This lab prepares you to design a PKI by meeting the following objectives:
- Design a Certification Authority (CA) structure
- Design a PKI to support the certificate life cycle
- Design certificate-based authentication
About This Lab
This lab explores the design decisions you face when implementing a PKI in a Windows 2000 network.
Before You Begin
Make sure that you've completed reading the chapter material before starting the lab. Pay close attention to the sections where the design decisions were applied throughout the chapter for information on building your administrative structure.
Scenario: Contoso Ltd.
Contoso Ltd., an international magazine sales company, wants to deploy its own PKI to support certificate-based authentication and encryption on its network. Contoso wants to develop a CA hierarchy that matches its current administrative structure.
Defining the CA Requirements
Contoso wants to develop a CA structure that allows management of the certificate deployment at each of its regional offices in Lima, London, and Seattle. At each office, separate CAs will be established to support ongoing projects. Separate CAs must be established for each project to ensure that the CA design decisions for one project don't affect the availability of the CA associated with a different project.
Contoso doesn't want the actions of one regional office to affect the others. Likewise, the actions in one project's CA shouldn't affect the security of another project's CA. If the need arises to redeploy Certificate Services for one office, the redeployment shouldn't affect the others.
Contoso wants to ensure that the root CA is protected from attackers. The PKI design should provide protection against both deliberate attack (compromise or theft of the root CA's private key) and natural disaster (loss of the root CA itself).
PKI-Aware Projects at Contoso
Contoso requires a PKI for three separate projects:
- The Contoso Web site will start to sell magazine subscriptions online. Each office will be responsible for allowing certificate-based authentication to its region's subscription Web site. The office's IIS server hosting the subscription Web site should be configured to allow both user-entered (user name and password) authentication and certificate-based authentication when someone places an online order. Customers will obtain their certificates for authentication by completing a Web-based form. A certificate administrator will review the form and either issue or deny the certificate.
- Contoso wants to allow employees of a partner organization named Northwind Traders to access data stored on an IIS server located in the Contoso extranet at the London office. The Northwind Traders employees involved in the project will acquire their certificates from a CA in the Northwind Traders CA hierarchy named Cooperation. Contoso has decided that all employees who are issued certificates from the Cooperation CA will have the same level of access to the project data. The Northwind Traders users will simply have to provide a certificate issued by the Cooperation CA to prove their identity before gaining access to the project Web site. Figure 10.25 shows the CA hierarchy for Northwind Traders.
Figure 10.25 The Northwind Traders CA hierarchy
Exercise 1: Designing a CA Hierarchy for Contoso Ltd.
This exercise has you design a CA hierarchy that meets the design requirements defined by Contoso Ltd. Answers to these questions can be found in the appendix.
- How many separate CA hierarchies does the Contoso Ltd. PKI deployment need?
- What can you do to protect the root CA from attackers?
- What can you do to protect the root CA from natural disaster?
- To meet design requirements, what structure should you define for the second level of CAs in the Contoso CA hierarchy?
- To meet design requirements, what structure should you define for the third level of CAs in the Contoso CA hierarchy?
- To meet the security requirements, which levels of CAs should be offline CAs? Would the offline CAs be Standalone or Enterprise CAs?
- What must you do to ensure the availability of the certificate revocation list for the root CA?
- In the space below, draw a CA hierarchy for Contoso CA that meets all design requirements.
Exercise 2: Planning Security for Web-Based Subscriptions to Magazines
This exercise looks at the design required to secure subscriptions to Contoso's magazines using the subscription Web site. Answers to these questions can be found in the appendix.
- From what type of CA should Contoso acquire the certificate for the Web servers hosting the subscription Web site? What purpose will the keys associated with this certificate be used for?
- What must you do to allow customers to choose either certificate-based or user-entered authentication to the subscription Web site?
- What type of CA should be used to allocate certificates to customers for accessing the subscription Web site?
- Assuming that customers will connect only to the Web site in their locale, what type of certificate mapping must be defined to allow certificate-based authentication to the subscription Web site?
- Would one-to-one or many-to-one certificate mappings be used for the subscription Web site project?
- Assume that in an average day the WebSeattle CA certificate administrator revokes 10 certificates. What would you recommend as a CRL publication schedule if Contoso wants all certificate revocations to be effective within one business day of the revocation?
- What problems would arise if the CRL publication schedule for the WebLondon CA were set to be one hour?
Exercise 3: Planning Partner Access
The following exercise looks at the design decisions that Contoso will face in providing certificate-based authentication to Northwind Traders' employees involved in the project shared by Contoso and Northwind Traders. Answers to these questions can be found in the appendix.
- What type of hierarchy must be established to allow certificates issued by the Northwind Traders CA to be recognized by clients in the Contoso Ltd. forest?
- If cross-certification is defined between the root CAs of the Contoso and Northwind Traders CA hierarchies, will the security requirements defined for the project shared by Northwind Traders and Contoso be met?
- What can you do to trust only certificates issued by the Cooperation CA for the purpose of authenticating with the Web server and to reject all certificates issued from the Northwind Traders CA hierarchy?
- What type of certificate mapping must you configure to allow Northwind Traders users access to the project Web site?
- Where should you define the account mapping? In Active Directory or in IIS?
- What risks are there when a many-to-one mapping is defined and the certificates used in the many-to-one mapping aren't issued by a CA in your management control?
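The trust and mapping decisions behind the last four questions can be made concrete in code. The following Python is an added example written for this page, not part of the lab or its appendix answers. It builds a constructed stand-in for the Northwind Traders hierarchy in Figure 10.25 (a root with two subordinate CAs, one of them named Cooperation; the second subordinate, the account names and all distinguished names are assumptions), then contrasts two acceptance policies: trusting anything that chains to the Northwind root (what a root-level cross-certification gives you) versus pinning acceptance to certificates issued directly by the Cooperation CA. A many-to-one mapping is layered on top so the risk in the final question is visible: under root-level trust, a certificate from the other Northwind subordinate CA also lands on the shared project account.

```python
"""Added example: chain validation, issuer pinning and account mapping.

All certificate data is constructed for illustration. A real client
certificate would be parsed from DER/PEM and its signatures checked;
here each record carries only the fields the trust decision needs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


# Constructed Northwind Traders hierarchy (stand-in for Figure 10.25).
NW_ROOT = Cert("CN=Northwind Root CA,O=Northwind Traders",
               "CN=Northwind Root CA,O=Northwind Traders", is_ca=True)
COOPERATION_CA = Cert("CN=Cooperation,O=Northwind Traders", NW_ROOT.subject, is_ca=True)
INTERNAL_CA = Cert("CN=Internal,O=Northwind Traders", NW_ROOT.subject, is_ca=True)  # assumed second subordinate

CA_STORE = {c.subject: c for c in (NW_ROOT, COOPERATION_CA, INTERNAL_CA)}

SHARED_PROJECT_ACCOUNT = "CONTOSO\\NWProjectUser"  # assumed name of the one shared account


def build_chain(leaf, store):
    """Follow issuer links from the leaf to a self-signed cert.

    Returns [leaf, ..., root], or None if an issuer is missing, is not a CA,
    or the links loop. Signature checks are out of scope for this example.
    """
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.subject != cur.issuer:
        nxt = store.get(cur.issuer)
        if nxt is None or not nxt.is_ca or nxt.subject in seen:
            return None
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def accept_root_cross_cert(leaf, store):
    """Policy A: cross-certification with the Northwind root.

    Any certificate that chains to that root is accepted, including ones
    issued by subordinate CAs Contoso never meant to trust.
    """
    chain = build_chain(leaf, store)
    return chain is not None and chain[-1].subject == NW_ROOT.subject


def accept_cooperation_only(leaf, store):
    """Policy B: trust pinned to the Cooperation CA.

    The chain must still terminate at the Northwind root, and the leaf's
    direct issuer must be the Cooperation CA itself.
    """
    chain = build_chain(leaf, store)
    return (chain is not None
            and chain[-1].subject == NW_ROOT.subject
            and leaf.issuer == COOPERATION_CA.subject)


def map_account(leaf, store, accept, one_to_one=None):
    """Map an accepted client certificate to a Windows account.

    one_to_one: optional {subject DN: account}; an exact subject match wins.
    Otherwise every accepted certificate maps to the single shared project
    account (a many-to-one mapping). Returns None when the cert is rejected.
    """
    if not accept(leaf, store):
        return None
    if one_to_one and leaf.subject in one_to_one:
        return one_to_one[leaf.subject]
    return SHARED_PROJECT_ACCOUNT


# Constructed leaf certificates.
COOP_USER = Cert("CN=Alice,OU=Project,O=Northwind Traders", COOPERATION_CA.subject)
INTERNAL_USER = Cert("CN=Bob,OU=Sales,O=Northwind Traders", INTERNAL_CA.subject)
ORPHAN_USER = Cert("CN=Mallory,O=Unknown", "CN=No Such CA,O=Unknown")
```

Under policy A the Internal CA certificate is mapped to the shared account exactly as a Cooperation certificate is; under policy B it is rejected while the Cooperation user still maps. Either way, the many-to-one mapping means Contoso's access decision is only as good as the issuance practices of a CA it does not administer, which is the point of the last question.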