Professional Documents
Culture Documents
JMS_2006_Guide_Lab_PKI_(SMIME_SSL)
JMS_2006_Guide_Lab_PKI_(SMIME_SSL)
You are the network administrator for Northwind Traders. To increase security
you are required to implement a Windows Server 2003 public key infrastructure
(PKI). In this lab, you will see how to build the PKI infrastructure, how to
implement certificates for Secure Sockets Layer (SSL)-enhanced Web sites and
how certificates can be deployed to enable client authentication and improve e-
mail security.
A portion of the Northwind Traders network infrastructure is illustrated below:
This lab uses the following computers: VAN-DC1, VAN-VPN1 and VAN-
CL1. VAN-VPN1 will be configured as a standalone root Certification
Authority (CA). VAN-DC1 will be configured as an Enterprise Subordinate
CA.
Before you begin the lab, you must start the VAN-DC1 and VAN-SRV1
computers. Start the other computers when indicated.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
Lab Setup
To complete each lab module, you need to review the following:
Virtual PC
This lab uses Microsoft Virtual PC 2004, an application that allows you to run
multiple virtual computers on one physical computer. During the lab, you will
switch among different windows, each of which contains a separate virtual
machine.
Before you start the lab, familiarize yourself with the following basics of
Virtual PC:
Task Procedure
To switch the focus for your mouse and Click inside the virtual machine window.
keyboard to the virtual machine
To remove the focus from a virtual Move the mouse pointer outside the
machine virtual machine window.
To issue the CTRL+ALT+DELETE Use the <RIGHT>ALT+DELETE
keyboard combination inside a virtual keyboard combination. In Virtual PC, the
machine <RIGHT>ALT key is called the host key.
To make the virtual machine window Drag the lower-right corner of the
larger window.
To switch to full-screen mode, and to Press the <RIGHT>ALT+ENTER
return from full-screen mode keyboard combination.
To complete this lab, you need to start the virtual machines and then log on to
the computers. In each exercise, you have to start only the virtual machines that
are needed.
Exercise 1
Creating a Certification Authority Hierarchy
In this exercise you create a standalone root CA for Northwind Traders. You begin by modifying a
CAPolicy.inf file to assist in the custom installation of the service. You will also perform post-
installation tasks such as defining the Certification Revocation List Distribution Point (CDP) and
Authority Information Access (AIA) extensions for issued certificates as well as configuring the
publishing interval for certificate revocation lists.
Scenario
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 3
To meet the design requirements of your PKI solution, you need to implement a standalone root
CA. This CA will be used to enroll subordinate Enterprise Issuing CAs.
Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.
By defining the CDP and AIA URLs as empty, you ensure that
applications do not check the root CA certificate for revocation.
f. Save all changes, and then close capolicy.inf.
g. Close all open windows.
3. Install the standalone CA. a. Click Start, point to Control Panel, and then click Add or Remove
CA Type: Stand-alone Root Programs.
CA b. In the Add or Remove Programs window, click Add/Remove
CSP: Microsoft Strong Windows Components.
Cryptographic Provider After a few moments the Windows Components Wizard opens.
Hash algorithm: SHA-1 c. Select the check box next to Certificate Services.
Key length: 4096 A Microsoft Certificate Services message states that the machine
name and domain membership may not be changed.
Common Name: VAN-
VPN1 d. Click Yes to continue.
Validity Period: 20 Years e. In the Windows Components dialog box, click Next.
f. In the CA Type dialog box, select Stand-alone root CA.
g. Select the Use custom settings to generate the key pair and CA
certificate check box, and then click Next.
h. On the Public and Private Key Pair page, set the following options and
then click Next:
CSP: Microsoft Strong Cryptographic Provider
Hash algorithm: SHA-1
Key length: 4096
i. In the CA Identifying Information dialog box, enter the following and
then click Next:
Common name for this CA: VAN-VPN1.
Validity Period: 20 Years
j. On the Certificate Database Settings dialog box, accept the defaults and
then click Next.
A Microsoft Certificate Services message states that Internet
Information Services must be temporarily stopped.
k. In the Microsoft Certificate Services prompt, click Yes.
The Configuring Components page shows the progress of the
component configuration and installation.
l. When the Insert Disk prompt displays, click OK.
m. In the Files Needed dialog box, click the Browse button.
n. Browse to C:\Win2k3\I386 and then click Open.
o. In the Files Needed dialog box, click OK.
The component configuration continues. This may take a few
minutes to complete.
p. When the Microsoft Certificate Services prompt is displayed click Yes
to enable Active Server Pages.
q. On the Completing the Windows Components Wizard page, click
Finish.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 5
8. Publish the CRL and CA a. Log on to VAN-DC1 as Administrator with the password P@ssw0rd.
certificate for the offline root f. Start Windows Explorer and then browse to the C:\Inetpub\wwwroot
CA to the LDAP and HTTP folder.
locations.
g. Under the wwwroot folder, create a new subfolder named Legalpolicy.
h. Browse to C:\Tools\PKIFiles.
i. In the PKIFiles folder, right-click and copy rootcps.htm.
Browse to C:\inetpub\wwwroot\legalpolicy and then paste the
rootcps.htm in to the folder.
9. Copy the contents of \\ a. Browse to and click C:\Inetpub\wwwroot.
Computer\admin$\ system32\ j. Create a new subfolder named CertData.
certsrv\Certenroll to the C:\
inetpub\wwwroot\ CertData k. Click Start, and then click Run.
folder. l. In the Open box, type \\VAN-VPN1\admin$. Click OK.
m. In Windows Explorer, double-click System32, double-click Certsrv, and
then double-click Certenroll.
n. Copy all files in the \\VAN-VPN1\admin$\system32\ Certsrv\
Certenroll share to C:\inetpub\wwwroot\CertData.
These files include the Certificate Revocation List and the Security
Certificate for VAN-VPN1.
o. Close all open windows.
10. View the Certificate Practice a. Open Internet Explorer.
Statement b. In the Address bar, type http://VAN-DC1.nwtraders.msft/
Legalpolicy/rootcps.htm, and then press ENTER.
The sample Certificate Practice Statement is displayed.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 7
Exercise 2
Implementing a Subordinate Enterprise CA
In this exercise, you configure a subordinate Enterprise CA below the Northwind Traders stand-
alone Root CA. You will also use the PKI Health Tool to validate CRL and AIA publication points.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
Scenario
You have just completed the installation and configuration of the stand-alone Root CA for
Northwind Traders. The next step is to install and configure the Enterprise Subordinate CA.
Note: This exercise uses the following computers: VAN-DC1 and VAN-VPN1.
1. Install Certificates Services a. If necessary, log on to VAN-DC1 as Administrator with the password
with the following options, and P@ssw0rd.
then save the request to a file b. Click Start, point to Control Panel, and then click Add or Remove
named a:\request.req. Programs.
CA Type: Enterprise c. In the Add or Remove Programs window, click Add/Remove Windows
subordinate CA Components.
CSP: Microsoft Strong After a few moments the Windows Components Wizard opens.
Cryptographic Provider
d. Select the check box next to Certificate Services.
Hash algorithm: SHA-1
A Microsoft Certificate Services message states that the machine
Key length: 2048 name and domain membership may not be changed.
Common name: Northwind e. Click Yes to continue.
Traders CA
f. In the Windows Components dialog box, click Next.
g. In the CA Type dialog box, select Enterprise subordinate CA.
h. Select the Use custom settings to generate the key pair and CA
certificate check box, and then click Next.
i. On the Public and Private Key Pair page, set the following options and
then click Next:
CSP: Microsoft Strong Cryptographic Provider
Hash algorithm: SHA-1
Key length: 2048
j. In the CA Identifying Information dialog box, enter the following and
then click Next:
Common name for this CA: Northwind Traders CA.
Notice that the Validity period is determined by the parent CA.
k. On the Certificate Database Settings page, accept the default settings,
and then click Next.
l. On the CA Certificate Request page, click Save the request to a file.
Saving the request to a file would provide the ability to transfer
this request to an offline Root CA using removable storage, such
as a floppy disk or USB digital drive.
m. In the Request file box, type c:\request.req, and then click Next.
n. In the Microsoft Certificate Services message, click Yes to temporarily
stop Internet Information Services.
o. When the Insert Disk dialog box appears, click OK.
p. In the Files Needed dialog box, browse to C:\Win2k3\I386 and then
click Open.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 9
5. Install the CA certificate in a. Click Start, point to Administrative Tools, and then click
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
Exercise 3
Deploying Certificates to Secure E-mail
In this exercise, you learn how to configure certificate templates which can be used to implement
secure e-mail communication. You will also configure and test certificate autoenrollment.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 11
Scenario
To increase the security of email communication for specific users in your organization, you have
decided to implement S/MIME certificates to be used to encrypt and digitally sign e-mail messages.
Your first task is to create and enable two custom certificate templates; one to be used for
encryption and the other to be used for digital signing. You must then determine the best way to
deploy the certificates to your users. Since you have Windows XP Professional clients,
autoenrollment is a practical choice..
Note: This exercise uses the following computers: VAN-DC1, VAN-VPN1, and VAN-CL1.
1. Create a security group for a. If necessary, log on to VAN-DC1 as Administrator with the password
users that require secure e- P@ssw0rd.
mail. b. Click Start, point to Administrative Tools, and then click Active
Directory Users and Computers.
c. In the left-hand console tree pane, right-click Users, point to New, and
then click Group.
The New Object – Group dialog box is displayed.
d. In the Group Name box, type SecureMailUsers.
e. Configure the following additional settings:
Group Scope: Global
Group Type: Security
f. Click Next.
g. Do not create an Exchange e-mail address for the group. Click Next.
h. Click Finish.
i. In the console tree pane, click the Users container.
j. In the details pane, right-click SecureMailusers and then click
Properties.
k. In the SecureMailUsers Properties dialog box, click the Members tab.
l. Click Add.
m. In the Select Users, Contacts, Computers, or Groups dialog box, type
Kim and Don separated by a semi-colon (;). Click OK.
Don Hall and Kim Akers are added as members of the
SecureMailUsers security group.
n. Click OK to close the SecureMailUsers Properties dialog box.
d. In the New GPO dialog box, type Secure Mail Policy. Click OK.
e. In the details pane, double-click Secure Mail Policy.
f. On the Scope tab, under Security Filtering, click Add.
g. In the Select User, Computer, or Group dialog box, type
SecureMailUsers and then click OK.
h. Click Authenticated Users and then click Remove. Click OK.
i. In the console tree pane, right-click Secure Mail Policy and then click
Edit.
j. In Group Policy Object Editor, expand User Configuration,
Windows Settings, Security Settings, and then click Public Key
Policies.
k. In the details pane, double-click Autoenrollment Settings.
l. In the Autoenrollment Settings Properties dialog box, enable the
following options and then click OK:
Enroll certificates automatically
Renew expired certificates, update pending certificates, and
remove revoked certificates
Update certificates that use certificate templates
m. Close the Group Policy Object Editor.
n. In the console tree pane, right-click NWtraders.msft.
o. Click Link an Existing GPO.
p. In the Select GPO dialog box, click Secure Mail Policy and then click
OK.
q. Close the Group Policy Management console.
3. Update Group Policy. a. Open a command prompt.
b. At the command prompt, type gpupdate /force and then press ENTER.
c. Close the command prompt.
Note: Perform the following steps on the VAN-VPN1 computer.
4. Open the Certificate Template a. If necessary, log on to VAN-VPN1 as Administrator with the password
console and create a new of P@ssw0rd.
certificate template called b. Click Start, click Run, type Certtmpl.msc and then click OK.
SMIMESign based on the
Exchange Signature Only c. In the details pane, right-click Exchange Signature Only, and then
certificate template. click Duplicate Template.
d. In the Properties of New Template dialog box, in the Template
display name box, type SMIMESign and then click OK.
5. In the SMIMESign certificate a. In the details pane, double-click SMIMESign.
template, configure the b. In the SMIMESign Properties dialog box, on the General tab, select
following: the Publish certificate in Active Directory check box, select the Do not
Publish in Active automatically reenroll if a duplicate certificate exists in Active
Directory check box, and then click Apply.
Directory.
c. On the Request Handling tab, click Prompt the user during
Do not automatically
enrollment and require user input when the private key is used, and
reenroll if a duplicate then click Apply.
certificate exists in Active
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 13
Directory. The option to prompt the user during enrollment enables the user
to be notified that a certificate is being installed on their machine.
Prompt the user during
The require user input when the private key is used option forces
enrollment and require
the user to provide a password each time the certificate is used.
user input when the
You may want to enable this second option to increase security at
private key is used.
the time the certificate is used.
6. Add the Medium Assurance a. On the Extensions tab, click Issuance Policies, and then click Edit.
issuance policy OID. b. In the Edit Issuance Policies Extension dialog box, click Add.
c. In the Add Issuance Policy dialog box, click Medium Assurance, and
then click OK.
d. In the Edit Issuance Policies Extension dialog box, click OK.
e. On the Extensions tab, click Apply.
7. On the Subject name tab a. On the Subject Name tab, click Build from this Active Directory
configure the following: information, and then configure the following:
Subject name format: Fully Subject name format: Fully distinguished name
distinguished name Include e-mail name in subject name: Enabled
Include e-mail name in E-mail name: Enabled
subject name: Enabled
User principal name (UPN): Enabled
E-mail name: Enabled
b. On the Subject name tab, click Apply.
User principal name (UPN):
Enabled
8. On the Security tab, assign the a. On the Security tab, click Add.
SecureMailUsers group Read, b. In the Select Users, Computers, or Groups dialog box, in the text box,
Enroll, and Autoenroll type SecureMailUsers and then click OK.
permissions. c. In the Group or user names list, select SecureMailUsers, assign the
SecureMailUsers group Read, Enroll, and Autoenroll permissions, and
then click OK.
9. Create a new certificate a. In the details pane, right-click Exchange User, and then click Duplicate
template named Template.
SMIMEEncrypt, based on the b. In the Properties of New Template dialog box, in the Template display
Exchange User certificate name box, type SMIMEEncrypt and then click OK.
template. Configure the
following: c. In the details pane, double-click SMIMEEncrypt.
Publish certificate in Active d. In the SMIMEEncrypt Properties dialog box, on the General tab,
Directory. select the Publish certificate in Active Directory check box, select the
Do not automatically reenroll if a duplicate certificate exists in
Do not automatically Active Directory check box, and then click Apply.
reenroll if a duplicate
certificate exists in Active e. On the Request Handling tab, click Prompt the user during
Directory. enrollment and require user input when the private key is used, and
then click Apply.
Prompt the user during
enrollment and require user
input when the private key is
used.
10. On the Extensions tab, add the a. On the Extensions tab, click Issuance Policies, and then click Edit.
Medium Assurance issuance b. In the Edit Issuance Policies Extension dialog box, click Add.
policy OID.
c. In the Add Issuance Policy dialog box, click Medium Assurance, and
then click OK.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
14. Configure NWTradersCA to a. Click the Start menu, point to Administrative Tools, and then click
issue the SMIMEEncrypt Certification Authority.
and SMIMESign certificate b. In the console tree pane, expand NWTradersCA, and then click
templates. Certificate Templates.
c. In the console tree pane, right-click Certificate Templates, point to
New, and then click Certificate Template to Issue.
d. In the Enable Certificate Templates dialog box, click
SMIMEEncrypt, press CTRL and click SMIMESign, and then click
OK.
e. In the details pane, ensure that SMIMEEncrypt and SMIMESign
appear.
f. Close the Certification Authority.
15. Update Group Policy. a. Open a command prompt.
b. At the command prompt, type gpupdate /force and then press ENTER.
c. Close the command prompt.
Note: Perform the following steps on the VAN-CL1 computer.
16. Log on to the domain as a. Log on to VAN-CL1 as Don with the password P@ssw0rd.
Don Hall.
17. Update Group Policy. a. Open a command prompt.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 15
b. At the command prompt, type gpupdate /force and then press ENTER.
c. Close the command prompt.
18. Start the Certificate a. In the notification area, click the Certificate Enrollment balloon.
Autoenrollment process. If the certificate enrollment balloon does not appear, wait for
approximately 90 seconds. If it does not appear after 90 seconds
log off and log back on as Don. It is important that Don is
registered as a member of the SecureMailUsers security group. If
you receive any additional error messages upon logon, click OK
to close the message.
b. In the Certificate Enrollment dialog box, click Start.
This first enrollment process is for the SMIMESign certificate. It
will be configured to require a password each time the certificate
is used.
c. In the Creating a new RSA signature key dialog box, click Set
Security Level.
d. Click the button next to High. Click Next.
e. In the Creating a new RSA signature key dialog box, in the Password
and Confirm boxes, type P@ssw0rd and then click Finish.
f. In the Creating a new RSA signature key dialog box, click OK.
The next sets of steps enroll the SMIMEEncrypt certificate. The
configuration will be set to Medium security level to only request
permission to use the encryption key.
g. In the Creating a new RSA exchange key, click Set Security Level.
h. Click the button next to Medium. Click Next.
i. In the Creating a new RSA exchange key dialog box, click Finish.
j. Click OK to close the Creating a new RSA exchange key dialog box.
19. View the security settings a. Click Start, and then click E-mail.
for Outlook 2003. b. Click the Tools menu, and then click Options.
c. Click the Security tab.
d. Under Encrypted e-mail, click the Settings button.
Notice that S/MIME has been configured using SHA1 and 3DES
as the Hash and Encryption algorithm.
e. Click Cancel to close the Change Security Settings dialog box.
f. Click Cancel to close the Options dialog box.
20. Send a digitally signed e- a. Click the New button.
mail message. b. In the To: box type Kim.
c. In the subject box type Signed e-mail.
d. In the message body type: This is a test for signed e-mail.
e. Click the Options button.
f. In the Message Options dialog box, click Security Settings.
g. Select the check box next to Add digital signature to this message.
h. Click OK.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
Exercise 4
Securing Web Sites Using SSL Encryption
In this exercise, you will learn how to install a Web Server certificate. You will also enforce SSL
encryption on the Web site’s virtual directory to ensure that communication is secure. Finally you
will enable client certificate mapping to provide the ability for user certificates to be used for Web
site authentication.
Scenario
Northwind Traders requires authentication in order to access their company web site. In order to
encrypt logon credentials, you have to implement SSL certificates on the Web server.
Note: This lab exercise uses the following computers: VAN-DC1 and VAN-CL1.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
1. In the Internet Information a. If necessary, log on to VAN-DC1 as Administrator with the password
Services (IIS) Manager P@ssw0rd.
console, browse to the default b. On the Start menu, point to Administrative Tools, and then click
Web site. Internet Information Services (IIS) Manager.
c. In the console tree pane, expand VAN-DC1 (local computer), expand
Web Sites, and then click Default Web Site.
2. Enable SSL by running the a. Right-click Default Web Site, and then click Properties.
Web Server Certificate b. In the Default Web Site Properties dialog box, on the Directory
Wizard with the following Security tab, click Server Certificate.
options:
c. On the Welcome to the Web Server Certificate Wizard page, click
Create a new certificate Next.
Send the request
d. On the Server Certificate page, click Create a new certificate, and then
immediately to an online
certification authority click Next.
Organization: Northwind e. On the Delayed or Immediate Request page, click Send the request
Traders immediately to an online certification authority, and then click Next.
Organizational unit: f. On the Name and Security Settings page, accept the default settings, and
Corporate then click Next.
Common name: VAN- g. On the Organization Information page, in the Organization box, type
DC1.NWtraders.msft Northwind Traders.
Country/Region: CA h. In the Organizational unit box, type Corporate and then click Next.
(Canada)
i. On the Your Site’s Common Name page, in the Common name box,
State/province: BC
type VAN-DC1.NWtraders.msft, and then click Next.
City/locality: Vancouver
j. On the Geographical Information page, in the Country/Region
SSL port: 443 dropdown list, select CA (Canada).
Certification authority: k. In the State/province box, type BC.
default
l. In the City/locality box, type Vancouver and then click Next.
m. On the SSL Port page, accept the default setting (443), and then click
Next. On the Choose a Certification Authority page, accept the CA that
is presented, and then click Next.
n. On the Certificate Request Submission page, click Next.
o. On the Completing the Web Server Certificate Wizard page, click
Finish.
3. Verify that the certificate has a. In the Secure communications section, click View Certificate.
been installed. The Certificate is displayed. Notice that it is valid for two years.
b. Click the Certification Path tab.
Notice that the certificate trusts the entire certification path
including Northwind Traders CA and VAN-VPN1.
c. Click OK.
d. Click OK to close the Default Web Site Properties dialog box.
4. Create a new virtual directory a. Right-click Default Web Site, point to New, and then click Virtual
named Security that refers to Directory.
C:\Tools\PKIFiles. The Virtual Directory Creation Wizard starts.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 19
7. Test the security web page. In a. If necessary, log on to VAN-CL1 as Don with the password P@ssw0rd.
Internet Explorer, open b. Open Internet Explorer.
https://VAN-
DC1.NWTraders.msft/ c. In the Address bar, type https://VAN-DC1.NWtraders.msft/security,
security. and then press ENTER.
d. If a Security Alert is displayed, click OK.
e. In the Connect to van-dc1.nwtraders.msft dialog box enter the following
information and then click OK:
User name: Don
Password: P@ssw0rd
After a few moments, the security Web page is displayed. Notice the
lock icon in the bottom right-hand corner of Internet Explorer.
f. Double-click the lock icon.
The VAN-DC1.NWtraders.msft certificate information is displayed.
g. Click OK to close the Certificate information.
h. Close Internet Explorer.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated
8. Enable certificate mapping a. In the IIS Manager console tree pane, right-click Security, and then click
for the Security Web site. Properties.
Configure the properties of b. In the Security Properties dialog box, on the Directory Security tab,
the Security virtual under Secure communications, click Edit.
directory with the following c. In the Secure Communications dialog box, click Require client
options: certificates.
Require client certificates d. In the Secure Communications dialog box, click Enable client
Enable client certificate certificate mapping, and then click OK.
mapping e. In the Security Properties dialog box, click Apply.
9. Clear the check boxes for all a. In the Security Properties dialog box, on the Directory Security tab, in
forms of authentication for the Authentication and access control section, click Edit.
the Security Web site. b. In the Authentication Methods dialog box, clear all authentication
method check boxes, and then click OK.
Clearing all of the check boxes prevents Internet Explorer from
presenting a user authentication dialog box if the certificate-based
authentication fails.
c. In the Security Properties dialog box, click OK.
10. In the Web site’s properties, a. In the console tree pane, right-click Web Sites, and then click Properties.
activate the Windows b. In the Web Sites Properties dialog box, on the Directory Security tab,
directory service mapper. click Enable the Windows directory service mapper, and then click
OK.
c. In the Inheritance Overrides dialog box, click Cancel.
d. Close Internet Information Services (IIS) Manager.
e. Close all open windows and log off.
Note: Perform the following steps on the VAN-CL1 computer.
11. Acquire a user certificate a. Click Start, click Run, type Certmgr.msc and then click OK.
using the Certificates console The Certificates console opens.
(Certmgr.msc).
b. In the left-hand console tree pane, click Personal.
c. Right-click Personal, point to All Tasks, and then click Request New
Certificate.
d. On the Welcome to the Request Wizard page, click Next.
e. On the Certificate Types page, in the Certificate types list, select User,
and then click Next.
f. On the Certificate Friendly Name and Description page, in the
Friendly name box, type Web Authentication and then click Next.
g. On the Completing the Certificate Request Wizard page, click Finish.
h. In the Certificate Request Wizard message box, click OK.
Verify that a certificate is displayed with the Friendly name Web
Authentication.
i. Close the Certificates console.
12. Test the security web page. a. Open Internet Explorer.
Hands-on Lab JMS 2006 | Public Key Infrastructure (PKI) Illustrated 21