DESIGNING A PUBLIC KEY INFRASTRUCTURE

1
DESIGNING A PUBLIC KEY INFRASTRUCTURE

• Chapter 9

2
OVERVIEW

• Describe the elements and functions of a public
  key infrastructure (PKI).
• Understand the functions of certificates and
  certification authorities (CAs).
• Describe the structure of a CA hierarchy.
• List the differences between enterprise and
  stand-alone CAs.
• Install and configure a CA.
• Understand the certificate enrollment process.
• Publish certificate revocation lists.

3
INTRODUCING THE PUBLIC KEY INFRASTRUCTURE

• A public key infrastructure is a collection of
  software components and operational policies that
  govern the distribution and use of public and
  private keys using digital certificates.

4
UNDERSTANDING SECRET KEY ENCRYPTION

• Encryption is a system in which one character is
  substituted for another.
• Encryption on a data network typically uses a
  form of public key encryption.
• In public key encryption, every user has two
  keys, a public key and a private key.
• Data encrypted with the public key can be
  decrypted using the private key, and vice versa.

5
ENCRYPTING DATA
6
DIGITALLY SIGNING DATA

• Digital signing refers to the process of using
  your private key to encrypt all or part of a
  piece of data.
• Digitally signed data, encrypted with your
  private key, can only be decrypted with your
  public key.
• Digital signing prevents other users from
  impersonating you by sending data in your name.

7
VERIFYING DATA

• Hash values, or checksums, are used to guarantee
  the data has not been modified since the checksum
  was created.
• The receiving system verifies the checksum to
  determine whether or not the data has been
  altered.

8
USING CERTIFICATES

• Digital certificates are documents that
  verifiably associate a public key with a
  particular person or organization.
• Certificates are obtained from an administrative
  entity called a certification authority (CA).
• The CA issues a public key and a private key as a
  matched pair. The private key is stored on the
  users computer, and the public key is issued as
  part of a certificate.

9
UNDERSTANDING CERTIFICATE CONTENTS

• Digital certificates contain the public key for a
  particular entity plus information about the
  entity.
• Almost all certificates conform to the ITU-T
  standard X.509 (03/00), The Directory
  Public-Key and Attribute Certificate Frameworks.
• Standardization of certificate format is
  important, otherwise exchange of certifications
  and keys would be difficult.

10
DOWNLOADING CERTIFICATES FROM THE INTERNET
11
USING INTERNAL AND EXTERNAL CAs

• For a certificate to be useful, it must be issued
  by an authority that both parties trust to
  verify each others identities.
• Within an organization, you can use Windows
  Server 2003 Certificate Services, a service that
  enables the computer to function as a CA.
• When communicating with external entities, a
  trusted third-party certificate issuer can be
  used.

12
UNDERSTANDING PKI FUNCTIONS

• Having a PKI in place provides additional
  security on a Windows Server 2003 network.
• Using the management tools provided,
  administrators can publish, use, renew, and
  revoke certificates. They can also enroll clients
  in the PKI.
• Users can use certificates to provide additional
  security.

13
DESIGNING A PUBLIC KEY INFRASTRUCTURE

• Planning a PKI typically consists of the
  following basic steps
• Defining certificate requirements
• Creating a CA infrastructure
• Configuring certificates

14
DEFINING CERTIFICATE REQUIREMENTS

• When designing a PKI, you must determine the
  clients security needs and how certificates can
  help provide that security.
• You must determine which users, computers,
  services, and applications will use certificates,
  and what kinds of certificates will be needed.
• Best practice dictates that a small set of
  security definitions are created, and then
  applied to users and computers as needed.

15
CREATING A CA INFRASTRUCTURE

• Planning the creation of certification
  authorities requires an understanding of CA
  hierarchy.
• A CA hierarchy refers to a structure in which
  each CA is validated by a CA at a higher level.
• The root CA is considered the ultimate
  authorityfor the organization.

16
WHEN TO USE INTERNAL AND EXTERNAL CAs
17
HOW MANY CAs?

• A single CA running on Windows Server 2003 can
  support as many as 35 million certificates and
  can issue two million or more a day depending on
  the system specifications.
• System performance is a factor in determining
  how many CAs should be implemented. Issuing
  certificates can be disk and processor intensive.
• Multiple CAs can be implemented for
  fault-tolerant or load-distribution reasons.

18
CREATING A CA HIERARCHY
19
UNDERSTANDING WINDOWS SERVER 2003 CA TYPES

• Enterprise CAs
• Are integrated into Active Directory
• Can only be used by Active Directory clients
• Stand-Alone CAs
• Do not automatically respond to certificate
  enrollment requests
• Are intended for users outside the enterprise
  that submit requests for certificates

20
CONFIGURING CERTIFICATES

• Criteria to consider when configuring
  certificates include
• Certificate type
• Encryption key length and algorithm
• Certificate lifetime
• Renewal policies

21
USING CERTIFICATE TEMPLATES

• Certificate templates determine what attributes
  are available or required for a given type of
  certificate.
• Windows Server 2003 includes a large number of
  certificate templates designed to satisfy most
  certificate requirements.

22
INSTALLING CERTIFICATE SERVICES

• Install through Add/Remove Windows Components in
  Control Panel.
• Can be installed on either a domain controller or
  a member server running Windows Server 2003.
• When installing an enterprise CA, a DNS server
  must be available that supports service location
  (SRV) resource records.
• During installation, the desired CSP can be
  selected.

23
PROTECTING A CA

• CAs should be considered critical network
  services.
• Protection measures and plans should include
• Physical protection
• Key management
• Restoration

24
CONFIGURING A CA
25
THE GENERAL TAB
26
THE POLICY MODULE TAB
27
THE EXIT MODULE TAB
28
THE EXTENSIONS TAB
29
THE STORAGE TAB
30
THE CERTIFICATE MANAGERSRESTRICTIONS TAB
31
THE AUDITING TAB
32
THE RECOVERY AGENTS TAB
33
THE SECURITY TAB
34
BACKING UP AND RESTORING A CA

• The Certificate Services database is always open,
  making it difficult to back up.
• Special software can be used to back up the
  files, or the Certification Authority console
  can provide a backup feature.
• The backup CA function of the Certification
  Authority console causes the Certificate Services
  database to be momentarily closed while a copy of
  the database is made.

35
UNDERSTANDING CERTIFICATE ENROLLMENT AND RENEWAL

• Auto-enrollment The CA determines whether or
  not a certificate request is valid and issues or
  denies a certificate accordingly.
• Manual enrollment An administrator must monitor
  the CA for incoming requests and determine if a
  certificate should be issued on a
  request-by-request basis.

36
USING AUTO-ENROLLMENT
37
USING MANUAL ENROLLMENT

• When using stand-alone CAs, the administrator
  must grant or deny requests for certificates.
• Incoming certificate enrollment requests appear
  in the Pending Requests folder.
• The administrator must check the folder on a
  regular basis.

38
MANUALLY REQUESTING CERTIFICATES

• Applications can request certificates and receive
  them in the background.
• Alternately, users can explicitly request
  certificates.

39
USING THE CERTIFICATES SNAP-IN
40
USING WEB ENROLLMENT
41
REVOKING CERTIFICATES
42
CHAPTER SUMMARY

• Public key encryption uses two keys, a public key
  and a private key. Data encrypted with the public
  key can only be decrypted using the private key.
  Data encrypted using the private key can only be
  decrypted with the public key.
• A PKI is a collection of software components and
  operational policies that governs the
  distribution and use of public and private keys.
• Certificates are issued by a CA. You can run your
  own CA using Windows Server 2003 or obtain your
  certificates from a third-party commercial CA.

43
CHAPTER SUMMARY (continued)

• The first step in planning a PKI is to review the
  security enhancements the certificates can
  provide and determine which of your
  organizations security requirements you can
  satisfy with the certificates.
• When running multiple CAs in an enterprise, you
  configure them in a hierarchy.
• The configuration parameters of certificates
  themselves include the certificate type, the
  encryption algorithm and key length the
  certificates use, the certificates lifetime, and
  the renewal policies.

44
CHAPTER SUMMARY (continued)

• Only enterprise CAs can use auto-enrollment, in
  which clients send certificate requests to a
  CAand the CA automatically issues or denies the
  certificate.
• For a client to receive certificates using
  auto-enrollment, it must have permission to use
  the certificate template for the type of
  certificate it is requesting.

45
CHAPTER SUMMARY (continued)

• Stand-alone CAs do not use certificates or
  auto-enrollment. Certificate requests are stored
  in a queue on the CA until an administrator
  approves or denies them.
• CAs publish CRLs at regular intervals to inform
  authenticating computers of certificates they
  should no longer honor.