Deploying and Managing Active Directory Certificate Services
Module Overview
Overview of PKI
Deploying a CA Hierarchy
Installing AD CS
Managing CAs
Using PKI
What Is PKI?
PKI:
Is a standards-based approach to security tools, technologies, processes, and services used to enhance the security of communications, applications, and business transactions
Relies on the exchange of digital certificates between authenticated users and trusted resources to enhance security
Components of a PKI (diagram labels): CA; Digital Certificates; Public Key-Enabled Applications and Services; Certificate Templates; Certificates and CA Management Tools; Certificate Discovery; Path Validation; Revocation Checking
AD CS role services (diagram labels): CA; CA Web Enrollment; Online Responder; NDES
Overview of CA (diagram labels): the CA issues a certificate for itself; the CA manages certificate revocation; private CA? / CA?
Types of CAs
Root CA
Is the most trusted type of CA in a PKI
Uses a self-signed certificate
Issues certificates to other subordinate CAs
Certificate issuance policy is typically more rigorous
Subordinate CA
Is issued by another CA
Addresses specific usage policies, hierarchical PKI
Enterprise CAs
Require the use of AD DS
CA hierarchy design diagrams (labels only): a root CA with two subordinate CAs organized by certificate use (S/MIME, EFS, RAS); by location (India, Canada, USA); by department (Manufacturing, Engineering, Accounting); and by organizational unit (Employee, Contractor, Partner)
Cross-organization diagrams (labels only, shown twice): Organization 1 with a root CA and a subordinate CA, and Organization 2
Lesson 3: Installing AD CS
Considerations for Installing a Root CA
Demonstration: How to Install AD CS as a Root CA
Considerations for Installing a Subordinate CA
How the CAPolicy.inf File Is Used for Installation
Demonstration: Overview of the CA Administrative Console
Planning a Root CA
Name and Configuration
Certificate Database and Log Location
Validity Period
CSP
Key Length (Default: 2048)
Certificate Hash Algorithm
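The root CA settings listed above (name, CSP, key length, hash algorithm, validity period, database and log location) together with the CAPolicy.inf file from Lesson 3 can be applied from PowerShell. The script below is an added example and is not part of the course material: it uses the ADCSDeployment cmdlets available on Windows Server 2012 and later, installs a standalone (offline-capable) root CA, and writes CAPolicy.inf first because the CA reads that file only at installation and renewal time. The CA name Contoso-Root-CA, the D:\CertDB and D:\CertLog paths, the 10-year validity and the CRL intervals are assumptions chosen for the example.

```powershell
# Added example (not from the course slides): prepare CAPolicy.inf, then install a
# standalone root CA with an explicit name, CSP, key length, hash algorithm,
# validity period and database/log locations. All names and paths are assumptions.

# CAPolicy.inf must exist in %windir% BEFORE the CA is installed. It controls the
# properties of the CA's own certificate on install/renewal and the CRL defaults.
# Delta CRLs are disabled (CRLDeltaPeriodUnits=0) because an offline root cannot
# publish them frequently; the base CRL is valid for 26 weeks.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
AlternateSignatureAlgorithm=0
'@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# Install the CA role service binaries and the management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# Configure the root CA. A standalone root does not need AD DS, so it can be kept
# offline after its certificate and CRL have been published.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName "Contoso-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory "D:\CertDB" `
    -LogDirectory "D:\CertLog" `
    -Force

# Verify the result: CA name/type, and the CRL settings taken from CAPolicy.inf.
certutil -cainfo
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLDeltaPeriodUnits
```

Keep the database and log directories on separate volumes on a busy CA, and treat the exported root certificate and CRL from the CertEnroll folder as the only artifacts that leave the offline machine.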
CA Renewal Settings: Key Size
Delta CRLs (diagram): a base CRL lists all revoked certificates and is large; a delta CRL lists only the certificates revoked since the last base CRL and is small. Timeline shown: Base CRL#1 contains Cert3; Cert5 is revoked and a first delta CRL lists Cert5; Cert7 is revoked and Delta CRL#2 lists Cert5 and Cert7; Base CRL#2 is then published containing Cert3, Cert5 and Cert7
Offline Root CA (diagram labels): publication locations for the offline root CA's certificate and CRL are file servers (file server location), an FTP server, Active Directory, and the Internet, with firewalls between the internal network and the Internet
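The base/delta CRL schedule from the Delta CRLs diagram and the publication locations from the offline root CA diagram are both registry settings on the CA. The script below is an added example, not course material: it configures an online issuing (subordinate) CA to publish a base CRL weekly and a delta CRL daily, points the CDP and AIA extensions at one HTTP location that is reachable from inside the network and, through the firewall, from the Internet, and shows how the offline root's certificate and CRL are published into AD DS. The hostname pki.contoso.com, the CA name and the file paths are assumptions.

```powershell
# Added example (not from the course slides): CRL/delta CRL intervals and CDP/AIA
# locations on an online issuing CA, using certutil and the ADCSAdministration
# cmdlets. Hostname, CA name and paths are assumptions.

# Base CRL every week, delta CRL every day. The delta stays small because it only
# lists certificates revoked since the last base CRL.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
# Overlap: the old CRL stays valid for a while after the new one is published, so
# clients that cached it keep validating while the new CRL propagates to the CDP.
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# Replace the default CDP entries: publish base and delta CRLs to the local
# CertEnroll folder, and put the HTTP URL (not the file path) into issued certificates.
Get-CACrlDistributionPoint | ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint `
    -Uri "$env:windir\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -PublishToServer -PublishDeltaToServer -Force
Add-CACrlDistributionPoint `
    -Uri "http://pki.contoso.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# Same for the AIA extension: clients fetch the issuing CA certificate from here.
Get-CAAuthorityInformationAccess | ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess `
    -Uri "http://pki.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Registry changes take effect after a service restart; then force a CRL publish
# and confirm the delta setting.
Restart-Service certsvc
certutil -crl
certutil -getreg CA\CRLDeltaPeriodUnits

# The offline root's .crt and .crl are copied from its CertEnroll folder to the web
# server and published into AD DS from a domain-joined machine (assumed file names):
#   certutil -dspublish -f Contoso-Root-CA.crt RootCA
#   certutil -dspublish -f Contoso-Root-CA.crl
```

The delta CRL interval must be short enough that the combined base+delta is current when a certificate is revoked, and the web location must stay reachable for the whole CRL validity period: if the CDP is unreachable, revocation checking fails and clients reject otherwise valid certificates.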
Logon information
Virtual machines: 6426B-HQDC01, 6426B-HQSRV01
User name: Contoso\Administrator
Password: Pa$$w0rd
Lab Scenario
Building upon the blueprint that was created in the previous lab,
Lab Review
In this lab, you have:
Installed the AD CS Server role with just the CA role service and
service