FINAL
Published:
Microsoft Confidential - For Internal and OEM Partner Use Only
DISCLAIMER
2007 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be
the trademarks of their respective owners.
THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND
TRAINING PURPOSES ONLY AND ARE PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
No part of the text or software included in this training package may be
reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or any information storage
and retrieval system, without permission from Microsoft. Because
Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the
date of publication. The names of actual companies and products
mentioned herein may be the trademarks of their respective owners.
To obtain authorization for uses other than those specified above, please
visit the Microsoft Copyright Permissions Web page at
http://www.microsoft.com/about/legal/permissions
This content is proprietary and confidential, and is intended only for users
described in the content provided in this document. This content and
information is provided to you under a Non-Disclosure Agreement and
cannot be distributed. Copying, disclosing all or any portion of the content
and/or information included in this document is strictly prohibited.
Table of Contents
Overview ...... 1
Lesson 1: What's new in Active Directory Certificate Services ...... 2
Active Directory Certificate Services Role ...... 3
AD CS: Enterprise PKI (PKIView) ...... 4
What does Enterprise PKI do? ...... 5
Enterprise PKI Snap-In ...... 6
AD CS: Network Device Enrollment Service ...... 7
Restricted Enrollment Agent ...... 8
Restricted Certificate Managers ...... 11
Version 3 Certificate Templates ...... 12
What does NDES do? ...... 14
Enabling CryptoAPI 2.0 Diagnostics ...... 15
AD CS: Online Certificate Status Protocol Support ...... 17
What does OCSP support do? ...... 18
Preparing for OCSP ...... 19
OCSP Special Considerations ...... 20
Understanding the Online Responder's Components ...... 21
OCSP Client ...... 22
New Functionality in Online Responder ...... 23
CRLs and OCSP ...... 24
Online Responder Prerequisites ...... 25
Responder Arrays ...... 27
Certificate Management Features available via GPO ...... 28
Managing expiration times for CRLs and OCSP responses ...... 29
Tables
Table 1 CA Health States ...... 5
Table 2 Template Requirements ...... 12
Figures
Figure 1 Combination of Agents, Templates, and Credentials ...... 9
Figure 2 Restrict Enrollment Agents ...... 10
Figure 3 Restrict Certificate Managers ...... 11
Figure 4 Microsoft Online Responder Components ...... 21
Overview
In this module you will learn about the improvements to AD CS (Active Directory Certificate Services) over Windows Server 2003:
- CAPI2 logging
- OCSP
- Upgrade paths
Table 1 CA Health States (only the Indicator column survived extraction; the CA state column is not recoverable from this page)
Indicator: Question mark
Indicator: Green indicator
Indicator: Yellow indicator
Indicator: Red indicator
Indicator: Red cross over CA icon
Table 2 Template Requirements
Template version | Windows version required to modify a template
V1 template      | n/a, since V1 templates are static
V2 template      | (not recoverable from this page)
V3 template      | Windows Server "Longhorn" (the codename of Windows Server 2008)
For Version 3 templates, these properties are new in the Cryptography tab.
The list of providers is filtered based on the minimum key size that was
chosen.
You can also enable logging and save the logs using the wevtutil.exe tool.
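The following is an added example, not part of the original module, showing the wevtutil.exe sequence a practitioner actually uses to capture CAPI2 diagnostics on a Windows Server 2008 or Vista machine: enlarge the log, enable it, reproduce the problem, export, disable. The log name is the real CAPI2 operational channel; the output path and the 64 MB size are assumptions.

```powershell
# Added example (not from the original module): capture CryptoAPI 2.0 diagnostics with wevtutil.exe.
# Run from an elevated prompt. C:\Temp and the 64 MB log size are assumptions; adjust to taste.
$log = 'Microsoft-Windows-CAPI2/Operational'

# 1. Grow the log before enabling it. CAPI2 logs every chain build, CRL/OCSP fetch and
#    policy check, so the default size wraps quickly and you lose the start of the repro.
wevtutil sl $log /ms:67108864           # maxsize in bytes (64 MB)

# 2. Enable the channel (it is off by default on a fresh install).
wevtutil sl $log /e:true

# 3. Reproduce the failure here: TLS handshake, smart-card logon, signed e-mail validation,
#    or simply force a revocation check with certutil:
#    certutil -verify -urlfetch C:\Temp\suspect.cer

# 4. Inspect the newest events as text (newest first, 20 entries), then export everything
#    as .evtx so it can be opened in Event Viewer or parsed offline on another machine.
wevtutil qe $log /c:20 /rd:true /f:text
wevtutil epl $log 'C:\Temp\capi2.evtx'

# 5. Disable the channel again and optionally clear it before the next capture;
#    leaving CAPI2 logging on in production costs disk and I/O, and the exported
#    file contains every URL and certificate the box validated.
wevtutil sl $log /e:false
wevtutil cl $log
```

If you prefer to stay in PowerShell for the triage step, `Get-WinEvent -LogName $log -MaxEvents 20` returns the same records as objects, which is easier to filter by `LevelDisplayName` or to search for a CRL or OCSP URL in `Message`.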
Online Responders that distribute OCSP responses and CRLs are the two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and answers requests from clients about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there are.
In many circumstances, Online Responders can process certificate status requests more efficiently than CRLs can. For example:
- Clients connect to the network remotely and do not need, or do not have, the high-speed connections required to download large CRLs.
- A network needs to handle large peaks in revocation checking activity, such as when large numbers of users log on or send signed e-mail simultaneously.
- An organization needs an efficient means to distribute revocation data for certificates issued from a non-Microsoft CA.
- An organization wants to provide only the revocation checking data needed to verify individual certificate status requests, rather than make available information about all revoked or suspended certificates.
Microsoft Online Responders are based on and comply with RFC 2560
for OCSP. For this reason, certificate status responses from Online Responders
are frequently referred to as OCSP responses. For more information about
RFC 2560, see the Internet Engineering Task Force Web site
(http://go.microsoft.com/fwlink/?LinkId=67082).
OCSP Client
The OCSP client is fully integrated into the CryptoAPI 2.0 certificate revocation infrastructure. It implements the recommendations of the draft Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (PKIX) "Lightweight OCSP Profile for High Volume Environment" and is optimized for high-volume scenarios.
The major differences between the Lightweight OCSP Profile and RFC 2560, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP," can be summarized as follows:
- The Lightweight OCSP Profile supports both Hypertext Transfer Protocol (HTTP) and Secure Hypertext Transfer Protocol (HTTPS) as transports.
- Lightweight OCSP Profile responses must state both when they were produced and when they expire (the thisUpdate and nextUpdate fields); the full profile leaves nextUpdate optional, so a client cannot rely on it for caching.
- Signed requests are not supported in the Lightweight OCSP Profile. The client cannot create a signed request; if a signed request (which third-party OCSP clients can create) is sent to the Online Responder, an "Unauthorized" response is returned.
- With the Lightweight OCSP Profile, a nonce is not sent in the request and is ignored in the response. However, the Online Responder supports the nonce
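There is no standalone OCSP client to call; the client is reached through the CryptoAPI 2.0 chain engine, which decides for itself whether to use OCSP or a CRL. The added example below (not code from the module) drives that engine from PowerShell through the .NET X509Chain wrapper and handles the failure mode a practitioner most often gets wrong: when the responder and CRL distribution point are unreachable, the engine reports RevocationStatusUnknown or OfflineRevocation, not Revoked, and an application that only checks "did the chain build" will silently soft-fail. The certificate file path is an assumption.

```powershell
# Added example (not from the original module): drive the CAPI2 revocation client from PowerShell
# and classify the result. The input .cer path is an assumption.
function Test-CertificateRevocation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,                                   # DER or Base64 .cer file
        [ValidateSet('Online', 'Offline', 'NoCheck')] [string] $Mode = 'Online', # Online = fetch OCSP/CRL over the network
        [int] $TimeoutSeconds = 15
    )

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    $chain.ChainPolicy.RevocationMode = $Mode
    # Roots are trust anchors and carry no revocation pointers; checking them only produces noise.
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    # Bound the per-URL fetch so a dead responder cannot hang the caller indefinitely.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $built  = $chain.Build($cert)
    $status = $chain.ChainStatus | ForEach-Object { [string]$_.Status }

    # Order matters: a definite 'Revoked' wins; an unknown status must never be reported as good.
    $verdict =
        if ($status -contains 'Revoked') { 'REVOKED' }
        elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
            'UNKNOWN (responder/CRL unreachable; do not treat as good)'
        }
        elseif ($built) { 'GOOD' }
        else { 'INVALID (non-revocation chain error)' }

    $result = [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Verdict = $verdict
        Detail  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
    $chain.Reset()   # release the native chain context
    return $result
}

# Usage (path is an assumption):
# Test-CertificateRevocation -Path 'C:\Temp\suspect.cer' | Format-List
```

Run it with CAPI2 logging enabled and the corresponding Build Chain and revocation events show exactly which OCSP URL or CRL the engine chose, which is the fastest way to tell "the responder answered revoked" from "the responder was never reached". For a one-off check without scripting, `certutil -verify -urlfetch <file>` exercises the same engine and prints each fetched URL.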
Two significant new sets of functionality can be derived from the Online Responder service:
- Online Responders. The basic Online Responder functionality provided by a single computer where the Online Responder service has been installed.
- Responder arrays. Multiple linked computers hosting Online Responders and processing certificate status requests.
Online Responder
An Online Responder is a computer on which the Online Responder service is
running. A computer that hosts a CA can also be configured as an Online
Responder, but it is recommended that you maintain CAs and Online
Responders on separate computers. A single Online Responder can provide
revocation status information for certificates issued by a single CA or multiple
CAs. CA revocation information can be distributed using more than one Online
Responder.
Configuring Revocation
After an Online Responder has been installed, you also need to create a revocation configuration for each CA and CA certificate served by an Online Responder.
A revocation configuration includes all of the settings that are needed to respond to status requests regarding certificates that have been issued using a specific CA key. These configuration settings include:
- CA certificate. This certificate can be located on a domain controller, in the local certificate store, or imported from a file.
- Signing certificate for the Online Responder. This certificate can be selected automatically for you, selected manually (which involves a separate import step after you add the revocation configuration), or you can use the selected CA certificate.
- Revocation provider that will provide the revocation data used by this configuration. This information is entered as one or more URLs where valid base and delta CRLs can be obtained.
Important
Before you begin to add a new revocation configuration, make sure you have the information in this list.
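The three settings above map one-to-one onto the IOCSPAdmin COM interface (ProgID CertAdm.OCSPAdmin) that the Online Responder snap-in itself drives, so the same revocation configuration can be created from a script. The block below is an added example, not code from the module: the responder name, CA name and configuration string, certificate path and CRL URLs are assumptions; the OCSP_SF_* signing-flag values and the default revocation provider CLSID are quoted from memory of the IOCSPAdmin reference and should be confirmed there (or read back from a configuration created in the snap-in) before use.

```powershell
# Added example (not from the original module): create an Online Responder revocation
# configuration through IOCSPAdmin. Names, paths and URLs below are assumptions.
$Responder = 'ocsp01.contoso.com'
$Name      = 'Contoso Issuing CA 1'
$CaConfig  = 'ca01.contoso.com\Contoso Issuing CA 1'      # CA config string for auto-enrollment
$CaCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\Temp\ContosoIssuingCA.cer'
$BaseCrls  = @('http://pki.contoso.com/crl/ContosoIssuingCA.crl')
$DeltaCrls = @('http://pki.contoso.com/crl/ContosoIssuingCA+.crl')

$admin = New-Object -ComObject CertAdm.OCSPAdmin
$admin.GetConfiguration($Responder, $true)        # $true: reload from the responder, ignore the local cache

# 1. CA certificate: this configuration answers only for certificates issued with this CA key.
$cfg = $admin.OCSPCAConfigurationCollection.CreateCAConfiguration($Name, [byte[]]$CaCert.RawData)

# 2. Signing certificate: auto-enroll and auto-renew an OCSP Response Signing certificate from the
#    CA, and identify the responder by key hash. Values are the OCSP_SF_* constants (assumption:
#    verify against the IOCSPAdmin documentation).
$OCSP_SF_SILENT                           = 0x001
$OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL    = 0x004
$OCSP_SF_AUTODISCOVER_SIGNINGCERT         = 0x010
$OCSP_SF_RESPONDER_ID_KEYHASH             = 0x040
$OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT = 0x200
$cfg.SigningFlags = $OCSP_SF_SILENT -bor $OCSP_SF_ALLOW_SIGNINGCERT_AUTORENEWAL -bor
                    $OCSP_SF_AUTODISCOVER_SIGNINGCERT -bor $OCSP_SF_RESPONDER_ID_KEYHASH -bor
                    $OCSP_SF_ALLOW_SIGNINGCERT_AUTOENROLLMENT
$cfg.HashAlgorithm              = 'SHA1'               # hash used in the CertID the client sends
$cfg.SigningCertificateTemplate = 'OCSPResponseSigning' # built-in template name; assumption if renamed
$cfg.CAConfig                   = $CaConfig

# 3. Revocation provider: the Windows default provider reads base and delta CRLs from the URLs.
$cfg.ProviderCLSID = '{4956d17f-88fd-4198-b287-1e6e65883b19}'   # assumption: confirm in the snap-in
$props = New-Object -ComObject CertAdm.OCSPPropertyCollection
[void]$props.CreateProperty('BaseCrlUrls',    [string[]]$BaseCrls)
[void]$props.CreateProperty('DeltaCrlUrls',   [string[]]$DeltaCrls)
[void]$props.CreateProperty('RefreshTimeOut', 3600000)            # milliseconds; re-fetch hourly
$cfg.ProviderProperties = $props.GetAllProperties()

# Commit. In an Array, run this against the Array controller; its configuration overrides members.
$admin.SetConfiguration($Responder, $true)
```

Two checks worth doing immediately afterwards: confirm in the Online Responder snap-in that the configuration shows a signing certificate (auto-enrollment silently fails if the CA has not published the OCSP Response Signing template or the responder's computer account lacks enroll permission), and confirm that the CA's AIA extension actually advertises this responder's URL, because clients only find the responder through that extension.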
Responder Arrays
Multiple Online Responders can be linked in an Online Responder Array. Online
Responders in an Array are referred to as Array members. One member of the
Array must be designated as the Array controller. Although each Online
Responder in an Array can be configured and managed independently, in case
of conflicts the configuration information for the Array controller will override
configuration options set on other Array members.
The certificate path validation settings in Group Policy cover four areas: Stores, Trusted Publishers, Network Retrieval, and Revocation.
In addition, four new policy stores have been added under Public Key Policies for use in distributing different types of certificates to clients:
These new policy stores are in addition to the Enterprise Trust and Trusted Root Certification Authorities stores that were available in Windows Server 2003.
These path validation settings and certificate stores can be used to complete the following tasks:
- Managing the peer trust and trusted root certificate stores
- Managing trusted publishers
- Blocking certificates that are not trusted according to policy
- Managing retrieval of certificate-related data
- Managing expiration times for CRLs and Online Certificate Status Protocol (OCSP) responses
- Deploying certificates
Deploying certificates
User and computer certificates can be deployed by using a number of mechanisms, including autoenrollment, the Certificate Request Wizard, and Web enrollment. Deploying other types of certificates to a large number of computers, however, can be challenging. In Windows Server 2003 it was possible to distribute trusted root CA certificates and enterprise trust certificates by using Group Policy. In Windows Server 2008 all of the following types of certificates can be distributed by placing them in the appropriate certificate store in Group Policy:
Additional Reading
Active Directory Certificate Services
http://technet2.microsoft.com/windowsserver2008/en/servermanager/activedirectorycertificateservices.mspx