Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning , Microsoft

Microsoft Virtual Academy

Active Directory Certificate Services

(AD CS)

Module Overview
What is AD CS?

What does AD CS do/provide?

Module Overview
Overview of Active Directory Certificate Services

Understanding Active Directory Certificate Services Certificates

Implementing Certificate Enrollment and Revocation

Lesson 1: Overview of Active Directory Certificate Services

What Is a Certification Authority?

How CA Hierarchies Work

Options for Implementing CAs

Options for Integrating AD CS and AD DS

Demonstration: Tools for Managing AD CS

What Is a Certification Authority?

A Certification Authority (CA) is an entity entrusted to issue certificates to: Individuals Computers Organizations Services

These certificates verify the identity and other attributes of the certificate subject to other entities

How CA Hierarchies Work

CA hierarchies include a root CA and one or more levels of subordinate CAs Reasons for deploying more than a single server CA hierarchy:
Usage Organizational divisions Geographic divisions Load balancing High availability Restrict administrative access

Options for Implementing Certification Authorities

When implementing a CA solution, you can:
Use an internal private CA Use an external public CA

Internal CAs are less expensive and provide more administrative options, but the issued certificates are not trusted by external clients

Options for Integrating AD CS and AD DS

Enterprise Can use without AD DS Stand-Alone X

Uses Group Policy for Trusted Root propagation

Publishes certificates and CRL to AD DS Can enforce credential checks during enrollment

X
X X X X X X

Can have subject name generated automatically from logon credentials

Can use certificate templates Can be used to generate smart card Windows domain authentication certificates Can use certificate auto-enrollment

Demo: Tools for Managing AD CS

Certification Authority

Certificate Templates
Online Responder Enterprise PKI Certificates

Lesson 2: Understanding Active Directory Certificate Services Certificates

What Are Digital Certificates?

How Public Keys and Private Keys Work

Demonstration: Using Certificates to Secure Data

What Are Certificate Templates?

What Are Digital Certificates?

A certificate is a digital file with two parts
Base certificate information Public Key

Public keys are distributed to all clients who request the key
Private keys are stored only on the computer from which the certificate was requested

How Public Keys and Private Keys Work

Plaintext

SSL (Encrypted)

Plaintext

Web Server

Encrypt

Decrypt

Web Client

Different keys are used to encrypt and decrypt the message

Private Key

Public Key

Demonstration: Using Certificates to Secure Data

In this demonstration, you will see how to use certificates to secure data

What Are Certificate Templates?

Certificate templates:
Define what certificates can be issued by the CAs Define certificates used for various purposes Define which security principals have permissions to read, enroll, and configure the certificate template

Lesson 3: Implementing Certificate Enrollment and Revocation

Options for Implementing Certificate Enrollment

Demonstration: Using Web Enrollment to Obtain Certificates

Administering Certificate Enrollment

Demonstration: Administering Certificate Requests

Options for Automating Certificate Enrollment What is Certificate Revocation? Demonstration: Revoking Certificates

Options for Implementing Certificate Enrollment

What methods are used for certificate enrollment?
Web Enrollment Manual/Offline Enrollment

Automatic Enrollment

Demo: Using Web Enrollment to Obtain Certificates

In this demonstration, you will see how to use Web enrollment to obtain certificates

Administering Certificate Enrollment

To obtain a certificate using manual enrollment: 1 Create a certificate request 2 Submit certificate request to CA 3 Obtain administrative approval for certificate 4 Retrieve certificate from CA and install on client

Demo: Administering Certificate Requests

In this demonstration, you will see how to administer certificate requests

Options for Automating Certificate Enrollment

Group Policy triggers automatic request

Enterprise CA
Group Policy

Domain Computer Auto-enroll is enabled on the template from which the requested certificate is created

What Is Certificate Revocation?

Certificate revocation occurs when a certificate is invalidated before its expiration period

Clients can ensure the certificate has not been revoked by using the following methods:
Online Certificate Status Protocol responder service (OCSP)

Certificate Revocation Lists (CRLs)

Demonstration: Revoking Certificates

In this demonstration, you will see how to revoke certificates

Module Review and Takeaways

Review Questions

Summary of AD CS

Thanks for Watching!

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.