Thursday 1 March 2012

Windows 2008 Certificate Services

Certificate services:
Implementing PKI (Public Key Infrastructure)
What is a certificate:
  • Certificates are a form of digital identification.
  • Certificates are used to identify an entity such as a user or computer. For example, if you browse a secure website, a certificate is used to validate the identity of the website.
  • Certificates are issued by a certificate authority (CA).
  • Certificates contain information about the entity and about its issuer.
  • Certificates have an expiration date.
  • Certificates can be revoked prior to expiration.
Certificate Uses:
  • Signatures – Code signing, drivers, e-mail, tokens, server messages
  • Internet – HTTPS, SSL
  • Encryption – Network, Data, IPsec, EFS
  • Wireless
  • Smartcard
Types of CAs:
a. External CAs (Public CA) – This is the most commonly used method. Whenever someone outside the organization needs to be able to validate an entity within the organization, we need a trusted third party that is not part of the organization. The most well-known public CA is VeriSign.
b. Internal Active Directory Certificate Services
Below are the types of internal AD CAs:
Enterprise Root – used when the CA is going to operate within Active Directory Domain Services. It issues a certificate to itself at the root level and then issues certificates to its subordinates.
Enterprise Subordinate – receives its certificate from the root CA.
Standalone Root – used to install a CA on a server that is not going to integrate with AD DS.
Standalone Subordinate – receives its certificate from a root CA, like the enterprise subordinate, but without AD DS integration.
[Diagram: three-level CA hierarchy – root CA, subordinate CA, issuing CA, clients]
In the diagram above, three levels of CA are shown. The root CA issues certificates to the subordinate CA, which in turn issues certificates to the issuing CA, and the issuing CA issues certificates to clients. The advantage is that attackers cannot directly reach the root CA. The root CA can also be switched off so that it is offline and safe from compromise.
For example, if a subordinate CA is compromised, bring the root CA online, revoke the certificates that were issued to the subordinate CAs, and issue two new ones.
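To see the hierarchy from the client side, and to see why revoking a subordinate CA's certificate at the root actually protects clients, here is an added PowerShell example (not code from the original post). It walks a certificate's chain with the .NET X509Chain class, labels each tier, and enforces online revocation checking on every tier rather than only on the end-entity certificate. It assumes Windows PowerShell with the .NET Framework; `$CertPath` is a placeholder for any end-entity certificate file exported from the certificate store.

```powershell
# Added example, not from the original post: walk a certificate's chain and
# enforce revocation checking on every tier. This is the client-side check
# that fails once the root CA has revoked a compromised subordinate CA's
# certificate and published a new CRL.
# Assumption: $CertPath is a placeholder for any DER/Base64 certificate file.
param(
    [string]$CertPath = 'C:\temp\leaf.cer'   # placeholder, not a path from the post
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Check revocation for the entire chain (root -> subordinate -> issuing -> leaf),
# online, using whatever CRL or OCSP source each certificate advertises.
# NoFlag tolerates nothing: an unreachable revocation source is also a failure.
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$valid = $chain.Build($cert)

# ChainElements[0] is the end-entity certificate; the last element is the root
# (self-signed, so Subject equals Issuer). Everything in between is a
# subordinate or issuing CA.
$last  = $chain.ChainElements.Count - 1
$tiers = for ($i = 0; $i -le $last; $i++) {
    $element = $chain.ChainElements[$i]
    $c       = $element.Certificate

    if ($i -eq 0 -and $i -eq $last) { $role = 'self-signed (no hierarchy)' }
    elseif ($i -eq 0)               { $role = 'end entity' }
    elseif ($i -eq $last)           { $role = 'root CA' }
    else                            { $role = 'subordinate / issuing CA' }

    # Per-tier status: empty means this certificate passed every check.
    $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }

    [pscustomobject]@{
        Tier       = $i
        Role       = $role
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        SelfSigned = ($c.Subject -eq $c.Issuer)
        NotAfter   = $c.NotAfter
        Status     = $status
    }
}
$tiers | Format-Table -AutoSize

if ($valid) {
    Write-Host 'Chain built: every tier chains to a trusted root and passed revocation checking.'
} else {
    Write-Host 'Chain FAILED. "Revoked" on a CA tier means the root has revoked that subordinate;'
    Write-Host '"RevocationStatusUnknown" or "OfflineRevocation" means the CRL/OCSP source was unreachable.'
    foreach ($s in $chain.ChainStatus) {
        Write-Host ('  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Run it as `.\Test-CaChain.ps1 -CertPath .\leaf.cer` (the script name is a placeholder). Two practical points follow from the output. First, clients only see the revocation of a compromised subordinate after the root CA has signed and published a new CRL at the CRL distribution point URL that the subordinate's certificate carries; on the root CA that is `certutil -revoke <SerialNumber> 2` (reason 2 = CA compromise) followed by `certutil -crl`. Second, an offline root must still be brought online periodically to re-sign its CRL before the current one expires, because with `NoFlag` an expired root CRL makes every chain under that root fail in exactly the same way as a real revocation.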
How to get a certificate:
Auto Enrollment – In an internal environment, certificates are distributed using templates and generally do not require user intervention. This is not available with external certificates.
Web Enrollment – Users can submit certificate requests to a CA through their web browser.
What is Credential Roaming:
Certificates can be stored in Active Directory to allow for credential roaming. Users can access their certificates from any computer within the domain.
What is an online Responder:
  • An Online Responder is used to make the process of validating a certificate more efficient.
  • Previously, the entire CRL had to be downloaded to the client in order to check the validity of a certificate.
  • The Online Responder only checks information about the certificate in question.
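Whether a client can use an Online Responder at all is decided by the extensions inside the certificate being checked. The following added PowerShell example (not code from the original post) decodes the two relevant extensions, the CRL Distribution Points extension (OID 2.5.29.31, the whole-list download described above) and the Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1, which can carry the OCSP responder URL), and then has `certutil -urlfetch -verify` actually fetch those URLs so you can confirm the responder is reachable rather than assuming it. `$CertPath` is a placeholder for any certificate file on disk.

```powershell
# Added example, not from the original post: show where a certificate tells a
# Windows client to fetch revocation data, then let certutil fetch it for real.
# Assumption: $CertPath is a placeholder for any certificate file on disk.
param(
    [string]$CertPath = 'C:\temp\leaf.cer'   # placeholder, not a path from the post
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# The two extensions a Windows client consults for revocation information.
$revocationSources = @{
    '2.5.29.31'         = 'CRL Distribution Points: client downloads and caches the entire CRL'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access: may list an OCSP responder (access method OID 1.3.6.1.5.5.7.48.1)'
}

foreach ($ext in $cert.Extensions) {
    if (-not $revocationSources.ContainsKey($ext.Oid.Value)) { continue }
    Write-Host ('== {0}' -f $revocationSources[$ext.Oid.Value])

    # Format($true) decodes the ASN.1 into the multi-line text certmgr.msc shows.
    $text = $ext.Format($true)
    Write-Host $text

    # Pull out the URLs. For AIA this also catches the CA Issuers URL, so the
    # decoded text above is what tells you which one is the OCSP responder.
    $urls = [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    if ($urls) { Write-Host ('   URLs: ' + ($urls -join ' | ')) }
    else       { Write-Host '   (no URL in this extension)' }
}

if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })) {
    Write-Host 'No AIA extension: clients cannot use an Online Responder for this certificate and fall back to the CRL.'
}

# certutil retrieves every CDP/AIA/OCSP URL it finds and prints a line per
# fetch ("Verified" or an error), so the Online Responder is tested for real
# instead of assumed from the extension text.
Write-Host '== certutil -urlfetch -verify'
& certutil.exe -urlfetch -verify $CertPath |
    Select-String -Pattern 'Verified|OCSP|CRL|Revocation|Expired|Error|Failed' |
    ForEach-Object { $_.Line }
```

The useful comparison is the size of what each path transfers: the CRL fetch returns the whole list of every certificate the issuing CA has revoked, while the OCSP fetch returns a single signed status for just this certificate's serial number. If the AIA extension is present but the OCSP line from certutil reports an error, the Online Responder is configured in the template but not reachable, and clients will silently fall back to the full CRL download.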
