Deploying and Managing Active Directory Certificate Services

6426B_02


Module 2: Deploying and Managing Active Directory Certificate Services

Module Overview
Overview of PKI
Deploying a CA Hierarchy
Installing AD CS
Managing CAs

Lesson 1: Overview of PKI

What Is PKI?
Discussion: Managing IDA and Enhancing Security by Using PKI
Components of a PKI Solution
Validating Certificates by Using PKI Solutions
How AD CS Supports PKI

What Is PKI?

PKI:
Is a standards-based approach to security tools, technologies, processes, and services used to enhance the security of communications, applications, and business transactions
Relies on the exchange of digital certificates between authenticated users and trusted resources

PKI enhances infrastructure security by providing:
Confidentiality
Integrity
Authenticity
Non-repudiation

Discussion: Managing IDA and Enhancing Security by Using PKI

What benefit would a PKI solution provide to your organization?
Give a few examples of applications or services that can use certificates to enhance security.
How does a PKI solution support IDA management?

Components of a PKI Solution

CA
Digital Certificates
Public Key-Enabled Applications and Services
Certificate Templates
Certificates and CA Management Tools
CRLs and Online Responders
AIA and CDPs

Validating Certificates by Using PKI Solutions

PKI-enabled applications use CryptoAPI to validate certificates. Validation consists of:
Certificate Discovery
Path Validation
Revocation Checking
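The three stages above can be exercised from PowerShell through the .NET X509Chain class, which wraps CryptoAPI chain building. This is an added example, not part of the course deck; it assumes at least one certificate exists in the local computer's Personal store, and the function name Test-CertificatePath is ours.

```powershell
# Added example, not from the course deck: run the three validation stages
# through CryptoAPI via the .NET X509Chain wrapper and report the result.
function Test-CertificatePath {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking: fetch CRLs (or OCSP responses) from the CDP and AIA
    # URLs in each certificate, and check every certificate in the path.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Build() does certificate discovery (missing issuers are fetched from the AIA
    # URL) and path validation (signatures, validity dates, trusted root).
    $isValid = $chain.Build($Certificate)

    $path = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject = $element.Certificate.Subject
            Issuer  = $element.Certificate.Issuer
            Status  = ($element.ChainElementStatus |
                       Select-Object -ExpandProperty StatusInformation) -join '; '
        }
    }

    [pscustomobject]@{
        Subject = $Certificate.Subject
        IsValid = $isValid
        Errors  = ($chain.ChainStatus | Select-Object -ExpandProperty Status) -join ', '
        Path    = $path
    }
}

# Usage: validate the first certificate in the local computer's Personal store
# (assumes one is present, e.g. issued by an AD CS CA). The equivalent CLI check
# is: certutil -verify -urlfetch <certificate file>
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1
$result = Test-CertificatePath -Certificate $cert
$result | Format-List -Property Subject, IsValid, Errors
$result.Path | Format-Table -AutoSize
```

A certificate whose CDP or AIA URL is unreachable shows up here as a RevocationStatusUnknown or OfflineRevocation status rather than a clean failure, which is the symptom to look for when CRL publishing is misconfigured.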

How AD CS Supports PKI

AD CS role services:
CA
CA Web Enrollment
Online Responder
NDES

Lesson 2: Deploying a CA Hierarchy


Overview of CA
Discussion: Options for Implementing CA
Types of CAs
Stand-Alone Versus Enterprise CAs
Usage Scenarios in a CA Hierarchy
What Is a Cross-Certification Hierarchy?

Overview of CA

A CA:
Issues a certificate for itself
Verifies the identity of the certificate requestor
Issues certificates to users, computers, and services
Manages certificate revocation

Discussion: Options for Implementing CA

What are the advantages and disadvantages of using an internal private CA?
What are the advantages and disadvantages of using an external public CA?

Types of CAs

Root CA
Is the most trusted type of CA in a PKI
Has a self-signed certificate
Issues certificates to other (subordinate) CAs
Certificate issuance policy is typically more rigorous than for subordinate CAs
Requires a physical security policy

Subordinate CA
Is issued its certificate by another CA
Addresses specific usage policies, organizational or geographical boundaries, load balancing, and fault tolerance
Issues certificates to other CAs to form a hierarchical PKI

Stand-Alone Versus Enterprise CAs

Stand-Alone CAs
A stand-alone CA must be used if any CA (root or intermediate/policy) is offline, because a stand-alone CA is not joined to an AD DS domain
Users provide identifying information and specify the type of certificate
Does not require certificate templates
All certificate requests are kept pending until administrator approval

Enterprise CAs
Requires the use of AD DS
Can use Group Policy to propagate the CA certificate to the trusted root CA certificate store
Publishes user certificates and CRLs to AD DS
Issues certificates based upon a certificate template
Supports autoenrollment for issuing certificates

Usage Scenarios in a CA Hierarchy

[Figure: example two-tier hierarchies, each a root CA with subordinate CAs, organized by Certificate Use (S/MIME, EFS, RAS), Location (India, Canada, USA), Departments (Manufacturing, Engineering, Accounting), and Organizational Unit (Employee, Contractor, Partner)]

What Is a Cross-Certification Hierarchy?

[Figure: two cross-certification arrangements between Organization 1 and Organization 2, each organization shown with a Root CA and a Subordinate CA: (1) Cross-Certification at the Root CA Level; (2) Cross-Certification Subordinate CA to Root CA]

Lesson 3: Installing AD CS
Considerations for Installing a Root CA
Demonstration: How to Install AD CS as a Root CA
Considerations for Installing a Subordinate CA
How the CAPolicy.inf File Is Used for Installation
Demonstration: Overview of the CA Administrative Console

Considerations for Installing a Root CA

Planning a Root CA:
Computer Name and Domain Membership
Name and Configuration
Certificate Database and Log Location
Validity Period
Private Key Configuration: CSP, Key Character Length (default: 2048), Hash Algorithm

Demonstration: How to Install AD CS as a Root CA

Install the AD CS server role as an Enterprise Root CA

Considerations for Installing a Subordinate CA

Computer Name and Domain Membership
Name and Configuration
Certificate Database and Log Location
Validity Period
Private Key Configuration: CSP, Key Character Length (default: 2048), Hash Algorithm
Request Certificate for Subordinate CA

How the CAPolicy.inf File Is Used for Installation


The CAPolicy.inf file is stored in the %Windir% folder of the root or
subordinate CA. This file defines the following:

Certification Practice Statement (CPS)

Object Identifier (OID)

CRL Publication Intervals

CA Renewal Settings

Key Size

Certificate Validity Period

CDP and AIA Paths
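A CAPolicy.inf that sets each of the items listed above for an offline stand-alone root CA, written into %Windir% from PowerShell before the role is installed. This is an added example, not a file from the course; the OID (under a made-up private arc), the CPS URL, the CA name and the periods are constructed placeholders.

```powershell
# Added example, not from the course deck: write a CAPolicy.inf for an offline
# stand-alone root CA before the AD CS role is installed. The OID, CPS URL and
# periods are constructed placeholders; replace them with your organization's values.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

; Certification Practice Statement: the OID and URL are placed in the
; Certificate Policies extension of the CA certificate
[PolicyStatementExtension]
Policies=InternalPolicy

[InternalPolicy]
OID=1.3.6.1.4.1.99999.1.1
Notice="Contoso Pharmaceuticals Certification Practice Statement"
URL=http://pki.contoso.com/cps.html

[Certsrv_Server]
; Key size used when the CA certificate is renewed, and validity period of the
; CA certificate at installation and renewal
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

; CRL publication intervals: an offline root publishes base CRLs rarely and no delta CRLs
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

; A stand-alone root issues only to subordinate CAs, so skip the default templates
LoadDefaultTemplates=0

; The root certificate itself carries no CDP or AIA extension (there is no higher
; authority to check it against); issued certificates get these from the CA settings
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

# AD CS reads CAPolicy.inf from %Windir% during role installation (and again when
# the CA certificate is renewed), so the file must be in place before setup runs.
$path = Join-Path -Path $env:windir -ChildPath 'CAPolicy.inf'
Set-Content -Path $path -Value $caPolicy -Encoding Ascii
Get-Content -Path $path
```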

Demonstration: Overview of the CA Administrative Console

Open the CA administrative console and review the available options

Lesson 4: Managing CAs


What Are CRLs?
How CRLs Are Published
Where to Publish AIAs and CDPs
Demonstration: How to Configure AIA and CRL Availability

What Are CRLs?

Base CRLs
Contain all revoked certificates
Published less frequently
Large size
Usable by client computers running any version of Windows

Delta CRLs
Contain only certificates revoked since the last base CRL
Published more frequently
Small size
Usable by client computers running Windows XP or Windows Server 2003

How CRLs Are Published

[Figure: timeline of CRL publication. Base CRL#1 lists Cert3. After Cert5 is revoked, Delta CRL#2 lists Cert5. After Cert7 is revoked, Delta CRL#3 lists Cert5 and Cert7. Base CRL#2 then lists Cert3, Cert5, and Cert7.]

Where to Publish AIAs and CDPs

Publish the root CA certificate and CRL to:
Active Directory
Web servers
FTP servers
File servers

[Figure: an offline root CA whose certificate and CRL are published to an external Web server and FTP server (reachable from the Internet, behind a firewall) and, behind a second firewall, to Active Directory, an internal Web server, and a file server]

Demonstration: How to Configure AIA and CRL Availability

Configure AIA and CDP settings
Publish the latest version of the CRL
Publish the CRL and CA certificate for the offline root CA to an HTTP location
View the CRL
Publish the CRL and CA certificate to Active Directory
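The demonstration steps above, and the base/delta CRL schedule from the earlier slides, carried out with certutil on an issuing CA. This is an added example, not the course's own demonstration script; the host name pki.contoso.com, the CA names ContosoCA and ContosoRootCA, and the C:\Transfer paths are constructed placeholders.

```powershell
# Added example, not from the course deck: on an issuing (subordinate) CA, set the
# CDP and AIA URLs written into issued certificates, set the CRL schedule, publish
# the CRL, then publish the offline root's certificate and CRL into AD DS.
# The host name pki.contoso.com and C:\Transfer paths are constructed placeholders.
$certEnroll = Join-Path -Path $env:windir -ChildPath 'System32\CertSrv\CertEnroll'

# Entries are "flags:url", separated by a literal \n. Flags: 1 = publish CRLs here,
# 2 = include in the CDP extension of issued certificates, 4 = include in the
# freshest-CRL extension (where the delta CRL is), 64 = publish delta CRLs here.
# certutil expands %3 = CA name, %8 = CRL name suffix, %9 = delta CRL allowed.
$cdp = @(
    "65:$certEnroll\%3%8%9.crl"
    '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl'
) -join '\n'
certutil -setreg 'CA\CRLPublicationURLs' $cdp

# AIA: 1 = publish the CA certificate here, 2 = include in the AIA extension of
# issued certificates. %1 = server DNS name, %4 = certificate (renewal) index.
$aia = @(
    "1:$certEnroll\%1_%3%4.crt"
    '2:http://pki.contoso.com/CertEnroll/%1_%3%4.crt'
) -join '\n'
certutil -setreg 'CA\CACertPublicationURLs' $aia

# CRL schedule: base CRL every 3 days, delta CRL every 12 hours
# (the AD CS defaults are 1 week and 1 day)
certutil -setreg 'CA\CRLPeriod' 'Days'
certutil -setreg 'CA\CRLPeriodUnits' 3
certutil -setreg 'CA\CRLDeltaPeriod' 'Hours'
certutil -setreg 'CA\CRLDeltaPeriodUnits' 12

# Registry changes are read when the service starts; then publish a fresh CRL
Restart-Service -Name CertSvc
certutil -crl

# View the published CRL (file name is <CA name>.crl; ContosoCA is a placeholder)
certutil -dump (Join-Path -Path $certEnroll -ChildPath 'ContosoCA.crl')

# The offline root cannot publish to AD DS itself: copy its certificate and CRL
# over (e.g. removable media) and publish them from a domain member as an
# Enterprise Admin, so domain computers trust the root and can locate its CRL.
certutil -dspublish -f 'C:\Transfer\ContosoRootCA.crt' RootCA
certutil -dspublish -f 'C:\Transfer\ContosoRootCA.crl'
```

Certificates issued before the URL change keep their old CDP/AIA extensions, so the previous locations must stay reachable until those certificates expire.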

Lab: Installing and Configuring AD CS

Exercise 1: Installing the AD CS Server Role
Exercise 2: Issuing and Installing a Subordinate Certificate
Exercise 3: Publishing the CRL

Logon information
Virtual machines: 6426B-HQDC01, 6426B-HQSRV01
User name: Contoso\Administrator
Password: Pa$$w0rd

Estimated time: 40 minutes

Lab Scenario

Building upon the blueprint that was created in the previous lab, you have been asked to implement AD CS within the Contoso Pharmaceuticals infrastructure. Since this is the first AD CS role installed, you have been asked to perform the following tasks:

Install and configure the AD CS server role on a Windows Server 2008 server
Configure the server as a root Certification Authority (CA)
Install a subordinate server and configure the server to distribute certificates by using a Web interface
Change the default CRL publishing metrics, manually publish the CRL, and then view the CRL for the ContosoCA Certificate Authority

Lab Review

In this lab, you have:
Installed the AD CS Server role with just the CA role service and configured it as a stand-alone root CA
Installed an enterprise subordinate CA with the Web enrollment role service
Issued the subordinate certificate
Installed and verified the subordinate certificate
Backed up the subordinate CA
Restored the subordinate CA
Examined the default CDPs and configured the CRL publication interval
Manually published the CRL
Viewed the published CRL

Module Review and Takeaways


Review Questions
Real-World Issues and Scenarios
