Professional Documents
Culture Documents
Implementing AD CS
Module Overview
What Is PKI?
Components of a PKI Solution
What Are CAs?
Overview of the AD CS Server Role in Windows
Server 2012
New Features of AD CS in Windows Server 2012
Public vs. Private CAs
• What Is a Cross-Certification Hierarchy?
What Is PKI?
PKI :
• Is a standard approach to security-based tools,
technologies, processes, and services that are used to
enhance the security of communications, applications, and
business transactions
• Relies on the exchange of digital certificates between
authenticated users and trusted resources
PKI provides:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation
Components of a PKI Solution
Root CA
CA
CA Web enrollment
nux
Li
Online Responder
NDES Enrollment
Firew
all
CES
s 7
dow Proxy
in
CEP W
s 7
dow Policy
in
W
New Features of AD CS in Windows Server 2012
Root CA Root CA
Subordinate CA
Subordinate CA
Organization 1 Organization 2
Root CA Root CA
Subordinate CA Subordinate CA
Organization 1 Organization 2
Lesson 3: Deploying CAs
Root CA
Root CA
Policy CAs
Issuing CAs
Root CA Root CA
Policy CA Policy CA
Issuing CA
Root Root
Subordinate Subordinate
Root
Root
Subordinate Subordinate
Permissions Description
Allows a designated user, group, or computer
Full Control to modify all attributes—including ownership
and permissions
Modifying
Modify the original certificate
template to incorporate the new
settings
Original Updated
Superseding
Smart Card 1 Replace one or more certificate
templates with an updated
certificate template
Smart Cards
(new)
Smart Card 2
Demonstration: Modifying and Enabling a
Certificate Template
Method Use
• To automate the request, retrieval, and
Autoenrollment storage of certificates for domain-based
computers
• To request certificates by using the
Certificates Templates console or Certreq.exe
Manual enrollment
when the requestor cannot communicate
directly with the CA
Client machine
Enrollment Agent Overview
Network Router
CA Network
NDES:
• Uses SCEP to communicate with network devices
• Functions as an AD CS role service
• Requires IIS
How Does Certificate Revocation Work?
AD DS
Firewall Firewall
Internet
Functions as a responder to
multiple CAs
Demonstration: Configuring an Online
Responder
ü
ü
Configure and issue the KRA certificate template
ü
Enable key archival on the CA