
Microsoft Press MCSA/MCSE Self-Paced Training Kit (Exam 70-293), part 7 (ppsx)




Document information

Pages: 96
Size: 0.94 MB

Contents

11-12 Chapter 11 Creating and Managing Digital Certificates

When creating a CA infrastructure for your organization, you must decide how many CAs you need, who is going to provide them, where to locate them, and what the trust relationships between them should be.

Using Internal or External CAs

You can use either internal CAs running on your own computers or external CAs provided by a commercial service for all your certificate needs. Some applications (such as software code signing) clearly call for one or the other, but in many cases, the choice depends on the needs and capabilities of your organization. The advantages and disadvantages of using internal and external CAs are summarized in Table 11-2.

Table 11-2 Advantages and Disadvantages of Internal and External CAs

Advantages of an Internal CA | Disadvantages of an Internal CA | Advantages of an External CA | Disadvantages of an External CA
Direct control over certificates | Increased certificate management overhead | Instills customers with greater confidence in the organization | High cost per certificate
No per-certificate fees | Longer, more complex deployment | Provider liable for PKI failures | No autoenrollment possible
Can be integrated into Active Directory | Organization must accept liability for PKI failures | Expertise in the technical and legal ramifications of certificate use | Less flexibility in configuring and managing certificates
Allows configuring and expanding PKI for minimal cost | Limited trust by external customers | Reduced management overhead | Limited integration with the organization’s infrastructure

In many cases, organizations use a combination of internal and external CAs. They use their own CAs to secure their internal communications and use external CAs when they must secure communications with outside parties, such as customers.

How Many CAs?

If you decide to use internal CAs for your network, the next step is to determine how many CAs you need and where to locate them. A single CA running on Windows Server 2003 can support as many as 35 million certificates, issuing two million or more a day. As a result, most organizations use multiple CAs due to logistical factors other than the number of certificates required.

A variety of factors affect the performance of a CA, and can influence your decision as to how many CAs you need. Some of these factors are as follows:

■ Number and speed of processors The CPU performance of a server is the single most influential factor in that server’s performance as a CA. A server with multiple processors or faster processors will perform better as a CA, particularly when issuing certificates with long encryption keys.
■ Key length The length of the encryption keys in your certificates is a major factor in the impact of CA service on the computer’s CPU. Longer keys require more processing time and can slow down the certificate enrollment process.
■ Disk performance A high-performance disk subsystem in a CA can influence the certificate enrollment rate; however, the degree of influence depends on other factors, such as the CPU performance and key length. If the CA issues certificates with unusually long keys, processing time for each certificate increases, slowing down the enrollment rate and lessening the impact on the disk subsystem. With shorter keys, disk performance is more critical, because the disk subsystem can more easily become the bottleneck slowing down the enrollment rate.

Based on these criteria, many organizations would be adequately served by a single CA, but there are several reasons for implementing multiple CAs anyway. One reason is fault tolerance. Having two or more CAs enables the PKI to service clients even if one of the servers fails. Another reason is load distribution when servicing an organization spread out over multiple locations. A corporation with several offices might want a CA in each office to reduce wide area network (WAN) traffic and to keep the certificate enrollment process local. It might also be necessary to deploy multiple CAs so that different servers can issue certificates for different purposes.

Creating a CA Hierarchy

When you deploy multiple CAs in a single organization, the relationships between them are hierarchical, based on a network of parent/child relationships. Every CA in a PKI is either a root CA or a subordinate CA. A root CA is the parent that issues certificates to the subordinate CAs beneath it. If a client trusts the root CA, it must also trust all the subordinate CAs that have been issued certificates by the root CA.

Note Root CAs are the only CAs that do not have a certificate issued by a higher authority. A root CA issues its own self-signed certificate, which functions as the top of the certificate chain for all the certificates issued by all the CAs subordinate to the root.

Subordinate CAs can also issue certificates to other subordinate CAs. In this case, the CA in the middle is called an intermediate CA. An intermediate CA is subordinate to the root CA but higher than the other subordinate CAs to which it issues certificates.

Every certificate issued by every CA in the hierarchy can trace its trust relationships back to a root CA. The CA that issues your certificate might possess a certificate issued by another CA, which in turn might possess a certificate issued by a root CA. This hierarchy of relationships is called a certificate chain. In Windows Server 2003, you can display the certificate chain for any certificate by clicking the Certification Path tab in the Certificate dialog box, as shown in Figure 11-2.

Figure 11-2 The Certification Path tab in the Certificate dialog box

In a large PKI implementation, a three-layer CA hierarchy like the one in Figure 11-1 is typical.
The root CA exists only to issue certificates to the intermediate CAs, thereby functioning as the ultimate authority for the PKI. Beneath the root CA are one or more intermediate CAs, which issue certificates to the subordinate CAs at the next level. Generally speaking, you create multiple intermediate CAs to separate different classes of certificates, for example, one intermediate CA for internal user certificates and one for external certificates. At the bottom layer of the hierarchy are the subordinate CAs, also known as issuing CAs because these servers actually enroll client users and applications. Intermediate and root CAs usually do not issue certificates directly to clients, only to subordinate CAs.

Tip The security of the higher-level CAs in a PKI hierarchy is critical, because if an intruder penetrates the security of one high-level CA, all its subordinates are compromised as well. For this reason, it is common practice to leave root and intermediate CAs offline after they issue certificates to their subordinates. You can take a CA offline by shutting down Certificate Services, by disconnecting the Windows Server 2003 CA server from the network, or by shutting the server down completely.

Understanding Windows Server 2003 CA Types

When you configure a server running Windows Server 2003 to function as a CA, you can configure it to be either a root CA or a subordinate CA. In addition, you select one of the following two types for the CA:

■ Enterprise Enterprise CAs are integrated into the Active Directory directory service. They use certificate templates, publish their certificates and CRLs to Active Directory, and use the information in the Active Directory database to approve or deny certificate enrollment requests automatically. Because the clients of an enterprise CA must have access to Active Directory to receive certificates, enterprise CAs are not suitable for issuing certificates to clients outside the enterprise.
■ Stand-alone Stand-alone CAs do not use certificate templates or Active Directory; they store their information locally. In addition, by default, stand-alone CAs do not automatically respond to certificate enrollment requests, as enterprise CAs do. Requests wait in a queue for an administrator to manually approve or deny them. Stand-alone CAs are intended for situations in which users outside the enterprise submit requests for certificates.

Whether you choose to create an enterprise CA or a stand-alone CA, you can also specify that the CA be a root or a subordinate. An enterprise root CA is the top of the hierarchy. There can only be one enterprise root in any CA hierarchy. All the other CAs in the hierarchy must be enterprise subordinate CAs. Stand-alone CAs can function in the same type of hierarchy as enterprise CAs; you can create a stand-alone root CA with stand-alone subordinate CAs beneath it. If you want to create only one stand-alone CA for your PKI, it must be a root CA, because every CA hierarchy must be traceable back to a root.

Tip If you plan to use smart cards to authenticate users on your network, you must create enterprise CAs, because smart card certificates must be associated with Active Directory user accounts to be functional.

Exam Tip Be sure to understand the differences between enterprise root CAs, enterprise subordinate CAs, stand-alone root CAs, and stand-alone subordinate CAs.

Configuring Certificates

With your security requirements and your CA hierarchy design in place, you can decide on a configuration for the certificates that the CA will issue to your clients.
Some of the criteria to consider when planning certificate configurations are as follows:

■ Certificate type Specifies the function of the certificate. Windows Server 2003 includes a collection of certificate templates that enable you to easily configure a CA to issue specific types of certificates.
■ Encryption key length and algorithm The length of the encryption keys included in your certificates and the encryption algorithm the certificates use dictate how difficult certificates are to penetrate and how secure the information they protect is. Longer keys provide greater security, but also require more processor time when creating and processing certificates. Different algorithms provide various degrees of security, also at the expense of processor time.
■ Certificate lifetime The lifetime of a certificate specifies how long the client can use it before it must be renewed. Longer lifetimes increase the chances that a certificate can be compromised. For certificates with longer encryption keys and stronger algorithms, however, longer lifetimes are often justified. Shorter lifetimes increase the number of certificates your CAs must issue, affecting network traffic and the server processing load. The default certificate lifetime for enterprise and stand-alone root CAs is two years.
■ Renewal policies You can configure a CA to issue new public and private keys when renewing a certificate or to re-use the existing keys. Issuing new keys increases the security the certificate provides, but also increases the processing load on the CA.

Practice: Installing a Windows Server 2003 Certification Authority

In this practice, you install Certificate Services on a computer running Windows Server 2003 and configure it to function as a stand-alone root CA.

Important Make sure that you have Internet Information Services (IIS) installed on the computer before you install Certificate Services.

1. Log on to Windows Server 2003 as Administrator.
2. Click Start, point to Control Panel, and then click Add Or Remove Programs. The Add Or Remove Programs dialog box appears.
3. Click Add/Remove Windows Components. The Windows Components Wizard appears.
4. Click Certificate Services (without selecting the check box), and then click Details. The Certificate Services dialog box appears.
5. Select the Certificate Services CA and the Certificate Services Web Enrollment Support check boxes, and then click OK. A Microsoft Certificate Services message box appears, warning you that once you install Certificate Services, you cannot change the computer’s machine name or domain membership without affecting the function of the CA. Click Yes to continue.
6. Click OK in the Certificate Services dialog box.
7. In the Windows Components Wizard, click Next. The CA Type page appears.
8. Click the Stand-alone Root CA option button, and then click Next. The CA Identifying Information page appears.
9. In the Common Name For This CA text box, type Issuing, and then click Next. The Certificate Database Settings page appears.
10. Click Next to accept the default database settings.
11. A Microsoft Certificate Services message box appears, stating that the system must temporarily stop the IIS service to complete the installation. Click Yes to proceed. The Configuring Components page appears, displaying a progress indicator as the wizard installs Certificate Services.
12. Another Microsoft Certificate Services message box appears, stating that the system must activate Active Server Pages (ASP) in IIS. Click Yes to proceed. The Configuring Components page finishes showing the progress of the installation.
13. When the Completing the Windows Components Wizard page appears, click Finish.
14. Close the Add Or Remove Programs dialog box.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. Which of the following types of certificates can be issued only by an enterprise certification authority?
a. IPSec
b. Smart card logon
c. Software code signing
d. Wireless network authentication

2. Which of the following modifications to a certificate configuration does not increase the burden on the CA’s processor?
a. Increasing the key length
b. Increasing the certificate’s lifetime
c. Issuing new keys with each certificate renewal
d. Changing the certificate type

3. Where does a root CA obtain its own certificate?
a. From a third-party certification authority
b. From a subordinate CA
c. From another root CA
d. From itself

Lesson Summary

■ The first step in planning a PKI is to study what the security enhancements certificates can provide and determine which of your organization’s security requirements you can satisfy with certificates.
■ Certificates are issued by certification authorities, which you can run on your own computers or obtain from third-party providers.
■ When running multiple CAs in an enterprise, you configure them in a hierarchy, with a root CA at the top, intermediate CAs at the second level, and subordinate (or issuing) CAs at the bottom.
■ Every certificate has a chain of trust relationships running from the CA that issued it all the way up to a root CA.
■ The configuration parameters of certificates themselves include the certificate type, the encryption algorithm and key length the certificates use, the certificate’s lifetime, and the renewal policies that dictate how the CA behaves when processing certificate renewal requests.
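The chain of trust and three-layer hierarchy this lesson describes, as an added example that is not part of the training kit: a small Python model in which each certificate carries only an issuer link and validity dates, and a check walks that link upward to a self-signed root the way the Certification Path tab does. The CA names, subjects and dates are constructed for the example.

```python
# Added example (not the training kit's code): a toy model of the CA hierarchy
# and certificate chain from Lesson 2. Certificates are plain records with no
# real keys or signatures; trust is modelled only by the issuer link.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str           # subject of the CA that issued this certificate
    not_before: date
    not_after: date
    is_ca: bool = False   # True for root, intermediate and issuing CAs


def is_self_signed(cert):
    # A root CA is the only CA whose certificate is not issued by a higher authority.
    return cert.subject == cert.issuer


def build_chain(leaf, store):
    """Follow issuer links upward to a self-signed certificate; ValueError if
    an issuer is missing or the links loop (the hierarchy has no root)."""
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while not is_self_signed(current):
        parent = store.get(current.issuer)
        if parent is None:
            raise ValueError(f"no certificate found for issuer {current.issuer!r}")
        if parent.subject in seen:
            raise ValueError("issuer links form a loop; no root reached")
        chain.append(parent)
        seen.add(parent.subject)
        current = parent
    return chain


def validate_chain(chain, trusted_roots, today):
    """Return (ok, reason) for a chain ordered leaf -> root. Trusting the root
    implies trusting every subordinate, so the only trust decision is the top."""
    root = chain[-1]
    if not is_self_signed(root):
        return False, "chain does not end at a self-signed root"
    if root.subject not in trusted_roots:
        return False, f"root {root.subject!r} is not trusted"
    for cert in chain[1:]:            # every issuer must itself be a CA
        if not cert.is_ca:
            return False, f"{cert.subject!r} issued a certificate but is not a CA"
    for cert in chain:                # lifetime applies to every link in the chain
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject!r} is outside its validity period"
    return True, "ok"


# Constructed three-layer hierarchy; the names and dates are invented for this example.
SAMPLE_STORE = {c.subject: c for c in [
    Cert("Example Root CA", "Example Root CA", date(2003, 1, 1), date(2013, 1, 1), True),
    Cert("Example Intermediate CA", "Example Root CA", date(2003, 1, 1), date(2008, 1, 1), True),
    Cert("Example Issuing CA", "Example Intermediate CA", date(2003, 1, 1), date(2006, 1, 1), True),
    Cert("alice", "Example Issuing CA", date(2004, 1, 1), date(2006, 1, 1)),
    Cert("orphan", "Unknown CA", date(2004, 1, 1), date(2006, 1, 1)),
]}


def verify(subject, trusted_roots, today, store=SAMPLE_STORE):
    """Build and validate the chain for one subject; chain errors become (False, reason)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    try:
        chain = build_chain(store[subject], store)
    except ValueError as exc:
        return False, str(exc)
    return validate_chain(chain, trusted_roots, today)
```

Calling verify("alice", {"Example Root CA"}, "2005-06-01") walks alice -> issuing -> intermediate -> root and returns (True, "ok"); removing the root from the trusted set, or asking about "orphan", returns the reason the chain fails.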
Lesson 3: Managing Certificates

Once you have completed your PKI design and installed your CAs, the next step in deploying PKI to consider is the ongoing management of your CAs and their certificates. This includes administering certificate enrollment, managing the certificates themselves, and publishing certificate revocation lists.

After this lesson, you will be able to
■ Control auto-enrollment in enterprise CAs
■ Submit certificate requests to a CA using the Certificates console or the pages created by the Certificate Services Web Enrollment Support interface
■ Publish certificate revocation lists

Estimated lesson time: 30 minutes

Understanding Certificate Enrollment and Renewal

The actual process by which CAs issue certificates to clients varies, depending on the types of CAs you have installed. If you have installed enterprise CAs, you can use auto-enrollment, in which the CA receives certificate requests from clients, evaluates them, and automatically determines whether to issue the certificate or deny the request. If you have installed stand-alone CAs, you cannot use auto-enrollment, so you must arrange for an administrator to monitor the CA (using the Certification Authority console) for incoming requests and to make decisions about whether to issue or deny the requests.

Exam Tip Be sure to understand the circumstances in which clients use auto-enrollment and manual enrollment, and to be familiar with the Microsoft Management Console (MMC) snap-ins used to manage certificates and certification authorities.

Using Auto-Enrollment

Auto-enrollment enables clients to automatically request and receive certificates from a CA with no manual intervention from administrators. To use auto-enrollment, you must have domain controllers running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Microsoft Windows XP Professional. You control the auto-enrollment process using a combination of group policy settings and certificate templates.

By default, Group Policy Objects (GPOs) contain settings that enable auto-enrollment for all user and computer objects in a domain. You configure these settings by opening the Autoenrollment Settings policy, located in the Windows Settings\Security Settings\Public Key Policies folder in both the Computer Configuration and User Configuration nodes in the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog box (see Figure 11-3), you can disable auto-enrollment entirely for the objects receiving these GPO settings. You can also enable the objects to renew and update their certificates automatically.

Figure 11-3 The Autoenrollment Settings Properties dialog box

The other mechanism you can use to control auto-enrollment is built into the certificate templates that define the properties of specific certificate types. To manage certificate templates, you use the Certificate Templates snap-in, as shown in Figure 11-4. Using this tool, you can specify the validity and renewal periods of specific certificate types and choose cryptographic service providers for them. Using the Security tab for a particular template, you can also specify which users and groups are allowed to request certificates using that template.

Figure 11-4 The Certificate Templates snap-in

When a client requests a particular type of certificate, the CA checks the properties of the client’s Active Directory object to determine if the client has the permissions needed to receive the certificate. If the client has the appropriate permissions, the CA issues the certificate automatically.
Using Manual Enrollment

Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives a certificate request from a client, it stores the request in a queue until an administrator decides whether to issue the certificate. To monitor and process incoming requests, administrators use the Certification Authority console, as shown in Figure 11-5.

Figure 11-5 The Certification Authority console

In the Certification Authority console, incoming certificate enrollment requests appear in the Pending Requests folder. After evaluating the information in each request, an administrator can choose to issue or deny each request. Administrators can also view the properties of issued certificates and revoke certificates as needed.

Manually Requesting Certificates

In some cases, the process of requesting a certificate and receiving it from a CA is invisible to both the client and the administrator. Certain applications might request certificates and receive them in the background, then proceed to function in the normal manner. In other cases, however, users must explicitly request certificates, using one of the tools that Windows Server 2003 provides.

[...] appears.
4. Click Add. The Add Standalone Snap-in dialog box appears.
5. In the Available Standalone Snap-ins list, select Certificates.
6. Click Add. The Certificates Snap-in dialog box appears.
7. Click Finish to accept the default My User Account option button, and then click Close. The Certificates—Current User snap-in appears in the Add/Remove Snap-in dialog box.

[...] running the CA (see Figure 11-7); these pages enable users to submit requests for particular types of certificates.

Tip You can also install the Certificate Services Web Enrollment Support module on a server running Windows Server 2003 that is not a CA, enabling you to integrate this module into existing Web servers.

Figure 11-7 The Microsoft Certificate Services [...]

[...] the Certificates snap-in also enables you to request and renew certificates using the Certificate Request Wizard and Certificate Renewal Wizard.

Figure 11-6 The Certificates snap-in

Off the Record The Certificates snap-in is limited to use with enterprise CAs because the snap-in reads certificate information for the user or computer from Active Directory, and clients of stand-alone CAs are not expected [...]

[...] type
d

3. Where does a root CA obtain its own certificate?
a. From a third-party certification authority
b. From a subordinate CA
c. From another root CA
d. From itself
d

Page 11-28

Lesson 3 Review

1. Which of the following tools does an administrator use to manually issue certificates to clients of a stand-alone CA?
a. The Certificates snap-in
b. [...]

[...] they arise.

12-2 Chapter 12 Securing Network Communications Using IPSec

Lessons in this Chapter:
■ Lesson 1: Securing Internetwork Communications 12-3
■ Lesson 2: Planning an IPSec Implementation 12-14
■ Lesson 3: Deploying IPSec 12-25
■ Lesson 4: Troubleshooting Data Transmission Security 12-35

Before You [...]

[...] called an ephemeral port. Some of the most commonly used well-known ports are listed in Table 12-1. (For the complete, updated list, refer to the IANA Port Numbers online database at http://www.iana.org/assignments/port-numbers.)

Table 12-1 Well-Known Port Numbers

Application | Abbreviation | Protocol | Port Number
File Transfer Protocol (Control) | ftp-control | TCP | 21
File Transfer Protocol (Default Data) | ftp-default data | TCP | [...]
Telnet | [...] | [...] | [...]
[...] | dhcps bootps | UDP | 67
Dynamic Host Configuration Protocol (Client) / Bootstrap Protocol Client (nondynamic) | dhcpc bootpc | UDP | 68
World Wide Web HTTP | http | TCP | 80
Post Office Protocol - Version 3 | pop3 | TCP | 110
Simple Network Management Protocol | snmp | UDP | 161
Simple Network Management Protocol Trap | snmptrap | UDP | 162

Exam Tip Be sure to familiarize yourself with the well-known port numbers [...]

[...] should receive the packet. For example, a data-link layer protocol, such as Ethernet, has an Ethertype value in its header that specifies which network-layer protocol should process the packet. In the same way, at the network layer, the Internet Protocol (IP) has a Protocol field that specifies the transport-layer protocol that should receive the packet, and each transport-layer protocol has a Port field [...]

Using the Certificates Snap-in

The Certificates snap-in (see Figure 11-6) is a tool that you can use to view and manage the certificates of a specific user or computer. The snap-in’s main display consists of folders that contain categories for all the certificates [...]

[...] Certificates snap-in

Lesson Summary

■ Only enterprise CAs can use auto-enrollment, in which clients send certificate requests to a CA and the CA automatically issues or denies the certificate.
■ For a client to receive certificates using auto-enrollment, it must have permission to use the certificate template for the type of certificate it is requesting.
■ Stand-alone CAs [...]

Posted: 09/08/2014, 07:21