Title: Windows 2000 Public Key Infrastructure and Certificate Services Duane Crider Support Professional Mi
1. Windows 2000 Public Key Infrastructure and Certificate Services
Duane Crider, Support Professional, Microsoft Corporation
2. Public Key Infrastructure
- Certificate Authorities
- Digital Signatures
- Authentication
- File Encryption
- IP Security
- Secure E-mail
3. Symmetric vs. Asymmetric Encryption
- Symmetric encryption (secret-key encryption): one shared key both encrypts and decrypts, so the key must be delivered to every party in advance
- Asymmetric encryption (public-key encryption): a key pair, where the public key can be published freely and the private key never leaves its owner
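The contrast on this slide, as an added example written for this page (not code from the deck): textbook RSA on two small, assumed demo primes with no padding, beside a shared-secret HMAC. The RSA part shows why the private key alone can sign or decrypt while anyone with the public key can verify or encrypt; the HMAC part shows that the symmetric side only works once both parties already hold the same key. Primes, message and key bytes are constructed for the demo and the RSA here is not usable cryptography.

```python
"""Symmetric (shared-secret) vs. asymmetric (key-pair) operations, side by side.
Added example for this page, not code from the deck: textbook RSA on small primes
with no padding, so it illustrates the mechanics only and is not usable crypto."""
import hashlib
import hmac

# Assumed demo primes: far too small for real use, where p and q are ~1024 bits each.
P = 1_000_000_007
Q = 1_000_000_009
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d)); d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); requires gcd(e, phi) == 1
    return (n, e), (n, d)


def encrypt(public, m):
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def digest_int(msg, n):
    """Hash the message and reduce it into [0, n); the reduction is only needed because n is tiny."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private, msg):
    """Signing is the private-key operation applied to the message digest."""
    n, d = private
    return pow(digest_int(msg, n), d, n)


def verify(public, msg, signature):
    """Verification needs only the public key: recover the digest and compare."""
    n, e = public
    return pow(signature, e, n) == digest_int(msg, n)


def symmetric_tag(shared_key, msg):
    """Secret-key integrity check: both sides must already hold the same key."""
    return hmac.new(shared_key, msg, hashlib.sha256).hexdigest()


def symmetric_check(shared_key, msg, tag):
    return hmac.compare_digest(symmetric_tag(shared_key, msg), tag)


if __name__ == "__main__":
    public, private = make_keypair()
    msg = b"constructed sample message"      # constructed sample input
    sig = sign(private, msg)
    print("signature verifies:", verify(public, msg, sig))
    print("tampered message verifies:", verify(public, msg + b"!", sig))
    print("round trip:", decrypt(private, encrypt(public, 4242)) == 4242)
    key = b"shared-secret-key"               # constructed; must be distributed out of band
    print("HMAC with same key:", symmetric_check(key, msg, symmetric_tag(key, msg)))
    print("HMAC with other key:", symmetric_check(b"other-key", msg, symmetric_tag(key, msg)))
```

The verifier of the RSA signature never sees `d`, which is exactly what lets a CA publish its public key in a certificate while keeping the signing key offline; the HMAC check fails with any key other than the one used to create the tag, which is the key-distribution problem the rest of the deck solves with certificates.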
4. Public Key Cryptography Standards (PKCS)
- PKCS #7: Cryptographic Message Syntax Standard (signed and enveloped data, including the certificate chain a CA returns with an issued certificate)
- PKCS #10: Certification Request Syntax Standard (the signed request a client submits to a CA)
- PKCS #12: Personal Information Exchange Syntax Standard (a password-protected bundle of a certificate and its private key)
5. Overall Picture of Public Key Infrastructure
6. Windows 2000 Certificate Services
- Issues, manages, renews, and revokes certificates
- Part of the public-key infrastructure implementation as Certificate Authorities (CAs)
- Allows businesses to act as their own CAs to issue and manage digital certificates
7. Enhancements Since 1.0
- New Microsoft Management Console (MMC) snap-in for manageability
- Smart card, Encrypting File System (EFS), and Internet Protocol security (IPSec) certificate usage types
- Integration with Windows 2000 for native certificate support
- CA hierarchies
9. Digital Certificates
- A collection of data used for authentication and secure transfer of information across unsecured systems
- Binds the identity of the certificate holder (the requestor, as verified by the issuing CA) to a public key
- Typically issued and signed by a CA within a public key system
10. Certificate Contents
- Version
- Serial number
- Signature algorithm ID
- Issuer name
- Validity period
- Subject (user) name
- Subject public key information
- Issuer unique identifier
- Subject unique identifier
- Extensions
- Issuer signature
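The field order on this slide is the ASN.1 layout of an X.509 certificate, and the simplest way to see it is to build one and read it back. The following is an added example written for this page (not code from the deck): a minimal DER encoder and decoder, a constructed root-style certificate with placeholder public key and signature bytes (so the structure is real but the cryptography is not), and a parser that maps each TBSCertificate member to the slide's field names, including the optional version and unique-identifier members that are recognised by their context tag rather than by position.

```python
"""The X.509 field layout listed on this slide, built with a minimal DER (ASN.1)
encoder and then read back. Added example for this page, not code from the deck:
the key and signature bytes are placeholders, so only the structure is real."""
from datetime import datetime

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11 sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # OID 1.2.840.113549.1.1.1 rsaEncryption
CN_OID = bytes.fromhex("550403")                  # OID 2.5.4.3 commonName
BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # OID 2.5.29.19 basicConstraints

def der_len(n):
    """Short form below 128, else 0x80 | byte-count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # minimal bytes, sign bit clear

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN here
    return der_seq(tlv(0x31, der_seq(tlv(0x06, CN_OID), tlv(0x13, cn.encode("ascii")))))

def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def der_bitstring(b):
    return tlv(0x03, b"\x00" + b)  # first byte: count of unused bits

def ctx(n, body):
    return tlv(0xA0 | n, body)     # [n] EXPLICIT context-specific tag

def build_certificate(serial, issuer_cn, subject_cn, not_before, not_after, pubkey, signature):
    alg = der_seq(tlv(0x06, SHA256_RSA), tlv(0x05, b""))  # AlgorithmIdentifier with NULL params
    basic_constraints = der_seq(tlv(0x06, BASIC_CONSTRAINTS), tlv(0x01, b"\xff"),  # critical
                                tlv(0x04, der_seq(tlv(0x01, b"\xff"))))          # cA = TRUE
    tbs = der_seq(                                              # TBSCertificate, in slide order
        ctx(0, der_int(2)),                                     # version (v3 is encoded as 2)
        der_int(serial),                                        # serial number
        alg,                                                    # signature algorithm ID
        der_name(issuer_cn),                                    # issuer name
        der_seq(der_utctime(not_before), der_utctime(not_after)),  # validity period
        der_name(subject_cn),                                   # subject name
        der_seq(der_seq(tlv(0x06, RSA_ENC), tlv(0x05, b"")), der_bitstring(pubkey)),  # public key info
        # issuer ([1]) and subject ([2]) unique identifiers are optional and left out
        ctx(3, der_seq(basic_constraints)),                     # extensions
    )
    return der_seq(tbs, alg, der_bitstring(signature))          # Certificate: tbs, algorithm, signature

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """(tag, value) pairs for the TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                return value.decode("ascii")
    return None

def parse_certificate(cert):
    """Map TBSCertificate members to the field names on the slide."""
    (_, tbs), (_, _sig_alg), (_, sig) = der_children(der_read(cert)[1])
    in_order = iter(["serial_number", "signature_algorithm", "issuer", "validity",
                     "subject", "subject_public_key_info"])
    tagged = {0xA0: "version", 0x81: "issuer_unique_id", 0x82: "subject_unique_id", 0xA3: "extensions"}
    raw = {}
    for tag, val in der_children(tbs):
        raw[tagged.get(tag) or next(in_order)] = val   # optional members are recognised by tag
    return {
        "version": int.from_bytes(der_read(raw["version"])[1], "big") + 1 if "version" in raw else 1,
        "serial_number": int.from_bytes(raw["serial_number"], "big"),
        "issuer_cn": common_name(raw["issuer"]),
        "validity": [v.decode("ascii") for _, v in der_children(raw["validity"])],
        "subject_cn": common_name(raw["subject"]),
        "extensions_present": "extensions" in raw,
        "issuer_unique_id_present": "issuer_unique_id" in raw,
    }

# Constructed sample: a root-style certificate with placeholder key and signature bytes
SAMPLE_CERT = build_certificate(
    serial=0x1001, issuer_cn="Example Root CA", subject_cn="Example Root CA",
    not_before=datetime(2000, 2, 17), not_after=datetime(2005, 2, 17),
    pubkey=b"\x30\x03\x02\x01\x03",  # placeholder, not a real RSAPublicKey
    signature=b"\x00" * 8,           # placeholder; a real CA signs the TBS bytes with its private key
)
```

`parse_certificate(SAMPLE_CERT)` returns version 3, serial 0x1001, the two names, the two UTCTime strings, and flags for the optional members; a v1 certificate, which has no `[0]` version member, parses to version 1 by the same code path. The signature algorithm appears twice in a real certificate, once inside the signed TBS and once outside it, and a verifier should check that both agree.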
11. Uses for Certificates
- Encrypting File System (EFS, recovery agents, and so on)
- IPSec (encrypting protocol-based communication)
- Digitally signed and encrypted e-mail messages
- Smart card logon
- Secure Sockets Layer (SSL) and Transport Layer Security (TLS) communication
12. Certificate Authorities
- Responsible for issuing certificates based on a set of established criteria
- Responsible for guaranteeing that the certificates are authentic and valid
- Can be a group within the company or a third-party vendor (for example, VeriSign)
13. Certificate Authority Classes in Windows 2000
- Enterprise CA
  - Requires Active Directory (a Windows 2000 domain controller)
  - Uses Active Directory for certificate templates and publishes issued certificates and revocation lists there
  - Issues certificates inside a corporation
- Stand-Alone CA
  - Does not require a domain controller
  - Maintains its own certificate database; by default, requests are held as pending until an administrator approves them
  - Issues certificates outside an organization
14. Enterprise Certificate Authority Installation Requirements
- Windows 2000 DNS service
- Windows 2000 Directory service
- Administrative privileges on the DNS, directory, and CA servers
15. Enterprise Subordinate Requirements
- Must have a parent CA
- The parent can be an external commercial CA, an enterprise CA, or a stand-alone CA
- Windows 2000 DNS service
- Windows 2000 Directory service
- Administrative privileges on the DNS, Active Directory, and CA servers
16. Stand-Alone Root CA
- Administrative privileges on the local CA server
17. Stand-Alone Subordinate CA
- Must be associated with a parent CA that processes the subordinate CA's requests
- Administrative privileges on the local CA server
18. Root, Intermediate, and Issuing CAs
(Diagram of two CA hierarchies: Root CA 1 and Root CA 2 at the top, Intermediate CA - C in the middle tier, and Issuing CA - A, Issuing CA - B, and Issuing CA - C at the issuing tier)
19. Reasons for CA Hierarchies
- Administrative benefits
  - CA security environment
  - Updates for issuing CA keys/certificates
  - Maintenance
- Operational issues
  - Multiple issuing policies
  - Usability requirements
20. Protecting a Certificate Authority
- Physical Protection
- Key Management
- Restoration
21. Certificate Enrollment
22. Certificate Enrollment Methods
- Web-based enrollment
- Client certificate enrollment
- Automated enrollment
23. Managing Trusts
- Trusts
- Trusted CA roots
- Trust in multiple CA hierarchies
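What "trusted CA roots" and "trust in multiple CA hierarchies" mean in practice is decided by chain building: a certificate is accepted only if its issuer links lead to a self-signed root that is in the trusted root store, and every certificate on that path is inside its validity period and not revoked. The following is an added example written for this page (not code from the deck) that walks the two hierarchies of the root/intermediate/issuing slide. Certificates are simplified records rather than real X.509 objects, the issuing relationships among the named CAs are an assumption for the demo since the original diagram does not survive here, and the end-entity names are constructed. Signature checking on each link, which real path validation must do, is left out.

```python
"""Chain building across two CA hierarchies against a trusted-root set.
Added example for this page, not code from the deck: simplified certificate
records, assumed hierarchy edges, and no signature verification."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date
    is_ca: bool

def build_chain(leaf, store, trusted_roots, max_depth=8):
    """Follow issuer links from leaf up to a self-signed root; that root must be trusted."""
    chain, current = [leaf], leaf
    while current.subject != current.issuer:
        if len(chain) > max_depth:
            raise ValueError("issuer chain too long (loop or unreasonably deep hierarchy)")
        candidates = [c for c in store if c.subject == current.issuer and c.is_ca]
        if not candidates:
            raise ValueError(f"no CA certificate found for issuer {current.issuer!r}")
        current = candidates[0]
        chain.append(current)
    if current not in trusted_roots:
        raise ValueError(f"root {current.subject!r} is not in the trusted root store")
    return chain

def validate(leaf, store, trusted_roots, revoked, today):
    """Return the chain as subject names, or raise ValueError with the reason."""
    chain = build_chain(leaf, store, trusted_roots)
    for cert in chain:
        if not cert.not_before <= today <= cert.not_after:
            raise ValueError(f"{cert.subject!r} is outside its validity period")
        if (cert.issuer, cert.serial) in revoked:   # a CRL lists serials per issuing CA
            raise ValueError(f"{cert.subject!r} has been revoked by {cert.issuer!r}")
    return [c.subject for c in chain]

def check(leaf, store, trusted_roots, revoked, today):
    """Same as validate, returned as (ok, chain_or_reason) for callers that prefer not to catch."""
    try:
        return True, validate(leaf, store, trusted_roots, revoked, today)
    except ValueError as err:
        return False, str(err)

# Constructed sample hierarchy; which root sits above which issuing CA is assumed for the demo.
ROOT1 = Cert("Root CA 1", "Root CA 1", 1, date(2000, 1, 1), date(2020, 1, 1), True)
ROOT2 = Cert("Root CA 2", "Root CA 2", 1, date(2000, 1, 1), date(2020, 1, 1), True)
INTER_C = Cert("Intermediate CA - C", "Root CA 1", 10, date(2000, 1, 1), date(2010, 1, 1), True)
ISSUING_B = Cert("Issuing CA - B", "Root CA 1", 11, date(2000, 1, 1), date(2010, 1, 1), True)
ISSUING_C = Cert("Issuing CA - C", "Intermediate CA - C", 12, date(2000, 1, 1), date(2010, 1, 1), True)
ISSUING_A = Cert("Issuing CA - A", "Root CA 2", 13, date(2000, 1, 1), date(2010, 1, 1), True)
STORE = [ROOT1, ROOT2, INTER_C, ISSUING_B, ISSUING_C, ISSUING_A]

# Constructed end-entity certificates (names are hypothetical)
USER_C = Cert("alice (smart card logon)", "Issuing CA - C", 501, date(2001, 1, 1), date(2002, 1, 1), False)
USER_A = Cert("www.partner.example", "Issuing CA - A", 502, date(2001, 1, 1), date(2002, 1, 1), False)

if __name__ == "__main__":
    today = date(2001, 6, 1)
    print(check(USER_C, STORE, {ROOT1}, set(), today))            # accepted via Root CA 1
    print(check(USER_A, STORE, {ROOT1}, set(), today))            # Root CA 2 is not trusted
    print(check(USER_A, STORE, {ROOT1, ROOT2}, set(), today))     # trusting both hierarchies
    print(check(USER_C, STORE, {ROOT1}, {("Intermediate CA - C", 12)}, today))  # issuing CA revoked
```

Trusting only `Root CA 1` rejects everything under `Root CA 2`, which is the decision behind "trust in multiple CA hierarchies"; adding the second root to the trusted set accepts it. Revoking an issuing CA's certificate (by the pair of issuer and serial that a CRL carries) invalidates every certificate below it, and a non-CA certificate is never accepted as an issuer, so an end entity cannot mint certificates for others.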
24. Further Information
- Windows 2000 Help
- http://www.microsoft.com/windows/server/technical/security/default.asp
- http://www.microsoft.com/security/
- http://www.rsasecurity.com/
- http://www.ietf.org/