Active Directory Certificate Services- Training Guide Configuring Advanced Windows Server 2012 R2 Services (2014)

Chapter 4. Active Directory Certificate Services

Active Directory Certificate Services (AD CS) can be as important to your organization’s network infrastructure as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP), because an increasing number of network services rely on certificate services for authorization and identification, from the smart cards used to sign on to the network to the computer certificates used to identify servers and remote clients. In this chapter you find out how to configure and deploy Active Directory Certificate Services in a variety of ways. You also discover how to configure certificate templates to best meet the needs of your organization.

Lessons in this chapter:

• Lesson 1: Installing and configuring Active Directory Certificate Services

• Lesson 2: Managing certificates

Before you begin

To complete the practice exercises in this chapter, you need to have deployed computers SYD-DC, MEL-DC, CBR-DC, and ADL-DC as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.

Lesson 1: Installing and configuring Active Directory Certificate Services

Active Directory Certificate Services is the role that you install on a computer running the Windows Server 2012 or Windows Server 2012 R2 operating system when you want it to function as a certificate authority. In this lesson you find out how to deploy Active Directory Certificate Services as an enterprise root, enterprise subordinate, standalone root, or standalone subordinate CA. You also discover how to configure certificate revocation list distribution points, online responders, and administrative role separation, and how to back up and recover a certificate authority.


After this lesson, you will be able to:

• Install an enterprise certificate authority (CA)

• Configure CRL distribution points

• Deploy and manage an online responder

• Configure administrative role separation

• Configure CA backup and recovery

Estimated lesson time: 45 minutes


Installing certificate authorities

Certificates play an increasingly important role on Windows networks. A certificate authority (CA), also known as a certificate server, is a Windows Server 2012 and Windows Server 2012 R2 role service responsible for issuing, revoking, verifying, and managing digital certificates.

You deploy a CA by installing the Active Directory Certificate Services role as shown in Figure 4-1. It is important to remember that even when you are deploying a CA on a computer that is not a member of an Active Directory domain, you install the Active Directory Certificate Services role.

FIGURE 4-1 Install the Active Directory Certificate Services

Active Directory Certificate Services role services

Active Directory Certificate Services comprises the following role services, as shown in Figure 4-2.

FIGURE 4-2 Active Directory Certificate Services

• Certification authority: The core component responsible for issuing certificates to computers, users, and services. You can deploy four types of CA: enterprise root, standalone root, enterprise subordinate, and standalone subordinate.

• Certification Authority Web Enrollment: Provides a web-based interface through which enrollment tasks can be performed. You can use this to perform certificate tasks for computers that are not members of the same forest as the certificate server, including computers running third-party operating systems.

• Online Responder: A web service that makes the certificate revocation list (CRL) check process more efficient by enabling clients to check the status of a specific certificate without having to download CRLs and delta CRLs in their entirety.

• Network Device Enrollment Service (NDES): A service that enables network devices such as routers, switches, firewalls, and hardware-based virtual private network (VPN) gateways to obtain certificates from the CA.

• Certificate Enrollment Policy Web Service: A service that enables users in a forest running at the Windows Server 2008 R2 or higher functional level to obtain certificate enrollment policy information when enrolling on computers that are not members of the Active Directory domain.

• Certificate Enrollment Web Service: A service that enables users in a forest running at the Windows Server 2008 R2 or higher functional level to interact with the CA through a web browser to request and renew certificates, retrieve CRLs, and enroll across forest boundaries and the Internet.

CA hierarchies

The CA hierarchy determines how CAs are deployed in your organization. A CA hierarchy has two or more CAs. A root CA sits at the top, or apex, of a hierarchy. An issuing CA sits at the base of the hierarchy. You can configure an issuing CA to issue any type of certificate, or configure an issuing CA to only issue certificates from specific templates. For example, you might have an enterprise subordinate CA that issues computer certificates used to authenticate Internet Protocol security (IPSec) communication between domain members and a standalone subordinate CA used to issue web server certificates to computers on your organization’s perimeter network. Some organizations use three tiers as shown in Figure 4-3, with a policy tier in between the root CA and the issuing CA. These policy CAs are configured to implement specific certificate policies, such as certificate lifetime, encryption algorithm, key length, and approval requirements on issuing CAs at the third tier of the hierarchy.

FIGURE 4-3 The CA hierarchy

Cross certification trusts exist where a CA in one hierarchy issues the signing certificate to the root CA of another hierarchy. This usually happens in organizations that have multiple forests. It enables all clients in the organization to trust each other’s certificates even though the users, computers, and services enrolled in those certificates might be located in separate forests.


More Info: CA hierarchies

To learn more about multilevel certification hierarchies, consult the following article: http://technet.microsoft.com/en-us/library/cc962078.aspx.


Enterprise root CA

An enterprise root CA is a certificate server that has signed its own certificate, is installed on a computer that is a member of the domain, and can issue certificates based on templates stored in Active Directory. Members of the same Active Directory forest automatically trust the certificates issued from an enterprise CA. The advantage of enterprise CAs is that you can configure issuance policies based on Active Directory properties. This means that an enterprise CA can automatically issue a specific type of certificate to a user, computer, or service without requiring the manual approval of an administrator. Because of the way they integrate into Active Directory, enterprise CAs need to remain online. Enterprise root CAs are suitable for organizations with fewer than 300 users who only need a single CA and do not need to deploy a complex CA hierarchy. You choose whether a CA is a root or subordinate, enterprise or standalone, during setup as shown in Figure 4-4. After you’ve configured a CA, you can’t change its type without removing and reinstalling the role service.

FIGURE 4-4 Configure the CA

Although it is technically possible to deploy multiple enterprise root CAs in an Active Directory forest, Microsoft does not recommend this configuration. Microsoft’s guidance is that you don’t use an enterprise root CA except in small environments, but instead use an offline root CA as the apex of the CA hierarchy and use enterprise subordinate CAs for the day-to-day deployment and management of certificates. You find out about offline root CAs later in this lesson. A user needs to be a member of both the Enterprise Admins and the root domain’s Domain Admins groups to deploy an enterprise root or enterprise subordinate CA.

Enterprise subordinate CA

An enterprise subordinate CA can obtain its signing certificate from a standalone root CA or an enterprise root CA. Enterprise subordinate CAs are able to issue certificates based on certificate templates that are stored in Active Directory. This means that enterprise subordinate CAs are able to automatically issue certificates based on certificate template permission and don’t require that an administrator approve each certificate request. Enterprise subordinate CAs can be configured as policy CAs or issuing CAs. You read more about certificate templates in Lesson 2, “Manage certificates.”

Although it’s possible to purchase a signing certificate from a trusted third-party CA, in most cases you should use a certificate from a root CA managed by your organization. You should do this because signing certificates from third-party CAs are expensive and because the vast majority of the certificates issued from an enterprise subordinate CA are used by computers, users, and services that are part of your environment. You only need to use third-party CAs when certificates need to be trusted by users, services, and computers external to your organization—for example, if you want to provide e-commerce services to customers on the Internet.

Standalone root CA

Standalone CAs are not directly integrated into Active Directory, and you need to take special steps to configure all clients in a forest to trust the certificates issued by a specific standalone CA. Standalone CAs have a limited set of templates and aren’t able to issue certificates based on the templates that enterprise CAs store in Active Directory. It’s also necessary for an administrator to manually approve certificate requests issued to a standalone CA.

Although the lack of direct Active Directory integration might make standalone CAs seem inappropriate for enterprise deployment, there is a specific type of standalone CA deployment that can enhance the security of a large organization’s certificate service deployment.

To function, enterprise CAs must remain online. A computer that is online is more likely to be compromised than a computer that is offline. If a CA is compromised, all of the certificates that it has issued are automatically suspect, as are the certificates issued by its subordinates. With its tight integration into Active Directory, it takes a significant amount of work to resolve a situation where you have good reason to believe that the enterprise root CA has been compromised and certificates issued from that CA are suspect. For that reason, larger organizations deploy offline root CAs.


Real World: Back up offline root CA

Ensure that you back up your offline root CA. One of the participants at the user group I run in Melbourne worked at a company that had a physically deployed offline root CA. When they attempted to bring the CA up after a long period of it being offline, they found that the hard disk that hosted the operating system and the certificate services database had failed. Although they were able to migrate to a new offline standalone root, having a good backup of the original would have saved them a lot of time.


An offline root CA is a standalone CA that you only bring online when you want to perform specific tasks, such as issuing a signing certificate to a subordinate CA or publishing a certificate revocation list (CRL). An offline root CA might be a computer that is not connected to a network and where certificates are transferred using removable media. Offline root CAs have the following properties:

• Deployed as a standalone root CA: You use this type of CA because its CRL can be published to a location separate from the server, and the CA doesn’t need to be online for revocation checks to be successful.

• Deployed on a computer that is not a member of the domain: As a security precaution, the offline root CA is powered down most of the time. Any computer that spends the vast majority of time powered off is likely to encounter problems retaining domain membership due to synchronization problems.

In addition, you need to configure the CRL and AIA (Authority Information Access) distribution points for offline access. The AIA extension specifies the location of up-to-date certificates for the CA. You also need to export the CA certificate so that it is accessible while the CA is offline. This is because it is necessary for clients to perform successful CRL checks even though the CA is offline. The CRL and AIA distribution points and CA certificate for an offline root CA can be, and usually are, hosted on a computer that is a member of the forest. The CA certificate is usually published to the Active Directory enterprise root store.


More Info: Offline root CA

To learn more about offline root CAs, consult the following article: http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx.


Standalone subordinate CA

You can deploy a standalone subordinate CA on a computer that is a member of a domain or a computer that is not domain joined. Standalone subordinate CAs are often deployed on perimeter networks. Rather than deploy to a perimeter network, you can also deploy a standalone subordinate CA to a virtual machine running on a cloud provider, such as Windows Azure. The properties of a certificate issued by a standalone CA are dependent on the contents of the request file. By default all certificate requests made to a standalone CA must be processed manually by an administrator. From an administrative perspective, you should only use standalone CAs where it makes sense that each request must be processed manually. Although it is possible to configure a standalone subordinate to function as an offline CA, it is simpler to revoke the CA’s signing certificate if you suspect the CA has become compromised.


More Info: CA Types

To learn more about the CA types, consult the following article: http://technet.microsoft.com/en-us/library/cc732368.aspx.


Hardware security module

A hardware security module (HSM) is a dedicated hardware device designed to improve the performance and security of certificate server operations. HSMs contain special hardware for storing CA keys and special hardware that speeds up signature and encryption operations. HSMs are optional components, and you are only likely to see them in environments that have stringent security requirements. HSMs can be attached as Peripheral Component Interconnect (PCI) devices, but are more commonly attached to universal serial bus (USB) ports.


More Info: Hardware security module

To learn more about hardware security modules, consult the following article: http://social.technet.microsoft.com/wiki/contents/articles/10576.hardware-security-module-hsm.aspx.


CRL distribution points

When a new certificate is encountered, the operating system performs a check against the certificate server that issued the certificate to determine if the certificate has been revoked. This check is performed against a CRL. As the name suggests, this is a list of all the certificates issued by the CA that have been revoked. A CRL distribution point (also known as a CDP) hosts the following lists:

• CRL: A list of all certificates that have been revoked on a specific CA. The older the CA, the longer this list is likely to be. By default, a CA publishes a new CRL every 7 days.

• Delta CRL: A list of all certificates that have been revoked on a specific CA since the publication of the last CRL. By default, these are published daily.

A CA can have multiple CDPs. You specify the CRL distribution points on the Extensions tab of the CA’s Properties dialog box as shown in Figure 4-5. By default, CRLs are published to the following locations:

• C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

• ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

• http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

• file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

FIGURE 4-5 CRL distribution points

Consider the following when configuring CDPs:

• If you are publishing certificates that will be used by third parties, ensure that a CDP is in a location that is accessible to those third parties.

• You need to configure an alternative AIA point if you are implementing an online responder.

• Consider publishing the CDP to a Distributed File System (DFS) share, especially in distributed environments with a lot of sites.
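The following PowerShell is an added example, not code from the book: run on the CA with the ADCSAdministration module (installed with the AD CS role), it adds an externally reachable HTTP CDP and a DFS publish location built from the same tokens as the default entries above, sets the publication schedule, publishes a CRL, and checks the result. The host pki.example.com, the DFS share, and the overlap value are assumed placeholders.

```powershell
# Added example (not from the book): configure CRL distribution points on a Windows Server
# 2012 R2 CA. Run in an elevated PowerShell session on the CA itself. Host names, the DFS
# share, and the schedule values are placeholders for this example.
Import-Module ADCSAdministration

# The same variable tokens as the default locations listed above.
$crlFile = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$httpCdp = "http://pki.example.com/CertEnroll/$crlFile"      # reachable by third parties
$dfsCdp  = "file://\\example.com\pki\CertEnroll\$crlFile"    # DFS share that IIS serves as /CertEnroll/

# 1. Show the current entries (the four defaults appear here).
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer -AutoSize

# 2. Publish base and delta CRL files to the DFS share (a publish location only; it is not
#    written into issued certificates).
Add-CACrlDistributionPoint -Uri $dfsCdp -PublishToServer -PublishDeltaToServer -Force

# 3. Put the HTTP URL into the CDP extension (base CRL) and the Freshest CRL extension
#    (delta CRL) of every certificate issued from now on. Certificates issued earlier keep
#    the CDP they were issued with, so do this before signing subordinate CA certificates.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

# 4. Publication schedule: 7 days (base) and 1 day (delta) are the defaults quoted above.
#    The overlap period adds validity beyond the next scheduled publish so that a late
#    publication does not leave clients holding an expired CRL.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod 'Days'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# 5. Extension and schedule changes take effect after a service restart; then publish.
Restart-Service CertSvc
certutil -CRL

# 6. Verify the newest base CRL (delta CRL files end in "+.crl") and its next update time.
$base = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
    Where-Object Name -notlike '*+.crl' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $base.FullName | Select-String 'ThisUpdate', 'NextUpdate', 'CRL Number'

# 7. Fetch it the way an external relying party would; anything other than 200 means the
#    CDP is not usable from outside the forest.
$crlUrl = "http://pki.example.com/CertEnroll/$([uri]::EscapeDataString($base.Name))"
(Invoke-WebRequest -Uri $crlUrl -UseBasicParsing).StatusCode
```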


More Info: CRL distribution points

To learn more about CDPs, consult the following article: http://technet.microsoft.com/en-us/library/cc753296.aspx.


Online Responders

Online Responders allow certificate revocation checks to occur without requiring the client to download the entire CRL and delta CRL. Because a CRL stores the details of all certificates that have been revoked on a particular CA, CRLs can become very large over time. Even though a CRL has a lifetime of 7 days and a delta CRL a lifetime of 1 day, requiring the client to view a list of all revoked certificates to determine whether a specific certificate is valid is less efficient than sending a request to the Online Responder service asking whether that specific certificate is valid. Rather than check the whole list, the client sends a certificate-specific query. This reduces traffic load on both the CA and the client. Online Responders are supported on client computers running Windows Vista and later, and on servers running Windows Server 2008 and later.

An Online Responder can service more than one CA, and Online Responders can be deployed in an array configuration to ensure high availability. A single CA can publish revocation information to multiple Online Responders.


More Info: Online Responders

To learn more about Online Responders, consult the following article: http://technet.microsoft.com/en-us/library/045d2a97-1bff-43bd-8dea-f2df7e270e1f.


To deploy an Online Responder, you need to complete the following tasks:

• The computer hosting the Online Responder also needs to host Internet Information Services (IIS). Windows Server 2012 and Windows Server 2012 R2 install and configure IIS automatically when you install an Online Responder using the Add Roles And Features Wizard.

• You need to configure the OCSP (Online Certificate Status Protocol) Response Signing certificate template so that the computer hosting the Online Responder is able to request this certificate. You can request this certificate manually, or you can configure autoenrollment.

• You must configure the CA that will use the Online Responder so that the AIA extension points to the Online Responder. Only certificates issued after the AIA extension has been configured will be able to use the Online Responder.

• Although optional, you should make the Online Responder highly available.
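The CA-side tasks above, as an added example that is not code from the book: the script points the AIA extension at an Online Responder, makes the OCSP Response Signing template available on the CA so the responder host can enroll, and then verifies from both the CA and a client. The responder URL ocsp.example.com and the test certificate path are assumed placeholders.

```powershell
# Added example (not from the book): wire an issuing CA to an Online Responder and verify.
# Run in an elevated PowerShell session on the CA. ocsp.example.com and the test
# certificate path are placeholders.
Import-Module ADCSAdministration
$ocspUrl = 'http://ocsp.example.com/ocsp'

# 1. Add the responder to the AIA extension as an OCSP access method (as opposed to a CA
#    certificate download location, which -AddToCertificateAia would add).
Add-CAAuthorityInformationAccess -Uri $ocspUrl -AddToCertificateOcsp -Force

# 2. Let this CA issue the OCSP Response Signing template so the responder host can
#    enroll for its signing certificate. The template's Security tab must first grant
#    Read and Enroll (or Autoenroll) to the responder's computer account.
Add-CATemplate -Name 'OCSPResponseSigning' -Force

# 3. Extension changes take effect after a restart. Only certificates issued after this
#    point carry the OCSP URL; earlier ones fall back to the CDP.
Restart-Service CertSvc

# 4. Verify the CA side.
Get-CAAuthorityInformationAccess | Where-Object AddToCertificateOcsp | Select-Object Uri
Get-CATemplate | Where-Object Name -eq 'OCSPResponseSigning'

# 5. Verify the client side with a certificate issued after step 3: certutil follows the
#    AIA and CDP URLs and reports whether OCSP or a CRL answered the revocation check.
certutil -verify -urlfetch 'C:\temp\issued-after-change.cer' |
    Select-String 'OCSP', 'Revocation Check', 'revocation check'
```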


Quick check

• What modification do you need to make on the CA if you want to use an Online Responder?

Quick check answer

• You need to modify the AIA extension to point to the Online Responder URL if you want to use an Online Responder.


Administrative role separation

By default, a user who is a member of the Domain Admins or Enterprise Admins group is able to manage a CA, as is a member of the local Administrators group. If you are responsible for managing a larger organization, it is likely that you will want to use role-based administration to give information technology (IT) professionals specific permissions, such as the ability to revoke certificates or configure CA properties, without making them local, domain, or enterprise administrators.

You configure CA role separation by assigning one of the following permissions on the Security tab of the CA’s Properties as shown in Figure 4-6:

• Read: This permission allows the user to view the configuration of the CA. This includes CA settings, the list of issued and revoked certificates, and the list of CA templates.

• Issue and Manage Certificates: This permission allows the user to approve certificate requests, revoke issued certificates, and trigger CRL publication.

• Manage CA: This permission allows the user to manage CA settings, including configuring security, altering recovery agents, and changing certificate server extensions. Users assigned this permission are able to alter security permissions and can delegate themselves the Issue and Manage Certificates permission.

• Request Certificates: Users assigned this permission are able to request certificates from the CA. In secure environments, you might want to allow only specific users to request certificates. By default, members of the Authenticated Users group are able to request certificates.

FIGURE 4-6 Configure the CA separation

You can restrict which security principals are able to perform certificate management tasks on the Certificate Managers tab as shown in Figure 4-7. When you restrict certificate managers, any users assigned the Issue and Manage Certificates permission will be listed as certificate managers. You can go further when configuring certificate managers and assign permissions so that specific security groups only have the right to issue certificates based on specific templates. You should use this to ensure that certificates based on sensitive templates (such as those used for key and data recovery) can only be managed by a small group of users.

FIGURE 4-7 Restrict the security principals
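As an added example that is not code from the book, the following PowerShell complements the Security tab permissions above by reviewing who currently holds them, turning on CA auditing, and enforcing role separation so that no single account can hold both Manage CA and Issue and Manage Certificates. The registry values it sets are existing CA settings read through certutil; the note about dedicated groups is an assumption about how you have assigned the roles.

```powershell
# Added example (not from the book): review and enforce CA role separation from the CA.
# Run in an elevated PowerShell session on the CA.

# 1. Dump the CA security descriptor to review who holds Manage CA (CA Administrator),
#    Issue and Manage Certificates (Certificate Manager), Request Certificates, and Read.
certutil -getreg CA\Security

# 2. Audit CA operations. 127 enables all seven audit categories (start/stop, backup and
#    restore, issue and manage requests, change CA configuration, change CA security
#    settings, archived key storage and retrieval, revocation and CRL publishing). The
#    Certification Services subcategory of Object Access auditing must also be enabled,
#    otherwise the CA generates no events in the Security log.
certutil -setreg CA\AuditFilter 127
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 3. Enforce role separation. Once enabled, any account that holds both Manage CA and
#    Issue and Manage Certificates is denied both. The local Administrators group holds
#    both by default, so assign the roles to dedicated groups on the Security tab first
#    (assumed here), then enable enforcement.
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service CertSvc

# 4. Verify the settings were applied.
certutil -getreg CA\RoleSeparationEnabled
certutil -getreg CA\AuditFilter
```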


More Info: Role-based administration

To learn more about role-based administration, consult the following article: http://technet.microsoft.com/en-us/library/cc732590.aspx.


CA backup and recovery

Although a CA is backed up automatically when you perform a full server or system state backup, you can also back up and recover a certificate server from the Certification Authority console. To back up a CA, a user needs to be assigned the Manage CA permission or be a member of the Backup Operators group.

To back up a CA using the Certification Authority console, perform the following steps:

1. In the Certification Authority console, click the CA that you want to back up. On the Action menu, click All Tasks and click Back Up CA.

2. On the Welcome To The Certification Authority Backup Wizard page of the Certification Authority Backup Wizard, click Next.

3. On the Items To Backup page, choose from the following options as shown in Figure 4-8:

• Private Key and CA Certificate: Backs up the CA’s private and public keys. Enables you to restore the CA on a different computer in the event that the CA fails.

• Certificate Database and Certificate Database Log: Enables you to recover the public keys of the certificates that the CA has issued. If key archiving is enabled, this option enables you to recover the private keys of these certificates.

• Location: Enables you to specify a directory to back up the files to.

FIGURE 4-8 Select CA keys to back up

4. On the Select A Password page, enter a password. This password is used to encrypt the backed-up data and is required to recover it.

You can also perform a backup using the certutil command. For example, to back up the private key, CA certificate, certificate database, and database log to the C:\backup directory, issue the command:

certutil -backup c:\backup

Restoring a CA involves using the Certification Authority Restore Wizard as shown in Figure 4-9. You can choose to restore the private key and CA Certificate, and the certificate database and certificate database log. You can also use the certutil command with the restore option to restore a backup.

FIGURE 4-9 Restore a CA
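The backup procedure above as a script, added here and not taken from the book: it performs the same backup as the wizard and certutil -backup through the ADCSAdministration cmdlets, then also captures the CA configuration registry key and the list of issued templates, which neither method includes, and checks that both the key file and the database were written. The destination D:\CABackup is an assumed placeholder.

```powershell
# Added example (not from the book): scripted CA backup that matches the wizard and
# 'certutil -backup', plus the CA configuration that neither captures. Run elevated on
# the CA as a holder of Manage CA (or a Backup Operator). D:\CABackup is a placeholder.
Import-Module ADCSAdministration

$backupRoot = 'D:\CABackup'
$target = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null   # the backup folder must be empty

# The password protects the exported private key, as on the wizard's Select A Password page.
$password = Read-Host -Prompt 'Backup password' -AsSecureString

# 1. Private key + CA certificate (as <CAName>.p12) and the database + log (DataBase\).
#    Equivalent to: certutil -backup -p <password> <folder>
Backup-CARoleService -Path $target -Password $password -Force

# 2. The CA configuration (extensions, CRL periods, policy module settings) lives in the
#    registry, not in the database; export it so a rebuilt CA can be configured the same way.
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
    (Join-Path $target 'CertSvc-Configuration.reg') /y

# 3. Record which templates this CA issues; the template list is not part of the backup.
Get-CATemplate | Select-Object -ExpandProperty Name | Set-Content (Join-Path $target 'CATemplates.txt')

# 4. Verify that both halves are present before trusting the backup.
$keyFile = Get-ChildItem -Path $target -Filter '*.p12'
$dbFile  = Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if ($keyFile.Count -ne 1 -or $dbFile.Count -ne 1) { throw "Backup in $target is incomplete" }
Get-ChildItem -Path $target -Recurse | Select-Object FullName, Length, LastWriteTime

# Restore later with: Restore-CARoleService -Path $target -Password $password -Force
# (or certutil -restore -p <password> <folder>), then import the .reg and re-add the templates.
```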


More Info: CA backup and recovery

To learn more about backing up and recovering a CA, consult the following article: http://technet.microsoft.com/en-us/library/cc770552.aspx.


Lesson summary

• Enterprise CAs are integrated into Active Directory. You can configure them to automatically enroll certificates based on the requestor’s attributes in Active Directory.

• You can install standalone CAs on computers that are domain joined and on computers that are not joined to a domain.

• Root CAs are the apex of a certificate services hierarchy. Root CAs use self-signed CA certificates.

• Subordinate CAs must have their CA certificate signed by another CA.

• CDPs host lists of revoked certificates.

• Online Responders provide certificate revocation data without requiring the client to access the whole CRL.

• By configuring CA security, you can allow users to approve and revoke certificates without giving them permission to manage the CA.

• You can use the Certificate Services console to back up the CA certificate, private key, certificate database, and certificate database log.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the “Answers” section at the end of this chapter.

1. You want to deploy an offline CA as the apex of your organization’s certificate services hierarchy. You should only bring this CA online to sign the certificates of subordinate CAs. Which of the following solutions should you implement to accomplish this goal?

A. Enterprise root CA

B. Enterprise subordinate CA

C. Standalone root CA

D. Standalone subordinate CA

2. You have deployed a standalone computer running Windows Server 2012 R2 to Windows Azure. You want to use this computer to provide certificates to partner organizations without having the certificate authority joined to your organization’s Active Directory domain. Which of the following CA types could you deploy in this scenario? (Choose all that apply.)

A. Enterprise root CA

B. Enterprise subordinate CA

C. Standalone root CA

D. Standalone subordinate CA

3. You want to minimize the amount of network traffic caused by clients accessing the CRL of your organization’s CA. Which of the following role services could you install to accomplish this goal?

A. CA Web Enrollment

B. Online Responder

C. Network Device Enrollment Service

D. Certificate Enrollment Policy Web Service

4. You want to allow computers running third-party operating systems to be able to obtain certificates by accessing a web page and submitting a certificate request. Which of the following role services could you install to accomplish this goal?

A. Certificate Enrollment Policy Web Service

B. Network Device Enrollment Service

C. Online Responder

D. CA Web Enrollment

5. You are in the process of deploying authenticating switches in your organization. You need to provision these switches with certificates. Which of the following role services should you install to support this type of certificate deployment?

A. Online Responder

B. Certificate Enrollment Policy Web Service

C. Network Device Enrollment Service

D. CA Web Enrollment

6. You are in the process of configuring the permissions on a specific issuing CA. To improve security, you want to limit which users are able to obtain certificates from the CA. Which of the following permissions would you assign to accomplish this goal?

A. Read

B. Issue and Manage Certificates

C. Manage CA

D. Request Certificates

7. You want to delegate the ability to issue and revoke certificates from a specific certificate server to a specific group of users without giving them permission to modify certificate server settings. Which of the following permissions would you assign to accomplish this goal?

A. Manage CA

B. Issue and Manage Certificates

C. Request Certificates

D. Read

8. You want to delegate the ability to manage a specific certificate server to a certain group of users. Which of the following permissions would you assign to accomplish this goal?

A. Request Certificates

B. Read

C. Issue and Manage Certificates

D. Manage CA

Lesson 2: Manage certificates

Certificate templates enable you to configure the properties of certificates, such as how they can be used, who can enroll in the certificate, the validity period of the certificate, and whether the private key is archived on the certificate server. In this lesson you find out how to manage certificate templates, configure certificate autoenrollment, as well as how to archive and recover private keys.


After this lesson, you will be able to:

• Manage certificate templates

• Configure certificate revocation

• Manage certificate renewal

• Configure autoenrollment

• Manage key archiving and recovery

Estimated lesson time: 45 minutes


Certificate templates

Certificate templates enable you to configure the properties of certificates that are issued by enterprise CAs. Certificate templates are stored in Active Directory and replicate throughout the forest. You can edit the properties of certificate templates through the Certificate Templates console.

Important certificate template settings include:

• Validity Period: Determines how long the certificate is valid once issued.

• Renewal Period: Specifies the amount of time before the validity period expires during which the certificate might be automatically renewed.

• Publish Certificate In Active Directory: Determines whether the public key of the certificate is stored in Active Directory.

• Compatibility: Determines the minimum CA and client operating systems that can issue and use the certificate.

• Archive Subject’s Encryption Private Key: Makes it possible for the private key to be recovered.

• Allow Private Key To Be Exported: Enables the certificate holder to export their private key.

• Superseded Templates: Specifies which existing templates the current template supersedes.

• Security: Determines which security principals can enroll or autoenroll with the certificate.

Although a large number of certificate templates are stored within Active Directory, a newly installed enterprise CA only issues certificates based on a subset of these templates. To configure an enterprise CA to issue a certificate off of a template, right-click the Certificate Templates node in the Certification Authority console, click New, and click Certificate Template To Issue. From the list of available templates, shown in Figure 4-10, select the certificate template that you want the CA to be able to issue. When you create a new certificate template, remember to use this method to configure the CA to issue certificates based on that template.

FIGURE 4-10 List of CA templates
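As an added example (not code from the book), the following PowerShell reads the template settings listed above straight from the Certificate Templates container in the Configuration partition, marks which templates this CA is configured to issue, and lists the principals that hold the Enroll and Autoenroll rights on a template. It assumes the ActiveDirectory and ADCSAdministration modules are available on the CA; the flag bits and extended-right GUIDs are the published Active Directory values, and KeyRecoveryAgent is used only as the sample template to inspect.

```powershell
# Added example (not from the book): read the template settings listed above directly from
# the Configuration partition, mark which templates this CA issues, and list who may enroll.
# Requires the ActiveDirectory and ADCSAdministration modules; run on the CA.
Import-Module ActiveDirectory, ADCSAdministration

$cfg         = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

# Flag bits from msPKI-Enrollment-Flag and msPKI-Private-Key-Flag (MS-CRTD).
$PUBLISH_TO_DS        = 0x8    # Publish Certificate In Active Directory
$REQUIRE_KEY_ARCHIVAL = 0x1    # Archive Subject's Encryption Private Key
$EXPORTABLE_KEY       = 0x10   # Allow Private Key To Be Exported

# pKIExpirationPeriod (validity) and pKIOverlapPeriod (renewal) are stored as negative
# 64-bit intervals in 100 ns ticks.
function ConvertFrom-PkiPeriod([byte[]] $bytes) {
    if (-not $bytes) { return [TimeSpan]::Zero }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($bytes, 0))
}

# Templates the CA is configured to issue (the Certificate Templates node in the console).
$issued = Get-CATemplate | Select-Object -ExpandProperty Name

function Get-TemplateSummary {
    Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, pKIExpirationPeriod, pKIOverlapPeriod,
                    'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Supersede-Templates' |
    ForEach-Object {
        [pscustomobject]@{
            Template       = $_.Name
            DisplayName    = $_.displayName
            IssuedByThisCA = $issued -contains $_.Name
            ValidityDays   = [int](ConvertFrom-PkiPeriod $_.pKIExpirationPeriod).TotalDays
            RenewalDays    = [int](ConvertFrom-PkiPeriod $_.pKIOverlapPeriod).TotalDays
            PublishToAD    = [bool]($_.'msPKI-Enrollment-Flag' -band $PUBLISH_TO_DS)
            ArchiveKey     = [bool]($_.'msPKI-Private-Key-Flag' -band $REQUIRE_KEY_ARCHIVAL)
            ExportableKey  = [bool]($_.'msPKI-Private-Key-Flag' -band $EXPORTABLE_KEY)
            Supersedes     = ($_.'msPKI-Supersede-Templates' -join ', ')
        }
    }
}

# Security tab: which principals hold the Enroll / Autoenroll extended rights on a template.
function Get-TemplateEnrollers([string] $templateName) {
    $enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
    $autoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
    (Get-Acl -Path "AD:\CN=$templateName,$templatesDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -in @($enroll, $autoEnroll) -or $_.ActiveDirectoryRights -match 'GenericAll') } |
        Select-Object IdentityReference,
            @{ n = 'Right'; e = { if ($_.ObjectType -eq $enroll) { 'Enroll' }
                                  elseif ($_.ObjectType -eq $autoEnroll) { 'Autoenroll' }
                                  else { 'Full control' } } }
}

# Report: templates the CA issues first, then the enrollers for a sensitive template.
Get-TemplateSummary | Sort-Object IssuedByThisCA, Template -Descending | Format-Table -AutoSize
Get-TemplateEnrollers -templateName 'KeyRecoveryAgent' | Format-Table -AutoSize
```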


More Info: Certificate templates

To learn more about certificate templates, consult the following article: http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx.


Certificate revocation

Revoking a certificate cancels it and makes it invalid. You can revoke a certificate by locating it in the list of issued certificates and then choosing Revoke Certificate on the All Tasks menu of the Action menu. When you revoke a certificate, you need to specify a reason code as well as a date and time as shown in Figure 4-11. You can specify one of the following reasons when revoking a certificate:

• Unspecified: Doesn’t provide a revocation code. The drawback of selecting this code is that it does not provide auditors with a reason as to why you chose to revoke the certificate.

• Key Compromise: Choose this reason when you believe a key might have been compromised, such as when a user loses their smart card.

• CA Compromise: Use this reason when you suspect the CA’s private key has been compromised, for example, if you have reason to believe that someone has gained remote access to the server that hosts the CA.

• Change of Affiliation: Use this reason when a person’s departure from the organization or change in role requires existing certificates to be revoked.

• Superseded: Use this reason when you have issued a new certificate and want to revoke the existing certificate.

• Cease of Operation: The device that the certificate was issued to is no longer in use.

• Certificate Hold: A temporary state that revokes the certificate but allows you to unrevoke it. Use this when you need to temporarily suspend a certificate, for example, when someone suspects that they have lost their smart card but might have left it at home.

Image

FIGURE 4-11 Revoke a certificate


More Info: Certificate revocation

To learn more about certificate revocation, consult the following article: http://technet.microsoft.com/en-us/library/cc771079.aspx.


After you revoke the certificate, you need to publish a new CRL or delta CRL. You can trigger this manually by right-clicking the Revoked Certificates node, clicking All Tasks, and clicking Publish. You then choose to publish either a CRL or a delta CRL as shown in Figure 4-12.

Image

FIGURE 4-12 Choose the type of CRL to publish

It is important to realize that even after you publish a new CRL or delta CRL, there is a period before clients act on the new revocation data. Each CRL and delta CRL carries a validity period (its Next Update time), and a client that has already cached a CRL does not fetch a new one until that period has expired. You configure the CRL and delta CRL publication intervals, which determine these validity periods, on the Revoked Certificates Properties dialog box, shown in Figure 4-13. Although you can clear a client's CRL cache manually with the certutil command, when revoking a certificate you should assume that clients will continue to treat the certificate as valid for up to the delta CRL publication interval. If you are in a high-security environment where a status change needs to propagate quickly, reduce the delta CRL publication interval and configure an Online Responder. Keep in mind that an Online Responder builds its answers from the CRLs that the CA publishes, so it still depends on the CA publishing promptly, and clients cache OCSP responses for the validity period stated in the response. The minimum publication interval for delta CRLs is 30 minutes.

Image

FIGURE 4-13 Configure the CRL validity period
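The revocation, publication, and propagation steps described above, as an added PowerShell example that is not part of the book. It assumes the lab CA configuration string SYD-DC.contoso.com\contoso-SYD-DC-CA, a constructed requester name CONTOSO\kim_akers and a constructed serial number; run the CA-side commands in an elevated Windows PowerShell session as a certificate manager, and the client-side commands on the machine whose view of the certificate you want to check.

```powershell
# Added example (not from the book). Lab CA name assumed; requester and serial are constructed.
$CaConfig = 'SYD-DC.contoso.com\contoso-SYD-DC-CA'

# 1. Find the issued certificates for the user before revoking anything.
#    Disposition 20 = issued, 21 = revoked, 9 = pending.
certutil -config $CaConfig -view -restrict "RequesterName=CONTOSO\kim_akers,Disposition=20" `
    -out "RequestID,SerialNumber,CertificateTemplate,NotAfter"

# 2. Revoke by serial number with an explicit reason. The numeric codes match the dialog:
#    0 Unspecified, 1 Key Compromise, 2 CA Compromise, 3 Affiliation Changed,
#    4 Superseded, 5 Cessation of Operation, 6 Certificate Hold.
$Serial = '1a0000000f2b3c4d5e6f708192a3b4c5d6000000000f'   # constructed value
certutil -config $CaConfig -revoke $Serial 6              # Certificate Hold (reversible)

# Only a hold can be lifted; every other reason is permanent.
# certutil -config $CaConfig -revoke $Serial Unrevoke

# 3. Publish a delta CRL now rather than waiting for the scheduled publication.
certutil -config $CaConfig -crl delta

# 4. Read the publication intervals that bound how long a client keeps trusting the old status.
certutil -config $CaConfig -getreg CA\CRLPeriodUnits
certutil -config $CaConfig -getreg CA\CRLPeriod
certutil -config $CaConfig -getreg CA\CRLDeltaPeriodUnits
certutil -config $CaConfig -getreg CA\CRLDeltaPeriod

# 5. On a client: discard cached CRLs and OCSP responses and invalidate the chain cache,
#    then re-check an exported copy of the certificate (C:\Temp\user.cer is a constructed path).
#    Without this the client keeps using the old CRL until its Next Update time.
certutil -urlcache crl delete
certutil -urlcache ocsp delete
certutil -setreg chain\ChainCacheResyncFiletime @now
certutil -verify -urlfetch C:\Temp\user.cer | Select-String -Pattern 'Revocation|Revoked|Hold|Verified'
```

Step 5 is the check to run when someone reports that a revoked certificate "still works": if the output changes only after the cache is cleared, the CA did its job and the remaining delay is the client's CRL validity period.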


Image Quick check

Image What step do you need to take after revoking a certificate if you want clients to be aware of the certificate’s new status?

Quick check answer

Image You need to publish either a CRL or delta CRL.


Certificate renewal

Image

Automatic certificate renewal reissues a certificate with a new expiration date once a defined portion of the certificate's lifetime has elapsed. Automatic renewal ensures that certificates don't expire simply because someone forgot to renew them manually. You enable it through the Certificate Services Client – Auto-Enrollment Group Policy item, which includes the option to renew expired certificates, update pending certificates, and remove revoked certificates.

Automatic certificate renewal occurs when either of the following happens, whichever comes first:

Image 80 percent of the certificate’s lifetime has passed.

Image The renewal period specified on the template has passed.

You configure the validity period and renewal period on the General tab of the certificate template's properties. The renewal period is measured backward from the certificate's expiration date. In Figure 4-14 the renewal period is 6 weeks before the certificate expires, which, given a validity period of 1 year, is 46 weeks after issuance. However, because 80 percent of 52 weeks is just under 42 weeks, the 80 percent trigger fires before the renewal period trigger does.

Image

FIGURE 4-14 Configure the validity and renewal period

You can also reenroll certificates that have been distributed from an enterprise CA to clients that are subject to Group Policy by selecting the Reenroll All Certificate Holders option in the Certificate Templates console. This increments the template's major version number, and autoenrolled clients request a new certificate at their next autoenrollment pass. Certificates that have been revoked will not be renewed.
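The two renewal triggers described above, worked through as an added PowerShell example that is not part of the book. The first function takes the two template periods and reports which rule wins; the second reads the same periods from a real template in Active Directory (it assumes the ActiveDirectory module and uses the built-in User template as its sample).

```powershell
# Added example (not from the book). Autoenrollment starts renewing at 80 percent of the
# certificate lifetime or when the template's renewal period is reached, whichever is first.
function Get-RenewalTrigger {
    param(
        [Parameter(Mandatory)][timespan]$Validity,        # template validity period
        [Parameter(Mandatory)][timespan]$RenewalPeriod    # renewal period, measured back from expiry
    )
    $eightyPercent = [timespan]::FromTicks([long]($Validity.Ticks * 0.8))
    $byRenewal     = $Validity - $RenewalPeriod
    $effective = if ($eightyPercent -lt $byRenewal) { $eightyPercent } else { $byRenewal }
    $rule      = if ($eightyPercent -lt $byRenewal) { '80 percent of lifetime' } else { 'renewal period' }
    [pscustomobject]@{
        Validity              = $Validity
        RenewalPeriod         = $RenewalPeriod
        RenewAtEightyPercent  = $eightyPercent
        RenewAtRenewalPeriod  = $byRenewal
        EffectiveRenewalStart = $effective   # time after issuance when renewal begins
        Rule                  = $rule
    }
}

# The Figure 4-14 case: 1-year validity, 6-week renewal period -> 292 days (80 percent wins).
Get-RenewalTrigger -Validity (New-TimeSpan -Days 365) -RenewalPeriod (New-TimeSpan -Days 42)

# A 2-year validity with a 6-month renewal period flips it: 548 days (renewal period wins).
Get-RenewalTrigger -Validity (New-TimeSpan -Days 730) -RenewalPeriod (New-TimeSpan -Days 182)

# Templates store both periods in AD as negative FILETIME intervals (100-ns ticks),
# in pKIExpirationPeriod and pKIOverlapPeriod. Decode them and apply the same rule.
function Get-TemplateRenewalTrigger {
    param([Parameter(Mandatory)][string]$TemplateName)
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -Filter { cn -eq $TemplateName } `
            -Properties pKIExpirationPeriod, pKIOverlapPeriod
    if (-not $t) { throw "Template '$TemplateName' not found" }
    $validity = [timespan]::FromTicks(-[BitConverter]::ToInt64([byte[]]$t.pKIExpirationPeriod, 0))
    $renewal  = [timespan]::FromTicks(-[BitConverter]::ToInt64([byte[]]$t.pKIOverlapPeriod, 0))
    Get-RenewalTrigger -Validity $validity -RenewalPeriod $renewal
}

Get-TemplateRenewalTrigger -TemplateName 'User'
```

Setting a long renewal period does not make renewal happen later than the 80 percent mark; it can only make it happen earlier. Size the renewal period so that it leaves time for the client to retry if the CA is unavailable.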


Real World: Remember your enterprise root CA’s signing certificate

In many organizations, the person who originally set up the CA is long gone by the time the CA signing certificate expires. This can lead to mayhem when every certificate used in an organization expires because their lifetime can’t exceed that of the CA signing certificate. If you’re responsible for managing the CA infrastructure in your organization, regularly ensure that there is plenty of time left on the CA signing certificate.


Autoenrollment

Image

Autoenrollment allows certificates to be automatically deployed to users, services, and computers from an enterprise CA without the user having to request the certificate. It vastly simplifies the deployment process, given that manual certificate requests must otherwise be made through the Certificates console or the web enrollment interface. With autoenrollment, users, computers, and services are provisioned with certificates without being aware that this has occurred.

To support autoenrollment, a certificate template must be configured so that the user, computer, or service to be enrolled is assigned the Read, Enroll, and Autoenroll permissions, as shown in Figure 4-15. Because these permissions are usually granted to groups, enrolling a computer means adding the computer account (or a group that contains it) rather than the user who signs on to it.

Image

FIGURE 4-15 Assign the Enroll and Autoenroll permissions

After the certificate template is configured for autoenrollment, it’s also necessary to configure the Certificate Services Client – Auto-Enrollment Group Policy item in a GPO that applies to the user, service, or computer that you want to automatically enroll in the certificate. This Group Policy item is shown in Figure 4-16. When both the policy and an enterprise CA are configured to deploy an appropriately configured template, autoenrollment will occur the next time the policy refreshes. The simplest way to verify that autoenrollment is working properly is to look at the Issued Certificates node of the CA, and sort by Certificate Template.

Image

FIGURE 4-16 Configure the Certificate Services Client – Auto-Enrollment Group Policy
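The template permission and policy requirements above, as an added PowerShell check that is not part of the book. It reads a template's security descriptor from Active Directory and confirms that a principal holds Read, Enroll and Autoenroll, warns if the template requires certificate manager approval (which leaves autoenrollment requests pending), confirms the CA publishes the template, and then triggers and verifies enrollment on a client. The template name User and the group CONTOSO\Domain Users are illustrative; the ActiveDirectory and ADCSAdministration modules are assumed, the latter on the CA itself.

```powershell
# Added example (not from the book). Lab names assumed; template and group are illustrative.

# Control-access right GUIDs that appear as ObjectType on Enroll and Autoenroll ACEs.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$CT_FLAG_PEND_ALL_REQUESTS = 0x2    # msPKI-Enrollment-Flag: CA certificate manager approval

function Test-AutoEnrollTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$Principal     # e.g. 'CONTOSO\Domain Users'
    )
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -Filter { cn -eq $TemplateName } `
            -Properties 'msPKI-Enrollment-Flag', nTSecurityDescriptor
    if (-not $t) { throw "Template '$TemplateName' not found" }

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $aces = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal
    }
    # Full Control (GenericAll) implies every right, including both extended rights.
    $full      = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' })
    $hasRead   = $full -or [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty' })
    $hasEnroll = $full -or [bool]($aces | Where-Object {
                    $_.ObjectType -eq $EnrollGuid -and ($_.ActiveDirectoryRights -band $extended) })
    $hasAuto   = $full -or [bool]($aces | Where-Object {
                    $_.ObjectType -eq $AutoEnrollGuid -and ($_.ActiveDirectoryRights -band $extended) })
    $needsApproval = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)

    # Run on the CA: is the template actually enabled for issuance?
    $published = [bool](Get-CATemplate | Where-Object Name -eq $TemplateName)

    [pscustomobject]@{
        Template = $TemplateName; Principal = $Principal
        Read = $hasRead; Enroll = $hasEnroll; Autoenroll = $hasAuto
        RequiresManagerApproval = $needsApproval; PublishedOnCA = $published
        SilentAutoenrollPossible = ($hasRead -and $hasEnroll -and $hasAuto -and $published -and -not $needsApproval)
    }
}

Test-AutoEnrollTemplate -TemplateName 'User' -Principal 'CONTOSO\Domain Users'

# On a client in scope of the Auto-Enrollment GPO: refresh policy, pulse autoenrollment,
# then look for certificates whose template extension names the template.
function Get-CertsFromTemplate {
    param([Parameter(Mandatory)][string]$TemplateName, [string]$Store = 'Cert:\CurrentUser\My')
    Get-ChildItem $Store | Where-Object {
        # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+), 1.3.6.1.4.1.311.20.2 = template name (v1)
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
        $ext -and (($ext | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName))
    }
}

gpupdate /target:user /force | Out-Null
certutil -pulse | Out-Null
Get-CertsFromTemplate -TemplateName 'User' | Select-Object Subject, NotAfter, Thumbprint
```

Checking the client store complements the book's suggestion of sorting the CA's Issued Certificates node by template: the CA view tells you a certificate was issued, the client view tells you it actually arrived in the store the application will read.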


More Info: Certificate autoenrollment

To learn more about certificate autoenrollment, consult the following article: http://technet.microsoft.com/en-us/library/cc731522.aspx.


Key archiving and recovery

Image

Key archiving stores a copy of a certificate's private key in the CA database at enrollment time so that an authorized key recovery agent can recover it later. For example, if a user has encrypted data with Encrypting File System (EFS) and a data recovery agent hasn't been configured, you can use key recovery to retrieve the user's private key and regain access to the encrypted data. Recovery is possible only for keys that were archived when the certificate was issued.

Key archiving is not enabled by default. You need to enable key archiving on the CA and also on each certificate template that you want to use it with. Before you can enable key archiving on a CA, you need to enroll at least one user with a certificate issued from the Key Recovery Agent template. You need to configure an enterprise CA to issue this template, as it is not one of the templates the CA issues by default. By default the Key Recovery Agent template also requires CA certificate manager approval, so the request sits in the Pending Requests node until a certificate manager issues it. After you've issued a certificate based on this template to a user, you can configure the user as a recovery agent as shown in Figure 4-17. When a user is configured as a recovery agent, they are able to extract and recover private keys. Because private keys allow access to sensitive information, you should limit the number of key recovery agents, protect their private keys (a smart card or other hardware token is a good choice), and create a policy for their use.

Image

FIGURE 4-17 Configure the user as a recovery agent

When key archiving is enabled on the CA, you also need to enable Archive Subject's Encryption Private Key on each certificate template for which you want to allow private key recovery. You do this on the Request Handling tab as shown in Figure 4-18. Version 1 templates, such as the built-in User and Computer templates, cannot be modified, so in some cases you need to duplicate the template with a compatibility setting of Windows Server 2003 or later before the option is available. Only keys that can be used for encryption are archived; a template whose purpose is signature only has nothing to archive. Only certificates issued from a template with this option enabled have their keys archived. If users already hold certificates issued from the template, you need to reenroll them before their keys are archived.

Image

FIGURE 4-18 Enable the Archive Subject’s Encryption Private Key

A user who holds the private key matching a key recovery agent (KRA) certificate registered on the CA can perform recovery from an elevated command prompt with the certutil command. Recovery has two stages, and they normally involve two different roles. First, a certificate manager (a user with the Issue and Manage Certificates permission on the CA) runs certutil with the getkey option to extract the archived key blob from the CA database, as shown in Figure 4-19. The search token is usually the serial number of the certificate, but a request ID, requester name, or certificate hash also works. The extracted blob is still encrypted to the KRA's public key, so the certificate manager cannot read the private key from it.

Image

FIGURE 4-19 Recover a certificate with the certutil command

After the blob has been extracted from the database, the key recovery agent decrypts it using certutil with the recoverkey option, as shown in Figure 4-20, producing a PFX file. When recovering the key, the recovery agent specifies a password, which is required when importing the PFX file and its private key for use. Keeping the certificate manager and key recovery agent roles with different people means that no single person can recover a user's private key on their own.

Image

FIGURE 4-20 Recover the key using certutil
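The two-stage recovery described above, as an added PowerShell example that is not part of the book. It assumes the lab CA configuration string, a constructed requester CONTOSO\kim_akers, a constructed serial number and illustrative file paths under C:\Recovery; the first part runs as a certificate manager on any machine with the AD CS management tools, the second as the key recovery agent on the machine that holds the KRA private key.

```powershell
# Added example (not from the book). Lab CA name assumed; requester, serial and paths are constructed.
$CaConfig = 'SYD-DC.contoso.com\contoso-SYD-DC-CA'

# ---- Stage 1: certificate manager (Issue and Manage Certificates on the CA) ----

# Confirm the CA has at least one KRA certificate registered; 0 means nothing is being archived.
certutil -config $CaConfig -cainfo kracount

# Locate the certificate first so the right key is recovered. Disposition 20 = issued.
certutil -config $CaConfig -view -restrict "RequesterName=CONTOSO\kim_akers,Disposition=20" `
    -out "RequestID,SerialNumber,CertificateTemplate,NotBefore,NotAfter"

# Export the archived key blob. It is still encrypted to the KRA public key, so this step
# reveals nothing on its own. -getkey also accepts a request ID or requester name as the token.
New-Item -ItemType Directory -Path C:\Recovery -Force | Out-Null
$Serial = '1a0000000f2b3c4d5e6f708192a3b4c5d6000000000f'   # constructed value
certutil -config $CaConfig -getkey $Serial C:\Recovery\kim_akers.blob

# ---- Stage 2: key recovery agent (holds the KRA private key) ----

# Decrypt the blob and write a password-protected PFX. Without -p, certutil prompts for the
# password interactively, which keeps it out of the command line and the process listing.
# If several KRA certificates were used for this key, append the RecipientIndex to pick yours.
certutil -recoverkey C:\Recovery\kim_akers.blob C:\Recovery\kim_akers.pfx

# Both files are recovery material. Remove the blob now; hand the PFX over through a
# controlled channel and delete the local copy once the user has imported it.
Remove-Item C:\Recovery\kim_akers.blob -Force

# The user imports the PFX and supplies the password chosen above (constructed password prompt).
# Import-PfxCertificate -FilePath C:\Recovery\kim_akers.pfx -CertStoreLocation Cert:\CurrentUser\My `
#     -Password (Read-Host -AsSecureString 'PFX password')
```

The separation matters for auditing as well as for least privilege: the CA logs the getkey retrieval against the certificate manager's account, while the decryption only succeeds on a machine that holds the KRA private key.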


More Info: Key archiving and recovery

To learn more about key archiving and recovery, consult the following article: http://technet.microsoft.com/en-us/library/cc730721(v=ws.10).aspx.


Lesson summary

Image Certificate templates enable you to configure the properties of certificates.

Image Certificate template compatibility settings determine the minimum CA and certificate recipient operating systems that the template supports. The more recent the minimum operating systems, the more options are available on the template.

Image Certificate revocation enables you to deem an existing certificate invalid. The certificate hold option is the only one that allows you to unrevoke a certificate.

Image Certificate renewal properties determine when a certificate is renewed. You can force renewal on certificates issued by enterprise CAs by reenrolling all certificate holders.

Image Autoenrollment allows certificates to be automatically requested and deployed.

Image Autoenrollment must be enabled through permissions on the certificate template and through the Certificate Services Client – Auto-Enrollment policy.

Image You can configure private key recovery if a user has been enrolled in a key recovery agent certificate and the certificate template has been configured so that the private key is archived.

Lesson review

Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the “Answers” section at the end of this chapter.

1. You want to allow specific users the ability to recover private keys, such as those used for encryption. Which certificate template can you use to issue keys to these users so that they can recover private keys from the certificate services database?

A. Administrator

B. EFS recovery agent

C. Key recovery agent

D. OCSP Response Signing

2. You want to ensure that clients will always recognize that a certificate has been revoked within 30 minutes of an administrator performing the revocation. Which of the following settings must you configure to accomplish this goal?

A. CRL publication interval

B. Key recovery agent

C. Delta CRL publication interval

D. Certificate templates

3. You want to configure a certificate template so that users are automatically enrolled in the certificate. Which of the following steps do you need to take to accomplish this goal? (Choose all that apply.)

A. Configure the users with the Enroll and Autoenroll permissions on the certificate template.

B. Configure an enterprise CA to issue the template.

C. Configure the Certificate Services Client – Auto-Enrollment Group Policy item.

D. Configure a standalone CA to issue the template.

4. On Monday morning, Don rings you and tells you that he doesn’t have his smart card and might have lost it at the coffee shop, but he suspects that he might have left it at home. He’s travelling interstate today and won’t get home until Friday. He won’t know until then if it is lost or sitting on the kitchen table at home. Policy dictates that you should revoke his smart card certificate. Which of the following reasons should you specify when revoking his certificate to minimize the effort required if the smart card is found at home on Friday?

A. Certificate Hold

B. CA compromise

C. Key compromise

D. Change of Affiliation

5. You have located Trojan software that allows remote access to a standalone certificate server located on your organization’s perimeter network. The CA certificate for the perimeter network CA was issued from your organization’s enterprise root CA. You are in the process of revoking the CA certificate of the perimeter network CA. Which of the following reasons should you use when revoking this certificate?

A. Certificate Hold

B. Change of Affiliation

C. CA compromise

D. Key compromise

6. You have just modified an existing template so that it supports key recovery. The CA already supports key recovery. A large number of users are enrolled in certificates issued based on the template prior to you making this modification. How can you ensure that it will be possible to recover the private keys of these users?

A. Use the Certificate Templates console to reenroll all certificate holders

B. Delete the certificate template

C. Create a new certificate template and configure supersedence

D. Change the certificate template name

Practice exercises

The goal of this section is to provide you with hands-on practice with the following:

Image Deploying an enterprise root CA

Image Deploying an enterprise subordinate CA

Image Deploying a standalone subordinate CA

Image Configuring a CRL distribution point

Image Configuring an Online Responder

Image Configuring administrative role separation

Image Configuring a KRA and key recovery

Image Configuring autoenrollment

Image Performing certificate revocation

Image Performing private key recovery

To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.

Exercise 1: Deploy and configure an enterprise root CA

In this exercise, you deploy an enterprise root CA on SYD-DC and perform initial configuration tasks. To complete this exercise, perform the following steps:

1. Sign on to SYD-DC as contoso\don_funk with the password Pa$$w0rd.

2. On the Manage menu of the Server Manager console, click Add Roles And Features.

3. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.

4. On the Select Server Roles page, click the Active Directory Certificate Services check box as shown in Figure 4-21.

Image

FIGURE 4-21 Choose the Active Directory Certificate Services option

5. On the Add Roles And Features Wizard dialog box, click Add Features, and then click Next three times.

6. On the Select Role Services page, ensure that the following are selected as shown in Figure 4-22, clicking Add Features as necessary on the Add Roles And Features Wizard dialog box, and then click Next three times.

Image Certification Authority

Image Certificate Enrollment Policy Web Service

Image Certificate Enrollment Web Service

Image Certification Authority Web Enrollment

Image

FIGURE 4-22 Select Role Services

7. On the Confirm Installation Selections page, click Install. When the installation completes, click Close.

8. On the Notification menu, click Configure Active Directory Certificate Services on the Destination Computer.

9. On the Credentials page of the AD CS Configuration Wizard, ensure that Contoso\don_funk is selected as shown in Figure 4-23 and click Next.

Image

FIGURE 4-23 Set credentials to CONTOSO\don_funk

10. On the Select Role Services To Configure page, select both Certification Authority and Certification Authority Web Enrollment as shown in Figure 4-24, and click Next.

Image

FIGURE 4-24 Select Role Services

11. On the Setup Type page, select Enterprise CA and click Next.

12. On the CA Type page, select Root CA as shown in Figure 4-25, and click Next.

Image

FIGURE 4-25 Select Root CA

13. On the Private Key page, click Create A New Private Key, and click Next.

14. On the Cryptography For CA page, set the Key Length to 4096 and click Next.

15. On the CA Name page, ensure that the name is set to contoso-SYD-DC-CA as shown in Figure 4-26, and click Next.

Image

FIGURE 4-26 Set the CA Name

16. On the Validity Period page, set the validity to 10 years and click Next twice.

17. On the Confirmation page, click Configure and then click Close.

18. On the AD CS Configuration dialog box click Yes.

19. On the Credentials dialog box, verify that the credential of CONTOSO\don_funk has been configured and then click Next.

20. On the Select Role Services To Configure page, click Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service as shown in Figure 4-27, and click Next.

Image

FIGURE 4-27 Select the Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service

21. On the CA For CES page, ensure that CA Name is selected, and click Next.

22. On the Authentication Type For CES page, ensure that Windows Integrated Authentication is selected as shown in Figure 4-28 and click Next.

Image

FIGURE 4-28 Select Windows Integrated Authentication

23. On the Service Account For CES page, select Use The Built-In Application Pool Identity, and click Next.

24. On the Authentication Type For CES page, click Next.

25. On the Specify A Server Authentication Certificate page, click Contoso-SYD-DC-CA as shown in Figure 4-29, and click Next.

Image

FIGURE 4-29 Click Contoso-SYD-DC-CA

26. On the Confirmation page, click Configure, and when configuration is complete, click Close.

Exercise 2: Deploy an enterprise subordinate CA

In this exercise, you join MEL-DC to the domain and configure the computer as an enterprise subordinate CA. To complete this exercise, perform the following steps:

1. Ensure that SYD-DC is powered on. Sign in to MEL-DC as Administrator with the password Pa$$w0rd.

2. On the taskbar, click on the Windows PowerShell icon.

3. In the Windows PowerShell Window, type the following command:

Add-computer –Credential contoso\don_funk –DomainName contoso.com

4. In the Windows PowerShell Credential pop-up dialog box, ensure that contoso\don_funk is listed as the user name as shown in Figure 4-30, type the password Pa$$w0rd, and click OK.

Image

FIGURE 4-30 The Windows PowerShell Credential dialog box listing contoso\don_funk as the user name

5. Type the following command and press Enter to restart the computer:

restart-computer

6. Sign in to MEL-DC as contoso\don_funk with the password Pa$$w0rd.

7. On the Manage menu of the Server Manager console, click Add Roles And Features.

8. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.

9. On the Select Server Roles page, click Active Directory Certificate Services as shown in Figure 4-31.

Image

FIGURE 4-31 Select Active Directory Certificate Services

10. On the Add Roles And Features Wizard dialog box, click Add Features, and then click Next four times and click Install. When the installation completes, click Close.

11. Click the Notification item on Server Manager, and click Configure Active Directory Certificate Services on the Destination Computer.

12. On the Credentials page of the AD CS Configuration Wizard, verify that CONTOSO\don_funk is listed as shown in Figure 4-32, and click Next.

Image

FIGURE 4-32 Verify that CONTOSO\don_funk is listed on the Credentials page

13. On the Role Services page, click Certification Authority and click Next.

14. On the Setup Type, select Enterprise CA, and click Next.

15. On the CA Type page, click Subordinate CA as shown in Figure 4-33, and click Next.

Image

FIGURE 4-33 Click Subordinate CA

16. On the Private Key page, click Create A New Private Key, and click Next three times.

17. On the Certificate Request page, click Send A Certificate Request To A Parent CA, and click Select.

18. In the Select Certification Authority dialog box, click Contoso-SYD-DC-CA and click OK.

19. Verify that the Parent CA text box is set to SYD-DC.contoso.com\contoso-SYD-DC-CA as shown in Figure 4-34, and click Next twice.

Image

FIGURE 4-34 Send a certificate request from a parent CA

20. On the Confirmation page, click Configure.

21. On the Results page, click Close.

22. On the Tools menu of the Server Manager console, click Certification Authority.

23. In the Certification Authority console, right-click Contoso-MEL-DC-CA and click Properties.

24. On the General tab of the Contoso-MEL-DC-CA Properties dialog box, click Certificate #0 and click View Certificate.

25. On the Certificate dialog box, verify that the certificate is issued by Contoso-SYD-DC-CA as shown in Figure 4-35, and then click OK twice.

Image

FIGURE 4-35 Verify the certificate is issued by Contoso-SYD-DC-CA

Exercise 3: Install a standalone subordinate CA

In this exercise, you install a standalone subordinate CA on ADL-DC. You obtain the CA certificate using a web browser. To complete this exercise, perform the following steps:

1. Sign on to ADL-DC as Administrator with the password Pa$$w0rd.

2. On the taskbar, click the Windows PowerShell icon.

3. In the Windows PowerShell Window, type the following command:

Add-computer –Credential contoso\don_funk –DomainName contoso.com

4. In the Windows PowerShell Credential pop-up dialog box, ensure that contoso\don_funk is listed as the user name as shown in Figure 4-36, type the password Pa$$w0rd, and click OK.

Image

FIGURE 4-36 Verify that contoso\don_funk is listed as the user name

5. Type the following command and press Enter to restart the computer:

restart-computer

6. Sign on to ADL-DC as contoso\don_funk with the password Pa$$w0rd.

7. On the Manage menu of the Server Manager console, click Add Roles And Features.

8. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.

9. On the Select Server Roles page, click Active Directory Certificate Services, click Add Features in the Add Roles And Features Wizard dialog box, shown in Figure 4-37, and then click Next four times.

Image

FIGURE 4-37 Click Add Features

10. Click Install on the Confirm Installation Selections page of the Add Roles And Features Wizard, and then click Close.

11. Click the Notifications area and click Configure Active Directory Certificate Services on the Destination Server

12. On the Credentials page of the AD CS Configuration Wizard, ensure that CONTOSO\don_funk is set in the Credentials text box and click Next.

13. On the Role Services page, click Certification Authority in the list of roles to configure and click Next.

14. On the Setup Type page, verify that Standalone CA is selected and click Next.

15. On the Specify The Type Of The CA page, click Subordinate CA as shown in Figure 4-38 and click Next.

Image

FIGURE 4-38 Click Subordinate CA

16. On the Private Key page, select Create A New Private Key and click Next.

17. On the Cryptography For CA page, set the Key Length to 4096 and click Next.

18. On the CA Name page, verify that the Common Name For This CA is listed as Contoso-ADL-DC-CA as shown in Figure 4-39 and click Next.

Image

FIGURE 4-39 Verify the common name for the CA

19. On the Certificate Request page, verify that the certificate request will be saved to C:\ADL-DC.contoso.com_contoso-ADL-DC-CA.req as shown in Figure 4-40 and click Next twice.

Image

FIGURE 4-40 Verify the certificate request

20. On the Confirmation page, click Configure and then click Close.

Exercise 4: Configure a standalone CA

In this exercise, you complete the standalone CA configuration process. To complete this exercise, perform the following steps:

1. In the Server Manager console of ADL-DC, click the Local Server node.

2. In the Properties area, click the On link next to IE Enhanced Security Configuration. In the Internet Explorer Enhanced Security Configuration dialog box, click Off as shown in Figure 4-41 and then click OK.

Image

FIGURE 4-41 Set the IE Enhanced Security Configuration

3. In the Search charm, type Internet Explorer.

4. In the list of results for Internet Explorer, click Internet Explorer.

5. In the Windows Internet Explorer 11 dialog box, shown in Figure 4-42, click Use Recommended Security And Compatibility Settings and then click OK.

Image

FIGURE 4-42 Choose the IE Use Recommended Security And Compatibility Settings

6. In the address bar, type http://SYD-DC/certsrv and press Enter.

7. On the Welcome webpage, shown in Figure 4-43, click Request A Certificate.

Image

FIGURE 4-43 Request a certificate

8. On the Request A Certificate page, click Advanced Certificate Request.

9. On the Advanced Certificate Request page, click Submit A Request By Using A Base-64-Encoded CMC Or PKCS #10 File, Or Submit A Renewal Request By Using A Base-64-Encoded PKCS #7 File.

10. In the Search charm, type notepad c:\ADL-DC.contoso.com_contoso-ADL-DC-CA.req.

11. On the Edit menu of Notepad, click Select All.

12. On the Edit menu of Notepad, click Copy.

13. In Internet Explorer, in the Saved Request text box, right-click and click Paste.

14. On the Certificate Template drop-down menu, select Subordinate Certification Authority as shown in Figure 4-44, scroll down, and click Submit.

Image

FIGURE 4-44 Select the Subordinate Certification Authority

15. On the Certificate Issued page, click Download Certificate.

16. On the Do You Want To Open Or Save Certnew.cer page, click Save.

17. On the Tools menu of the Server Manager console, click Certification Authority.

18. In the Certsrv – [Certification Authority (Local)] console, click contoso-ADL-DC-CA. On the Action menu, click All Tasks and then click Install CA Certificate.

19. On the Select File To Complete CA Installation dialog box, set the file type to X.509 Certificate (*.cer,*.crt), click the Downloads folder, click Certnew, and click Open.

20. Click contoso-ADL-DC-CA, and then on the Action menu click All Tasks, and click Start Service.
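Exercises 1 through 4 performed from Windows PowerShell, as an added example that is not part of the book. It uses the ADCSDeployment module that ships with the role and keeps the lab names; each block runs in an elevated session as contoso\don_funk on the server named in its comment. The hash algorithm is set to SHA256 explicitly rather than accepting the wizard's default, and the Certificate Enrollment Web Service and Policy Web Service steps of Exercise 1 are left out.

```powershell
# Added example (not from the book). Lab names assumed; run each block on the named server.

# ---- SYD-DC: enterprise root CA plus web enrollment (Exercise 1) ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'contoso-SYD-DC-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force

# ---- MEL-DC: enterprise subordinate CA (Exercise 2) ----
# The subordinate request goes straight to the parent CA, so the CA starts issuing immediately.
Add-Computer -Credential 'CONTOSO\don_funk' -DomainName contoso.com -Restart
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA -CACommonName 'contoso-MEL-DC-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ParentCA 'SYD-DC.contoso.com\contoso-SYD-DC-CA' -Force

# ---- ADL-DC: standalone subordinate CA (Exercises 3 and 4) ----
# A standalone CA writes its request to a file; the service stays stopped until the signed
# certificate is installed.
$Req = 'C:\ADL-DC.contoso.com_contoso-ADL-DC-CA.req'
$Cer = 'C:\ADL-DC.contoso.com_contoso-ADL-DC-CA.cer'
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneSubordinateCA -CACommonName 'contoso-ADL-DC-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -OutputCertRequestFile $Req -Force

# Submit the request to the parent against the Subordinate Certification Authority template
# (internal name SubCA), which replaces the certsrv web steps, then install the result.
certreq -submit -config 'SYD-DC.contoso.com\contoso-SYD-DC-CA' -attrib 'CertificateTemplate:SubCA' $Req $Cer
certutil -installcert $Cer
Start-Service CertSvc

# Verify the result the same way step 25 of Exercise 2 does in the GUI: export the new CA's
# certificate and confirm the issuer and that the chain builds to contoso-SYD-DC-CA.
certutil -ca.cert 'C:\contoso-ADL-DC-CA.cer' | Out-Null
certutil -verify 'C:\contoso-ADL-DC-CA.cer' | Select-String -Pattern 'Issuer:|Verified|Revocation'
```

Submitting the request with certreq requires Enroll permission on the Subordinate Certification Authority template, which Domain Admins and Enterprise Admins hold by default; if the submitting account lacks it, the request is denied rather than issued, so check the CA's Failed Requests node if the .cer file does not appear.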

Exercise 5: Configure a CRL distribution point

In this exercise, you configure a CRL distribution point on SYD-DC. To complete this exercise, perform the following steps:

1. Sign on to MEL-DC as contoso\don_funk with the password Pa$$w0rd.

2. On the Taskbar, click File Explorer.

3. In the Libraries window, expand the Computer node and click the Local Disk (C:) node.

4. On the Home ribbon, click New Folder and type the name as ALT-CDP.

5. On the Share ribbon, click Specific People as shown in Figure 4-45.

Image

FIGURE 4-45 Click Specific People on the Share Ribbon

6. On the File Sharing dialog box, click the drop-down arrow, click Everyone, and click Add. On the drop-down menu next to Everyone, select Read/Write. Click Share, and click Done.


Real World: Different CDP permissions

In a real-world scenario, you would configure permissions on a share that hosts the CRL so that only the CA's computer account can write to it, while clients are granted read access only. Note also that a file:// location included in the CDP extension of issued certificates can only be reached by clients that can access the share; an http:// location is the usual choice for locations advertised in certificates.


7. Switch to SYD-DC as contoso\don_funk with the password Pa$$w0rd.

8. In the Certification Authority console, click Contoso-SYD-DC-CA, and on the Action menu, click Properties.

9. On the Extensions tab, ensure that CRL Distribution Point (CDP) is selected as shown in Figure 4-46, and click Add.

Image

FIGURE 4-46 Verify the CRL Distribution Point (CDP) is selected on the Extensions tab

10. In the Add Location dialog box, type file://mel-dc/ALT-CDP/.

11. Ensure that <CaName> is selected as a Variable and click Insert.

12. Ensure that <CRLNameSuffix> is selected as a Variable and click Insert.

13. Ensure that <DeltaCRLAllowed> is selected as a Variable and click Insert

14. Append the location with .crl as shown in Figure 4-47 and click OK.

Image

FIGURE 4-47 Append the location with CRL

15. On the Extensions tab, select the following options as shown in Figure 4-48 and click OK.

Image Publish CRLs To This Location.

Image Include In CRLs. Clients Use This To Find Delta CRL Locations.

Image Include In The CDP Extension Of Issued Certificates.

Image Publish Delta CRLs To This Location.

Image

FIGURE 4-48 Select Extension options

16. When prompted to restart the Certification Authority, click Yes.

17. In the Certification Authority console, click the Revoked Certificates node. On the Action menu, click All Tasks and then click Publish.

18. On the Publish CRL dialog box, select New CRL as shown in Figure 4-49 and click OK.

Image

FIGURE 4-49 Select the New CRL option

19. In the Search charm, type \\MEL-DC\ALT-CDP and verify that two files are present as shown in Figure 4-50.

Image

FIGURE 4-50 Verify CA files
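Exercise 5 performed from Windows PowerShell, as an added example that is not part of the book, with the share permissions tightened the way the Real World note describes: the CA's computer account is the only non-administrator principal allowed to write. It keeps the lab names (the share on MEL-DC, the CA service on SYD-DC running as CONTOSO\SYD-DC$) and assumes the ADCSAdministration module on the CA.

```powershell
# Added example (not from the book). Lab names assumed.

# ---- On MEL-DC: folder, NTFS ACL and share ----
$SharePath = 'C:\ALT-CDP'
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# NTFS: replace inherited ACEs; the CA computer account may modify, everyone else reads.
# The $ in SYD-DC$ is literal inside single quotes.
icacls $SharePath /inheritance:r `
    /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
           'CONTOSO\SYD-DC$:(OI)(CI)M' 'Authenticated Users:(OI)(CI)RX' | Out-Null

# Share permissions mirror the NTFS split instead of granting Everyone Read/Write.
New-SmbShare -Name 'ALT-CDP' -Path $SharePath `
    -ChangeAccess 'CONTOSO\SYD-DC$' -ReadAccess 'Authenticated Users' | Out-Null

# ---- On SYD-DC: register the CDP, restart the service, publish, verify ----
# The angle-bracket tokens are the same variables the Add Location dialog inserts.
Add-CACrlDistributionPoint -Uri 'file://mel-dc/ALT-CDP/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -PublishToServer -PublishDeltaToServer -AddToFreshestCrl -AddToCertificateCdp -Force
Restart-Service CertSvc

# Publish a base CRL now; with delta publishing on, the delta CRL is written as well.
certutil -crl

Get-CACrlDistributionPoint | Where-Object Uri -like 'file://mel-dc/*'
Get-ChildItem '\\MEL-DC\ALT-CDP' | Select-Object Name, Length, LastWriteTime
```

If publication fails with an access-denied error, the CA logs it in the Application event log on SYD-DC; the usual cause is that the share or NTFS ACL names the user who configured the CDP rather than the CA computer account that the certificate service runs as.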

Exercise 6: Configure an Online Responder

In this exercise, you configure an Online Responder. To complete this exercise, perform the following steps:

1. On SYD-DC, while signed on as contoso\don_funk, switch to the Certification Authority console.

2. In the Certification Authority console, expand Contoso-SYD-DC-CA and click Certificate Templates.

3. On the Action menu, click Manage.

4. In the Certificate Template console, right-click OCSP Response Signing, and then click Properties.

5. On the Security tab of the OCSP Response Signing Properties dialog box, click Add.

6. In the Select Users, Computers, Service Accounts, Or Groups dialog box, click Object Types, select Computers, click OK, type SYD-DC, click Check Names, and then click OK.

7. On the Security tab of the OCSP Response Signing Properties dialog box, set the permissions for SYD-DC$ to Read (Allow), Enroll (Allow), and Autoenroll (Allow) as shown in Figure 4-51. Click OK.

Image

FIGURE 4-51 Set SYD-DC$ permissions

8. Close the Certificate Templates console.

9. In the Certification Authority console, expand Contoso-SYD-DC-CA and click Certificate Templates.

10. On the Action menu, click New, and click Certificate Template To Issue.

11. On the Enable Certificate Templates dialog box, click OCSP Response Signing as shown in Figure 4-52 and click OK.

Image

FIGURE 4-52 Click OCSP Response Signing

12. Click Add Roles And Features on the Manage menu of the Server Manager console.

13. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.

14. On the Select Server Roles page, expand the Active Directory Certificate Services (Installed) node and click Online Responder as shown in Figure 4-53.

Image

FIGURE 4-53 Click Online Responder

15. On the Add Features That Are Required For Online Responder dialog box, click Add Features, and then click Next twice.

16. On the Confirm Installation Selections page, click Install.

17. When the installation completes, click Close.

18. Click the Notifications menu and then click Configure Active Directory Certificate Services on the Destination Server.

19. On the Credentials page, ensure that CONTOSO\don_funk is selected and then click Next.

20. On the Role Services page, select Online Responder as shown in Figure 4-54, and then click Next.

Image

FIGURE 4-54 Select Online Responder

21. On the Confirmation page, click Configure.

22. On the Results page, click Close.

23. On the Tools menu of the Server Manager console, click OCSP Responder.

24. In the OCSP console, click Revocation Configuration. In the Actions pane, click Add Revocation Configuration.

25. On the Getting Started With Adding A Revocation Configuration page of the Add Revocation Configuration Wizard, click Next.

26. On the Name The Revocation Configuration page, type the name Contoso_OCSP and click Next.

27. On the Select CA Certificate Location page, click Select A Certificate For An Existing Enterprise CA as shown in Figure 4-55, and click Next.

FIGURE 4-55 Select A Certificate For An Existing Enterprise CA location

28. In the Select Certification Authority dialog box, click Contoso-SYD-DC-CA and click OK.

29. On the Choose CA Certificate page, click Next.

30. On the Select Signing Certificate page, select Auto-Enroll For An OCSP Signing Certificate, click Browse, click Contoso-SYD-DC-CA, and click OK. Verify that the Select Signing Certificate page matches Figure 4-56, and then click Next.

FIGURE 4-56 Autoenroll for an OCSP signing certificate

31. On the Revocation Provider page, click Provider.

32. Verify that the provider is configured as shown in Figure 4-57, click OK and click Finish.

FIGURE 4-57 Configure the Revocation Provider page

33. Verify in the OCSP console that the Revocation Configuration Status is set to Working as shown in Figure 4-58.

FIGURE 4-58 Check the Revocation Configuration Status

34. In the Certification Authority console, right-click Contoso-SYD-DC-CA and click Properties.

35. On the Extensions tab of the Contoso-SYD-DC-CA Properties dialog box, set the Extension drop-down menu to Authority Information Access (AIA) and click Add.

36. In the Location text box, type http://syd-dc.contoso.com/ocsp and click OK.

37. On the Extensions tab of the Contoso-SYD-DC-CA Properties dialog box, click http://syd-dc.contoso.com/ocsp, select Include In The Online Certificate Status Protocol (OCSP) Extension as shown in Figure 4-59, and click OK.

FIGURE 4-59 Set certificate locations

38. When prompted to restart certificate services, click Yes.

Exercise 7: Configure administrative role separation

In this exercise, you configure administrative role separation by delegating different certificate services permissions to different security groups. To complete this exercise, perform the following steps:

1. When signed on to SYD-DC as contoso\don_funk, click Active Directory Administrative Center on the Tools menu of the Server Manager console.

2. In Active Directory Administrative Center, click the Contoso (Local) node and then click the Users container.

3. In the Tasks menu, click New, and click Group.

4. In the Create Group dialog box, type the name Certificate_Managers, ensuring that the group type is set to Security and the Group Scope is set to Global as shown in Figure 4-60, and click OK.

FIGURE 4-60 Set Security and Global group types

5. In the Tasks menu, click New and click Group.

6. In the Create Group dialog box, type the name CertAuthority_Admins, ensuring that the group type is set to Security, and the Group Scope is set to Global. Click OK.

7. In the Certification Authority console, click Contoso-SYD-DC-CA and in the Action menu click Properties.

8. On the Security tab of the Contoso-SYD-DC-CA Properties dialog box, click Add.

9. On the Select Users, Computers, Service Accounts, Or Groups dialog box, type Certificate_Managers; CertAuthority_Admins as shown in Figure 4-61 and click OK.

FIGURE 4-61 Type Certificate_Managers; CertAuthority_Admins

10. On the Security tab, click CertAuthority_Admins (CONTOSO\CertAuthority_Admins) and configure permissions so that only the Manage CA (Allow) permission is selected as shown in Figure 4-62. Click Apply.

FIGURE 4-62 Configure security permissions

11. On the Security tab, click Certificate_Managers (CONTOSO\Certificate_Managers) and configure permissions so that only the Issue And Manage Certificates (Allow) permission is selected as shown in Figure 4-63 and click Apply.

FIGURE 4-63 Select the Issue And Manage Certificates (Allow) permission

12. On the Certificate Managers tab, click Restrict Certificate Managers as shown in Figure 4-64 and click OK.

FIGURE 4-64 Click Restrict Certificate Managers
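The separation configured in Exercise 7 only means something if no single account ends up in both groups. The following Windows PowerShell script is an added example, not part of the training guide: it creates the two groups from steps 4 through 6 with the ActiveDirectory module (assumed to be available on SYD-DC, as it is on a domain controller with RSAT) and then checks, expanding nested membership, that the Manage CA group and the Issue And Manage Certificates group have no members in common. The group descriptions are assumed values.

```powershell
# Added example (not from the training guide): create the two delegation groups from
# Exercise 7 and verify that no account holds both CA roles. Assumes the
# ActiveDirectory module on SYD-DC and the lab domain contoso.com.
Import-Module ActiveDirectory

$usersContainer = 'CN=Users,DC=contoso,DC=com'
$groups = @{
    'Certificate_Managers' = 'Delegated Issue And Manage Certificates on Contoso-SYD-DC-CA'
    'CertAuthority_Admins' = 'Delegated Manage CA on Contoso-SYD-DC-CA'
}

foreach ($name in $groups.Keys) {
    # Idempotent: skip groups that already exist from the GUI walkthrough.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope Global -Path $usersContainer -Description $groups[$name]
    }
}

function Test-CARoleSeparation {
    # Separation of duties holds only if the two groups are disjoint. Nested groups
    # count, so membership is expanded recursively and reduced to user accounts.
    param(
        [string]$ManageCAGroup    = 'CertAuthority_Admins',
        [string]$ManageCertsGroup = 'Certificate_Managers'
    )
    $admins   = @(Get-ADGroupMember -Identity $ManageCAGroup -Recursive |
                  Where-Object { $_.objectClass -eq 'user' } |
                  Select-Object -ExpandProperty SamAccountName)
    $managers = @(Get-ADGroupMember -Identity $ManageCertsGroup -Recursive |
                  Where-Object { $_.objectClass -eq 'user' } |
                  Select-Object -ExpandProperty SamAccountName)
    $overlap  = @($admins | Where-Object { $managers -contains $_ })

    [pscustomobject]@{
        ManageCAMembers    = $admins.Count
        ManageCertsMembers = $managers.Count
        Overlap            = $overlap
        Separated          = ($overlap.Count -eq 0)
    }
}

Test-CARoleSeparation
```

Run the check whenever membership of either group changes. If you go one step further than the exercise and have the CA enforce the separation itself (certutil -setreg CA\RoleSeparationEnabled 1, followed by a restart of the CertSvc service; a setting the guide does not cover), an account that holds both roles is blocked from performing either, so an Overlap that is not empty needs to be cleaned up before that switch is turned on.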

Exercise 8: Configure a key recovery agent certificate template

In this exercise, you configure a key recovery agent certificate. To complete this exercise, perform the following steps:

1. On SYD-DC while signed in as contoso\don_funk, open the Certification Authority console.

2. In the Certification Authority console, click Certificate Templates. On the Action menu, click Manage to open the Certificate Templates console.

3. In the Certificate Templates console, click the Key Recovery Agent template. On the Action menu, click Duplicate Template.

4. On the Compatibility tab of the Properties Of New Template dialog box, set the Certification Authority to Windows Server 2012 R2.

5. On the Resulting Changes dialog box, click OK.

6. On the Compatibility tab of the Properties Of New Template dialog box, set the Certificate Recipient to Windows 8.1 / Windows Server 2012 R2 as shown in Figure 4-65.

FIGURE 4-65 Set the Certificate Recipient to Windows 8.1 / Windows Server 2012 R2

7. On the Resulting Changes dialog box, shown in Figure 4-66, click OK.

FIGURE 4-66 The Resulting Changes dialog box

8. On the General tab, set the Template Display Name to New Key Recovery Agent and the template name to NewKeyRecoveryAgent. Select the Publish Certificate In Active Directory option as shown in Figure 4-67 and click Apply.

FIGURE 4-67 The Publish Certificate In Active Directory option

9. On the Superseded Templates tab, click Add.

10. In the Add Superseded Template dialog box, click Key Recovery Agent, and click OK.

11. On the Superseded Templates tab, verify that Key Recovery Agent is listed as shown in Figure 4-68, and click Apply.

FIGURE 4-68 The Key Recovery Agent

12. On the Security tab, ensure that Domain Admins (CONTOSO\Domain Admins) has the Read (Allow), Write (Allow), and Enroll (Allow) permissions as shown in Figure 4-69 and then click OK.

FIGURE 4-69 Ensure that the Domain Admins (CONTOSO\Domain Admins) has the Read (Allow), Write (Allow), and Enroll (Allow) permissions set

13. Close the Certificate Templates console.

14. In the Certification Authority console, click Certificate Templates.

15. On the Action menu, click New and click Certificate Template To Issue.

16. On the Enable Certificate Templates dialog box, click New Key Recovery Agent as shown in Figure 4-70 and click OK.

FIGURE 4-70 Click New Key Recovery Agent

17. In the Certification Authority console, refresh the list of Certificate Templates and verify that the New Key Recovery Agent template is visible, as shown in Figure 4-71.

FIGURE 4-71 Verify that the New Key Recovery Agent template is visible

Exercise 9: Request a key recovery agent certificate

In this exercise, you create a user account to be used as a key recovery agent. To complete this exercise, perform the following steps:

1. When signed on to SYD-DC as contoso\don_funk, click Active Directory Users And Computers on the Tools menu of the Server Manager console.

2. In the Users container, click Don Funk. In the Action menu, click Copy.

3. On the Copy Object – User dialog box, enter the following information as shown in Figure 4-72 and click Next:

- Full Name: Keymaster

- User Logon Name: keymaster

FIGURE 4-72 Fill out the Copy Object – User dialog box

4. Enter the password Pa$$w0rd twice. Ensure that only Password Never Expires is selected, click Next, and click Finish.

5. Sign off SYD-DC and sign on as contoso\keymaster with the password Pa$$w0rd.

6. In the Search charm, type MMC. Click Mmc in the list of results.

7. On the User Account Control dialog box, click Yes.

8. On the File menu of the Console1 window, click Add/Remove Snap-In.

9. On the Add Or Remove Snap-Ins dialog box, click Certificates as shown in Figure 4-73 and click Add.

FIGURE 4-73 Click Certificates in the Add Or Remove Snap-Ins dialog box

10. In the Certificates Snap-In dialog box, click My User Account, click Finish, and click OK.

11. In Console1, expand Certificates – Current User and click the Personal node.

12. On the Action menu, click All Tasks and click Request New Certificate.

13. On the Before You Begin page of the Certificate Enrollment Wizard, click Next twice.

14. On the Request Certificates page, select New Key Recovery Agent as shown in Figure 4-74, click Enroll, and click Finish.

FIGURE 4-74 Select New Key Recovery Agent on the Request Certificates page

15. On the Tools menu of the Server Manager console, click Certification Authority.

16. In the Certification Authority console, expand the Contoso-SYD-DC-CA node and click the Pending Requests node.

17. Click the certificate request listed as shown in Figure 4-75. On the Action menu, click All Tasks and click Issue.

FIGURE 4-75 Pending requests on the Certification Authority

18. Switch back to Console1 and expand the Active Directory User Object node, click the Certificates node, and double-click the certificate listed.

19. Verify that the certificate is intended for the purpose of Key Recovery Agent as shown in Figure 4-76 and click OK.

FIGURE 4-76 Verify the certificate

20. Sign off SYD-DC and sign back on as contoso\don_funk with the password Pa$$w0rd.
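The same request, approval and retrieval flow as Exercise 9, driven from Windows PowerShell, as an added example that is not part of the training guide. It assumes the NewKeyRecoveryAgent template from Exercise 8 (which, like the built-in Key Recovery Agent template, leaves requests pending until a certificate manager issues them), the Get-Certificate cmdlet of the PKI module shipped with Windows 8.1 and Windows Server 2012 R2, and certutil on SYD-DC. The requester part runs as contoso\keymaster; the approval part runs as an account holding Issue And Manage Certificates.

```powershell
# Added example (not from the training guide): Exercise 9 without the MMC.
# Assumes the template name NewKeyRecoveryAgent and the lab CA Contoso-SYD-DC-CA.

# --- Requester side (run as contoso\keymaster) ---
# -Url ldap: selects the Active Directory enrollment policy; the result object
# reports Pending because KRA templates require certificate manager approval.
$result = Get-Certificate -Template 'NewKeyRecoveryAgent' -Url ldap: `
    -CertStoreLocation Cert:\CurrentUser\My
"Enrollment status: $($result.Status)"

# --- Certificate manager side (run on SYD-DC) ---
# Disposition 9 marks pending requests in the CA database; list who is waiting.
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate"

# Issue one pending request by its Request ID (the equivalent of All Tasks > Issue).
$requestId = Read-Host 'Request ID to issue'
certutil -resubmit $requestId

# --- Requester side again ---
# Pending requests live in the REQUEST store; piping them to Get-Certificate
# completes any that the CA has since issued and moves them to Personal.
Get-ChildItem Cert:\CurrentUser\Request | Get-Certificate | Out-Null

function Get-KraCertificate {
    # Returns the issued Key Recovery Agent certificate(s) in the user's Personal store,
    # identified by intended purpose, which is what step 19 of the exercise checks.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Key Recovery Agent' } |
        Select-Object Subject, SerialNumber, NotAfter, HasPrivateKey
}

Get-KraCertificate | Format-Table -AutoSize
```

HasPrivateKey must be True for the KRA certificate to be usable later in Exercise 15; a certificate that arrived without its private key (for example, because it was retrieved on a different machine from the one that generated the request) cannot decrypt archived keys.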

Exercise 10: Configure key recovery

In this exercise, you configure key recovery on SYD-DC. To complete this exercise, perform the following steps:

1. While signed on to SYD-DC as contoso\don_funk, open the Certification Authority console from the Tools menu of the Server Manager console.

2. In the Certification Authority console, click Contoso-SYD-DC-CA. In the Action menu, click Properties.

3. On the Recovery Agents tab of the Contoso-SYD-DC-CA Properties dialog box, click Archive The Key and click Add.

4. In the Key Recovery Agent Selection dialog box, click Keymaster as shown in Figure 4-77 and click OK.

FIGURE 4-77 Select Keymaster in the Key Recovery Agent Selection dialog box

5. On the Contoso-SYD-DC-CA Properties dialog box, click Apply.

6. When prompted to restart Active Directory Certificate Services, click Yes.

7. After Active Directory Certificate Services has restarted, on the Recovery Agents tab, verify that the Keymaster Key Recovery Agent Certificate has the status of Valid as shown in Figure 4-78.

FIGURE 4-78 Verify that the Keymaster Key Recovery Agent Certificate has the status of Valid

8. Click OK to close the Contoso-SYD-DC-CA Properties dialog box.

Exercise 11: Configure a certificate template for autoenrollment and key recovery

In this exercise, you configure a certificate so that it can be configured for automatic enrollment and certificate recovery. To complete this exercise, perform the following steps:

1. On SYD-DC when signed on as contoso\don_funk, switch to the Certification Authority console and click the Certificate Templates node.

2. On the Action menu, click Manage.

3. In the Certificate Templates console, click the Basic EFS template. On the Action menu, click Duplicate Template.

4. On the Compatibility tab of the Properties Of New Template dialog box, set the Certification Authority drop-down menu to Windows Server 2012 R2.

5. On the Resulting Changes dialog box, click OK.

6. On the Compatibility tab, set the Certificate Recipient to Windows 8.1 / Windows Server 2012 R2.

7. On the Resulting Changes dialog box, click OK.

8. Verify that the Properties Of New Template dialog box matches Figure 4-79 and click the General tab.

FIGURE 4-79 Verify that the Properties Of New Template dialog box matches

9. On the General tab, set the following properties as shown in Figure 4-80 and click Apply:

- Template Display Name: Advanced EFS

- Template Name: AdvancedEFS

- Publish Certificate in Active Directory: Enabled

FIGURE 4-80 Set properties on the General tab

10. On the Security tab, click Authenticated Users and assign them the Enroll (Allow) and Autoenroll (Allow) permissions and retain the Read (Allow) permission as shown in Figure 4-81. Click OK.

FIGURE 4-81 Click Authenticated Users and assign them the Enroll (Allow) and Autoenroll (Allow) permissions as well as retain the Read (Allow) permission

11. Close the Certificate Templates console.

12. On the Certification Authority console, click the Certificate Templates node. On the Action menu, click New and click Certificate Template To Issue.

13. On the Enable Certificate Templates dialog box, click Advanced EFS as shown in Figure 4-82 and click OK.

FIGURE 4-82 Clicking Advanced EFS

14. Verify that the Advanced EFS template is listed when the Certificate Templates node of the Certification Authority console is selected as shown in Figure 4-83.

FIGURE 4-83 Verify that the Advanced EFS template is listed when the Certificate Templates node of the Certification Authority console is selected

Exercise 12: Configure Group Policy to support autoenrollment, credential roaming, and automatic renewal

In this exercise, you configure the default domain policy to support autoenrollment and automatic certificate renewal. To complete this exercise, perform the following steps:

1. On SYD-DC when signed in as contoso\don_funk, click Group Policy Management on the Tools menu of the Server Manager console.

2. In the Group Policy Management console, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and click Default Domain Policy.

3. On the Group Policy Management Console dialog box, click OK.

4. On the Action menu, click Edit.

5. In the Group Policy Management Editor, expand User Configuration\Policies\Windows Settings\Security Settings and click the Public Key Policies node as shown in Figure 4-84.

FIGURE 4-84 Expand User Configuration\Policies\Windows Settings\Security Settings and click the Public Key Policies node

6. Click the Certificate Services Client – Auto-Enrollment policy. On the Action menu, click Properties.

7. Set the Configuration Model drop-down menu to Enabled.

8. Select the following options as shown in Figure 4-85 and click OK:

- Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates

- Update Certificates That Use Certificate Templates

FIGURE 4-85 Configuring the CA Enrollment Policy

9. In the Group Policy Management Editor, click the Certificate Services Client – Certificate Enrollment Policy item. On the Action menu, click Properties.

10. On the Certificate Services Client – Certificate Enrollment Policy dialog box, set the Configuration Model to Enabled and ensure that Active Directory Enrollment Policy is selected as shown in Figure 4-86. Click OK.

FIGURE 4-86 Set the Configuration Model to Enabled and ensure that the Active Directory Enrollment Policy is selected

11. In the Group Policy Management Editor, click the Certificate Services Client – Credential Roaming policy. On the Action menu, click Properties.

12. On the Certificate Services Client – Credential Roaming Properties dialog box, click Enabled as shown in Figure 4-87 and click OK.

FIGURE 4-87 Enable the Certificate Services Client – Credential Roaming Properties dialog box

13. Click OK on the Changing RUP Exclusion List dialog box, close the Group Policy Management Editor, and then close the Group Policy Management console.

14. Click the Windows PowerShell icon on the taskbar.

15. In the Windows PowerShell window, type the following command and press Enter:

Gpupdate /force

16. Close the Windows PowerShell window when both policies have updated.

17. In the Certification Authority console, click the Issued Certificates node.

18. Verify that a certificate using the Advanced EFS template has been issued to CONTOSO\don_funk as shown in Figure 4-88.

FIGURE 4-88 Verify that a certificate using the Advanced EFS template has been issued to CONTOSO\don_funk

Exercise 13: Configure a certificate template to support private key archival and recovery and reenroll all certificate holders

In this exercise, you modify the properties of the Advanced EFS template so that the private key is automatically archived and then reenroll all certificate holders. To complete this exercise, perform the following steps:

1. On SYD-DC when signed in as contoso\don_funk, select the Certificate Templates node of the Certification Authority console. On the Action menu, click Manage.

2. In the Certificate Templates console, click the Advanced EFS template. In the Action menu, click Properties.

3. On the Request Handling tab of the Advanced EFS Properties dialog box, select Archive Subject’s Encryption Private Key.

4. On the Changing Key Archival Property dialog box, click OK.

5. Ensure that the Request Handling tab of the Advanced EFS Properties dialog box is configured as shown in Figure 4-89 and click OK.

FIGURE 4-89 Ensure that the Request Handling tab of the Advanced EFS Properties dialog box is configured

6. Click the Advanced EFS template and on the Action menu click Reenroll All Certificate Holders.

7. Open a Windows PowerShell window by clicking the Windows PowerShell icon on the taskbar.

8. In the Windows PowerShell window, type the following command and press Enter:

Gpupdate /force

9. Switch to the Certification Authority console and select the Issued Certificates node.

10. Verify that a new certificate using the Advanced EFS certificate template has been issued to CONTOSO\don_funk as shown in Figure 4-90.

FIGURE 4-90 Use the Advanced EFS certificate template
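Exercises 12 and 13 both rely on Gpupdate /force and a subsequent look at the Issued Certificates node to confirm that autoenrollment did its work. The following script is an added example, not part of the training guide: it refreshes policy, triggers the autoenrollment task immediately with certutil -pulse instead of waiting for the next scheduled run, lists the Advanced EFS certificates in the user's Personal store (identified, as the guide does in Exercise 15, by the Encrypting File System intended purpose) and cross-checks the CA database for everything issued to CONTOSO\don_funk. The user name, template name and CA are the lab values from this chapter.

```powershell
# Added example (not from the training guide): trigger and verify the autoenrollment
# set up in Exercises 11 through 13. Assumes the lab user CONTOSO\don_funk, the
# Advanced EFS template (EFS intended purpose) and the CA Contoso-SYD-DC-CA on SYD-DC.

# 1. Refresh Group Policy, then start the user autoenrollment task right away.
gpupdate /force | Out-Null
certutil -pulse | Out-Null

function Get-EfsCertificates {
    # Advanced EFS certificates carry the Encrypting File System EKU; newest first.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, SerialNumber, NotBefore, NotAfter, HasPrivateKey
}

# 2. After Exercise 13's Reenroll All Certificate Holders a second, newer certificate
#    appears; only that one has its private key archived on the CA.
Get-EfsCertificates | Format-Table -AutoSize

# 3. Cross-check from the CA side (run on SYD-DC): Disposition 20 = issued.
#    RequestID increases with each issuance, so the last row is the reenrolled one.
certutil -view -restrict "RequesterName=CONTOSO\don_funk,Disposition=20" `
    -out "RequestID,SerialNumber,CertificateTemplate,NotBefore"
```

If step 2 shows only one certificate after Exercise 13, check that the template's Superseded Templates and Request Handling settings were applied before Reenroll All Certificate Holders was clicked; reenrollment bumps the template version, and clients only replace a certificate when policy tells them the version they hold is outdated.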

Exercise 14: Perform certificate revocation

In this exercise, you revoke the certificate issued to the subordinate CA hosted on ADL-DC. You would do this if the computer hosting the CA had been compromised by malware and might have been exploited by nefarious third parties. To complete this exercise, perform the following steps:

1. On SYD-DC when signed in as CONTOSO\don_funk, open the Certification Authority console and select the Issued Certificates node.

2. Select the second certificate issued using the Subordinate Certification Authority template (the one with the higher number in the Request ID column).

3. On the Action menu, click Open and verify that this certificate has been issued to Contoso-ADL-DC-CA as shown in Figure 4-91. Click OK to close the Certificate Properties dialog box.

FIGURE 4-91 Certificate information

4. With the correct certificate selected, click All Tasks on the Action menu and then click Revoke Certificate.

5. In the Certificate Revocation dialog box, choose Certificate Hold as the reason for the certificate revocation as shown in Figure 4-92 and click Yes.

FIGURE 4-92 The Certificate Revocation dialog box

6. In the Certification Authority console, click the Revoked Certificates node and verify that the certificate is listed with the Revocation Reason set to Certificate Hold as shown in Figure 4-93.

FIGURE 4-93 Verify that the certificate is listed

7. Ensure that the Revoked Certificates node is selected. On the Action menu, click All Tasks and click Publish.

8. In the Publish CRL dialog box, click New CRL as shown in Figure 4-94 and then click OK.

FIGURE 4-94 Select New CRL in the Publish CRL dialog box

9. Switch to ADL-DC and sign in as contoso\don_funk with the password Pa$$w0rd.

10. On the Taskbar, click the Windows PowerShell icon.

11. In the Windows PowerShell window, type the following commands and press Enter after each command:

Gpupdate /force

Certutil -urlcache crl delete

Certutil -urlcache ocsp delete

12. On the Tools menu of the Server Manager console, click Certification Authority.

13. In the Certification Authority console, click the Contoso-ADL-DC-CA node.

14. On the Action menu, click Properties.

15. On the General tab of the Contoso-ADL-DC-CA Properties dialog box, click View Certificate.

16. Verify that the certificate is listed as revoked, as shown in Figure 4-95, and click OK twice.

FIGURE 4-95 Verify that the certificate is listed as revoked
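The revocation of Exercise 14 and the client-side check, done with certutil, as an added example that is not part of the training guide. It covers both halves of the procedure: on SYD-DC, locating the certificate issued to Contoso-ADL-DC-CA, placing it on hold and publishing a new CRL; on ADL-DC, clearing the cached CRL and OCSP responses and then verifying the certificate with certutil -verify -urlfetch, which fetches revocation data from the CDP and the AIA/OCSP location published in Exercise 6 and so also tests the Online Responder. The numeric reason codes other than 6 (Certificate Hold) and the output path C:\adl-ca.cer go beyond what the exercise uses and are stated here as assumptions.

```powershell
# Added example (not from the training guide): Exercise 14 with certutil.
# Assumes the lab CAs Contoso-SYD-DC-CA (root, on SYD-DC) and Contoso-ADL-DC-CA
# (subordinate, on ADL-DC) and the OCSP responder at http://syd-dc.contoso.com/ocsp.

# --- On SYD-DC, as an account with Issue And Manage Certificates ---
# Find the issued (Disposition 20) certificate whose subject is the subordinate CA.
certutil -view -restrict "CommonName=Contoso-ADL-DC-CA,Disposition=20" `
    -out "RequestID,SerialNumber,NotBefore"

# Revoke by serial number. Reason 6 = Certificate Hold, the only reason that can be
# reversed later; 1 (Key Compromise) and 2 (CA Compromise) are permanent and are what
# a real incident on the subordinate CA would call for.
$serial = Read-Host 'Serial number to place on hold'
certutil -revoke $serial 6

# Publish a fresh base CRL so the change reaches clients and the Online Responder.
certutil -crl

# --- On ADL-DC, the relying party ---
# Drop cached CRL and OCSP answers; otherwise the old "good" result is reused
# until it expires and the check below still passes.
certutil -urlcache crl delete
certutil -urlcache ocsp delete

function Test-CertRevoked {
    param([string]$CerPath)
    # -verify -urlfetch builds the chain and retrieves CRL and OCSP data from the URLs
    # in the certificate. A revoked certificate is reported as CRYPT_E_REVOKED.
    $report = certutil -verify -urlfetch $CerPath 2>&1 | Out-String
    [pscustomobject]@{
        File           = $CerPath
        Revoked        = ($report -match 'CRYPT_E_REVOKED')
        OcspReferenced = ($report -match 'ocsp')
        ExitCode       = $LASTEXITCODE
    }
}

# Export the subordinate CA's own certificate and check its status.
certutil -ca.cert C:\adl-ca.cer | Out-Null
Test-CertRevoked -CerPath C:\adl-ca.cer
```

Revoked should be True and ExitCode non-zero once the new CRL has been published and the caches cleared. Lifting the hold later, as the second suggested practice exercise at the end of this chapter asks, is certutil -revoke <serial> -1 (Unrevoke) followed by another certutil -crl; any other revocation reason cannot be undone.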

Exercise 15: Perform certificate recovery

In this exercise, you delete the Advanced EFS certificate that has been assigned to Don Funk and then use the keymaster user account to perform key recovery. To complete this exercise, perform the following steps:

1. When signed on to SYD-DC as contoso\don_funk, type mmc.exe in the Search charm and click Mmc in the list of results.

2. On the User Account Control dialog box, click Yes.

3. On the File menu of the Console1 console, click Add/Remove Snap-In.

4. On the Add Or Remove Snap-Ins dialog box, click Certificates and click Add.

5. On the Certificates Snap-In dialog box, click My User Account as shown in Figure 4-96, click Finish, and then click OK.

FIGURE 4-96 The Certificates Snap-In dialog box

6. In the Console1 console, expand the Certificates – Current User\Personal\Certificates node and click the certificate with the intended purpose listed as Encrypting File System as shown in Figure 4-97.

FIGURE 4-97 Click the certificate with the intended purpose of the Encrypting File System

7. On the Action menu, click Delete.

8. On the Certificates dialog box, click Yes.

9. On the File menu, click Save. Save the console on the desktop as console1.msc.

10. Sign off SYD-DC and sign on as contoso\keymaster with the password Pa$$w0rd.

11. On the Tools menu of the Server Manager console, click Certification Authority.

12. On the Certification Authority console, expand Contoso-SYD-DC-CA and click the Issued Certificates node.

13. Click the most recently issued certificate to CONTOSO\don_funk that uses the Advanced EFS certificate template as shown in Figure 4-98.

FIGURE 4-98 Click the most recently issued certificate to CONTOSO\don_funk that uses the Advanced EFS certificate template

14. On the Action menu, click Open.

15. On the Details tab of the Certificate dialog box, highlight the Serial Number as shown in Figure 4-99.

FIGURE 4-99 Highlighting the Serial Number on the Details pane of the Certificate dialog box

16. While the text is highlighted, press Ctrl+C to copy the text.

17. On the Search charm, type Notepad and then click Notepad in the results pane.

18. On the Edit menu of Notepad, click Paste.

19. In Notepad, remove all of the spaces in the serial number so that it appears in a manner similar to that of Figure 4-100.

FIGURE 4-100 Remove all of the spaces in the serial number in Notepad

20. In Notepad, select the serial number, and then click Copy on the Edit menu.

21. Open an elevated Windows PowerShell window and type the following command where <serial number> is the pasted serial number from Notepad as shown in Figure 4-101:

Certutil -getkey <serial number> outputblob

FIGURE 4-101 An elevated Windows PowerShell window

22. Type the following command and press Enter to convert the outputblob to a PFX file. Type the password Pa$$w0rd when prompted as shown in Figure 4-102.

Certutil -recoverkey outputblob c:\don-recovery.pfx

FIGURE 4-102 Convert the outputblob to a PFX file

23. Sign off and sign back on to SYD-DC as contoso\don_funk.

24. Click the File Explorer icon on the taskbar and navigate to Local Disk (C:).

25. Double-click the Don-recovery file.

26. On the Welcome To The Certificate Import Wizard page of the Certificate Import Wizard, click Current User and then click Next twice.

27. On the Private Key Protection page, enter the password Pa$$w0rd as shown in Figure 4-103, click Next twice, click Finish, and then click OK.

FIGURE 4-103 Enter the password on the Private Key Protection page

28. On the Desktop, double-click Console1. Click Yes on the User Account Control dialog box.

29. Verify that the certificate has been recovered.


Real World: Autoenrollment policy

Because of the autoenrollment policy applied to the Advanced EFS certificate template, a second certificate may also be present. This second certificate will have a different serial number. You can verify that an additional certificate was issued by checking the list of issued certificates in the Certification Authority console.
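The key recovery of Exercise 15 from Windows PowerShell, as an added example that is not part of the training guide. Reading the serial number from the CA database with certutil -view removes the copy-into-Notepad-and-strip-spaces step (steps 15 through 20), and because the autoenrollment policy may have issued more than one Advanced EFS certificate, the script takes the most recently issued one. It assumes CONTOSO\keymaster holds the KRA certificate from Exercise 9, that the Advanced EFS template archives keys as configured in Exercise 13, and the paths C:\outputblob and C:\don-recovery.pfx; the first part runs elevated as keymaster, the import as don_funk.

```powershell
# Added example (not from the training guide): Exercise 15 without the GUI.
# Assumes the lab CA Contoso-SYD-DC-CA, requester CONTOSO\don_funk, KRA user
# contoso\keymaster and the output files C:\outputblob and C:\don-recovery.pfx.

# --- As contoso\keymaster on SYD-DC, in an elevated Windows PowerShell window ---
function Get-LatestIssuedSerial {
    param([string]$Requester = 'CONTOSO\don_funk')
    # certutil -view prints one "Serial Number: "..."" line per row, in RequestID order,
    # so the last serial listed belongs to the most recent issuance.
    $rows = certutil -view -restrict "RequesterName=$Requester,Disposition=20" `
        -out "RequestID,SerialNumber,NotBefore"
    $serials = $rows | Select-String -Pattern 'Serial Number:\s*"?([0-9a-f]+)"?' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    $serials | Select-Object -Last 1
}

$serial = Get-LatestIssuedSerial
if (-not $serial) { throw 'No issued certificate found for the requester.' }
"Recovering the archived key for serial $serial"

# The recovery blob is the archived key encrypted to the KRA certificate(s); only a
# holder of a matching KRA private key can turn it into a PFX. -recoverkey prompts
# for the password that protects the resulting PFX file.
certutil -getkey $serial C:\outputblob
certutil -recoverkey C:\outputblob C:\don-recovery.pfx

# --- As contoso\don_funk on SYD-DC ---
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Import-PfxCertificate -FilePath C:\don-recovery.pfx -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword | Out-Null

function Test-EfsKeyRecovered {
    # True when the newest EFS certificate in the Personal store has its private key,
    # which is what step 29 of the exercise verifies by eye.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Encrypting File System' } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { return $false }
    $cert.HasPrivateKey
}

Test-EfsKeyRecovered
```

Delete C:\outputblob and C:\don-recovery.pfx once the import has been confirmed: the PFX contains the user's private key protected only by the password typed at -recoverkey, and leaving it on a shared disk undoes the point of archiving the key under KRA control.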


Suggested practice exercises

The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.

- Exercise 1 Join CBR-DC to the domain and deploy an enterprise subordinate CA on this computer. Obtain the CA certificate from the enterprise subordinate CA hosted on MEL-DC.

- Exercise 2 Remove the certificate hold placed on the ADL-DC CA’s certificate. Publish a new CRL and then verify that the certificate is now valid.

Answers

This section contains the answers to the lesson review questions in this chapter.

Lesson 1

1. Correct answer: C

A. Incorrect. Enterprise root CAs are integrated into Active Directory and cannot be configured as offline root CAs.

B. Incorrect. Enterprise subordinate CAs cannot serve as the apex of a CA hierarchy as they are subordinate to another CA.

C. Correct. Offline root CAs are always standalone root CAs that are only brought online to perform tasks such as renewing the CA certificate of subordinate CAs.

D. Incorrect. Standalone subordinate CAs cannot serve as the apex of a CA hierarchy as they are subordinate to another CA.

2. Correct answer: C

A. Incorrect. Enterprise CAs can only be deployed on computers that are members of an Active Directory domain.

B. Incorrect. Enterprise CAs can only be deployed on computers that are members of an Active Directory domain.

C. Correct. You can deploy standalone CAs on computers that are not members of an Active Directory domain, including computers running as virtual machines on Windows Azure.

D. Correct. You can deploy standalone CAs on computers that are not members of an Active Directory domain, including computers running as virtual machines on Windows Azure.

3. Correct answer: B

A. Incorrect. This component is a web interface that enables computers that are not members of the Active Directory forest, including those running third-party operating systems, to request and obtain certificates from the CA.

B. Correct. This component publishes certificate revocation data based on published CRLs and delta CRLs. Online Responders enable clients to perform revocation checks without requiring them to download the entire CRL and delta CRL.

C. Incorrect. This component enables network devices such as routers and switches to obtain certificates from the CA.

D. Incorrect. This component enables policy-based certificate enrollment when a computer is not a member of the Active Directory forest.

4. Correct answer: D

A. Incorrect. This component enables policy-based certificate enrollment when a computer is not a member of the Active Directory forest.

B. Incorrect. This component enables network devices such as routers and switches to obtain certificates from the CA.

C. Incorrect. This component publishes certificate revocation data based on published CRLs and delta CRLs.

D. Correct. This component is a web interface that enables computers that are not members of the Active Directory forest, including those running third-party operating systems, to request and obtain certificates from the CA.

5. Correct answer: C

A. Incorrect. This component publishes certificate revocation data based on published CRLs and delta CRLs.

B. Incorrect. This component enables policy-based certificate enrollment when a computer is not a member of the Active Directory forest.

C. Correct. This component enables network devices such as routers and switches to obtain certificates from the CA.

D. Incorrect. This component is a web interface that enables computers that are not members of the Active Directory forest, including those running third-party operating systems, to request and obtain certificates from the CA.

6. Correct answer: D

A. Incorrect. Security principals assigned the Read permission are able to view CA settings.

B. Incorrect. Security principals assigned the Issue And Manage Certificates permission are able to approve certificate requests and revoke issued certificates.

C. Incorrect. Security principals assigned the Manage CA permission are able to modify CA settings.

D. Correct. Security principals assigned the Request Certificates permission are able to request certificates from the CA.

7. Correct answer: B

A. Incorrect. Security principals assigned the Manage CA permission are able to modify CA settings.

B. Correct. Security principals assigned the Issue And Manage Certificates permission are able to approve certificate requests and revoke issued certificates.

C. Incorrect. Security principals assigned the Request Certificates permission are able to request certificates from the CA.

D. Incorrect. Security principals assigned the Read permission are able to view CA settings.

8. Correct answer: D

A. Incorrect. Security principals assigned the Request Certificates permission are able to request certificates from the CA.

B. Incorrect. Security principals assigned the Read permission are able to view CA settings.

C. Incorrect. Security principals assigned the Issue And Manage Certificates permission are able to approve certificate requests and revoke issued certificates.

D. Correct. Security principals assigned the Manage CA permission are able to modify CA settings.

Lesson 2

1. Correct answer: C

A. Incorrect. You cannot use an Administrator certificate to allow private key recovery from the certificate services database.

B. Incorrect. An EFS recovery agent certificate allows for the recovery of EFS encrypted data. You cannot use a certificate based off of this template to perform private key recovery from the certificate services database.

C. Correct. You can configure a certificate server so that users who have been issued a certificate based on a specific key recovery agent certificate template are able to recover private keys from the certificate services database.

D. Incorrect. The OCSP Response Signing certificate template is used when configuring an Online Responder.

2. Correct answer: C

A. Incorrect. The minimum CRL publication interval is 1 hour. You need to configure the delta CRL publication interval to accomplish this goal.

B. Incorrect. Key recovery agents aren’t related to certificate revocation but are related to private key recovery.

C. Correct. By configuring the delta CRL publication interval, clients will seek a new delta CRL that will contain the details of the revoked certificate within 30 minutes of the revocation occurring.

D. Incorrect. Although you can configure a renewal period of 1 hour for a certificate, this setting would only cause the previous certificate to expire without being renewed; clients would not directly recognize that it had been revoked.

3. Correct answers: A, B, and C

A. Correct. A user must be assigned the Enroll and Autoenroll permissions on the certificate template before they can be issued a certificate based on that template through autoenrollment.

B. Correct. Autoenrollment is only supported from enterprise CAs.

C. Correct. You must configure autoenrollment in Group Policy using the Certificate Services Client – Auto-Enrollment Group Policy item.

D. Incorrect. Standalone CAs don’t support autoenrollment.

4. Correct answer: A

A. Correct. This reason enables you to unrevoke the certificate if Don finds it at home.

B. Incorrect. Use this reason when you suspect that the certificate server has been compromised, not when a user loses their smart card.

C. Incorrect. Use this reason when you know that Don’s card has been lost.

D. Incorrect. Use this reason when someone leaves the organization or when their role has changed in such a way that you need to revoke their existing certificates.

5. Correct answer: D

A. Incorrect. This reason enables you to unrevoke a certificate when you are unsure if the reason for the revocation might change in future.

B. Incorrect. Use this reason when someone leaves the organization or when their role has changed in such a way that you need to revoke their existing certificates.

C. Incorrect. Use this reason when you suspect that the certificate server that issued the CA signing certificate has been compromised. In this case the issuing CA is fine; it’s the perimeter network CA that’s been compromised.

D. Correct. Use this reason when you know that a specific certificate might have been compromised. In this case, the certificate issued by your enterprise root CA to the perimeter network CA is suspect.

6. Correct answer: A

A. Correct. Using the Certificate Templates console to reenroll all certificate holders would trigger the issuance of new certificates based on the updated templates. These newly reissued certificates would have their private keys archived.

B. Incorrect. Performing this step would not ensure that users’ private keys would be archived.

C. Incorrect. Although you could do this, it wouldn’t trigger reenrollment of all certificate holders, which would mean that until certificate reenrollment needed to occur, the private keys would not be archived.

D. Incorrect. Performing this step would not ensure that users’ private keys would be archived.