
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated

Estimated time to complete this lab: 75 minutes

Objectives
At the end of this lab, you will be able to:
- Install and configure a stand-alone Root Certification Authority (CA).
- Install and configure a subordinate Enterprise CA.
- Configure custom certificate templates and deploy certificates using autoenrollment.
- Secure e-mail communication and Web-site authentication using digital certificates.

Scenario
You are the network administrator for Northwind Traders. To increase security, you are required to implement a Windows Server 2003 public key infrastructure (PKI). In this lab, you will see how to build the PKI infrastructure, how to implement certificates for Secure Sockets Layer (SSL)-enhanced Web sites, and how certificates can be deployed to enable client authentication and improve e-mail security.
A portion of the Northwind Traders network infrastructure is illustrated below:

Important: This hands-on lab is designed to test the installation and configuration of specific features on a limited number of computer resources. The placement of network services reflects neither best practices nor a desired or recommended configuration for a production environment.

Computers
This lab uses the following computers: VAN-DC1, VAN-VPN1 and VAN-CL1. VAN-VPN1 will be configured as a standalone root Certification Authority (CA). VAN-DC1 will be configured as an Enterprise Subordinate CA.
Before you begin the lab, you must start the VAN-DC1 and VAN-SRV1 computers. Start the other computers when indicated.

Lab Setup
To complete each lab module, you need to review the following:

Virtual PC
This lab uses Microsoft Virtual PC 2004, an application that allows you to run multiple virtual computers on one physical computer. During the lab, you will switch among different windows, each of which contains a separate virtual machine.
Before you start the lab, familiarize yourself with the following basics of Virtual PC:

Task: To switch the focus for your mouse and keyboard to the virtual machine
Procedure: Click inside the virtual machine window.

Task: To remove the focus from a virtual machine
Procedure: Move the mouse pointer outside the virtual machine window.

Task: To issue the CTRL+ALT+DELETE keyboard combination inside a virtual machine
Procedure: Use the <RIGHT>ALT+DELETE keyboard combination. In Virtual PC, the <RIGHT>ALT key is called the host key.

Task: To make the virtual machine window larger
Procedure: Drag the lower-right corner of the window.

Task: To switch to full-screen mode, and to return from full-screen mode
Procedure: Press the <RIGHT>ALT+ENTER keyboard combination.

To complete this lab, you need to start the virtual machines and then log on to the computers. In each exercise, you have to start only the virtual machines that are needed.

To log on to a computer in a virtual machine
1. Press <RIGHT>ALT+DELETE (instead of CTRL+ALT+DELETE) to open the Logon dialog box.

Important: If a service startup error appears on VAN-DC1 during the boot process, check to ensure that the Microsoft Exchange Server services have started as expected.
Exercise 1
Creating a Certification Authority Hierarchy
In this exercise you create a standalone root CA for Northwind Traders. You begin by modifying a CAPolicy.inf file to assist in the custom installation of the service. You will also perform post-installation tasks such as defining the Certificate Revocation List Distribution Point (CDP) and Authority Information Access (AIA) extensions for issued certificates, as well as configuring the publishing interval for certificate revocation lists.

Scenario
To meet the design requirements of your PKI solution, you need to implement a standalone root CA. This CA will be used to enroll subordinate Enterprise Issuing CAs.

Tasks and detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.

Note: Perform the following steps on VAN-VPN1.


Task 1. Log on to VAN-VPN1 and copy a sample capolicy.inf file from VAN-DC1.
The capolicy.inf file provides Certificate Services configuration information, which is read during initial CA installation and whenever you renew a CA certificate. This file defines settings specific to the root CA, as well as settings that affect all CAs in the hierarchy. By default, the capolicy.inf file does not exist when you install Windows Server 2003. You must manually create and configure the file and then store it in the %windir% folder.
a. Log on to VAN-VPN1 as Administrator with the password P@ssw0rd.
b. Click Start, and then click Run. The Run dialog box opens.
c. In the Open box, type \\VAN-DC1\C$. Click OK. After a few moments the \\van-dc1\c$ window opens.
d. In the \\VAN-DC1\C$ window, double-click the Tools folder.
e. In the Tools folder, double-click the PKIFiles folder.
f. In the PKIFiles folder, right-click and copy the capolicy.inf file.
g. Browse to C:\Windows and then paste capolicy.inf into the C:\Windows folder.

Task 2. Configure the capolicy.inf file.
Settings used in this task:
- OID: 1.2.3.4.5.6.7.8.9.2
- Webserver variable: VAN-DC1.nwtraders.msft
- CrlPeriodUnits: 26
- CRLPeriod: weeks
- CRLDeltaPeriodUnits: 0
a. Right-click C:\Windows\capolicy.inf and then click Open. The capolicy.inf text file opens in Notepad. Notice the various sections throughout the file. The [Version] section defines that the .inf file is in Windows NT format. The [PolicyStatementExtension] section defines a Certification Authority's certificate policies and certificate practice statements (CPS).
b. Under [LegalPolicy], change OID to 1.2.3.4.5.6.7.8.9.2. An object identifier (OID) is configured for the CPS or, if multiple policies are defined, for each CA's certificate policy. In this case only the legalpolicy variable requires an OID.
c. On the URL line, change webserver to VAN-DC1.nwtraders.msft. The URL provides a link to the actual text of the CPS. The URL line should now read URL="http://VAN-DC1.nwtraders.msft/LegalPolicy/rootcps.htm".
d. Under [Certsrv_server], make the following changes:
- CrlPeriodUnits=26
- CRLPeriod=weeks
- CRLDeltaPeriodUnits=0
- CRLDeltaPeriod=days (default)
This section defines various settings for the Certificate Revocation List publication intervals.
e. Leave the CRLDistributionPoint and AuthorityInformationAccess sections at the default setting. By defining the CDP and AIA URLs as empty, you ensure that applications do not check the root CA certificate for revocation.
f. Save all changes, and then close capolicy.inf.
g. Close all open windows.
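The capolicy.inf that results from the edits above, written out here as an added example; it is not the lab kit's own sample file. The [Version] signature, the Policies= entry, the Renewal* values (chosen to match the 4096-bit key and 20-year validity this lab uses for the root CA) and the Empty=True entries for the CDP and AIA sections are assumptions drawn from the Windows Server 2003 CAPolicy.inf syntax, not values the lab itself states.

```ini
; C:\Windows\capolicy.inf for the standalone root CA VAN-VPN1 (added example)
[Version]
Signature="$Windows NT$"

; Names the policy section(s) that are placed in the CA certificate
[PolicyStatementExtension]
Policies=LegalPolicy

; Certificate practice statement: OID and the URL of the CPS text
; (served from the LegalPolicy folder created on VAN-DC1 later in this exercise)
[LegalPolicy]
OID=1.2.3.4.5.6.7.8.9.2
URL="http://VAN-DC1.nwtraders.msft/LegalPolicy/rootcps.htm"

[Certsrv_Server]
; Renewal* values are assumptions: they only apply when the CA certificate is renewed
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Base CRL every 26 weeks; delta CRLs disabled (CRLDeltaPeriodUnits=0)
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriod=days
CRLDeltaPeriodUnits=0

; Empty CDP and AIA: a self-signed root certificate cannot usefully be checked
; for revocation, so no URLs are written into the root certificate itself
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
```

The file must be in place before Certificate Services is installed in the next task; it is read only at installation and at CA certificate renewal.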
Task 3. Install the standalone CA.
Settings used in this task:
- CA Type: Stand-alone Root CA
- CSP: Microsoft Strong Cryptographic Provider
- Hash algorithm: SHA-1
- Key length: 4096
- Common Name: VAN-VPN1
- Validity Period: 20 Years
a. Click Start, point to Control Panel, and then click Add or Remove Programs.
b. In the Add or Remove Programs window, click Add/Remove Windows Components. After a few moments the Windows Components Wizard opens.
c. Select the check box next to Certificate Services. A Microsoft Certificate Services message states that the machine name and domain membership may not be changed.
d. Click Yes to continue.
e. In the Windows Components dialog box, click Next.
f. In the CA Type dialog box, select Stand-alone root CA.
g. Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.
h. On the Public and Private Key Pair page, set the following options and then click Next:
- CSP: Microsoft Strong Cryptographic Provider
- Hash algorithm: SHA-1
- Key length: 4096
i. In the CA Identifying Information dialog box, enter the following and then click Next:
- Common name for this CA: VAN-VPN1
- Validity Period: 20 Years
j. On the Certificate Database Settings dialog box, accept the defaults and then click Next. A Microsoft Certificate Services message states that Internet Information Services must be temporarily stopped.
k. In the Microsoft Certificate Services prompt, click Yes. The Configuring Components page shows the progress of the component configuration and installation.
l. When the Insert Disk prompt is displayed, click OK.
m. In the Files Needed dialog box, click the Browse button.
n. Browse to C:\Win2k3\I386 and then click Open.
o. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.
p. When the Microsoft Certificate Services prompt is displayed, click Yes to enable Active Server Pages.
q. On the Completing the Windows Components Wizard page, click Finish.
r. Close the Add or Remove Programs window.

Task 4. Define CRL and AIA publication settings.
After you install the standalone root CA, you must modify the CDP and AIA extensions at the root CA to refer to locations that are available when the standalone root CA is removed from the network.
a. Click Start, point to Administrative Tools, and then click Certification Authority.
b. In the left-hand console tree pane, expand VAN-VPN1.
c. In the console tree pane, right-click Revoked Certificates and then click Properties. Notice that the CRL publication interval is set to 26 Weeks, and that Publish Delta CRLs has been disabled. This option was configured in the capolicy.inf configuration file during installation.
d. Click OK to close the Revoked Certificates Properties dialog box.
e. In the console tree pane, right-click VAN-VPN1, and then click Properties.
f. In the VAN-VPN1 Properties dialog box, on the Extensions tab, in the Select extension drop-down list, ensure that the box reads CRL Distribution Point (CDP).
g. Review the default ldap:///, http://, and file://\\ URLs in the CRL distribution points (CDP) list. The URL that begins with C:\Windows\system32\CertSrv should not be deleted, because this is where the updated CRL is posted when you manually publish a CRL or when Certificate Services publishes the CRL at the CRL publication interval.
h. On the Extensions tab, in the Select extension drop-down list, select Authority Information Access (AIA).
i. Review the default ldap:///, http://, and file://\\ URLs.
j. Click OK.
k. Click Start, and then click Run. The Run dialog box opens.
l. In the Open box, type \\VAN-DC1\C$. Click OK. After a few moments the \\van-dc1\c$ window opens.
m. In the \\VAN-DC1\C$ window, double-click the Tools folder.
n. In the Tools folder, double-click the PKIFiles folder.
o. In the PKIFiles folder, right-click and copy ModifyAIAandCDP.cmd.
p. Browse to C:\ and then paste ModifyAIAandCDP.cmd into the root of the C drive.
q. Right-click C:\ModifyAIAandCDP.cmd and then click Edit.
r. On the Edit menu, click Replace.
s. In the Replace dialog box, in the Find what box, type Webserver.
t. In the Replace with box, type VAN-DC1.nwtraders.msft and then click Replace All.
u. In the Replace dialog box, in the Find what box, type ForestName.
v. In the Replace with box, type DC=NWtraders, DC=msft and then click Replace All.
w. Cancel the Replace dialog box and then save and close the file.
x. Double-click ModifyAIAandCDP.cmd to run the batch file. The batch file runs and modifies the AIA and CDP entries. It also restarts Certificate Services.
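An added example of the kind of batch file the task above runs, shown after the Webserver and ForestName replacements; this is not the lab kit's own ModifyAIAandCDP.cmd. It assumes the standard certutil -setreg syntax for CA\CRLPublicationURLs and CA\CACertPublicationURLs, and the http:// paths are chosen so that they resolve to the CertData folder that the later tasks of this exercise create on VAN-DC1.

```batch
@echo off
:: Added example (not the lab's ModifyAIAandCDP.cmd): set the CDP and AIA
:: publication locations on the standalone root CA VAN-VPN1, then restart
:: Certificate Services so that newly issued certificates carry them.
setlocal
set WebServer=VAN-DC1.nwtraders.msft
set ForestName=DC=NWtraders,DC=msft
:: The forest DN is supplied explicitly, as the lab's Replace step does,
:: instead of relying on the root CA looking it up in Active Directory.
set ConfigDN=CN=Configuration,%ForestName%

:: CRLPublicationURLs flags: 1 = publish the CRL to this location,
:: 2 = include in the CDP extension of issued certificates,
:: 8 = include in all CRLs; this is also the AD target used later by
::     "certutil -dspublish" on VAN-DC1. 10 = 2 + 8.
:: %%3 = CA name, %%8/%%9 = CRL name suffixes, %%10 = LDAP CDP attributes.
:: The local CertEnroll path (flag 1) is kept: that is where the CRL lands
:: when it is published, and it is copied to the CertData Web folder later.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://%WebServer%/CertData/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%ConfigDN%%%10"

:: CACertPublicationURLs flags: 1 = publish the CA certificate to this
:: location, 2 = include in the AIA extension of issued certificates.
:: %%1 = server DNS name, %%4 = renewal suffix, %%11 = LDAP AIA attributes.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://%WebServer%/CertData/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%ConfigDN%%%11"

:: Registry changes are read at service start, so restart Certificate Services.
net stop certsvc
net start certsvc

:: Show the values that were written so they can be checked before publishing.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
endlocal
```

After the service restarts, publishing a new CRL (task 5) and the pkiview check in Exercise 2 confirm that each location is reachable.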
Task 5. Publish the latest version of the CRL.
a. In the Certification Authority console, in the left-hand console tree pane, right-click Revoked Certificates, point to All Tasks, and then click Publish.
b. In the Publish CRL dialog box, click New CRL, and then click OK. The latest version of the CRL is published.

Task 6. At a command prompt, increase the validity period of issued certificates to 10 years by using certutil -setreg.
a. Open a command prompt, type certutil -setreg ca\ValidityPeriodUnits 10 and then press ENTER.
b. At the command prompt, type certutil -setreg ca\ValidityPeriod "Years" and then press ENTER.
c. Close the command prompt.

Task 7. Restart Certificate Services.
a. In the Certification Authority console, right-click VAN-VPN1, point to All Tasks, and then click Stop Service.
b. In the Certification Authority console, right-click VAN-VPN1, point to All Tasks, and then click Start Service.
c. Close the Certification Authority console and close all open windows.

Note: Perform the following steps on the VAN-DC1 computer.

Task 8. Publish the CRL and CA certificate for the offline root CA to the LDAP and HTTP locations.
a. Log on to VAN-DC1 as Administrator with the password P@ssw0rd.
b. Start Windows Explorer and then browse to the C:\Inetpub\wwwroot folder.
c. Under the wwwroot folder, create a new subfolder named Legalpolicy.
d. Browse to C:\Tools\PKIFiles.
e. In the PKIFiles folder, right-click and copy rootcps.htm.
f. Browse to C:\inetpub\wwwroot\legalpolicy and then paste rootcps.htm into the folder.

Task 9. Copy the contents of \\Computer\admin$\system32\certsrv\Certenroll to the C:\inetpub\wwwroot\CertData folder.
a. Browse to and click C:\Inetpub\wwwroot.
b. Create a new subfolder named CertData.
c. Click Start, and then click Run.
d. In the Open box, type \\VAN-VPN1\admin$. Click OK.
e. In Windows Explorer, double-click System32, double-click Certsrv, and then double-click Certenroll.
f. Copy all files in the \\VAN-VPN1\admin$\system32\Certsrv\Certenroll share to C:\inetpub\wwwroot\CertData. These files include the Certificate Revocation List and the Security Certificate for VAN-VPN1.
g. Close all open windows.

Task 10. View the Certificate Practice Statement.
a. Open Internet Explorer.
b. In the Address bar, type http://VAN-DC1.nwtraders.msft/Legalpolicy/rootcps.htm, and then press ENTER. The sample Certificate Practice Statement is displayed.

Task 11. View the certificate revocation list.
a. In the Address bar, type http://VAN-DC1.nwtraders.msft/CertData/VAN-VPN1.crl, and then press ENTER. The File Download dialog box is displayed.
b. Click the Open button. The certificate revocation list is displayed.
c. Click OK to close the Certificate Revocation List.
d. Close Internet Explorer.

Task 12. Publish the CRL and CA certificate to Active Directory.
a. Open a command prompt.
b. At the command prompt, type cd \inetpub\wwwroot\Certdata and then press ENTER.
c. To publish the latest CRL to Active Directory, at the command prompt, type certutil -dspublish -f VAN-VPN1.crl and then press ENTER. You should receive a prompt stating that the -dsPublish command completed successfully.
d. Close the command prompt.
e. To publish the CA certificate to Active Directory, open Windows Explorer and browse to C:\Inetpub\wwwroot\CertData.
f. Double-click VAN-VPN1.NWtraders.msft_VAN-VPN1. After a few moments the security certificate opens. Notice that it is not trusted and needs to be placed into the Trusted Root Certification Authorities store.
g. Click Install Certificate. The Certificate Import Wizard starts.
h. Click Next.
i. On the Certificate Store page, click the button next to Place all certificates in the following store.
j. Click the Browse button and then select Trusted Root Certification Authorities. Click OK.
k. Click Next and then Finish. A Security Warning is displayed.
l. Click Yes to install this certificate.
m. Click OK.
n. Click OK to close the Certificate window.
o. Double-click VAN-VPN1.NWtraders.msft_VAN-VPN1. Notice that VAN-DC1 now trusts the VAN-VPN1 Certificate Authority.
p. Close all open windows.

Exercise 2
Implementing a Subordinate Enterprise CA
In this exercise, you configure a subordinate Enterprise CA below the Northwind Traders stand-alone Root CA. You will also use the PKI Health Tool to validate CRL and AIA publication points.

Scenario
You have just completed the installation and configuration of the stand-alone Root CA for Northwind Traders. The next step is to install and configure the Enterprise Subordinate CA.

Tasks and detailed steps

Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.

Note: Perform the following steps on the VAN-DC1 computer.

Task 1. Install Certificate Services with the following options, and then save the request to a file named a:\request.req.
Settings used in this task:
- CA Type: Enterprise subordinate CA
- CSP: Microsoft Strong Cryptographic Provider
- Hash algorithm: SHA-1
- Key length: 2048
- Common name: Northwind Traders CA
a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.
b. Click Start, point to Control Panel, and then click Add or Remove Programs.
c. In the Add or Remove Programs window, click Add/Remove Windows Components. After a few moments the Windows Components Wizard opens.
d. Select the check box next to Certificate Services. A Microsoft Certificate Services message states that the machine name and domain membership may not be changed.
e. Click Yes to continue.
f. In the Windows Components dialog box, click Next.
g. In the CA Type dialog box, select Enterprise subordinate CA.
h. Select the Use custom settings to generate the key pair and CA certificate check box, and then click Next.
i. On the Public and Private Key Pair page, set the following options and then click Next:
- CSP: Microsoft Strong Cryptographic Provider
- Hash algorithm: SHA-1
- Key length: 2048
j. In the CA Identifying Information dialog box, enter the following and then click Next:
- Common name for this CA: Northwind Traders CA
Notice that the Validity period is determined by the parent CA.
k. On the Certificate Database Settings page, accept the default settings, and then click Next.
l. On the CA Certificate Request page, click Save the request to a file. Saving the request to a file provides the ability to transfer this request to an offline Root CA using removable storage, such as a floppy disk or USB digital drive.
m. In the Request file box, type c:\request.req, and then click Next.
n. In the Microsoft Certificate Services message, click Yes to temporarily stop Internet Information Services.
o. When the Insert Disk dialog box appears, click OK.
p. In the Files Needed dialog box, browse to C:\Win2k3\I386 and then click Open.
q. In the Files Needed dialog box, click OK. The component configuration continues. This may take a few minutes to complete.
r. In the Microsoft Certificate Services message box, acknowledge that the CA installation is incomplete, and then click OK. The installation is incomplete until you manually submit the request.req file to the root CA.
s. On the Completing the Windows Components Wizard page, click Finish.
t. Close the Add or Remove Programs window.

Note: Perform the following steps on the VAN-VPN1 computer.

Task 2. In the Certification Authority console, request a new certificate by using the request.req request file.
a. If necessary, log on to VAN-VPN1 as Administrator with the password of P@ssw0rd.
b. Click Start, point to Administrative Tools, and then click Certification Authority.
c. In the console tree pane, right-click VAN-VPN1, point to All Tasks, and then click Submit new request.
d. In the Open Request File dialog box, in the File name box, type \\van-dc1\c$\Request.req and then click Open. If the stand-alone root CA is disconnected from the network, the Request.req file can be transported by a physical device such as a floppy disk or USB digital drive.

Task 3. In the Certification Authority console, issue the pending certificate request.
a. In the console tree pane, expand VAN-VPN1, and then click Pending Requests.
b. In the details pane, right-click the pending certificate, point to All Tasks, and then click Issue.

Task 4. Export the issued certificate to a PKCS #7 file named subca.p7b that includes all of the certificates in the certification path.
a. In the console tree pane, click Issued Certificates.
b. In the details pane, double-click the issued certificate.
c. In the Certificate dialog box, on the Details tab, click Copy to File.
d. On the Welcome to the Certificate Export Wizard page, click Next.
e. On the Export File Format page, click Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), select the Include all certificates in the certification path if possible check box, and then click Next.
f. On the File to Export page, in the File name box, type c:\subca.p7b and then click Next.
g. On the Completing the Certificate Export Wizard page, click Finish.
h. In the Certificate Export Wizard message box, click OK.
i. In the Certificate dialog box, click OK.
j. Close the Certification Authority console.
k. Close all open windows.

Note: Perform the following steps on the VAN-DC1 computer.

Task 5. Install the CA certificate in the Certification Authority console by using the subca.p7b file.
a. Click Start, point to Administrative Tools, and then click Certification Authority.
b. In the console tree, right-click Northwind Traders CA, point to All Tasks, and then click Install CA Certificate.
c. In the Select file to complete CA installation dialog box, in the File name box, type \\VAN-VPN1\c$\subca.p7b and then click Open. After a few moments a message states that the root certificate is untrusted.
d. Click OK at the Microsoft Certificate Services message.
e. In the console tree, right-click Northwind Traders CA, point to All Tasks, and then click Start Service.
f. In the Certification Authority console, in the console tree pane, right-click Northwind Traders CA, and then click Properties.
g. In the Northwind Traders CA Properties dialog box, click View Certificate. Notice that the validity period is ten years, as defined in the ValidityPeriodUnits registry entry of the root CA.
h. In the Certificate dialog box, click the Certification Path tab.
i. Notice that the CA hierarchy path is VAN-VPN1 => Northwind Traders CA.
j. In the Certificate dialog box, click OK.
k. In the Northwind Traders CA Properties dialog box, click OK.
l. Close the Certification Authority console.

Task 6. Before you issue a subordinate CA certificate from the offline root CA, verify that the offline root CA's CDP and AIA extensions are properly configured.
You can use the PKI Health Tool from the Windows Server 2003 Server Resource Kit to validate the CDP and AIA extensions that you configured on the offline root CA.
a. Open a command prompt.
b. At the command prompt, type cd \tools\pkifiles.
c. At the command prompt, type regsvr32 pkiview.dll and then press ENTER.
d. In the RegSvr32 message box, click OK.
e. At the command prompt, type pkiview.msc. Press ENTER. The pkiview console opens.
f. In the left-hand console tree pane, click VAN-VPN1.
g. Verify that the status for all certificates, AIA, and CDP locations is OK.
h. Expand VAN-VPN1 and click Northwind Traders CA.
i. Verify that the status for all certificates, AIA, and CDP locations is OK.
j. Close the pkiview console.
k. Close the command prompt and all other open windows.

Exercise 3
Deploying Certificates to Secure E-mail
In this exercise, you learn how to configure certificate templates that can be used to implement secure e-mail communication. You will also configure and test certificate autoenrollment.

Scenario
To increase the security of e-mail communication for specific users in your organization, you have decided to implement S/MIME certificates to be used to encrypt and digitally sign e-mail messages. Your first task is to create and enable two custom certificate templates: one to be used for encryption and the other to be used for digital signing. You must then determine the best way to deploy the certificates to your users. Since you have Windows XP Professional clients, autoenrollment is a practical choice.

Tasks and detailed steps

Note: This exercise uses the following computers: VAN-DC1, VAN-VPN1, and VAN-CL1.

Note: Perform the following steps on the VAN-DC1 computer.

1. Create a security group for a. If necessary, log on to VAN-DC1 as Administrator with the password
users that require secure e- P@ssw0rd.
mail. b. Click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
c. In the left-hand console tree pane, right-click Users, point to New, and
then click Group.
The New Object – Group dialog box is displayed.
d. In the Group Name box, type SecureMailUsers.
e. Configure the following additional settings:
 Group Scope: Global
 Group Type: Security
f. Click Next.
g. Do not create an Exchange e-mail address for the group. Click Next.
h. Click Finish.
i. In the console tree pane, click the Users container.
j. In the details pane, right-click SecureMailusers and then click
Properties.
k. In the SecureMailUsers Properties dialog box, click the Members tab.
l. Click Add.
m. In the Select Users, Contacts, Computers, or Groups dialog box, type
Kim and Don separated by a semi-colon (;). Click OK.
Don Hall and Kim Akers are added as members of the
SecureMailUsers security group.
n. Click OK to close the SecureMailUsers Properties dialog box.

o. Close Active Directory Users and Computers.


2. Create the Autoenrollment a. Click the Start menu, point to Administrative Tools, and then click
Group Policy Object and link Group Policy Management.
it to the NWTraders domain. b. In the Group Policy Management console, expand
Forest:NWtraders.msft, Domains, NWTraders.msft, and then click
Group Policy Objects.
c. Right-click Group Policy Objects and then click New.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated

Tasks Detailed steps

d. In the New GPO dialog box, type Secure Mail Policy. Click OK.
e. In the details pane, double-click Secure Mail Policy.
f. On the Scope tab, under Security Filtering, click Add.
g. In the Select User, Computer, or Group dialog box, type
SecureMailUsers and then click OK.
h. Click Authenticated Users and then click Remove. Click OK.
i. In the console tree pane, right-click Secure Mail Policy and then click
Edit.
j. In Group Policy Object Editor, expand User Configuration,
Windows Settings, Security Settings, and then click Public Key
Policies.
k. In the details pane, double-click Autoenrollment Settings.
l. In the Autoenrollment Settings Properties dialog box, enable the
following options and then click OK:
 Enroll certificates automatically
 Renew expired certificates, update pending certificates, and
remove revoked certificates
 Update certificates that use certificate templates
m. Close the Group Policy Object Editor.
n. In the console tree pane, right-click NWtraders.msft.
o. Click Link an Existing GPO.
p. In the Select GPO dialog box, click Secure Mail Policy and then click
OK.
q. Close the Group Policy Management console.
3. Update Group Policy. a. Open a command prompt.
b. At the command prompt, type gpupdate /force and then press ENTER.
c. Close the command prompt.
Note: Perform the following steps on the VAN-VPN1 computer.

4. Open the Certificate Template a. If necessary, log on to VAN-VPN1 as Administrator with the password
console and create a new of P@ssw0rd.
certificate template called b. Click Start, click Run, type Certtmpl.msc and then click OK.
SMIMESign based on the
Exchange Signature Only c. In the details pane, right-click Exchange Signature Only, and then
certificate template. click Duplicate Template.
d. In the Properties of New Template dialog box, in the Template
display name box, type SMIMESign and then click OK.
5. In the SMIMESign certificate a. In the details pane, double-click SMIMESign.
template, configure the b. In the SMIMESign Properties dialog box, on the General tab, select
following: the Publish certificate in Active Directory check box, select the Do not
Publish in Active automatically reenroll if a duplicate certificate exists in Active
Directory check box, and then click Apply.
Directory.
c. On the Request Handling tab, click Prompt the user during
Do not automatically
enrollment and require user input when the private key is used, and
reenroll if a duplicate then click Apply.
certificate exists in Active
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 13

Tasks Detailed steps

Directory. The option to prompt the user during enrollment enables the user
to be notified that a certificate is being installed on their machine.
Prompt the user during
The require user input when the private key is used option forces
enrollment and require
the user to provide a password each time the certificate is used.
user input when the
You may want to enable this second option to increase security at
private key is used.
the time the certificate is used.
6. Add the Medium Assurance a. On the Extensions tab, click Issuance Policies, and then click Edit.
issuance policy OID. b. In the Edit Issuance Policies Extension dialog box, click Add.
c. In the Add Issuance Policy dialog box, click Medium Assurance, and
then click OK.
d. In the Edit Issuance Policies Extension dialog box, click OK.
e. On the Extensions tab, click Apply.
7. On the Subject name tab a. On the Subject Name tab, click Build from this Active Directory
configure the following: information, and then configure the following:
Subject name format: Fully  Subject name format: Fully distinguished name
distinguished name  Include e-mail name in subject name: Enabled
Include e-mail name in  E-mail name: Enabled
subject name: Enabled
 User principal name (UPN): Enabled
E-mail name: Enabled
b. On the Subject name tab, click Apply.
User principal name (UPN):
Enabled
8. On the Security tab, assign the a. On the Security tab, click Add.
SecureMailUsers group Read, b. In the Select Users, Computers, or Groups dialog box, in the text box,
Enroll, and Autoenroll type SecureMailUsers and then click OK.
permissions. c. In the Group or user names list, select SecureMailUsers, assign the
SecureMailUsers group Read, Enroll, and Autoenroll permissions, and
then click OK.
9. Create a new certificate a. In the details pane, right-click Exchange User, and then click Duplicate
template named Template.
SMIMEEncrypt, based on the b. In the Properties of New Template dialog box, in the Template display
Exchange User certificate name box, type SMIMEEncrypt and then click OK.
template. Configure the
following: c. In the details pane, double-click SMIMEEncrypt.
Publish certificate in Active d. In the SMIMEEncrypt Properties dialog box, on the General tab,
Directory. select the Publish certificate in Active Directory check box, select the
Do not automatically reenroll if a duplicate certificate exists in
Do not automatically Active Directory check box, and then click Apply.
reenroll if a duplicate
certificate exists in Active e. On the Request Handling tab, click Prompt the user during
Directory. enrollment and require user input when the private key is used, and
then click Apply.
Prompt the user during
enrollment and require user
input when the private key is
used.
10. On the Extensions tab, add the a. On the Extensions tab, click Issuance Policies, and then click Edit.
Medium Assurance issuance b. In the Edit Issuance Policies Extension dialog box, click Add.
policy OID.
c. In the Add Issuance Policy dialog box, click Medium Assurance, and
then click OK.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated

Tasks Detailed steps

d. In the Edit Issuance Policies Extension dialog box, click OK.


e. On the Extensions tab, click Apply.
11. On the Subject Name tab, configure the following:
    Subject name format: Fully distinguished name
    Include e-mail name in subject name: Enabled
    E-mail name: Enabled
    User principal name (UPN): Enabled
   a. On the Subject Name tab, click Build from this Active Directory information, and then configure the following:
       Subject name format: Fully distinguished name
       Include e-mail name in subject name: Enabled
       E-mail name: Enabled
       User principal name (UPN): Enabled
   b. On the Subject Name tab, click Apply.
12. On the Security tab, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions.
   a. On the Security tab, click Add.
   b. In the Select Users, Computers, or Groups dialog box, in the text box, type SecureMailUsers and then click OK.
   c. In the Group or user names list, select SecureMailUsers, assign the SecureMailUsers group Read, Enroll, and Autoenroll permissions, and then click OK.
   d. Close the Certificate Templates console.
   e. Close all open windows.
Note: Perform the following steps on the VAN-DC1 computer.

13. Update Group Policy.
   a. Open a command prompt.
   b. At the command prompt, type gpupdate /force and then press ENTER.
   c. Close the command prompt.

14. Configure NWTradersCA to issue the SMIMEEncrypt and SMIMESign certificate templates.
   a. Click the Start menu, point to Administrative Tools, and then click Certification Authority.
   b. In the console tree pane, expand NWTradersCA, and then click Certificate Templates.
   c. In the console tree pane, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
   d. In the Enable Certificate Templates dialog box, click SMIMEEncrypt, press CTRL and click SMIMESign, and then click OK.
   e. In the details pane, ensure that SMIMEEncrypt and SMIMESign appear.
   f. Close the Certification Authority console.
15. Update Group Policy.
   a. Open a command prompt.
   b. At the command prompt, type gpupdate /force and then press ENTER.
   c. Close the command prompt.
Note: Perform the following steps on the VAN-CL1 computer.

16. Log on to the domain as Don Hall.
   a. Log on to VAN-CL1 as Don with the password P@ssw0rd.
17. Update Group Policy.
   a. Open a command prompt.
   b. At the command prompt, type gpupdate /force and then press ENTER.
   c. Close the command prompt.
18. Start the Certificate Autoenrollment process.
   a. In the notification area, click the Certificate Enrollment balloon.
      If the certificate enrollment balloon does not appear, wait for approximately 90 seconds. If it does not appear after 90 seconds, log off and log back on as Don. It is important that Don is registered as a member of the SecureMailUsers security group. If you receive any additional error messages upon logon, click OK to close the message.
   b. In the Certificate Enrollment dialog box, click Start.
      This first enrollment process is for the SMIMESign certificate. It will be configured to require a password each time the certificate is used.
   c. In the Creating a new RSA signature key dialog box, click Set Security Level.
   d. Click the button next to High. Click Next.
   e. In the Creating a new RSA signature key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.
   f. In the Creating a new RSA signature key dialog box, click OK.
      The next set of steps enrolls the SMIMEEncrypt certificate. Its security level will be set to Medium, so that the user is only asked for permission, not a password, whenever the encryption key is used.
   g. In the Creating a new RSA exchange key dialog box, click Set Security Level.
   h. Click the button next to Medium. Click Next.
   i. In the Creating a new RSA exchange key dialog box, click Finish.
   j. Click OK to close the Creating a new RSA exchange key dialog box.
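The template issuance in tasks 14 and 15, and a check of what Don actually received in task 18, can also be driven from the command prompt with certutil, which ships with Windows Server 2003 and Windows XP. This is an added example, not part of the lab: NWTradersCA, SMIMESign and SMIMEEncrypt are the lab's own names, while the script name smime-templates.cmd is assumed.

```batch
@echo off
rem Added example, not part of the lab: certutil equivalent of tasks 14 and 15
rem (on VAN-DC1) and a check of the certificates Don received in task 18 (on VAN-CL1).
rem Usage:  smime-templates.cmd ca      -- on VAN-DC1, logged on as Administrator
rem         smime-templates.cmd client  -- on VAN-CL1, logged on as Don
rem NWTradersCA, SMIMESign and SMIMEEncrypt are the lab's own names; the script
rem name is assumed.
if /i "%~1"=="ca" goto :ca
if /i "%~1"=="client" goto :client
echo Usage: %~nx0 ca ^| client 1>&2
exit /b 2

:ca
rem Task 14: add both templates to the list that NWTradersCA is allowed to issue
rem ("+" adds a template, "-" removes one; the local CA is used when no -config is given).
certutil -SetCATemplates +SMIMESign +SMIMEEncrypt
if errorlevel 1 (
    echo Failed to add the templates; run this on the CA as Administrator. 1>&2
    exit /b 1
)
rem Task 14e: confirm that both names now appear in the CA's template list.
certutil -CATemplates | findstr /i "SMIMESign SMIMEEncrypt"
rem Task 15: refresh Group Policy so the autoenrollment settings are current.
gpupdate /force
exit /b 0

:client
rem List Don's personal certificates; the two new ones should name NWTradersCA
rem as issuer and carry Don's e-mail name in the subject, as the template requires.
certutil -user -store My | findstr /i "Issuer Subject"
rem Verify each certificate's chain (NWTradersCA, then the VAN-VPN1 root);
rem any certificate that does not chain to a trusted root is reported here.
certutil -user -verifystore My
exit /b 0
```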
19. View the security settings for Outlook 2003.
   a. Click Start, and then click E-mail.
   b. Click the Tools menu, and then click Options.
   c. Click the Security tab.
   d. Under Encrypted e-mail, click the Settings button.
      Notice that S/MIME has been configured using SHA1 and 3DES as the hash and encryption algorithms.
   e. Click Cancel to close the Change Security Settings dialog box.
   f. Click Cancel to close the Options dialog box.
20. Send a digitally signed e-mail message.
   a. Click the New button.
   b. In the To: box, type Kim.
   c. In the Subject box, type Signed e-mail.
   d. In the message body, type: This is a test for signed e-mail.
   e. Click the Options button.
   f. In the Message Options dialog box, click Security Settings.
   g. Select the check box next to Add digital signature to this message.
   h. Click OK.
   i. In the Message Options dialog box, click Close.
   j. Click Send.
      A password box prompts you for your CryptoAPI Private Key password.
   k. In the CryptoAPI Private Key dialog box, type P@ssw0rd. Click OK.
   l. Close Microsoft Outlook and log off.
21. Verify that Kim is a member of the SecureMailUsers group.
   a. Log on to VAN-CL1 as Kim with the password P@ssw0rd.
   b. Open a command prompt.
   c. At the command prompt, type gpresult and then press ENTER.
      If Kim is not listed as a member of the SecureMailUsers security group, log off and log back on again as Kim.
   d. Close the command prompt window.
22. Start the Certificate Autoenrollment process for Kim.
   a. In the notification area, click the Certificate Enrollment balloon.
      If the certificate enrollment balloon does not appear, wait for approximately 90 seconds. If it does not appear after 90 seconds, log off and log back on as Kim. It is important that Kim is registered as a member of the SecureMailUsers security group. If you receive any additional error messages upon logon, click OK to close the message.
   b. In the Certificate Enrollment dialog box, click Start.
      This first enrollment process is for the SMIMESign certificate. It will be configured to require a password each time the certificate is used.
   c. In the Creating a new RSA signature key dialog box, click Set Security Level.
   d. Click the button next to High. Click Next.
   e. In the Creating a new RSA signature key dialog box, in the Password and Confirm boxes, type P@ssw0rd and then click Finish.
   f. In the Creating a new RSA signature key dialog box, click OK.
      The next set of steps enrolls the SMIMEEncrypt certificate. Its security level will be set to Medium, so that the user is only asked for permission, not a password, whenever the encryption key is used.
   g. In the Creating a new RSA exchange key dialog box, click Set Security Level.
   h. Click the button next to Medium. Click Next.
   i. In the Creating a new RSA exchange key dialog box, click Finish.
   j. Click OK to close the Creating a new RSA exchange key dialog box.
23. Verify that the signed message has been received from Don.
   a. Click Start, and then click E-mail.
      A message is displayed asking if you would like to import a new account.
   b. In the Microsoft Office Outlook message box, click No.
   c. Double-click the message from Don Hall.
   d. Click the seal icon in the top right-hand corner of the e-mail message.
   e. Click the Details button.
   f. Click the Signer: Don@NWtraders.msft entry.
      Notice that the message was signed using RSA/SHA1.
   g. Click Close.
   h. Click Close to close the Digital Signature dialog box.
24. Send an encrypted reply.
   a. Click Reply.
   b. Click the Options button.
   c. In the Message Options dialog box, click Security Settings.
   d. Select the check box next to Encrypt message contents and attachments.
   e. Ensure that the check box next to Add digital signature to this message is selected.
   f. Click OK.
   g. Click Close to close the Message Options dialog box.
   h. Click Send.
   i. In the CryptoAPI Private Key prompt, type P@ssw0rd. Click OK.
   j. Close all windows and log off.
25. Log on as Don Hall and verify that an encrypted message has been received from Kim.
   a. Log on to VAN-CL1 as Don with the password P@ssw0rd.
   b. Click Start, and then click E-mail.
   c. Open the e-mail message from Kim Akers.
   d. In the CryptoAPI Private Key prompt, click OK.
      The prompt indicates that you are using your private key to open the encrypted e-mail message. When the message is opened, notice that the lock and seal icons are displayed in the top right-hand corner of the message, indicating an encrypted and signed e-mail message.
   e. Close all windows and log off.

Exercise 4
Securing Web Sites Using SSL Encryption
In this exercise, you will learn how to install a Web server certificate. You will also enforce SSL encryption on the Web site's virtual directory to ensure that communication is secure. Finally, you will enable client certificate mapping so that user certificates can be used for Web site authentication.

Scenario
Northwind Traders requires authentication in order to access its company Web site. To encrypt the logon credentials, you have to implement SSL certificates on the Web server.

Tasks Detailed steps

Note: This lab exercise uses the following computers: VAN-DC1 and VAN-CL1.
Note: Perform the following step on the VAN-DC1 computer.

1. In the Internet Information Services (IIS) Manager console, browse to the default Web site.
   a. If necessary, log on to VAN-DC1 as Administrator with the password P@ssw0rd.
   b. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
   c. In the console tree pane, expand VAN-DC1 (local computer), expand Web Sites, and then click Default Web Site.
2. Enable SSL by running the Web Server Certificate Wizard with the following options:
    Create a new certificate
    Send the request immediately to an online certification authority
    Organization: Northwind Traders
    Organizational unit: Corporate
    Common name: VAN-DC1.NWtraders.msft
    Country/Region: CA (Canada)
    State/province: BC
    City/locality: Vancouver
    SSL port: 443
    Certification authority: default
   a. Right-click Default Web Site, and then click Properties.
   b. In the Default Web Site Properties dialog box, on the Directory Security tab, click Server Certificate.
   c. On the Welcome to the Web Server Certificate Wizard page, click Next.
   d. On the Server Certificate page, click Create a new certificate, and then click Next.
   e. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
   f. On the Name and Security Settings page, accept the default settings, and then click Next.
   g. On the Organization Information page, in the Organization box, type Northwind Traders.
   h. In the Organizational unit box, type Corporate and then click Next.
   i. On the Your Site's Common Name page, in the Common name box, type VAN-DC1.NWtraders.msft, and then click Next.
   j. On the Geographical Information page, in the Country/Region dropdown list, select CA (Canada).
   k. In the State/province box, type BC.
   l. In the City/locality box, type Vancouver and then click Next.
   m. On the SSL Port page, accept the default setting (443), and then click Next. On the Choose a Certification Authority page, accept the CA that is presented, and then click Next.
   n. On the Certificate Request Submission page, click Next.
   o. On the Completing the Web Server Certificate Wizard page, click Finish.
3. Verify that the certificate has been installed.
   a. In the Secure communications section, click View Certificate.
      The certificate is displayed. Notice that it is valid for two years.
   b. Click the Certification Path tab.
      Notice that the entire certification path, including Northwind Traders CA and VAN-VPN1, is trusted.
   c. Click OK.
   d. Click OK to close the Default Web Site Properties dialog box.
4. Create a new virtual directory named Security that refers to C:\Tools\PKIFiles.
   a. Right-click Default Web Site, point to New, and then click Virtual Directory.
      The Virtual Directory Creation Wizard starts.
   b. On the Welcome to the Virtual Directory Creation Wizard page, click Next.
   c. On the Virtual Directory Alias page, in the Alias box, type Security and then click Next.
   d. On the Web Site Content Directory page, in the Path box, type C:\Tools\PKIFiles and then click Next.
   e. On the Virtual Directory Access Permissions page, accept the default settings, and then click Next.
   f. On the You have successfully completed the Virtual Directory Creation Wizard page, click Finish.
5. Configure authentication for the Security Web site.
   a. In the console tree pane, right-click Security, and then click Properties.
   b. Click the Directory Security tab.
   c. Under the Authentication and access control section, click Edit.
      The Authentication Methods dialog box is displayed.
   d. Clear the check box next to Enable anonymous access.
   e. Select the check box next to Basic authentication.
      A warning is displayed indicating that Basic authentication does not encrypt data. Because you are about to require an SSL connection for this virtual directory, the credentials will be protected by SSL, so the warning does not apply.
   f. Click Yes.
   g. Click OK to close the Authentication Methods dialog box.
6. Enable SSL and require 128-bit encryption for the Security virtual directory.
   a. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.
   b. In the Secure Communications dialog box, click Require secure channel (SSL), click Require 128-bit encryption, and then click OK.
   c. In the Security Properties dialog box, click OK.
Note: Perform the following steps on the VAN-CL1 computer.

7. Test the Security Web page. In Internet Explorer, open https://VAN-DC1.NWTraders.msft/security.
   a. If necessary, log on to VAN-CL1 as Don with the password P@ssw0rd.
   b. Open Internet Explorer.
   c. In the Address bar, type https://VAN-DC1.NWtraders.msft/security, and then press ENTER.
   d. If a Security Alert is displayed, click OK.
   e. In the Connect to van-dc1.nwtraders.msft dialog box, enter the following information and then click OK:
       User name: Don
       Password: P@ssw0rd
      After a few moments, the Security Web page is displayed. Notice the lock icon in the bottom right-hand corner of Internet Explorer.
   f. Double-click the lock icon.
      The VAN-DC1.NWtraders.msft certificate information is displayed.
   g. Click OK to close the certificate information.
   h. Close Internet Explorer.
Note: Perform the following steps on the VAN-DC1 computer.

8. Enable certificate mapping for the Security Web site. Configure the properties of the Security virtual directory with the following options:
    Require client certificates
    Enable client certificate mapping
   a. In the IIS Manager console tree pane, right-click Security, and then click Properties.
   b. In the Security Properties dialog box, on the Directory Security tab, under Secure communications, click Edit.
   c. In the Secure Communications dialog box, click Require client certificates.
   d. In the Secure Communications dialog box, click Enable client certificate mapping, and then click OK.
   e. In the Security Properties dialog box, click Apply.
9. Clear the check boxes for all forms of authentication for the Security Web site.
   a. In the Security Properties dialog box, on the Directory Security tab, in the Authentication and access control section, click Edit.
   b. In the Authentication Methods dialog box, clear all authentication method check boxes, and then click OK.
      Clearing all of the check boxes prevents Internet Explorer from presenting a user authentication dialog box if the certificate-based authentication fails.
   c. In the Security Properties dialog box, click OK.
10. In the Web site's properties, activate the Windows directory service mapper.
   a. In the console tree pane, right-click Web Sites, and then click Properties.
   b. In the Web Sites Properties dialog box, on the Directory Security tab, click Enable the Windows directory service mapper, and then click OK.
   c. In the Inheritance Overrides dialog box, click Cancel.
   d. Close Internet Information Services (IIS) Manager.
   e. Close all open windows and log off.
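The settings that tasks 4 through 10 apply through the IIS Manager GUI are IIS 6.0 metabase properties, so the same configuration (including the 128-bit requirement and the switch from Basic authentication to client certificates) can be applied and inspected from the command prompt with adsutil.vbs. This is an added example, not part of the lab: it assumes a default IIS 6.0 installation, where adsutil.vbs lives in %SystemDrive%\Inetpub\AdminScripts and W3SVC/1 is the Default Web Site; the alias Security and the path C:\Tools\PKIFiles are the lab's own.

```batch
@echo off
rem Added example, not part of the lab: adsutil.vbs equivalent of tasks 4-10.
rem Run on VAN-DC1 as Administrator. Assumes a default IIS 6.0 installation:
rem adsutil.vbs in %SystemDrive%\Inetpub\AdminScripts, W3SVC/1 = Default Web Site.
setlocal
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/Security

rem Task 4: create the Security virtual directory on C:\Tools\PKIFiles with
rem read access. (Skip CREATE_VDIR if the wizard already created it.)
%ADSUTIL% CREATE_VDIR %VDIR%
%ADSUTIL% SET %VDIR%/Path "C:\Tools\PKIFiles"
%ADSUTIL% SET %VDIR%/AccessRead TRUE

rem Tasks 5 and 6 (first pass): no anonymous access, Basic authentication only,
rem and SSL with 128-bit ciphers required so the Basic credentials never travel
rem in the clear.
%ADSUTIL% SET %VDIR%/AuthAnonymous FALSE
%ADSUTIL% SET %VDIR%/AuthBasic TRUE
%ADSUTIL% SET %VDIR%/AccessSSL TRUE
%ADSUTIL% SET %VDIR%/AccessSSL128 TRUE

rem Tasks 8 and 9: require a client certificate and map it to a user account.
rem With every password method cleared, a failed certificate logon cannot fall
rem back to a Basic or Integrated authentication prompt.
%ADSUTIL% SET %VDIR%/AccessSSLNegotiateCert TRUE
%ADSUTIL% SET %VDIR%/AccessSSLRequireCert TRUE
%ADSUTIL% SET %VDIR%/AccessSSLMapCert TRUE
%ADSUTIL% SET %VDIR%/AuthBasic FALSE
%ADSUTIL% SET %VDIR%/AuthNTLM FALSE

rem Task 10: let IIS map client certificates to Active Directory accounts
rem (the Windows directory service mapper is a server-wide W3SVC property).
%ADSUTIL% SET W3SVC/SSLUseDSMapper TRUE

rem Check: dump the Access*/Auth* values now in effect for the virtual directory,
rem then verify that the server certificate chains to the VAN-VPN1 root.
%ADSUTIL% ENUM %VDIR%
certutil -verifystore MY
endlocal
```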
Note: Perform the following steps on the VAN-CL1 computer.

11. Acquire a user certificate using the Certificates console (Certmgr.msc).
   a. Click Start, click Run, type Certmgr.msc and then click OK.
      The Certificates console opens.
   b. In the left-hand console tree pane, click Personal.
   c. Right-click Personal, point to All Tasks, and then click Request New Certificate.
   d. On the Welcome to the Certificate Request Wizard page, click Next.
   e. On the Certificate Types page, in the Certificate types list, select User, and then click Next.
   f. On the Certificate Friendly Name and Description page, in the Friendly name box, type Web Authentication and then click Next.
   g. On the Completing the Certificate Request Wizard page, click Finish.
   h. In the Certificate Request Wizard message box, click OK.
      Verify that a certificate is displayed with the friendly name Web Authentication.
   i. Close the Certificates console.
12. Test the Security Web page. In Internet Explorer, open https://VAN-DC1.NWTraders.msft/security.
   a. Open Internet Explorer.
   b. In the Address bar, type https://VAN-DC1.NWtraders.msft/security, and then press ENTER.
   c. If a Security Alert is displayed, click OK.
   d. In the Choose a digital certificate dialog box, click View Certificate.
      Notice that the certificate is issued to Don Hall and is valid for 1 year.
   e. Click OK.
   f. In the Choose a digital certificate dialog box, select the User certificate and then click OK.
      The Security Web site is displayed with the lock icon indicating an SSL connection.
   g. Close Internet Explorer.
13. Shut down computers.
   a. Shut down all Virtual PC computers without saving the changes.
