Management Tools: IIS Management Console, IIS 6 Management Compatibility, IIS Metabase Compatibility </li></ul></ul>
  126. 126. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Choose Close and close Server Manager </li></ul>
127. 127. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Choose Start , Administrative Tools and Online Responder Management </li></ul>
  128. 128. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Right-click Revocation Configuration </li></ul>
  129. 129. OCSP <ul><li>Installing OCSP </li></ul><ul><li>And choose Add Revocation Configuration </li></ul>
  130. 130. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Click on the Next button </li></ul>
  131. 131. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Type in a name and then the Next button </li></ul>
  132. 132. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Keep the default option and then choose Next </li></ul>
  133. 133. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Keep the default option and then choose Browse </li></ul>
  134. 134. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Select W2K8IssuingCA1 and then choose OK </li></ul>
135. 135. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Click on Next </li></ul>
136. 136. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Select the correct template and then click on Next </li></ul>
  137. 137. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Click on Finish </li></ul>
  138. 138. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Confirm Revocation Configuration Status by clicking on revocation configuration object and choosing Edit Properties </li></ul>
  139. 139. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Review Revocation Configuration, confirm Base CRLs and then click OK. (No need to define deltas) </li></ul>
  140. 140. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Example Certificate with OCSP Extension </li></ul>
  141. 141. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Right-click OCSP server name and choose Responder Properties </li></ul>
  142. 142. OCSP <ul><li>Installing OCSP </li></ul><ul><li>On the Audit tab, enable all auditing options, OK </li></ul>
143. 143. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Give Enterprise PKI Publishers Manage Online Responder and Read permissions, then OK </li></ul>
  144. 144. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Close the OCSP Responder console </li></ul>
  145. 145. OCSP <ul><li>Installing OCSP </li></ul><ul><li>Confirm Windows Firewall has inbound rules for OCSP </li></ul>
  146. 146. OCSP <ul><li>Configure OCSP Extensions </li></ul><ul><li>Open up Certification Authority console </li></ul>
  147. 147. OCSP <ul><li>Configure OCSP Extensions </li></ul><ul><li>Right-click on CA name and choose Properties </li></ul>
  148. 148. OCSP <ul><li>Configure OCSP Extensions </li></ul><ul><li>Click on the Add button under the Extensions tab and choose the AIA extension option </li></ul>
  149. 149. OCSP <ul><li>Configure OCSP Extensions </li></ul><ul><li>Add http://W2K8IssuingCA1.contoso.ad/ocsp and enable both AIA and OCSP options, then OK </li></ul>
  150. 150. OCSP <ul><li>Configure OCSP Extensions </li></ul><ul><li>Close or minimize the Certification Authority console </li></ul>
151. 151. OCSP <ul><li>Testing OCSP </li></ul><ul><li>PKIView.msc (W2K8 or later) </li></ul><ul><li>Generate a new cert and verify the correct http path in the OCSP extension in the AIA extension </li></ul><ul><li>Force CRL checking in the application using the certificate </li></ul><ul><li>certutil -verify <certname> </li></ul>
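The scriptable parts of the OCSP steps above (registry flag, AIA/OCSP extension, role service install, verification), as an added PowerShell example that is not from the slides. It assumes an elevated prompt on the issuing CA, the host name W2K8IssuingCA1.contoso.ad from the slides, a constructed path for a freshly issued test certificate, and the certutil publication flag values 2 (AIA) and 32 (OCSP) for the two check boxes enabled in the Extensions tab.

```powershell
# Added example, not from the slides: scriptable parts of the OCSP setup,
# run from an elevated PowerShell prompt on the issuing CA (W2K8 R2).
# Assumed/constructed values: host name from the slides; C:\Temp\test.cer is
# a constructed path for a certificate issued after the CA restart.

$OcspUrl  = 'http://W2K8IssuingCA1.contoso.ad/ocsp'
$TestCert = 'C:\Temp\test.cer'

# 1. Registry value the slides set so the CA issues the OCSP Response
#    Signing certificate for the responder.
certutil -setreg 'CA\UseDefinedCACertInRequest' 1

# 2. Add the OCSP URL to the CA's AIA publication list.
#    Flag  2 = include in the AIA extension of issued certs
#    Flag 32 = include in the OCSP extension
#    34 = both, i.e. the two check boxes enabled in the Extensions tab.
#    The leading '+' appends to the REG_MULTI_SZ instead of replacing it.
certutil -setreg 'CA\CACertPublicationURLs' "+34:$OcspUrl"

# 3. Restart Certificate Services so newly issued certs carry the extension.
Restart-Service CertSvc

# 4. Install the Online Responder role service. The revocation
#    configuration itself is still created in the Online Responder
#    Management console as shown on the slides.
Import-Module ServerManager
Add-WindowsFeature ADCS-Online-Cert

# 5. Confirm the firewall exposes the responder (assumption: the inbound
#    rules created by the role installer contain "Online Responder").
netsh advfirewall firewall show rule name=all dir=in |
    Select-String 'Online Responder'

# 6. Test with a certificate issued after the restart:
#    -dump shows the AIA/OCSP extension; -verify -urlfetch actually fetches
#    the CDP, AIA and OCSP targets the way client path validation would.
certutil -dump $TestCert | Select-String 'ocsp'
certutil -verify -urlfetch $TestCert |
    Select-String -Pattern 'OCSP', 'Revocation', 'ERROR'
```

Any ERROR line from the last command is the condition the earlier slides warn about: a client that hard-fails (SSTP) will refuse the certificate, while one that soft-fails (IE by default) silently skips the revocation check.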
152. 152. OCSP <ul><li>OCSP Arrays </li></ul><ul><li>It is easy to create a fault-tolerant array of OCSP Responders </li></ul><ul><li>Enable Network Load Balancing (NLB) service </li></ul><ul><li>Define OCSP extension with a name that will resolve to the NLB cluster IP address </li></ul><ul><li>Then define the array members under the Array Configuration option in the OCSP Responder GUI </li></ul>
  153. 153. OCSP <ul><li>Is Schema Update Needed? </li></ul><ul><li>W2K3 AD schema or later is needed for OCSP </li></ul><ul><ul><li>W2K8 schema update is not needed if schema has been updated to W2K3 </li></ul></ul><ul><li>A Windows 2000 domain is OK, as long as the AD schema has been upgraded to Windows 2003 AD schema. </li></ul><ul><li>Need at least one W2K8 server joined to the domain, and to have a domain admin execute the template snap-in from the Windows 2008 server to get the new OCSP Responder Signing template(s) installed in AD. </li></ul>
  154. 154. OCSP <ul><li>For More Reading </li></ul><ul><li>http://technet.microsoft.com/en-us/library/cc770413.aspx </li></ul><ul><li>Questions? </li></ul>
  155. 155. Fault Tolerance, Backup and Disaster Recovery
156. 156. Fault Tolerance <ul><li>When would end-users notice a problem? </li></ul><ul><li>If Issuing CAs are down: </li></ul><ul><li>When users request a new cert or try to renew an expiring cert </li></ul><ul><li>If AIA or CDP publication points are down: </li></ul><ul><li>When an application the end-user is using checks certificate revocation </li></ul>
157. 157. Fault Tolerance <ul><li>Required </li></ul><ul><li>Always have a minimum of two issuing CAs with same templates published </li></ul><ul><li>CAs should have fault-tolerant disks </li></ul><ul><li>CRLs should be redundant </li></ul><ul><ul><li>Internally redundant </li></ul></ul><ul><ul><ul><li>LDAP, and multiple http locations? </li></ul></ul></ul><ul><ul><li>Externally redundant, if certs used externally </li></ul></ul><ul><li>OCSP Responders should be redundant </li></ul>
158. 158. Fault Tolerance <ul><li>Optional </li></ul><ul><li>Clustering </li></ul><ul><li>Redundant hardware? </li></ul><ul><li>Cold standby? </li></ul><ul><li>Virtual machine standby? </li></ul>
159. 159. Fault Tolerance <ul><li>CA Clustering </li></ul>
160. 160. Fault Tolerance <ul><li>CA Clustering </li></ul><ul><li>Available in Windows Server 2008 Enterprise edition </li></ul><ul><li>Only supports two-node Active/Passive cluster </li></ul><ul><li>Must share same database and log files </li></ul><ul><li>Can’t mix W2K8 and W2K3 </li></ul><ul><li>Many HSMs support clustering </li></ul><ul><li>Must load balance (using NLB, etc.) other things: CDP, OCSP Responders, NDES, web enrollment, etc. </li></ul>
161. 161. Fault Tolerance <ul><li>Why Clustering? </li></ul><ul><li>If multiple issuing CA servers can issue the same types of certs, why cluster CA servers? </li></ul><ul><li>Answer: </li></ul><ul><li>They don’t issue the same certs or share the same database </li></ul><ul><li>Can’t revoke a cert you can’t “find” </li></ul><ul><li>If one goes down, there can be problems when base or delta CRLs expire (can break the revocation chain and break applications that depend on revocation checking) </li></ul>
  162. 162. Enrolling on Behalf of Another User
  163. 163. <ul><li>Certificate Request Wizard </li></ul><ul><li>Enrolling on Behalf of Another User </li></ul><ul><li>Useful for: </li></ul><ul><li>Smart card certificates </li></ul><ul><li>S/MIME certificates </li></ul><ul><li>Enrolling for offline users and computers </li></ul>Certificate Services
164. 164. <ul><li>Certificate Request Wizard </li></ul><ul><li>Enrolling on Behalf of Another User </li></ul><ul><li>Must already have Enrollment Agent cert </li></ul><ul><li>Can also issue Enrollment Workstation certificate and require that Enrollment Agents be logged on at approved Enrollment workstations to enroll on the behalf of others </li></ul>
165. 165. <ul><li>Certificate Request Wizard </li></ul><ul><li>Enrolling on Behalf of Another User </li></ul><ul><li>Must already have Enrollment Agent cert </li></ul>
167. 167. <ul><li>Certificate Request Wizard </li></ul><ul><li>Enrolling on Behalf of Another User </li></ul>
  175. 175. <ul><li>e: rogrim@microsoft.com </li></ul>New PKI Features Questions