Deploying and Managing Certificates


Module 9
Deploying and managing certificates
Module Overview

• Deploying and managing certificate templates
• Managing certificate deployment, revocation, and recovery
• Using certificates in a business environment
• Implementing and managing smart cards
Lesson 1: Deploying and managing certificate templates

• What are certificates and certificate templates?
• Certificate template versions in Windows Server 2016
• Configuring certificate template permissions
• Configuring certificate template settings
• Options for updating a certificate template
• Demonstration: Modifying and enabling a certificate template
What are certificates and certificate templates?

A certificate contains information about users, devices, usage, validity, and a key pair

A certificate template defines:
• The format and contents of a certificate
• The process for creating and submitting a valid certificate request
• The security principals that are allowed to read, enroll, or use autoenrollment for a certificate that will be based on the template
• The permissions that are required to modify a certificate template
Certificate template versions in Windows Server 2016

• Version 1
  • Created by default when the CA is installed
  • Cannot be modified (except for permissions) or removed
  • Can be duplicated to create version 2 or version 3 templates
• Version 2
  • Allows customization of most settings in the template
  • Supports autoenrollment
• Version 3
  • Supports advanced Suite B cryptographic settings
  • Includes advanced options for encryption, digital signatures, key exchange, and hashing
• Version 4
  • Supports both CSPs and key storage providers
  • Supports renewal with the same key
Configuring certificate template permissions

Permission    Description
Full Control  Allows a designated user, group, or computer to modify all attributes, including ownership and permissions
Read          Allows a designated user, group, or computer to read the certificate in AD DS when enrolling
Write         Allows a designated user, group, or computer to modify all attributes except permissions
Enroll        Allows a designated user, group, or computer to enroll for the certificate template
Autoenroll    Allows a designated user, group, or computer to receive a certificate through the autoenrollment process
Configuring certificate template settings

For each certificate template, you can customize several settings, such as validity time, purpose, CSP, private key exportability, and issuance requirements

Category   Example of single purpose                             Example of multipurpose
Users      Basic EFS; Authenticated session; Smart card sign in  Administrator; User; Smart card user
Computers  Web server; IPsec                                     Computer; Domain controller
Options for updating a certificate template

• Modifying: modify the original certificate template to incorporate the new settings (diagram: Original -> Updated)
• Superseding: replace one or more certificate templates with an updated certificate template (diagram: Smart card 1 + Smart card 2 -> Smart cards (new))
Demonstration: Modifying and enabling a certificate template

In this demonstration, you will see how to modify and enable a certificate template
Lesson 2: Managing certificate deployment, revocation, and recovery

• Certificate enrollment methods
• Overview of certificate autoenrollment
• What is an enrollment agent?
• How does certificate revocation work?
• Overview of key archival and recovery
• Configuring automatic key archival
• Demonstration: Configuring a CA for key archival
Certificate enrollment methods

Method             Use
Autoenrollment     To automate the request, retrieval, and storage of certificates for domain-based computers
Manual enrollment  To request certificates by using the Certificates console or Certreq.exe when the requestor cannot communicate directly with the CA
CA Web enrollment  To request certificates from a website that is located on a CA; to issue certificates when autoenrollment is not available
Enroll on behalf   To provide IT staff with the right to request certificates on behalf of another user (Enrollment Agent)
Overview of certificate autoenrollment

• A certificate template is configured for Allow, Enroll, and Autoenroll permissions for users who receive the certificates
• The CA is configured to issue the template
• An AD DS Group Policy Object (GPO) should be created to enable autoenrollment
• The GPO should be linked to the appropriate site, domain, or Organizational Unit (OU)
• The user or computer receives the certificates during the next Group Policy refresh interval
What is an enrollment agent?

• An Enrollment Agent is a user account used to request certificates on behalf of another user account
• An enrollment agent must possess a certificate based on the Enrollment Agent template
• Enrollment agents are typically members of corporate or IT security departments
• The scope of an enrollment agent can be limited to:
  • Specific users or security groups
  • Specific certificate templates
How does certificate revocation work?

The following are the steps to revoke a certificate:
1. A certificate is revoked
2. A CRL is published
3. A client computer verifies certificate validity and revocation
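The three steps above as an added example that is not part of the course material: it uses Go's standard library in place of AD CS, so the CA name, serial numbers and 24-hour CRL lifetime are constructed values. A CA revokes a serial number and publishes a signed CRL (steps 1 and 2); the client then parses the CRL and refuses to act on it unless the CA's signature checks out and the CRL is still current (step 3).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCA is a constructed fixture: a self-signed CA certificate that is allowed to sign CRLs.
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Adatum CA (constructed)"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der) // parsing fills in the subject key identifier the CRL needs
	return ca, key, err
}

// publishCRL is steps 1 and 2: the CA lists the revoked serial numbers in a CRL and signs it.
func publishCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked []pkix.RevokedCertificate) ([]byte, error) {
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, crl, ca, caKey)
}

// isRevoked is step 3 on the client: parse the CRL, refuse it unless the CA signed it and it is still current, then look up the serial.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is not signed by this CA or is stale: do not act on it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```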
Overview of key archival and recovery

• Private keys can get lost when:
  • A user profile is deleted
  • An operating system is reinstalled
  • A disk is corrupted
  • A computer is lost or stolen
• It is critical that you archive private keys for certificates that are used for encryption
• The KRA is needed for key recovery
• Key archival must be configured on the CA and on the certificate template
• Key recovery is a two-phase process:
  1. Key retrieval
  2. Key recovery
• The KRA certificate must be protected
Configuring automatic key archival

Steps to configure automatic key archival:
1. Configure the KRA certificate template
2. Designated key recovery agents enroll for a KRA certificate
3. Enable key recovery agents on the CA
4. Configure the necessary certificate templates for key archival
Demonstration: Configuring a CA for key archival

In this demonstration, you will see how to configure a CA for key archival
Lesson 3: Using certificates in a business environment

• Using certificates for SSL
• Using certificates for digital signatures
• Demonstration: Signing a document digitally
• Using certificates for content encryption
• Demonstration: Encrypting a file with EFS
• Using certificates for authentication
Using certificates for SSL

• The purpose of securing a connection with SSL is to protect data during communication
• For SSL, a certificate must be installed on the server
• Be aware of trust issues
• SSL works in the following steps:
  1. The user types an HTTPS URL
  2. The web server sends its SSL certificate
  3. The client performs a check of the server certificate
  4. The client generates a symmetric encryption key
  5. The client encrypts this key with the server’s public key
  6. The server uses its private key to decrypt the encrypted symmetric key
Using certificates for digital signatures

• Digital signatures ensure that:
  • Content is not modified during transport
  • The identity of the author is verifiable
• Digital signatures work in the following steps:
  1. When an author digitally signs a document or a message, the operating system on his or her computer creates a cryptographic digest of the message
  2. The cryptographic digest is then encrypted by using the author’s private key and added to the end of the document or message
  3. The recipient uses the author’s public key to decrypt the cryptographic digest and compares it to the cryptographic digest created on the recipient’s computer
• Users need to have a certificate that is based on a User template to use digital signatures
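The three signing steps above as an added example that is not part of the course slides, written against Go's standard library: SHA-256 produces the digest, RSA PKCS#1 v1.5 is the "encrypt the digest with the private key" step, and the recipient's check fails once a figure in the document is altered in transit. The author's key pair and the purchase-order text are constructed for the demo; in AD CS the public key would come from the author's User certificate.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// digest is step 1: the document is reduced to a fixed-size SHA-256 digest.
func digest(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// signDocument is step 2: the digest is signed with the author's private key (RSA PKCS#1 v1.5
// here); the resulting signature is what gets appended to the document or message.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(doc))
}

// verifyDocument is step 3: the recipient recomputes the digest locally and checks the
// signature against it with the author's public key, taken from the author's certificate.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(doc), sig) == nil
}

// demo signs a constructed document, alters one figure "in transit", and reports which copy verifies.
func demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the author's key pair (constructed)
	if err != nil {
		return false, false, err
	}
	doc := []byte("Purchase order 4711: approve payment of 10,000 EUR") // constructed sample
	sig, err := signDocument(priv, doc)
	if err != nil {
		return false, false, err
	}
	altered := bytes.Replace(doc, []byte("10,000"), []byte("90,000"), 1)
	return verifyDocument(&priv.PublicKey, doc, sig), verifyDocument(&priv.PublicKey, altered, sig), nil
}

func main() {
	ok, altered, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, altered copy verifies: %v\n", ok, altered)
}
```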
Demonstration: Signing a document digitally

In this demonstration, you will see how to sign a document digitally
Using certificates for content encryption

• Encryption protects data from unauthorized access
• EFS uses certificates for file encryption
• To send an encrypted message, you must possess the recipient’s public key

EFS file layout (diagram):
Header
  Data Decryption Field: file encryption key, encrypted with the file owner’s public key
  Data Recovery Fields: file encryption key, encrypted with the public key of Recovery agent 1; file encryption key, encrypted with the public key of Recovery agent 2 (optional)
Encrypted Data
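The header layout above as an added example that is not part of the course material and uses Go's standard library rather than EFS: a fresh file encryption key (FEK) encrypts the contents, and the same FEK is wrapped to the owner's public key (the DDF) and to each recovery agent's public key (one DRF each), so the owner or a recovery agent can open the file while any other key cannot. RSA-OAEP and AES-256-GCM stand in for EFS's own algorithms, and every key is constructed at run time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// efsFile mirrors the layout on the slide: the FEK wrapped once per principal, then the encrypted data.
type efsFile struct {
	fields      [][]byte // fields[0] is the DDF (owner); fields[1:] are the DRFs (recovery agents)
	nonce, data []byte
}

// aead builds AES-256-GCM for a FEK; neither constructor can fail for a 32-byte key.
func aead(fek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// encryptFile draws a fresh FEK, seals the contents with it, and wraps the FEK to the owner's and each recovery agent's public key.
func encryptFile(plain []byte, owner *rsa.PublicKey, agents ...*rsa.PublicKey) (*efsFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce, both random
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, f := buf[:32], &efsFile{nonce: buf[32:]}
	f.data = aead(fek).Seal(nil, f.nonce, plain, nil)
	for _, pub := range append([]*rsa.PublicKey{owner}, agents...) {
		field, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil) // RSA-OAEP stands in for EFS
		if err != nil {
			return nil, err
		}
		f.fields = append(f.fields, field)
	}
	return f, nil
}

// decryptFile tries every field with the caller's private key: the owner opens the DDF, a recovery agent its DRF, anyone else gets rsa.ErrDecryption.
func decryptFile(f *efsFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, field := range f.fields {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, field, nil); err == nil {
			return aead(fek).Open(nil, f.nonce, f.data, nil)
		}
	}
	return nil, rsa.ErrDecryption
}
```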
Demonstration: Encrypting a file with EFS

In this demonstration, you will see how to encrypt a file with EFS
Using certificates for authentication

You can use certificates for user and device authentication and also in network and application access scenarios such as:
• L2TP/IPsec VPN
• EAP-TLS
• PEAP
• NAP with IPsec
• Outlook Web App
• Mobile device authentication
Lesson 4: Implementing and managing smart cards

• What is a smart card?
• How does smart card authentication work?
• What is a virtual smart card?
• Enrolling certificates for smart cards
• Smart card management
What is a smart card?

• A smart card is a miniature computer, with limited storage and processing capabilities, embedded in a plastic card about the size of a credit card
• Smart cards:
  • Provide options for multifactor authentication
  • Provide enhanced security over passwords
• A valid smart card and PIN must be used together
How does smart card authentication work?

• Smart cards can be used for:
  • Interactive sign in to AD DS
  • Client authentication
  • Remote sign in
  • Offline sign in
• Interactive sign in steps:
  1. The sign-in request goes to the LSA, which forwards it to the Kerberos package
  2. KDC verifies the certificate
  3. KDC verifies the digital signature on the authentication service
  4. KDC performs an AD DS query to locate the user account
  5. KDC generates a random encryption key to encrypt the TGT
  6. KDC signs the reply with its private key and sends it to the user
What is a virtual smart card?

• A smart card infrastructure might be expensive
• Windows Server 2012 AD CS introduced virtual smart cards
• Virtual smart cards use the capabilities of the TPM chip
• No cost for buying smart cards and smart card readers
• The computer acts like a smart card
• Private keys are protected by the cryptographic capabilities of the TPM
Enrolling certificates for smart cards

• Before you issue smart cards, define the method of enrolling smart card certificates
• Smart card certificate enrollment requires some manual intervention
• For smart card enrollment:
  • Define the certificate template for the smart cards
  • Enroll one or more users for the Enrollment Agent certificate
  • Configure the enrollment station
  • Start the Enroll On Behalf Of wizard
• Ensure that users change their personal PINs
Smart card management

• Smart card management tasks:
  • Issuance
  • Revocation
  • Renewal
  • Blocking and unblocking
  • Duplication
  • Suspension
• Use MIM to:
  • Issue smart cards to users
  • Store information in a SQL database
  • Manage revocation, renewal, unblocking, suspension, and reinstatement procedures
  • Provide users and administrators with a web-based, self-service smart card management interface
  • Manage smart card printing with appropriate hardware
  • Implement workflows for each management task
Lab: Deploying and using certificates

• Exercise 1: Configuring certificate templates
• Exercise 2: Enrolling and using certificates
• Exercise 3: Configuring and implementing key recovery

Logon Information
Virtual machines: 20742A-LON-DC1, 20742A-LON-SVR1, 20742A-LON-SVR2, 20742A-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 50 minutes

Lab Scenario
You are working as an administrator at A. Datum
Corporation. As A. Datum expands, its security requirements
are also increasing. The Security department particularly is
interested in enabling secure access to critical websites and
in providing additional security for features such as EFS,
digital signatures, smart cards, and the DirectAccess feature
in Windows 8.1 and Windows 10. The Security department
especially wants to evaluate digital signatures in Microsoft
Office documents. To address these and other security
requirements, A. Datum has decided to use certificates that
are issued by the AD CS role in Windows Server 2016.
As a senior network administrator at A. Datum, you are
responsible for implementing certificate enrollment. You also
will be developing the procedures and process for managing
certificate templates and for deploying and revoking
certificates.
Lab Review

• What must you do to recover private keys?
• What is the benefit of using a restricted Enrollment Agent?
Module Review and Takeaways

• Review Questions
• Real-world Issues and Scenarios
• Tools
• Best Practices
• Common Issues and Troubleshooting Tips
