• Revoking Certificates
• What Is NDES?
What Is a Digital Certificate?
Digital Certificate
[Figure: certificate lifecycle; the first step is not present on the page]
2. The CA generates a certificate.
3. The CA distributes the certificate to the user, computer, or service.
4. The certificate is used with PKI-enabled applications.
5. The certificate reaches the end of its lifetime.
6. The certificate is expired, renewed, or revoked.
Certificate Enrollment Methods
Method Use
Autoenrollment
Enrollment Agents
Obtaining Certificates by Using Web Enrollment
1. Connect to http://ServerName/certsrv by using a Web browser.
2. Click Request a certificate.
3. Select the type of certificate that you want to request.
4. Type or verify your identification.
5. Install the certificate.
Obtaining Certificates by Using Manual Enrollment
[Figure: Manual Enrollment; labels: Network Router, CA, Network, NDES]
• Functioning of Autoenrollment
Discussion: Benefits and Uses of Autoenrollment
• How can autoenrollment simplify certificate management in your organization?
• What are examples of applications that can benefit from autoenrollment?
Functioning of Autoenrollment
Certificate Authority
Online Responder: functions as a responder to multiple CAs
How Online Responders Work
[Flowchart: Start -> Configure the CA -> Create a Revocation Configuration -> Stop]
Demonstration: How To Configure an Online Responder
• To configure the CA to support the Online Responder
Version 1:
Version 2:
Version 3:
• Supports advanced Suite B cryptographic settings
• Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Only supports Windows Server® 2008 and Windows Vista®
Certificate Template Categories and Purposes
Users
Computers
Configuring Certificate Template Permissions
Permission Description
Full Control
Modifying
Superseding
Smart Card
Smart Cards
Replace one or more certificate templates with an updated certificate template.
• Disk is corrupted
• Computer is stolen
• Certutil.exe
• Outlook®
• Internet Explorer®
The tool you use depends on the certificate template on which the certificate is based.
Configuring Automatic Key Archival
To configure automatic key archival:
Enable Key Archival on the CA.
Modify and enable the required certificate templates for key archival.
Demonstration: How To Configure Key Archival
• To configure and issue the Key Recovery Agent certificate template
• To designate a person to be the Key Recovery Agent and enroll for the certificate
• To enable Key Archival on the CA
[Figure: key recovery; steps 1 to 3 are not present on the page]
4. The certificate manager transfers the PKCS #7 to the KRA.
5. The KRA recovers the private key.
6. The user imports the private key.
Demonstration: How To Recover a Lost Key
• To recover an archived certificate and a key from an Active Directory®
Lab 3: Deploying and Managing Certificates
• Exercise 1: Configuring AD CS Web Enrollment
Logon information
Virtual machine 6426A-NYC-DC1-B