Windows Server 2008 PKI in Practice, Part 1: Management


Microsoft's PKI gained many improvements and new features in Windows Server 2008. The first is certificate lifecycle management, in particular autoenrollment of computer and user certificates. Windows Server 2008 also extends lifecycle management with credential roaming, a feature we describe later in this article.

A more general need on the developer side is to tie the PKI to the company's business applications. A good example is a company that wants to build smart-card or other strong authentication into its own software. The new certificate enrollment API (CertEnroll) lets this be integrated far more smoothly than before.

On the server side, the usability improvements show in how certificate services are deployed and managed. Certificate revocation has also been improved significantly, especially revocation checking, which now has an OCSP responder built into the product.

Lab Environment

Let's take an example:

We use a server named SEA-DC-01, which is a domain controller and DNS server, and we will demonstrate how to install the Active Directory Certificate Services role on it, as shown in Figure 1.

Figure 1: PKI demonstration in Windows Server 2008

Windows Server 2008 includes the Add Roles Wizard. The wizard does not only install a role; it also walks through the configuration the role needs in order to work, so the key configuration tasks are part of the wizard itself. The settings it proposes are secure by default and are sensible choices for most environments. Our first step is to open Server Manager, which lists every installed role in detail. At the moment the Active Directory Domain Services and DNS Server roles are configured; what we add today is Active Directory Certificate Services. Because we will use web enrollment, the Web Server (IIS) role has to be added as well; the wizard prompts to add it when the web enrollment role service is selected.

As a best practice, before adding the role we should give the Administrator account a strong password, assign the server a static IP address, and make sure the latest security updates are installed.

We select Active Directory Certificate Services, as shown in Figure 2. The wizard then shows only the steps that apply to the role we are adding.

The first page is an introduction to Active Directory Certificate Services with links to further deployment and management information for a Windows Server 2008-based public key infrastructure.

The certificate server consists of several role services, as shown in Figure 3. Because we will use web enrollment, we must also add the Web Server (IIS) role.

A public key infrastructure is made up of several components: certificates, certificate revocation lists (CRLs), and certification authorities (CAs). Most applications that rely on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), the Encrypting File System (EFS) and smart cards, need to check the status of a certificate when they authenticate, sign or encrypt. There are several ways to check revocation status; the most common are CRLs, delta CRLs and the Online Certificate Status Protocol (OCSP). We will add the Online Responder role service, which provides OCSP. Note that selecting the role service only installs it: after installation the responder still needs a revocation configuration and an OCSP Response Signing certificate before clients can use it.

A CA can be installed as an enterprise CA or a standalone CA, as shown in Figure 4. The difference is whether the CA uses Active Directory Domain Services: an enterprise CA must run on a domain member and uses the directory for certificate templates, certificate publishing and autoenrollment, while a standalone CA does not use the directory and, by default, holds requests for manual approval. The enterprise option is only offered when the server is a domain member and the installer has Enterprise Admin rights.

This server must be a root CA, as shown in Figure 5, because there is no existing CA from which it could obtain a certificate. For this demonstration the root CA is installed on the domain controller; in a production deployment the root CA should be kept offline and should issue certificates only to subordinate (issuing) CAs.

Since this is a new installation, we create a new private key for the CA, as shown in Figure 6. The CA uses this key to sign every certificate and CRL it issues, so it must be protected. With the software provider chosen in the next step the key is stored on the server's disk, which is acceptable for a lab; production CAs usually keep it in a hardware security module.

Several cryptographic service providers (CSPs) and hash algorithms can be selected, as shown in Figure 7. The defaults are RSA#Microsoft Software Key Storage Provider, a 2048-bit key, and SHA1. Keep the 2048-bit key length, but SHA1 is no longer acceptable for certificate signatures: choose SHA256 here rather than changing it afterwards with certutil -setreg ca\csp\CNGHashAlgorithm SHA256 and renewing the CA certificate.

We keep the default name for the CA, as shown in Figure 8. The name becomes the subject of the CA certificate and the issuer of every certificate it signs, so it cannot be changed later without reinstalling the CA.

Every certificate has an expiration date, after which it is no longer accepted as a valid credential. When the CA certificate expires it can be renewed with the same key pair or with a new one. We keep the default validity period, as shown in Figure 9. Note that a CA cannot issue certificates that outlive its own certificate, so the root's validity period bounds every certificate below it.

The locations of the CA database and its log files can be changed during installation, as shown in Figure 10.

Because IIS is a dependency, it is installed in this demonstration as well and has to be configured. No special options are needed for the IIS installation, as shown in Figure 11, so we keep the defaults and move on to the final page.

The summary of installation options for the role can be printed, e-mailed or saved via the link on the confirmation page; this opens a Windows Internet Explorer window listing all of the information, as shown in Figure 12.

We are now ready to begin the installation, as shown in Figure 13. When it completes, the server can issue and manage certificates and keys for users and computers.
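The wizard pages above (CA type, root CA, key, hash algorithm, validity and the revocation options) all end up in the CertSvc registry configuration and in the CA's own certificate. The following script is an added example, not part of the original article or of Microsoft's tooling: run on SEA-DC-01 in an elevated PowerShell session after the installation, it reads that configuration and reports the defaults a practitioner would revisit before issuing certificates. It assumes nothing about names: the CA name is read from the registry's Active value, and the publication-URL flag values (2 and 32) are the CSURL_ADDTOCERTCDP and CSURL_ADDTOCERTOCSP constants from certsrv.h.

```powershell
# Added example: audit the CA settings written by the Add Roles Wizard.
# Not part of the original article or of Microsoft's tooling.

function Get-CaConfiguration {
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # The 'Active' value names the CA; its subkey holds the CA settings and the
    # CSP subkey records the key storage provider and the signing hash.
    $caName = (Get-ItemProperty -Path $cfgKey).Active
    $ca     = Get-ItemProperty -Path "$cfgKey\$caName"
    $csp    = Get-ItemProperty -Path "$cfgKey\$caName\CSP"

    # CAType values as defined in certsrv.h (ENUM_CATYPES).
    $caTypes = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                  3 = 'Standalone Root CA'; 4 = 'Standalone Subordinate CA' }

    # The CA's own certificate sits in the machine Personal store. A root CA's
    # certificate is self-signed, so its subject and issuer are identical.
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$caName*" } |
        Select-Object -First 1

    New-Object PSObject -Property @{
        Name           = $caName
        Type           = $caTypes[[int]$ca.CAType]
        Provider       = $csp.Provider
        HashAlgorithm  = $csp.CNGHashAlgorithm
        KeySize        = $(if ($caCert) { $caCert.PublicKey.Key.KeySize } else { 0 })
        SelfSigned     = [bool]($caCert -and $caCert.Subject -eq $caCert.Issuer)
        CrlPeriodUnits = [int]$ca.CRLPeriodUnits
        CrlPeriod      = [string]$ca.CRLPeriod
        CdpUrls        = [string[]]$ca.CRLPublicationURLs
        AiaUrls        = [string[]]$ca.CACertPublicationURLs
    }
}

function Get-PublicationUrls {
    # Each registry entry is "<flags>:<url>". Flag bits come from certsrv.h:
    # 2 = CSURL_ADDTOCERTCDP puts the URL into the CDP or AIA extension of issued
    # certificates, 32 = CSURL_ADDTOCERTOCSP puts it into the OCSP field of the AIA.
    param([string[]]$Entries, [int]$Flag, [string]$Scheme)
    foreach ($entry in $Entries) {
        $parts = $entry -split ':', 2
        if ($parts.Count -eq 2 -and ([int]$parts[0] -band $Flag) -and $parts[1] -like "$Scheme*") {
            $entry
        }
    }
}

function Test-CaDefaults {
    param($Config)
    $findings = @()

    # The 2008 wizard defaults to SHA1, which current clients reject for certificate
    # signatures. Fix: certutil -setreg ca\csp\CNGHashAlgorithm SHA256, restart
    # certsvc, then renew the CA certificate.
    if ($Config.HashAlgorithm -eq 'SHA1') {
        $findings += 'Signing hash is SHA1; switch CNGHashAlgorithm to SHA256 and renew the CA certificate.'
    }
    if ($Config.KeySize -gt 0 -and $Config.KeySize -lt 2048) {
        $findings += "CA key is $($Config.KeySize) bits; reinstall with a 2048-bit or larger key."
    }
    # A base CRL that stays valid for months lets a revoked certificate keep
    # working on every client until the cached copy expires.
    if ($Config.CrlPeriod -eq 'Months' -or $Config.CrlPeriod -eq 'Years' -or
        ($Config.CrlPeriod -eq 'Weeks' -and $Config.CrlPeriodUnits -gt 1)) {
        $findings += "Base CRL lifetime is $($Config.CrlPeriodUnits) $($Config.CrlPeriod); one week or less keeps revocation timely."
    }
    # LDAP-only publication points are reachable by domain members only; HTTP
    # points are what web servers, non-Windows clients and external users need.
    if (-not (Get-PublicationUrls $Config.CdpUrls 2 'http://')) {
        $findings += 'No HTTP CRL distribution point is placed in issued certificates.'
    }
    if (-not (Get-PublicationUrls $Config.AiaUrls 32 'http://')) {
        $findings += 'No OCSP URL is placed in the AIA extension, so the Online Responder will never be consulted.'
    }
    # DomainRole 4 or 5 in Win32_ComputerSystem means this server is a domain
    # controller: fine for the lab, but a production root CA belongs offline.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($Config.SelfSigned -and $role -ge 4) {
        $findings += 'Root CA runs on a domain controller; in production keep the root offline and issue through subordinate CAs.'
    }
    return $findings
}

$config = Get-CaConfiguration
$config | Format-List Name, Type, Provider, HashAlgorithm, KeySize, CrlPeriodUnits, CrlPeriod, CdpUrls, AiaUrls
$findings = Test-CaDefaults $config
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings: defaults reviewed.' }
```

On a CA installed with the wizard defaults shown in the figures, the script reports the SHA1 hash, and, unless HTTP publication points were added, the missing HTTP CDP and OCSP URLs; fixing those is done with certutil -setreg on CRLPublicationURLs and CACertPublicationURLs followed by a certsvc restart and certutil -crl to publish a fresh CRL.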

Introduction to Credential Management Services

This section introduces the credential management services, which fall into client and server roles.

On the client side there are autoenrollment and credential roaming. Autoenrollment is not new, but its architecture was redesigned with security in mind in Windows Vista and Windows Server 2008, reducing its attack surface.

Credential roaming was introduced in Windows Server 2003 SP1 and is now an integral part of Windows Vista and Windows Server 2008.

The server side is the Active Directory Certificate Services role. First there is the restricted enrollment agent, which lets enrollment-agent privileges be delegated narrowly, for example to enroll on behalf of specific groups only.

Finally, there is the integrated Network Device Enrollment Service (NDES), Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) for network devices.
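Whether autoenrollment actually runs on a given client is decided by the "Certificate Services Client - Auto-Enrollment" policy, which lands in the registry as the AEPolicy value. The following is an added example, not code from the original article: it reports the policy state for the computer and for the current user and then starts an autoenrollment pass immediately instead of waiting for the next policy refresh. It assumes that 0x8000 marks autoenrollment as disabled and that 7 is the value the policy editor writes when both the renewal and the template-update options are ticked; any other value is printed raw rather than decoded.

```powershell
# Added example: check and trigger certificate autoenrollment.
# Not part of the original article.

function Get-AutoEnrollmentState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    # HKLM holds the computer policy, HKCU the user policy.
    $key = "$($Hive):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    if (-not (Test-Path $key)) { return 'not configured by policy' }
    $value = (Get-ItemProperty -Path $key).AEPolicy
    if ($null -eq $value)    { return 'not configured by policy' }
    if ($value -band 0x8000) { return 'disabled' }                 # assumed: 0x8000 = disabled
    if ($value -eq 7)        { return 'enabled (renew/update/remove and template updates)' }  # assumed: 7 = both options
    return ('enabled, AEPolicy = 0x{0:X}' -f $value)
}

'Computer autoenrollment: ' + (Get-AutoEnrollmentState 'HKLM')
'User autoenrollment:     ' + (Get-AutoEnrollmentState 'HKCU')

# certutil -pulse starts the machine autoenrollment task now; -user -pulse does
# the same for the logged-on user. Enrollment still requires a template on which
# the account has Read, Enroll and Autoenroll permissions and that is published
# on an enterprise CA.
certutil -pulse
certutil -user -pulse
```

If the state reads "enabled" but no certificate appears, the usual causes are template permissions (no Autoenroll right for the account) or a template that is not published on any enterprise CA; the Application event log on the client records the reason.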

Copyright © Windows knowledge All Rights Reserved