A Guide to Windows Certification & Public Keys
By Jan De Clercq, Brett Hill, John Savill, and Randy Franklin Smith
An IT Pro Series Book, brought to you by Thawte and Windows IT Pro eBooks
Contents

Chapter 1: Uncover PKI and Certificate Services in Windows Server 2003 (p. 1)
by Jan De Clercq
  Windows 2003 Certificate Services Architecture (p. 1)
  Windows 2003 Certificate Services Installation (p. 5)
  Certificate Templates (p. 7)
  Certificate Request Information Retrieval (p. 7)
  Automated Certificate Enrollment (p. 7)
  Centralized Key Archival (p. 7)
  Certificate Request Approval (p. 8)
  Publishing Certificates and CRLs (p. 8)
  The Best CA for the Job (p. 8)

Chapter 2: CA Trust Relationships in Windows Server 2003 PKI (p. 9)
by Jan De Clercq
  Hierarchical Trust Model (p. 9)
  The Networked Trust Model (p. 11)
  Constrained Trust (p. 12)
  Defining Trust Constraints (p. 18)
  Flexible PKI Trust Definition (p. 19)

Chapter 3: User-Side PKI Trust Management (p. 20)
by Jan De Clercq
  User-Centric PKI Trust Management (p. 21)
  Centralized User PKI Trust Management (p. 23)
  Flexible PKI Trust Definition (p. 25)

Chapter 4: Validating Digital Certificates in Windows PKI (p. 26)
by Jan De Clercq
  Certificate-Validation Checks (p. 26)
  Regular Certificate-Chain Processing (p. 27)
  CTL Certificate-Chain Processing (p. 30)
  Cross-Certification Chain Processing (p. 30)

Chapter 5: Windows Server 2003 PKI Certificate Autoenrollment (p. 32)
by Jan De Clercq
  How Autoenrollment Works (p. 32)
  Setting Up Certificate Autoenrollment (p. 34)
  Forcing Automatic Enrollment and Renewal (p. 36)
  Advanced Autoenrollment Options (p. 37)
  Ease of Use (p. 39)

Chapter 6: Understanding Windows PKI Certificate Revocation (p. 40)
by Jan De Clercq
  Certificate Revocation Lists (p. 40)
  Revoking a Certificate (p. 43)
  PKI-Enabled Application Revocation Checking Support (p. 44)
  Automated Revocation Checking (p. 45)
  CRL Distribution Points (p. 45)
  Netscape Revocation Extensions (p. 48)
  A Crucial PKI Service (p. 48)

Chapter 7: Windows Server 2003 PKI Key Archival and Recovery (p. 49)
by Jan De Clercq
  Configuring Automatic Key Archival and Recovery (p. 49)
  Automatic Key Archival and Recovery Architecture (p. 51)
  Sidebar: Manual Key Archival and Recovery (p. 52)
  Key Recovery (p. 53)
  Data Recovery vs. Key Recovery (p. 55)
  Powerful Capabilities (p. 56)

Chapter 8: Using Certificates to Secure Your WLAN (p. 57)
by Randy Franklin Smith
  Adding X (p. 58)
  Certificate Services (p. 58)
  Obtaining Certificates (p. 59)
  Wireless Client Network Settings (p. 59)
  Configure IAS and the APs (p. 61)
  Test Case (p. 62)

Chapter 9: FAQs (p. 63)
  Obtaining a Server Certificate from Your Own CA, by Randy Franklin Smith (p. 63)
  Using Windows Server 2003’s Certificate Templates, by Randy Franklin Smith (p. 64)
  Enabling SSL on Your Site, by Brett Hill (p. 65)
  Using the SSL Protocol to Secure HTTP Basic Authentication Traffic, by Jan De Clercq (p. 66)
  Addressing ActiveX Controls, by John Savill (p. 66)
  Enabling SSL on IIS, by John Savill (p. 67)
  IIS Client Service Mapping, by Jan De Clercq (p. 67)
  Controlling Which CAs Windows Can Trust, by Randy Franklin Smith (p. 70)
  Mitigating a Problem with Computer-Only Authentication to a WLAN, by Randy Franklin Smith (p. 71)
  Setting Up SSL Certificates for an NLB Cluster, by Paul Robichaux (p. 72)
Chapter 1
Uncover PKI and Certificate Services in Windows Server 2003
—by Jan De Clercq

The core component of the Windows Server 2003 public key infrastructure (PKI) software is the Certification Authority (CA), which Microsoft often refers to as the Certificate Server or Certificate Services. A CA receives and processes PKI user certificate requests, identifies and validates those requests, issues certificates according to the PKI’s security policy, renews and revokes certificates, publishes certificates to different locations, creates and publishes certificate revocation lists (CRLs), and logs all certificate and CRL transactions to the appropriate database. A Windows 2003 CA can also perform secure private key archival and recovery. To better understand how CAs and PKI have evolved in Windows 2003, let’s examine the components of the latest Certificate Services architecture and the differences between establishing an enterprise CA and a standalone CA in Windows 2003.

Windows 2003 Certificate Services Architecture

The Windows 2003 Certificate Services architecture is almost identical to the architecture that Microsoft used for previous editions of Certificate Services. A key difference is that Microsoft modified the CA database layout to let the CA archive and recover PKI users’ private keys. Figure 1 shows the architecture, which includes various modules, databases, administrative tools, intermediaries, and CryptoAPI.