Title: DESIGNING A PUBLIC KEY INFRASTRUCTURE
OVERVIEW
- Describe the elements and functions of a public key infrastructure (PKI).
- Understand the functions of certificates and certification authorities (CAs).
- Describe the structure of a CA hierarchy.
- List the differences between enterprise and stand-alone CAs.
- Install and configure a CA.
- Understand the certificate enrollment process.
- Publish certificate revocation lists.
INTRODUCING THE PUBLIC KEY INFRASTRUCTURE
- A public key infrastructure is a collection of software components and operational policies that govern the distribution and use of public and private keys using digital certificates.
UNDERSTANDING SECRET KEY ENCRYPTION
- Encryption is a system in which one character is substituted for another.
- Encryption on a data network typically uses a form of public key encryption.
- In public key encryption, every user has two keys, a public key and a private key.
- Data encrypted with the public key can be decrypted using the private key, and vice versa.
ENCRYPTING DATA
DIGITALLY SIGNING DATA
- Digital signing refers to the process of using your private key to encrypt all or part of a piece of data.
- Digitally signed data, encrypted with your private key, can only be decrypted with your public key.
- Digital signing prevents other users from impersonating you by sending data in your name.
VERIFYING DATA
- Hash values, or checksums, are used to guarantee the data has not been modified since the checksum was created.
- The receiving system verifies the checksum to determine whether or not the data has been altered.
USING CERTIFICATES
- Digital certificates are documents that verifiably associate a public key with a particular person or organization.
- Certificates are obtained from an administrative entity called a certification authority (CA).
- The CA issues a public key and a private key as a matched pair. The private key is stored on the user's computer, and the public key is issued as part of a certificate.
UNDERSTANDING CERTIFICATE CONTENTS
- Digital certificates contain the public key for a particular entity plus information about the entity.
- Almost all certificates conform to the ITU-T standard X.509 (03/00), The Directory: Public-Key and Attribute Certificate Frameworks.
- Standardization of certificate format is important; otherwise, exchange of certificates and keys would be difficult.
DOWNLOADING CERTIFICATES FROM THE INTERNET
USING INTERNAL AND EXTERNAL CAs
- For a certificate to be useful, it must be issued by an authority that both parties trust to verify each other's identities.
- Within an organization, you can use Windows Server 2003 Certificate Services, a service that enables the computer to function as a CA.
- When communicating with external entities, a trusted third-party certificate issuer can be used.
UNDERSTANDING PKI FUNCTIONS
- Having a PKI in place provides additional security on a Windows Server 2003 network.
- Using the management tools provided, administrators can publish, use, renew, and revoke certificates. They can also enroll clients in the PKI.
- Users can use certificates to provide additional security.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
- Planning a PKI typically consists of the following basic steps:
  - Defining certificate requirements
  - Creating a CA infrastructure
  - Configuring certificates
DEFINING CERTIFICATE REQUIREMENTS
- When designing a PKI, you must determine the client's security needs and how certificates can help provide that security.
- You must determine which users, computers, services, and applications will use certificates, and what kinds of certificates will be needed.
- Best practice dictates that a small set of security definitions be created and then applied to users and computers as needed.
CREATING A CA INFRASTRUCTURE
- Planning the creation of certification authorities requires an understanding of CA hierarchy.
- A CA hierarchy refers to a structure in which each CA is validated by a CA at a higher level.
- The root CA is considered the ultimate authority for the organization.
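Added example (not part of the original slides): a Go program that uses the standard library's crypto/x509 to build a root CA, a subordinate issuing CA and an end-entity certificate, then checks that the end-entity certificate validates only through the hierarchy up to the trusted root. The function names `issue` and `chains` and all subject names are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // acceptable in a demo only; real code returns the error
	}
	return v
}

// issue signs a certificate for cn with the parent's key; a nil parent yields a self-signed root.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // root CA: the template is signed with its own key
		parent, pk = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)))), key
}

// chains reports whether leaf validates through the issuing CA up to the trusted root.
func chains(leaf, ca, root *x509.Certificate) bool {
	roots, mid := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	mid.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mid})
	return err == nil
}

func main() {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil) // constructed names
	ca, caKey := issue("Example Issuing CA", 2, true, root, rootKey)
	leaf, _ := issue("user@example.test", 3, false, ca, caKey)
	impostor, _ := issue("Example Root CA", 1, true, nil, nil) // same name, different key
	println(chains(leaf, ca, root), chains(leaf, ca, impostor))
}
```

The second check fails because trust is bound to the root's key, not its name. `Verify` does not perform revocation checking, so consulting the issuing CA's CRL is a separate step.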
WHEN TO USE INTERNAL AND EXTERNAL CAs
HOW MANY CAs?
- A single CA running on Windows Server 2003 can support as many as 35 million certificates and can issue two million or more a day depending on the system specifications.
- System performance is a factor in determining how many CAs should be implemented. Issuing certificates can be disk and processor intensive.
- Multiple CAs can be implemented for fault-tolerant or load-distribution reasons.
CREATING A CA HIERARCHY
UNDERSTANDING WINDOWS SERVER 2003 CA TYPES
- Enterprise CAs
  - Are integrated into Active Directory
  - Can only be used by Active Directory clients
- Stand-Alone CAs
  - Do not automatically respond to certificate enrollment requests
  - Are intended for users outside the enterprise that submit requests for certificates
CONFIGURING CERTIFICATES
- Criteria to consider when configuring certificates include:
  - Certificate type
  - Encryption key length and algorithm
  - Certificate lifetime
  - Renewal policies
USING CERTIFICATE TEMPLATES
- Certificate templates determine what attributes are available or required for a given type of certificate.
- Windows Server 2003 includes a large number of certificate templates designed to satisfy most certificate requirements.
INSTALLING CERTIFICATE SERVICES
- Install through Add/Remove Windows Components in Control Panel.
- Can be installed on either a domain controller or a member server running Windows Server 2003.
- When installing an enterprise CA, a DNS server must be available that supports service location (SRV) resource records.
- During installation, the desired CSP can be selected.
PROTECTING A CA
- CAs should be considered critical network services.
- Protection measures and plans should include:
  - Physical protection
  - Key management
  - Restoration
CONFIGURING A CA
THE GENERAL TAB
THE POLICY MODULE TAB
THE EXIT MODULE TAB
THE EXTENSIONS TAB
THE STORAGE TAB
THE CERTIFICATE MANAGERS RESTRICTIONS TAB
THE AUDITING TAB
THE RECOVERY AGENTS TAB
THE SECURITY TAB
BACKING UP AND RESTORING A CA
- The Certificate Services database is always open, making it difficult to back up.
- Special software can be used to back up the files, or the Certification Authority console can provide a backup feature.
- The backup CA function of the Certification Authority console causes the Certificate Services database to be momentarily closed while a copy of the database is made.
UNDERSTANDING CERTIFICATE ENROLLMENT AND RENEWAL
- Auto-enrollment: The CA determines whether or not a certificate request is valid and issues or denies a certificate accordingly.
- Manual enrollment: An administrator must monitor the CA for incoming requests and determine if a certificate should be issued on a request-by-request basis.
USING AUTO-ENROLLMENT
USING MANUAL ENROLLMENT
- When using stand-alone CAs, the administrator must grant or deny requests for certificates.
- Incoming certificate enrollment requests appear in the Pending Requests folder.
- The administrator must check the folder on a regular basis.
MANUALLY REQUESTING CERTIFICATES
- Applications can request certificates and receive them in the background.
- Alternately, users can explicitly request certificates.
USING THE CERTIFICATES SNAP-IN
USING WEB ENROLLMENT
REVOKING CERTIFICATES
CHAPTER SUMMARY
- Public key encryption uses two keys, a public key and a private key. Data encrypted with the public key can only be decrypted using the private key. Data encrypted using the private key can only be decrypted with the public key.
- A PKI is a collection of software components and operational policies that governs the distribution and use of public and private keys.
- Certificates are issued by a CA. You can run your own CA using Windows Server 2003 or obtain your certificates from a third-party commercial CA.
CHAPTER SUMMARY (continued)
- The first step in planning a PKI is to review the security enhancements the certificates can provide and determine which of your organization's security requirements you can satisfy with the certificates.
- When running multiple CAs in an enterprise, you configure them in a hierarchy.
- The configuration parameters of certificates themselves include the certificate type, the encryption algorithm and key length the certificates use, the certificates' lifetime, and the renewal policies.
CHAPTER SUMMARY (continued)
- Only enterprise CAs can use auto-enrollment, in which clients send certificate requests to a CA and the CA automatically issues or denies the certificate.
- For a client to receive certificates using auto-enrollment, it must have permission to use the certificate template for the type of certificate it is requesting.
CHAPTER SUMMARY (continued)
- Stand-alone CAs do not use certificates or auto-enrollment. Certificate requests are stored in a queue on the CA until an administrator approves or denies them.
- CAs publish CRLs at regular intervals to inform authenticating computers of certificates they should no longer honor.