
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 3: Deploying and Managing Certificates
• Deploying Certificates by Using AD CS

• Deploying Certificates by Using Autoenrollment

• Revoking Certificates

• Configuring Certificate Templates

• Configuring Certificate Recovery


Lesson 1: Deploying Certificates by Using AD CS
• What Is a Digital Certificate?

• Overview of Certificate Life Cycle

• Certificate Enrollment Methods

• Obtaining Certificates by Using Web Enrollment

• Obtaining Certificates by Using Manual Enrollment

• How To Manually Obtain a Certificate for a Web Service

• What Is NDES?
What Is a Digital Certificate?

[Figure: a digital certificate contains the public cryptographic key, the subject information, and the CA information]


Overview of Certificate Life Cycle

1. A user, computer, or service requests a certificate from a CA.
2. The CA generates a certificate.
3. The CA distributes the certificate to the user, computer, or service.
4. The certificate is used with PKI-enabled applications.
5. The certificate reaches the end of its lifetime.
6. The certificate is expired, renewed, or revoked.
Certificate Enrollment Methods

Autoenrollment
• To automate the request, retrieval, and storage of certificates for domain-based computers

Manual Enrollment
• To request certificates by using the Certificates console or Certreq.exe, when the requestor cannot communicate directly with the CA

Web Enrollment
• To request certificates from a Web site located on a CA
• To issue certificates when autoenrollment is not available

Enrollment Agents
• To provide a CA administrator the right to request certificates on behalf of another user
Obtaining Certificates by Using Web Enrollment

1. Connect to http://ServerName/certsrv by using a Web browser.
2. Click Request a certificate.
3. Select the type of certificate that you want to request.
4. Type or verify your identification.
5. Install the certificate.
Obtaining Certificates by Using Manual Enrollment

[Figure: manual enrollment methods are the Certificates MMC, the Web Server, and NDES]


Demonstration: How To Manually Obtain a
Certificate for a Web Service
• To use IIS and perform Web site enrollment by using one of the manual
enrollment methods
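The Certreq.exe path of the manual enrollment described above, as an added example that is not part of the course material: it writes a request INF for a Web server certificate, generates the key pair and PKCS #10 request on the IIS host, submits it to the enterprise CA, and accepts the issued certificate. The subject name, the CA configuration string and the WebServer template name are placeholders; run it elevated on the IIS host.

```powershell
param(
    [string]$Subject  = "CN=www.contoso.com",              # placeholder host name
    [string]$CAConfig = "NYC-DC1.contoso.com\Contoso-CA",   # placeholder "host\CA name"
    [string]$Template = "WebServer",                        # template the CA must issue
    [string]$WorkDir  = "$env:TEMP\webcert"
)
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$inf = Join-Path $WorkDir "request.inf"
$req = Join-Path $WorkDir "request.req"
$cer = Join-Path $WorkDir "issued.cer"

# 1. Describe the request. MachineKeySet=TRUE puts the key in the computer
#    store where IIS can use it; Exportable=FALSE stops the private key from
#    being copied off the host; KeyUsage 0xA0 = digitalSignature + keyEncipherment.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 2. Generate the key pair locally and write the PKCS #10 request.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit the request to the CA. If the template requires CA manager
#    approval no certificate file is written yet; certreq -retrieve fetches it later.
certreq.exe -submit -config $CAConfig $req $cer
if (-not (Test-Path $cer)) { throw "No certificate issued (pending or denied); see the certreq output above" }

# 4. Bind the issued certificate to the private key created in step 2.
certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
"Issued certificate for $Subject installed in Cert:\LocalMachine\My"
```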
What Is NDES?

[Figure: a network router enrolls with the CA through NDES over the network]

NDES:

• Uses the Simple Certificate Enrollment Protocol (SCEP) to communicate with compatible network devices such as routers and switches
• Functions as an Active Directory® Certificate Services role service
• Requires Internet Information Services


Lesson 2: Deploying Certificates by
Using Autoenrollment
• Benefits and Uses of Autoenrollment

• Functioning of Autoenrollment
Discussion: Benefits and Uses of Autoenrollment
• How can autoenrollment simplify certificate management in your organization?
• What are examples of applications that can benefit from autoenrollment?
Functioning of Autoenrollment

1. Certificate Template: A certificate template is configured to allow the Enroll and Autoenroll permissions for the users who will receive the certificates.
2. Certificate Authority: The CA is configured to issue the template.
3. GPO: An Active Directory® Group Policy Object (GPO) is created to enable autoenrollment. The GPO is linked to the appropriate site, domain, or organizational unit.
4. Client Machine: The client machine receives the certificates during the next Group Policy refresh interval.
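A client-side check of the four steps above, added here as an example and not part of the course material: it reads the policy value the GPO writes, forces the autoenrollment task to run instead of waiting for the next refresh, and then looks in the local store for a certificate issued from the expected template. The template name is a placeholder; run it elevated on a domain-joined client.

```powershell
param(
    [string]$TemplateName  = "Workstation Authentication",   # placeholder template
    [string]$StoreLocation = "LocalMachine"                  # CurrentUser for user templates
)

# Step 3 check: computer policy writes AEPolicy under HKLM, user policy under HKCU.
# 0x8000 in AEPolicy means autoenrollment is explicitly disabled; a missing value
# means no autoenrollment policy has been applied to this machine yet.
$aeKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
if ($StoreLocation -eq "CurrentUser") { $aeKey = $aeKey -replace '^HKLM', 'HKCU' }
$policy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $policy) {
    Write-Warning "No autoenrollment policy applied yet; check the GPO link, then run gpupdate /force"
} elseif ($policy -band 0x8000) {
    Write-Warning ("Autoenrollment is disabled by policy (AEPolicy=0x{0:X})" -f $policy)
}

# Step 4 normally waits for the next Group Policy refresh; certutil -pulse
# starts the autoenrollment task now.
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 15

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2/v3 templates record name and OID in 1.3.6.1.4.1.311.21.7, v1 templates
    # record the name in 1.3.6.1.4.1.311.20.2. Format() renders either as text;
    # assumption: the v2/v3 name resolves only when the template OID is known locally.
    foreach ($oid in "1.3.6.1.4.1.311.21.7", "1.3.6.1.4.1.311.20.2") {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

$issued = Get-ChildItem "Cert:\$StoreLocation\My" |
    Where-Object { (Get-TemplateName $_) -like "*$TemplateName*" }
if ($issued) {
    $issued | ForEach-Object { "{0}  serial {1}  expires {2}" -f $_.Subject, $_.SerialNumber, $_.NotAfter }
} else {
    Write-Warning ("No certificate from template '$TemplateName' yet. Verify that the template " +
                   "grants Read, Enroll and Autoenroll to this principal and that the CA issues it.")
}
```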
Lesson 3: Revoking Certificates
• Reason Codes for Revoking a Certificate

• How To Revoke a Certificate

• What Is an Online Responder?

• How Online Responders Work

• Steps to Configure an Online Responder

• How To Configure an Online Responder


Reason Codes for Revoking a Certificate

Reason Code: Description

Key Compromise: A computer is stolen or a smart card is lost.
CA Compromise: A CA certificate is compromised.
Change of Affiliation: An employee is terminated or suspended.
Superseded: An issued certificate is replaced.
Cease of Operation: A smart card has failed or the legal name of a user has changed.
Certificate Hold: A certificate is put on hold temporarily.
Unspecified: A certificate is revoked without providing a reason.
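Revocation from the command line with the reason codes in the table above, added here as an example and not part of the course material. It revokes by serial number through Certutil.exe and then publishes a new CRL, because a revocation is only a CA database entry until a CRL (or an Online Responder fed by one) carries it to relying parties. The CA configuration string and the serial number are placeholders; the caller needs the Issue and Manage Certificates permission on the CA.

```powershell
# RFC 5280 CRLReason values in the form certutil -revoke accepts them.
$ReasonCode = @{
    "Unspecified"          = 0
    "KeyCompromise"        = 1
    "CACompromise"         = 2
    "AffiliationChanged"   = 3    # "Change of Affiliation" in the CA console
    "Superseded"           = 4
    "CessationOfOperation" = 5    # "Cease of Operation" in the CA console
    "CertificateHold"      = 6    # the only reversible reason
    "Unrevoke"             = -1   # lifts a Certificate Hold
}

function Revoke-IssuedCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,
        [Parameter(Mandatory=$true)]
        [ValidateSet("Unspecified","KeyCompromise","CACompromise","AffiliationChanged",
                     "Superseded","CessationOfOperation","CertificateHold","Unrevoke")]
        [string]$Reason,
        [string]$CAConfig = "NYC-DC1.contoso.com\Contoso-CA"   # placeholder "host\CA name"
    )
    # Serial numbers in the CA database are hex strings; reject anything else
    # before it reaches the command line.
    if ($SerialNumber -notmatch '^[0-9A-Fa-f]+$') { throw "Serial number must be hex: $SerialNumber" }

    certutil.exe -config $CAConfig -revoke $SerialNumber $ReasonCode[$Reason]
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed with exit code $LASTEXITCODE" }

    # Publish a new CRL now rather than waiting for the scheduled publication,
    # otherwise clients keep trusting the certificate until the next CRL is out.
    certutil.exe -config $CAConfig -CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
    "Revoked $SerialNumber ($Reason) and published a new CRL"
}

# Constructed call: the table's Key Compromise case (a stolen computer).
Revoke-IssuedCertificate -SerialNumber "1A2B3C4D" -Reason KeyCompromise   # placeholder serial
```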


Demonstration: How To Revoke a Certificate
• To revoke a certificate that has been issued previously
What Is an Online Responder?

The Online Responder:

• Uses Online Certificate Status Protocol (OCSP) validation and revocation checking using HTTP
• Receives and responds dynamically to individual requests
• Supports only Windows Server® 2008 and Windows Vista® computers
• Functions as a responder to multiple CAs
How Online Responders Work

1. An application validates a certificate that contains the locations of OCSP responders.
2. If a cached OCSP response is not found, the Online Responder receives a request through HTTP.
3. The Online Responder Web proxy component decodes and verifies the request.
4. The Online Responder takes the request and checks a local CRL.
5. The Web proxy encodes and sends the response back to the client.
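What the client side of the exchange above looks like, added here as an example and not part of the course material: it reads the responder locations that the CA stamped into the certificate's Authority Information Access extension and then asks the .NET chain engine for a fresh revocation check, separating "revoked" from "could not be checked", which is what a client sees when the responder is unreachable. The certificate path is a placeholder for a .cer file issued by the enterprise CA.

```powershell
param([string]$CertPath = "C:\certs\issued.cer")   # placeholder path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The AIA extension (1.3.6.1.5.5.7.1.1) carries the OCSP responder URL that the
# CA was configured to include in issued certificates ("Configure the CA").
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.5.5.7.1.1" }
if ($aia) {
    $urls = [regex]::Matches($aia.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
    "AIA/OCSP locations: $($urls -join ', ')"
} else {
    Write-Warning "No AIA extension: clients cannot locate an Online Responder for this certificate"
}

function Test-RevocationStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ns    = "System.Security.Cryptography.X509Certificates"
    $chain = New-Object "$ns.X509Chain"
    # Online forces a fresh OCSP/CRL lookup instead of trusting the local cache;
    # EntireChain checks the issuing CA certificates as well as the leaf.
    $chain.ChainPolicy.RevocationMode       = [System.Enum]::Parse("$ns.X509RevocationMode", "Online")
    $chain.ChainPolicy.RevocationFlag       = [System.Enum]::Parse("$ns.X509RevocationFlag", "EntireChain")
    $chain.ChainPolicy.UrlRetrievalTimeout  = New-TimeSpan -Seconds 15
    $built  = $chain.Build($Certificate)
    $status = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }

    # An unreachable responder or CRL is not a pass: report it as unknown.
    if ($status -contains "Revoked")                 { return "Revoked" }
    if ($status -contains "RevocationStatusUnknown" -or
        $status -contains "OfflineRevocation")       { return "Unknown (responder or CRL unreachable)" }
    if ($built)                                      { return "Valid" }
    return "Invalid: $($status -join ', ')"
}

"Status for $($cert.Subject): $(Test-RevocationStatus $cert)"
```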
Steps to Configure an Online Responder

1. Configure the CA.
2. Install the Online Responder role service.
3. Create a Revocation Configuration.
Demonstration: How To Configure an Online Responder
• To configure the CA to support the Online Responder

• To install and configure the Online Responder role service


Lesson 4: Configuring Certificate Templates
• What Are Certificate Templates?

• Certificate Template Versions

• Certificate Template Categories and Purposes

• Configuring Certificate Template Permissions

• Methods for Updating a Certificate Template

• How To Modify and Enable a Certificate Template


What Are Certificate Templates?

Certificate templates define the:

• Format and contents of a certificate
• Process of creating and submitting a valid certificate request
• Security principals that are allowed to read, enroll, or autoenroll for a certificate
• Permissions to read, enroll, autoenroll, or modify a certificate template
Certificate Template Versions

Version 1:

• Provided for backward compatibility
• Created by default when a CA is installed
• Cannot be modified or removed but can be duplicated to become Version 2 or 3 templates

Version 2:

• Allows customization of most settings in the template
• Several preconfigured templates are provided when a CA is installed

Version 3:

• Supports advanced Suite B cryptographic settings
• Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Only supports Windows Server® 2008 and Windows Vista®
Certificate Template Categories and Purposes

Users
• Single purpose: Basic EFS, Authenticated Session, Smart Card Logon
• Multiple purpose: Administrator, User, Smart Card User

Computers
• Single purpose: Web Server, IPSec
• Multiple purpose: Computer, Domain Controller
Configuring Certificate Template Permissions

Permission: Description

Full Control: Allows a security principal to modify all attributes
Read: Allows a security principal to find the certificate in Active Directory® when enrolling
Write: Allows a security principal to modify all the attributes except permissions
Enroll: Allows a security principal to enroll for a certificate based on the certificate template
Autoenrollment: Allows a security principal to receive a certificate through the autoenrollment process
Methods for Updating a Certificate Template

Modifying
• Modify the original certificate template to incorporate the new settings.
[Figure: Original template updated in place]

Superseding
• Replace one or more certificate templates with an updated certificate template.
[Figure: the Smart Card templates are superseded by a Smart Card Two-Factor template]

Demonstration: How To Modify and Enable a
Certificate Template
• To create, modify, and supersede a template

• To issue a certificate to be used by a CA


Lesson 5: Configuring Certificate Recovery
• Importance of Key Archival and Recovery

• Manually Exporting Certificates and Private Keys

• Configuring Automatic Key Archival

• How To Configure Key Archival

• Recovering a Lost Key

• How To Recover a Lost Key


Importance of Key Archival and Recovery

Keys get lost when:

• User profile is deleted

• Operating system is reinstalled

• Disk is corrupted

• Computer is stolen

Data recovery methods that use:

• Key archival and key recovery agents

• Manual key archival and recovery


Manually Exporting Certificates and Private Keys

You can use the following to export certificates:

• Certificates MMC snap-in

• Certification Authority MMC snap-in

• Certutil.exe

• Outlook®

• Internet Explorer®

The tool used depends upon the certificate template upon which the certificate is based.
Configuring Automatic Key Archival

To configure automatic key archival:

1. Configure and issue the Key Recovery Agent certificate template.
2. Designate a person as the Key Recovery Agent and enroll for the certificate.
3. Enable Key Archival on the CA.
4. Modify and enable required certificate templates for key archival.
Demonstration: How To Configure Key Archival
• To configure and issue the Key Recovery Agent certificate template

• To designate a person to be the Key Recovery Agent and enroll for the
certificate
• To enable Key Archival on the CA

• To modify and enable required certificate templates for Key Archival


Recovering a Lost Key

1. The private key is lost or corrupted.
2. The certificate manager finds the serial number of the certificate (for example, Serial #: 00AD036).
3. The certificate manager extracts the PKCS #7 from the CA.
4. The certificate manager transfers the PKCS #7 to the KRA.
5. The KRA recovers the private key.
6. The user imports the private key.
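The six steps above carried out with Certutil.exe, added here as an example and not part of the course material. Steps 2 and 3 run as a certificate manager against the CA, step 5 runs as the Key Recovery Agent whose KRA certificate and private key are in that user's store, and step 6 runs as the user; the CA configuration string, the account name, the serial number and the paths are placeholders, and it assumes the key was archived under the key archival configuration of the previous lesson.

```powershell
$CAConfig = "NYC-DC1.contoso.com\Contoso-CA"   # placeholder "host\CA name"
$Serial   = "1A2B3C4D"                         # placeholder serial of the certificate whose key was lost
$Blob     = "C:\recovery\$Serial.p7b"          # PKCS #7 blob encrypted to the KRA
$Pfx      = "C:\recovery\$Serial.pfx"          # recovered key for the user
New-Item -ItemType Directory -Force -Path (Split-Path $Blob) | Out-Null

# Step 2 (certificate manager): find the serial number from the CA database when
# it is not already known. Disposition=20 restricts the view to issued certificates.
certutil.exe -config $CAConfig -view -restrict "RequesterName=CONTOSO\alice,Disposition=20" `
    -out "SerialNumber,NotAfter"          # placeholder account name

# Step 3 (certificate manager): extract the archived key as a PKCS #7 blob. The CA
# never releases the private key in the clear; only a KRA can open this blob.
certutil.exe -config $CAConfig -getkey $Serial $Blob
if ($LASTEXITCODE -ne 0) {
    throw "certutil -getkey failed ($LASTEXITCODE): is key archival enabled and was this key archived?"
}

# Step 4: hand $Blob to the KRA over a channel restricted to that person (for
# example a share whose ACL allows only the KRA account).

# Step 5 (KRA): decrypt the blob with the KRA private key and write a
# password-protected PFX for the user. certutil prompts for the PFX password.
certutil.exe -recoverkey $Blob $Pfx
if ($LASTEXITCODE -ne 0) {
    throw "certutil -recoverkey failed ($LASTEXITCODE): is the KRA certificate in this user's store?"
}

# Step 6 (user): import the PFX into the user's personal store; certutil prompts
# for the PFX password set in step 5.
certutil.exe -user -importPFX $Pfx
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed ($LASTEXITCODE)" }

# The blob and the PFX are copies of the private key; remove them once it is back
# in the user's store.
Remove-Item $Blob, $Pfx -Force -ErrorAction SilentlyContinue
"Recovered key for serial $Serial imported into the user's store"
```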
Demonstration: How To Recover a Lost Key
• To recover an archived certificate and a key from Active Directory®
Lab 3: Deploying and Managing Certificates
• Exercise 1: Configuring AD CS Web Enrollment

• Exercise 2: Configuring Certificate Autoenrollment

• Exercise 3: Configuring AD CS Certificate Revocation

• Exercise 4: Configuring AD CS Certificate Templates

• Exercise 5: Managing Key Archival and Recovery

Logon information

Virtual machine: 6426A-NYC-DC1-B
User name: Administrator
Password: Pa$$w0rd

Estimated time: 110 minutes


Lab Review: Deploying and Managing Certificates
In this lab, you have:
• Exercise 1: Configured AD CS Web Enrollment

• Exercise 2: Configured Certificate Autoenrollment

• Exercise 3: Configured AD CS Certificate Revocation

• Exercise 4: Configured AD CS Certificate Templates

• Exercise 5: Managed Key Archival and Recovery
