DOCUMENT INFORMATION
Basic information
Format
Number of pages: 73
Size: 1.6 MB
Content
Microsoft Windows 2000 Public Key Infrastructure • Chapter 9 339
www.syngress.com 181_SerSec2e_09 9/5/01 5:41 PM Page 339

message. In the restoring of certificates and key pairs onto any system, the administrator uses the import function of the Certificate Manager. Exercise 9.2 walks you through exporting a certificate and its private key.

Exercise 9.2 Exporting a Certificate and a Private Key

You must first create a custom console containing the certificate snap-in:

1. Click Start.
2. Click Run.
3. Type MMC in the Open line.
4. Click OK. This will open a blank MMC.
5. You now need to add the Certificate snap-in. Click on Console.
6. Choose Add/Remove Snap-in from the pop-up menu.
7. Click Add.
8. Choose Certificates from the list of available snap-ins.
9. Select My User Account.
10. Click Finish.
11. Click Close on the Add Standalone Snap-in window.
12. Click OK on the Add/Remove Snap-in window.

Now you can use your custom console to complete this exercise:

1. Expand Certificates – Current User.
2. Expand Personal.
3. Select Certificates.
4. In the details pane (right side) right-click the certificate that you want to export and choose All Tasks | Export (see Figure 9.18). This will start the Certificate Export Wizard shown in Figure 9.19.
5. Click Next to continue the wizard.
6. Figure 9.20 shows the Export Private Key window. Use this window to choose if you want to export the certificate and its private key, or just the certificate. Select the radio button labeled Yes, export the private key. Click Next to continue. This will give you the window shown in Figure 9.21.

[Figure 9.18 The Certificate Snap-In]
[Figure 9.19 Starting the Certificate Export Wizard]

7. Select the file format that you want to use and click Next.
8. You will now be prompted for a password (as shown in Figure 9.22) to assign to the private key. Enter in the password twice and click Next.
9. You will now be asked to specify the name and path of the file you want to export as shown in Figure 9.23. Enter in the name and click Next to continue. This will give you the window shown in Figure 9.24.

[Figure 9.20 Exporting the Private Key]
[Figure 9.21 Choosing an Export File Format]
[Figure 9.22 Entering a Password]
[Figure 9.23 Selecting an Export File Name]
[Figure 9.24 Completing the Certificate Export Wizard]

10. Verify that the information is correct and click Finish to complete the Certificate Export Wizard. If all is successful, you will be presented with the window shown in Figure 9.25.
11. Click OK.

[Figure 9.25 The Export Successful Window]

Before doing an export operation of the certificate and public key pairs, the administrator should look at the CSP being used. When the Microsoft CSP is used, the exporting of key pairs will occur only if the exportable flag CRYPT_EXPORTABLE was set at the time the key was created. Some third-party CSPs may not support the backup and the restoration of key pairs and their certificates. When this is the case, only a complete system image backup is possible.

Certificate Enrollment

The guarantee that the public key is truly owned by the entity lies in the public key–based certificates. The Windows 2000 PKI includes certificate enrollment to the Microsoft Enterprise certificate authority or to other third-party CAs. You can use the Certificate Request Wizard or the Certificate Services Web page to request a certificate. The wizard is only available when requesting a certificate from an Enterprise CA.
Exercise 9.3 walks you through requesting a certificate with the Certificate Request Wizard via the Certificate Snap-in. Exercise 9.4 walks you through requesting a certificate with the certificate request Web page.

Exercise 9.3 Requesting a User Certificate with the Certificate Request Wizard

You must first create a custom console containing the certificate snap-in:

1. Click Start.
2. Click Run.
3. Type MMC in the Open line.
4. Click OK. This will open a blank MMC.
5. You now need to add the Certificate Snap-in. Click on Console.
6. Choose Add/Remove Snap-in from the pop-up menu.
7. Click Add.
8. Choose Certificates from the list of available snap-ins.
9. Select My User Account.
10. Click Finish.
11. Click Close on the Add Standalone Snap-in window.
12. Click OK on the Add/Remove Snap-in window.

Now you can use your custom console to complete this exercise:

1. Expand Certificates – Current User.
2. Expand Personal.
3. Right-click on Certificates.
4. Choose All Tasks | Request New Certificate from the pop-up menu (see Figure 9.26). This will start the Certificate Request Wizard shown in Figure 9.27.
5. Click Next to continue the wizard.
6. You will now be prompted for what type of certificate to request as shown in Figure 9.28. Choose the correct certificate type (User for this example) and click Next. This will give you the window shown in Figure 9.29.
7. Choose a CSP and click Next.

[Figure 9.26 Requesting New Certificates]
[Figure 9.27 The Certificate Request Wizard]
[Figure 9.28 Choosing a Certificate Template]

8. You must now select a CA to request from as shown in Figure 9.30. Select your CA and click Next to proceed.
9. You will now be asked to key in a name and description for your certificate as shown in Figure 9.31. Key in your information and click Next to continue.
10. Figure 9.32 shows the final wizard window. Click Finish to finalize the request.

[Figure 9.29 Choosing a CSP]
[Figure 9.30 Selecting a Certification Authority]

11. You may now view or install the granted certificate (see Figure 9.33). Click Install Certificate to install the certificate. If installation is successful, you will be given the successful installation window shown in Figure 9.34.
12. Click OK.

[Figure 9.31 Entering a Name and Description for a New Certificate]
[Figure 9.32 Completing the Certificate Request Wizard]

Exercise 9.4 Requesting an EFS Recovery Agent Certificate from the CA Web Page

1. Open your Web browser.
2. Type in http://server_name/certsrv (where server_name is the name of your certificate server). This will give you the page shown in Figure 9.35.

[Figure 9.33 Installing a Certificate]
[Figure 9.34 The Successful Installation Window]
[Figure 9.35 The Certificate Services Request Page]

[...]

[Figure 9.59 Selecting the Certificates to Issue]

6. Choose New | Certificate to Issue from the pop-up menu. This will give you the window shown in Figure 9.60.
7. Select the certificate template to be available on your CA and click OK.

[Figure 9.60 Adding New Templates]

Table 9.1 Templates [...]
[...] that should issue the certificate and click Next. This will give you the completion window shown in Figure 9.58.
17. Click Finish to end the wizard.

[Figure 9.58 Completing the Automatic Certificate Request Setup Wizard]

Certificate Enrollment and Renewal

Certificate types are templates [...]

[...] will first send a hello message to the server and will then receive the server's certificate. The server is authenticated by the client, using the certificate authority's public key. After the server is guaranteed, the client generates a session key of the appropriate size. The client then secures the session key by encrypting it with the server's public key. When the server receives the encrypted session [...]

[...] the wizard, as shown in Figure 9.56.
15. Choose a certificate template and click Next to continue. You will now be presented with the window shown in Figure 9.57.

[Figure 9.56 Choosing a Certificate Template]
[Figure 9.57 Selecting a Certification Authority]

16. Choose the CA that should issue [...]

[...] Click Start.
2. Go to Programs | Administrative Tools.
3. Open Active Directory Users and Computers.
4. Right-click on the domain.
5. Choose Properties from the pop-up box.
6. Click on the Group Policy tab.
7. Select the Default Domain Policy group policy object.
8. Click Edit. This will give [...]

[...] 3. Right-click Certificate and choose Import from the pop-up menu (see Figure 9.45). This will start the Certificate Import Wizard shown in Figure 9.46.

[Figure 9.45 Starting the Certificate Import Wizard]
[Figure 9.46 The Certificate Import Wizard]

4. Click Next to continue the wizard. [...]

[Figure (number cut off in this preview) Selecting a File to Import]
[Figure 9.48 Selecting a Password]

6. Type the password assigned to the file and click Next to continue.
7. Choose where to place the certificate (see Figure 9.49) and click Next. This will give you the window shown in Figure 9.50.

[Figure 9.49 Choosing a Certificate [...]]

[...] be given the window shown in Figure 9.52.

[Figure 9.51 Root Certificate Store Verification Window]
[Figure 9.52 The Import Was Successful Window]

Public Key Security Policy in Windows 2000

Windows 2000 fully uses the Kerberos security standard, thus providing single point logons at the enterprise [...]

[...] which contains multiple certificate authorities with defined parent-child relationships (see Figure 9.53). The certificate authority at the very top of the hierarchy is referred to as a root CA. The children are certified by certificates issued for them by their parents. One advantage of [...]

Table 9.2 Templates Available for Machines (the Certificate Purposes column is cut off in this preview after the first entries)

Certificate Template Name    Certificate Purposes
Certification authority      All
Domain controller            Client authentication, server authentication
IPSECIntermediateOffline     IP [...]
IPSECIntermediateOnline      [...]
MachineEnrollmentAgent       [...]
Machine                      [...]
OfflineRouter                [...]
SubCA                        [...]
WebServer                    [...]
Exchange user signature      [...]
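An added PowerShell equivalent of Exercise 9.2 (example code, not from the book): it locates a certificate in the Current User Personal store, checks the CSP exportable flag the chapter warns about, and writes a password-protected PKCS #12 (.pfx) file, which is the "Personal Information Exchange" format the Export Wizard offers. It assumes a current Windows PowerShell with the PKI module's Export-PfxCertificate cmdlet; the subject fragment CN=Alice and the output path are placeholders.

```powershell
# Added example, not the book's code: script the certificate-and-private-key export
# from Exercise 9.2. Assumes the PKI module (Export-PfxCertificate) is available.
param(
    [string]$SubjectMatch = 'CN=Alice',                          # assumed subject fragment
    [string]$OutFile      = "$env:USERPROFILE\alice-export.pfx"  # assumed output path
)

# Certificates - Current User > Personal > Certificates, filtered to ones with a key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matched '$SubjectMatch'." }

# CSP caveat from the chapter: a Microsoft CSP key can only be exported if it was
# created with CRYPT_EXPORTABLE. For CAPI (RSACryptoServiceProvider) keys the flag is
# readable here; other key types are reported as 'unknown' and left to the cmdlet.
$exportable = 'unknown'
try {
    $rsa = $cert.PrivateKey
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $rsa.CspKeyContainerInfo.Exportable
    }
} catch { $exportable = 'unknown' }
Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Exportable: $exportable"
if ($exportable -eq $false) {
    throw 'Private key is marked non-exportable; export the certificate only, or rely on a full system image backup.'
}

# Wizard step 8: ask for the key password twice and compare without echoing it.
$p1 = Read-Host -Prompt 'Password for the exported private key' -AsSecureString
$p2 = Read-Host -Prompt 'Confirm password' -AsSecureString
$b1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($p1)
$b2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($p2)
try {
    if ([Runtime.InteropServices.Marshal]::PtrToStringBSTR($b1) -cne
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($b2)) { throw 'Passwords do not match.' }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b1)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($b2)
}

# Wizard steps 7 and 9: PKCS #12 format, written to the chosen path.
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $p1 | Out-Null

# The .pfx now holds the private key: strip inherited ACEs and grant only the current user.
icacls $OutFile /inheritance:r /grant:r "$($env:USERNAME):(R,W)" | Out-Null
Write-Host "Exported certificate and private key to $OutFile"
```

Importing the file on another system is the mirror operation (Import-PfxCertificate with the same password), which corresponds to the Certificate Import Wizard steps quoted later in the chapter.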