Installing and Configuring Certificate Services

Certificate Services can be installed either during Windows 2000 Setup or afterwards using the Add/Remove Programs applet in Control Panel. If you are installing a root CA, a key pair is generated during installation and a self-signed certificate is created: the CA's public key is placed in the certificate, and the certificate is signed with the CA's private key. The process is slightly different if you are installing a subordinate CA. Instead of generating a self-signed certificate, the installation produces a certificate request that must be submitted to a parent CA (typically the root) for approval. Before the subordinate CA can be used, the parent must issue the certificate and you must install it on the subordinate.

To install Certificate Services, follow these steps:

  1. Click Start, point to Settings, and click Control Panel.

  2. Double-click the Add/Remove Programs applet.

  3. Click Add/Remove Windows Components. From the list of components, select Certificate Services. As shown in Figure 9.1, a window appears warning you that once the service is installed, the computer name and current domain membership cannot be changed. Click Yes to confirm and click Next.

    Figure 9.1. Microsoft Certificate Services warning message.

    graphics/09fig01.jpg

  4. Select the type of Certificate Authority you want to configure (see Figure 9.2). If the server is not a member of an Active Directory domain, you will have only the options to configure a Standalone Root CA or a Standalone Subordinate CA. Select Advanced Options on this page if you want to choose the CSP, hash algorithm, or key length yourself (step 5). Click Next.

    Figure 9.2. Selecting the Certificate Authority type.

    graphics/09fig02.jpg

  5. If you selected Advanced Options, the Public and Private Key Pair window appears, as shown in Figure 9.3. The options are summarized in Table 9.1. Click Next.

    Figure 9.3. Configuring public and private key pair settings.

    graphics/09fig03.jpg

  6. From the CA Identifying Information window shown in Figure 9.4, type the appropriate information. Click Next.

    Figure 9.4. CA Identifying Information.

    graphics/09fig04.jpg

  7. Specify the location of the certificate database and its logs. If Active Directory is not used, you can also specify a shared folder in which the CA publishes its configuration information (CA certificate and CRL) for clients. Click Next.

  8. A warning message appears stating that IIS must be stopped before proceeding. Click OK.

  9. Click Finish.
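Once the wizard finishes, it is worth confirming that what was installed matches what you intended: that the CA type is the one you selected, that the database and log paths are where you put them, and, for a root CA, that its certificate really is self-signed (for a subordinate, that the certificate issued by the parent has been installed). The following script is an added example and not part of the book. It assumes a Windows version that has PowerShell (Windows 2000 does not; the CertSvc registry layout it reads is the same one later versions use), that the value names CAType, CommonName, DBDirectory, DBLogDirectory and ConfigurationDirectory are present under the active CA's configuration key, and that it runs as a local administrator on the CA.

```powershell
# Added example (not from the book): inventory a freshly installed CA from the
# registry and check whether its certificate is self-signed (root) or issued by
# a parent (subordinate). Assumes PowerShell, local administrator rights on the
# CA, and the CertSvc registry value names used below.
$certSvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# ENUM_CATYPES values from the Certificate Services SDK header certsrv.h
$caTypeNames = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}

function Get-CAInventory {
    # The 'Active' value names the CA whose settings are in use on this server
    $active = (Get-ItemProperty -Path $certSvcRoot -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $certSvcRoot $active)

    $caType   = [int]$cfg.CAType
    $typeName = if ($caTypeNames.ContainsKey($caType)) { $caTypeNames[$caType] } else { "Unknown ($caType)" }

    # The CA's own certificate is kept in the local machine's Personal store.
    # A root CA's certificate is self-signed, so its Issuer equals its Subject.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$($cfg.CommonName)*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1

    [pscustomobject]@{
        CAName             = $active
        CAType             = $typeName
        CommonName         = $cfg.CommonName
        DatabaseDirectory  = $cfg.DBDirectory
        LogDirectory       = $cfg.DBLogDirectory
        SharedConfigFolder = $cfg.ConfigurationDirectory   # empty when AD holds the configuration
        Thumbprint         = $caCert.Thumbprint
        SelfSigned         = ($caCert -ne $null -and $caCert.Subject -eq $caCert.Issuer)
        ExpectedSelfSigned = ($caType -eq 0 -or $caType -eq 3)   # root CA types
    }
}

$inv = Get-CAInventory
$inv | Format-List

if ($inv.Thumbprint -eq $null) {
    Write-Warning "No CA certificate found for '$($inv.CommonName)': a subordinate CA stays unusable until the parent's issued certificate is installed."
} elseif ($inv.SelfSigned -ne $inv.ExpectedSelfSigned) {
    Write-Warning "CA type and certificate disagree: a $($inv.CAType) should have SelfSigned = $($inv.ExpectedSelfSigned)."
}
```

The two warnings cover the failure modes the installation text describes: a subordinate whose request was never approved and installed, and a certificate that does not match the CA type chosen in step 4.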

Table 9.1. Public and Private Key Pair Options

  CSP                 Select the cryptographic service provider (CSP) used to generate the CA's public and private key pair.

  Hash Algorithm      The hash algorithm the CA uses when it signs certificates and CRLs.

  Key Length          The length, in bits, of the CA's key pair.

  Use Existing Keys   Select this option to use an existing key pair (for example, when reinstalling or restoring a CA) instead of generating a new one.


Be prepared to encounter exam questions pertaining to renaming or changing the domain membership of a CA. Remember that once Certificate Services is installed, the computer cannot be renamed, nor can its domain membership be changed.


Configuring Certificate Services

After Certificate Services is installed, you use the Certificate Authority snap-in, available from the Administrative Tools menu, to perform most management tasks and to configure the CA. As shown in Figure 9.5, each CA has a set of configurable options available through its Properties window. The General tab provides basic information about the CA, such as the name assigned to it, the CSP, and the hash algorithm. These settings were configured during the installation of Certificate Services and cannot be changed here.

Figure 9.5. Configuring the properties for a CA.

graphics/09fig05.jpg

Policy modules enable an administrator to control the behavior of a certificate authority and determine the action that a CA takes when it receives a certificate request. These modules determine whether certificate requests are issued, denied, or marked as pending when they are received. By clicking the Configure button on the Policy Module tab, you can change the default behavior when a request is received (see Figure 9.6). Keep in mind that this setting cannot be changed for an enterprise CA because it uses Active Directory to determine the identity of requestors and whether they have permission to request the certificate type. On a Standalone CA, however, the policy module can be configured, and by default it marks incoming requests as pending so that an administrator must review each request and explicitly issue or deny it.

Figure 9.6. Configuring the policy module.

graphics/09fig06.jpg
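The setting behind the Configure button is a flags value, RequestDisposition, stored under the active policy module's registry key. The script below is an added example and not part of the book; it shows how to read that value and decode it, and the certutil commands to change it on a standalone CA. It assumes PowerShell and local administrator rights on the CA, that the active policy module is recorded in the Active value under PolicyModules, and that the flag values are the ones certutil prints when it decodes this setting (REQUESTDISPOSITION_ISSUE = 1, REQUESTDISPOSITION_PENDINGFIRST = 0x100); verify them on your own CA with `certutil -getreg policy\RequestDisposition`, which names the flags it finds.

```powershell
# Added example (not from the book): report how the active policy module will
# dispose of incoming requests. Assumes PowerShell, local administrator rights on
# the CA, and the registry value names used below.
$certSvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Flag values as certutil decodes them (assumption: verify with
# 'certutil -getreg policy\RequestDisposition')
$REQUESTDISPOSITION_ISSUE        = 0x1
$REQUESTDISPOSITION_PENDINGFIRST = 0x100

function Get-CARequestDisposition {
    $active     = (Get-ItemProperty -Path $certSvcRoot -Name Active).Active
    $policyKey  = Join-Path $certSvcRoot "$active\PolicyModules"
    $policyName = (Get-ItemProperty -Path $policyKey -Name Active).Active
    $disp = [int](Get-ItemProperty -Path (Join-Path $policyKey $policyName) -Name RequestDisposition).RequestDisposition

    # PENDINGFIRST wins over ISSUE: requests wait for an administrator's decision
    $behaviour = if ($disp -band $REQUESTDISPOSITION_PENDINGFIRST) {
                     'Pending: an administrator must issue or deny each request'
                 } elseif ($disp -band $REQUESTDISPOSITION_ISSUE) {
                     'Issue automatically when the request is received'
                 } else {
                     'Other: inspect with certutil -getreg policy\RequestDisposition'
                 }

    [pscustomobject]@{
        CAName       = $active
        PolicyModule = $policyName
        RawValue     = '0x{0:X}' -f $disp
        Behaviour    = $behaviour
    }
}

Get-CARequestDisposition | Format-List

# To change the behaviour on a standalone CA, set the value and restart the
# service so the policy module re-reads it (values are the decimal equivalents
# of the flags above):
#   certutil -setreg policy\RequestDisposition 257   # ISSUE | PENDINGFIRST: mark requests pending
#   certutil -setreg policy\RequestDisposition 1     # ISSUE: issue automatically
#   net stop certsvc
#   net start certsvc
```

Leaving a standalone CA on the pending setting is the safer default: nothing about a standalone request is authenticated, so automatic issuance would hand a certificate to anyone who can reach the enrollment pages.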

The exit module controls any post-processing of issued certificates, such as publishing them to Active Directory or to a file system. By clicking the Configure button on the Exit Module tab, you can configure a certificate authority to publish issued certificates to Active Directory and/or a file system (see Figure 9.7). The exit module also determines where the Certificate Revocation List (CRL) is published.

Figure 9.7. Configuring the exit module.

graphics/09fig07.jpg

As shown in Figure 9.8, the Storage tab shows where the CA's configuration data is stored. This data can be stored in Active Directory or in a shared folder; the location is chosen during the installation of Certificate Services and is read-only here. Remember that an Enterprise CA stores its configuration information in Active Directory, whereas a Standalone CA stores it locally (and optionally publishes it to the shared folder you specified during installation).

Figure 9.8. Viewing the Configuration data storage location.

graphics/09fig08.jpg

The Security tab allows you to configure CA access permissions. By default, Authenticated Users are assigned the Enroll and Read permissions, so any user who is logged on to the domain can request certificates from the CA. The local Administrators group, Domain Admins, and Enterprise Admins are also granted the Manage permission, which gives them full control of the CA. If the default permissions do not meet your requirements, you can use the Security tab shown in Figure 9.9 to modify them.

Figure 9.9. Configuring security for a CA.

graphics/09fig09.jpg

Certificate Templates

Certificate templates define a certificate's contents and intended use. Each template holds a preset configuration for a common type of certificate, and the CA uses that configuration when it issues certificates from the template, which simplifies the process of requesting and issuing certificates. When a user requests a certificate from a CA, the user may be able to choose from a number of certificate templates, depending on the permissions configured on each template.

Several certificate templates are included with Windows 2000. The templates that are available depend on the type of CA being installed. For example, when an Enterprise CA is configured, the following templates are installed:

  • Administrator

  • Domain Controller

  • Computer

  • Basic EFS

  • EFS Recovery Agent

  • User

  • Subordinate Certification Authority

  • Web Server

The templates listed within the Policy Settings container are the default templates that the CA can issue. Other templates can be added in the Certificate Authority snap-in if necessary. For example, if your organization deploys smart cards, you can add the Smartcard Logon and Smartcard User certificate templates to the Policy Settings container. To do so, right-click the Policy Settings container, point to New, and click Certificate to Issue. From the Select Certificate Template window shown in Figure 9.10, select the template you want to add and click OK.

Figure 9.10. Configuring additional templates.

graphics/09fig10.jpg

A template's ACL (access control list) controls which users and computers can enroll for that type of certificate. Each template has default permissions that can be edited if necessary. The CA grants a request for a template only to a user or computer that has been assigned the Enroll permission on that template, so the template ACL is the second gate a requestor must pass after the CA's own permissions.

To edit the ACL of a certificate template, follow these steps:

  1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Sites and Services.

  2. Click the View menu and select the Show Services Node option.

  3. Expand the Services container and expand Public Key Services.

  4. Click the Certificate Templates folder.

  5. Right-click the appropriate template, click Properties, and select the Security tab shown in Figure 9.11.

    Figure 9.11. Configuring certificate template security.

    graphics/09fig11.jpg

  6. Ensure the appropriate users or groups have the Enroll permission to request the certificate type.
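The same ACL can be audited and changed without the GUI, which is useful when you need to review every template rather than click through them one by one. The script below is an added example and not part of the book. It assumes PowerShell with .NET's System.DirectoryServices on a domain-joined host, read access to the Configuration partition (and write access to the template for the Grant function), and that the Enroll permission shown on the Security tab corresponds to the Certificate-Enrollment extended right, whose rights GUID is 0e10c968-78fb-11d2-90d4-00c04f79dc55. Template names are the objects' CNs in Active Directory (SmartcardLogon, User, WebServer, and so on), not their display names; the example principal CONTOSO\Smartcard Users is made up.

```powershell
# Added example (not from the book): list which principals hold Enroll on a
# certificate template, and optionally grant it to a group. Assumes PowerShell,
# System.DirectoryServices, and a domain-joined host with rights on the
# CN=Certificate Templates container.
Add-Type -AssemblyName System.DirectoryServices

# Certificate-Enrollment extended right; this is what the Enroll checkbox sets
$enrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

function Get-TemplateEntry([string]$TemplateName) {
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
}

function Get-TemplateEnrollers([string]$TemplateName) {
    $entry = Get-TemplateEntry $TemplateName
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        # Enroll is granted explicitly, by "all extended rights", or by full control
        $explicitEnroll = ($rule.ObjectType -eq $enrollRightGuid)
        $allExtended    = (($rule.ActiveDirectoryRights -band $adRights::ExtendedRight) -ne 0) -and
                          ($rule.ObjectType -eq [guid]::Empty)
        $fullControl    = (($rule.ActiveDirectoryRights -band $adRights::GenericAll) -eq $adRights::GenericAll)
        if ($explicitEnroll -or $allExtended -or $fullControl) {
            [pscustomobject]@{
                Template  = $TemplateName
                Principal = $rule.IdentityReference.Value
                Access    = $rule.AccessControlType        # Allow or Deny
                Via       = if ($explicitEnroll) { 'Enroll' } elseif ($allExtended) { 'All extended rights' } else { 'Full control' }
            }
        }
    }
}

function Grant-TemplateEnroll([string]$TemplateName, [string]$Principal) {
    $entry    = Get-TemplateEntry $TemplateName
    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $adRights::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $enrollRightGuid)
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()     # writes the modified ACL back to Active Directory
}

# Audit the smart card logon template (step 6 of the procedure above)
Get-TemplateEnrollers -TemplateName 'SmartcardLogon' | Format-Table -AutoSize

# Uncomment to grant Enroll to a group (hypothetical group name):
# Grant-TemplateEnroll -TemplateName 'SmartcardLogon' -Principal 'CONTOSO\Smartcard Users'
```

When reviewing the output, pay particular attention to Deny entries and to anyone who holds Enroll on the Subordinate Certification Authority, Domain Controller, and EFS Recovery Agent templates: those templates issue certificates that can sign other certificates, impersonate infrastructure, or decrypt other users' files, so their ACLs deserve the same scrutiny as the CA's own Manage permission.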



MCSE Windows 2000 Network Infrastructure Exam Cram 2 (Exam Cram 70-216)
ISBN: 078972863X
Year: 2005
Pages: 167