Deploying and Managing Certificates
Module Overview
Configuring Certificate Templates
Deploying Certificates by Using AD CS
Deploying Certificates by Using Autoenrollment
Revoking Certificates
Configuring Certificate Recovery
Certificate template versions
Version 2:
Allows customization of most settings in the template.
Several preconfigured templates are provided when a CA is installed.
Version 3:
Supports advanced Suite B cryptographic settings.
Includes advanced options for encryption, digital signatures, key exchange, and hashing.
Only supports Windows Server 2008 and Windows Vista.
Template categories
Single Purpose: Basic Encrypting File System (EFS), Authenticated Session, Smart Card Logon
Multiple Purposes: Administrator, User, Smart Card User
Templates for users and computers: Web Server, Computer, IPSec, Domain Controller
Figure: modifying a template (original and updated versions) versus superseding a template.
Smart Cards
Two-factor authentication
Web Service
What Is NDES?
Figure: a digital certificate carries subject information and CA information; the certificate is expired, renewed, or revoked.
Enrollment methods:
Autoenrollment
Manual Enrollment
Web Enrollment
Enrollment Agents
Step 2: Connect to http://ServerName/certsrv by using a Web browser.
Step 4: Type or verify your identification.
Manual enrollment methods: Certificates MMC, Web Server, NDES
What Is NDES?
Figure: a network router enrolls for a certificate from the CA through NDES over the network.
NDES: requires IIS.
organization?
Functioning of Autoenrollment
A certificate template is configured to grant the Read, Enroll, and Autoenroll permissions to the users who receive the certificates.
Revocation reasons:
Key compromise
CA compromise: a CA certificate is compromised.
Affiliation change
Superseded
Cessation of operation
Certificate hold
Unspecified
Configure the CA
Create a Revocation Configuration
The tool used depends upon the certificate template upon which the certificate is based.
Figure: key recovery process (Serial #: 00AD036).
The Certificate Manager finds the serial number of the certificate.
The Certificate Manager extracts the PKCS #7 from the CA.
The Certificate Manager transfers the PKCS #7 to the KRA.
Logon information
Virtual machine: 6426B-HQDC01-B
User name: Contoso\Administrator
Password: Pa$$w0rd
Lab Scenario
Now that you have deployed an AD CS infrastructure, your IT Director