98-367 Chapter Eleven

Chapter 11: Understanding Certificates and a PKI

Topics Covered:

  • Understanding a certificate
  • Exploring Components of a PKI

Understanding a Certificate

A certificate is a file used for a variety of security purposes. For example, a certificate may be:

  • Issued to a person, associated with that person's account, and used with a smart card
  • Issued to a device such as a server, mobile device or workstation

Certificates contain information such as:

  • Who it was issued to
  • Who issued it
  • Its purpose(s)
  • Validity dates (including an expiration date)
  • Unique serial number
  • Public key

Common uses for certificates:

  • Authentication: if the certificate is from a trusted entity, the other party can be assured of the holder's identity
  • Encryption: may be used to encrypt and decrypt data
  • Digital Signatures: added to email to provide authentication, integrity, and non-repudiation
  • Code Signing: used to identify/validate the author of the software

Comparing Public and Private Keys

The certificate carries the public key; the matching private key stays with its owner and is never included in the certificate.
If the private key is compromised, the CA can revoke the certificate that holds the matching public key.
Outlook can query Active Directory for a user's certificate in order to encrypt an email to that user, etc.

Understanding Certificate Errors

Clients may check with the CA whether a certificate is still valid: that it has not been revoked, has not expired, etc.

The CA publishes a CRL (Certificate Revocation List). The CRL contains the serial number of every revoked certificate and the date on which it was revoked.

Certificate formatting may differ based on version. CRLs use the version 2 CRL format.

Some errors that indicate a certificate has a problem:

  • This website's security certificate has been revoked: the private key was probably leaked
  • This website's security certificate is out of date: the certificate has expired
  • This website's security certificate isn't from a trusted source: not issued by a trusted CA
  • Internet Explorer has found a problem with this website's security certificate: the certificate was modified or tampered with
  • There is a problem with this website's security certificate: the certificate was issued to one website but is being used by another

Viewing Certificate Properties

In IE:
Tools > Internet Options > Content > Certificates

Certificate chains show path to root CA.

Exploring the Components of a PKI

PKI includes these components:

  • Public/Private Keypairs
  • Certificates
  • Certification Authority
  • Registration Authority (RA): optional; in large organizations the RA accepts certificate requests and validates the credentials of the person making the request.
    After the request has been verified, the RA forwards it to the CA. The RA does NOT issue certificates.
  • Root CA: the first certificate in a chain. It can issue certificates to subordinate CAs, which are considered to be in the same chain.

Understanding the Certificate Chain

The root CA is the first CA in the chain; it issues itself a self-signed certificate. It can issue certificates to intermediate CAs, which can
then issue certificates to subordinate CAs.
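
To tie together the certificate fields listed under Understanding a Certificate, the browser errors listed under Understanding Certificate Errors, and the root/intermediate chain described above, here is an added Go example. It is not from the chapter and is not Windows or AD CS code: it uses Go's standard crypto/x509 package to build a constructed root -> intermediate -> web server chain, then runs the checks a client performs (trusted root, validity dates, host name, signature, CRL lookup) and reports which of the chapter's error conditions each check catches. All names (Example Root CA, Example Issuing CA, www.example.com), serial numbers and the fixed clock are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed fixed clock, keeps date checks deterministic

// must panics on error to keep the example short; production code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn signed by parent (parent == nil gives a self-signed root).
// Only the public key goes into the certificate; the private key is handed back separately.
func issue(cn string, serial int64, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),            // unique serial number within this CA
		Subject:               pkix.Name{CommonName: cn},     // who it was issued to
		NotBefore:             now.Add(-24 * time.Hour),      // validity dates ...
		NotAfter:              now.Add(365 * 24 * time.Hour), // ... including the expiration date
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		DNSNames:              dns, // web site name(s) the certificate may be used for
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // may sign certificates and CRLs
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // its purpose: a web server
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA signs its own certificate
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verify does what a client does: path from leaf to a trusted root, validity dates at time t, host name match.
func verify(leaf *x509.Certificate, roots, inters []*x509.Certificate, host string, t time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: host, CurrentTime: t})
	return err
}

// isRevoked has ca publish a CRL listing revokedSerials, verifies the CRL's signature, then looks up cert's serial.
func isRevoked(cert, ca *x509.Certificate, caKey *ecdsa.PrivateKey, revokedSerials ...*big.Int) bool {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revokedSerials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
	must(crl, crl.CheckSignatureFrom(ca)) // never act on a CRL that this CA did not sign
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// ClientChecks builds the constructed chain and reports whether each chapter error is caught ("valid" is the good case).
func ClientChecks() map[string]bool {
	root, rootKey := issue("Example Root CA", 1, true, nil, nil, nil)
	inter, interKey := issue("Example Issuing CA", 2, true, nil, root, rootKey)
	leaf, _ := issue("www.example.com", 1001, false, []string{"www.example.com"}, inter, interKey)
	tampered := *leaf // the same certificate with one byte of the signed content altered
	tampered.RawTBSCertificate = append([]byte(nil), leaf.RawTBSCertificate...)
	tampered.RawTBSCertificate[len(tampered.RawTBSCertificate)-1] ^= 0xFF
	roots, inters := []*x509.Certificate{root}, []*x509.Certificate{inter}
	return map[string]bool{
		"valid":       verify(leaf, roots, inters, "www.example.com", now) == nil,
		"revoked":     isRevoked(leaf, inter, interKey, leaf.SerialNumber),
		"out of date": verify(leaf, roots, inters, "www.example.com", leaf.NotAfter.Add(time.Hour)) != nil,
		"untrusted":   verify(leaf, nil, inters, "www.example.com", now) != nil, // root not in trust store
		"tampered":    tampered.CheckSignatureFrom(inter) != nil,
		"wrong site":  verify(leaf, roots, inters, "mail.example.com", now) != nil,
	}
}

func main() {
	fmt.Println(ClientChecks()) // every entry should be true
}
```

Each map entry corresponds to one of the browser messages listed earlier: a serial number found on the issuing CA's CRL (revoked), a check time after NotAfter (out of date), an empty trusted root store (not from a trusted source), an altered signed body whose signature no longer verifies (tampered with), and a host name that is not in the certificate (issued to one website but used by another). Note that the tampered certificate is the only case checked with CheckSignatureFrom directly; Verify performs the same signature check internally along the whole chain to the self-signed root.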

Comparing Certificate Services

AD CS (Active Directory Certificate Services) can be added as a role. Can be used in two modes:

  • Standalone CA: can be used to issue certificates within an organization or publicly
  • Enterprise CA: used to issue certificates only within the organization

An Enterprise CA can be configured to automatically enroll users or machines and issue them certificates, based on the types of certificates needed.
For the issued certificates to be trusted, the root CA's certificate needs to be in the Trusted Root Certification Authority store.

Chapter Review Questions:

  1. True or false: A server will give out its certificate containing its private key
  2. Which of the following are valid uses of a certificate (Choose all that apply)
    a. Authentication
    b. Encryption
    c. Digital Signatures
    d. Antivirus Scanning
  3. True or false: A certificate issued to a web server with one name can be used on another web server with another name without any problems.
  4. How are certificates uniquely identified?
    a. Public Key
    b. Issuer
    c. Version Number
    d. Serial Number
  5. You want all certificates issued by a CA to be trusted. Where should you place its root certificate?
  6. A CA issues itself the first certificate in the trust chain. What is the CA called?
    a. Root CA
    b. Self-signed CA
    c. Enterprise subordinate CA
    d. Standalone subordinate CA
  7. An organization wants to create a CA that will be used internally with a Microsoft domain, with the ability to automatically enroll
    certificates for users. What should be created?
    a. Standalone CA
    b. Public CA
    c. Enterprise CA
    d. RA-enabled CA
  8. What role is added to a Windows Server 2008 server to create a CA?
    a. Certification Authority role
    b. Active Directory Domain Services
    c. Active Directory Certificate Services
    d. File services

Answers:

  1. False
  2. A, B, C
  3. False
  4. D
  5. Trusted Root Certification Authority Store
  6. A
  7. C
  8. C

Relevant sections of Certification Exam