Public key encryption uses two keys to encrypt and decrypt messages. A message encrypted with one key of the pair can only be decrypted with the other key, and vice versa.
To send a private message using public key encryption, encrypt the message with the recipient's public key. Only the matching private key can decrypt it.
Certificates expire at a time specified when the certificate is generated. CRLs are used to revoke a certificate before that specified time.
A CA cannot issue certificates that are valid beyond the expiration date of its own certificate, so the root CA's lifetime bounds the lifetime of everything beneath it. Specifying a long lifetime for the root CA reduces the administrative labor of renewing it, but a key that stays in use that long gives an attacker more time for brute force attacks against it.
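The two rules above (a certificate may not outlive its issuer; a CRL revokes it before its natural expiry) are easiest to see as a chain check. The following is an added example, not code from the book: it models certificates and CRLs as names, serials and dates only (the CA names, serials and dates are constructed), and deliberately omits signature verification, which the page notes a real CRL carries.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Cert:
    subject: str
    issuer: str            # subject name of the issuing CA
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime  # after this the CRL is stale and must be refreshed
    revoked: frozenset = frozenset()  # serial numbers revoked by the issuer

def validate_chain(chain, crls, now):
    """chain[0] is the end-entity cert, chain[-1] the self-signed root; crls maps
    an issuer name to its latest CRL. Returns (ok, reason). No signature checks:
    this model carries names and dates, not keys."""
    if not chain:
        return False, "empty chain"
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside its validity period"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        # A CA cannot issue a certificate valid beyond its own expiry date.
        if cert.not_after > issuer.not_after:
            return False, f"{cert.subject}: valid beyond issuer {issuer.subject}"
        crl = crls.get(issuer.subject)
        if crl is None or not (crl.this_update <= now <= crl.next_update):
            return False, f"{issuer.subject}: no current CRL available"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject}: serial {cert.serial} is revoked"
    root = chain[-1]
    if root.issuer != root.subject:
        return False, f"{root.subject}: chain does not end at a self-signed root"
    return True, "chain valid"

# Constructed sample hierarchy and CRLs (illustrative names, not real certificates)
D = datetime
ROOT = Cert("Contoso Root CA", "Contoso Root CA", 1, D(2003, 1, 1), D(2013, 1, 1))
SUB = Cert("Contoso Issuing CA", "Contoso Root CA", 2, D(2004, 1, 1), D(2009, 1, 1))
ALICE = Cert("alice", "Contoso Issuing CA", 1001, D(2005, 1, 1), D(2006, 1, 1))
CRLS = {"Contoso Root CA": CRL("Contoso Root CA", D(2005, 1, 1), D(2006, 1, 1)),
        "Contoso Issuing CA": CRL("Contoso Issuing CA", D(2005, 6, 1), D(2005, 7, 1), frozenset({1002}))}
```

Note that a stale CRL is treated as a hard failure: without a current CRL from the issuer, the relying party cannot know whether the certificate was revoked early.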
Microsoft certification authorities (CAs) support two types of certificate templates: version 1 and version 2. Version 1 templates are provided for backwards compatibility and support many general needs for subject certification. Version 2 templates allow for the customization of most settings in the template.
Version 2 templates require Active Directory. They can be created and duplicated on any member of the Windows Server 2003 family; however, certificates based on version 2 templates can be issued only by a CA that is running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.
A Windows Server 2003 family CA provides several methods for certificate enrollment: Web-based, the Certificates console, the Certreq.exe command-line utility, and autoenrollment.
If you have a client running an operating system earlier than Windows 2000, you must use manual enrollment, because such a client is not aware of Active Directory and Group Policy. Windows 2000 supports autoenrollment of computer certificates, and Windows XP and Windows Server 2003 support autoenrollment of both user and computer certificates.
Autoenrollment enables organizations to automatically deploy public key–based certificates to users and computers. It also supports smart card–based certificates.
If a user loses access to a private key, the user can lose important data. Specifically, EFS-encrypted files will be inaccessible.
Key archival and recovery can scale to meet enterprise requirements. However, it requires version 2 certificates, enterprise CAs, and Active Directory.
Before taking the exam, review the key topics and terms that are presented in this chapter. You need to know this information.
Understand why PKIs are used and know the various components that make up a PKI.
Understand how to create and modify certificate templates, and know the functionality of the different versions of templates.
Understand the restrictions imposed on clients using previous versions of Windows.
Know the advantages and disadvantages of each enrollment method.
Be able to describe the purpose of CRLs, how to configure them, and how to troubleshoot them.
Be able to configure Certificate Services to archive keys, and know how to recover those keys when a private key has been lost.
application policies: Application policies, also known as extended key usage or enhanced key usage, give you the ability to specify which certificates can be used for which purposes. This allows you to issue certificates widely without being concerned that they will be used for an unintended purpose.
certificate revocation list (CRL): A CRL is a document maintained and published by a CA that lists certificates that have been revoked. A CRL is signed with the private key of the CA to ensure its integrity.
digital certificate: A digital certificate provides information about the subject of the certificate, the validity of the certificate, and what applications and services will use the certificate. A digital certificate also provides a way to identify the holder of the certificate.
digital certificate life cycle: When a certificate is issued, it passes through various phases and remains valid for a certain period of time. This period is called the certificate lifetime.
certificate templates: Certificate templates are the sets of rules and settings that define the format and content of a certificate based on its intended use.
single-function template: A single-function template is a certificate template that is highly restricted and can only be used for a single function.
multiple-function template: A multiple-function template is a certificate template that can be used for several functions. For example, you can use a single user certificate template to encrypt and decrypt files, to authenticate with a server, and to send and receive secure e-mail.
certificate template permissions: Certificate template permissions define the security principals that can read, modify, or enroll for certificates based on certificate templates.