Public Key Infrastructure
What is PKI?
PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard.
[Diagram: a CA issuing certificates to Bob and Alice]
External CAs
Internal CAs: enterprise-specific certification authority, used for:
  - Intranet sites
  - VPN
  - Wireless authentication (802.1X)
  - Secure communications between internal services
  Benefits: free, scalable.
Lab Setup
Virtualization Platform: Hyper-V
Network: 10.0.0.0/24
Network Setup
Network: 10.0.0.0/24
Domain: evilcorp.org
  Domain Controller: 10.0.0.1
  Root CA: 10.0.0.2
  Enterprise CA: 10.0.0.3
  Web Server: 10.0.0.4
  Gateway: 10.0.0.254
  Clients: Alice, Bob
Server Roles
Domain Controller:
Active Directory
DNS
DHCP
Root CA Setup
CDP
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://pki.evilcorp.org/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
http://pki.evilcorp.org/pki/<ServerDNSName>_<CaName><CertificateName>.crt
IIS Setup
Virtual directory "pki" mapped to C:\pki (serves the http://pki.evilcorp.org/pki/ CDP and AIA locations)
Root CA Distribution:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
Auto-Enrollment:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Certificate Enrollment Policy
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Certificate Enrollment Policy
User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment
Enterprise CA Setup
CDP
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://pki.evilcorp.org/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://pki.evilcorp.org/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
http://pki.evilcorp.org/pki/<ServerDNSName>_<CaName><CertificateName>.crt
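The CDP and AIA locations listed for the Root CA and Enterprise CA above, applied to the Enterprise CA with the ADCSAdministration cmdlets and then checked. This is an added example, not part of the slide deck; it assumes the CA's computer account can write to the share behind the IIS "pki" virtual directory, and the test certificate path at the end is a placeholder.

```powershell
# Added example (not from the slide deck): configure the Enterprise CA's CDP and AIA to the
# lab's file:// and http:// locations, then verify them. Runs elevated on the CA host and
# needs the ADCSAdministration module that ships with the AD CS role.
# The %-tokens are certutil's form of the slide's placeholders:
#   %1 = <ServerDNSName>  %3 = <CaName>  %4 = <CertificateName>
#   %8 = <CRLNameSuffix>  %9 = <DeltaCRLAllowed>
Import-Module ADCSAdministration

# Drop the default LDAP entries: the lab design publishes only via file and http, and
# non-domain clients (VPN, 802.1X supplicants) cannot follow LDAP paths anyway.
# The default local CertEnroll paths are kept; they match the slide's C:\ entries.
Get-CACrlDistributionPoint       | Where-Object { $_.Uri -like 'ldap:*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like 'ldap:*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# CDP: publish the CRL and delta CRL to the share behind the "pki" virtual directory
# (UNC form of the slide's file://pki.evilcorp.org/pki/; write access is assumed),
# and embed only the http URL in issued certificates.
Add-CACrlDistributionPoint -Uri 'file://\\pki.evilcorp.org\pki\%3%8%9.crl' `
    -PublishToServer -PublishDeltaToServer -Force
Add-CACrlDistributionPoint -Uri 'http://pki.evilcorp.org/pki/%3%8%9.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA: where chain builders fetch the issuing CA certificate when it is not cached.
Add-CAAuthorityInformationAccess -Uri 'http://pki.evilcorp.org/pki/%1_%3%4.crt' `
    -AddToCertificateAia -Force

# The CA service reads these values at start-up; restart it and publish a fresh CRL
# so the new file:// location is populated immediately.
Restart-Service certsvc
certutil -CRL

# Show the resulting registry-backed configuration for review.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Check: every URL embedded in certificates must be reachable by clients, otherwise
# revocation checking fails and strict relying parties (802.1X, VPN) reject the chain.
# -urlfetch retrieves each CDP/AIA URL of the supplied certificate and reports each one.
# (Placeholder path: any certificate issued by this CA after the restart.)
certutil -verify -urlfetch 'C:\temp\issued-test.cer'
```

The same cmdlets apply to the Root CA, with the file:// entry omitted as on the slide, and should run before the Root CA signs the Enterprise CA certificate, since the locations are baked into that certificate at issuance.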
Certificate Templates
PowerShell Code Signing
Domain Computer
Domain User
SSL
Lab Demo