
Windows Server 2008 PKI and Certificate Security (original edition).pdf

The document is 771 pages in total; the remainder is available in the downloaded file.
Cover
Copyright Page
Contents at a Glance
Table of Contents
Acknowledgments
Foreword
Introduction
About This Book
Windows Server 2008 PKI and Certificate Security Companion CD
System Requirements
Part I: Foundations of PKI
Chapter 1: Cryptography Basics
Encryption Types
Algorithms and Keys
Data Encryption
Symmetric Encryption
Asymmetric Encryption
Asymmetric Signing Process
Combining Symmetric and Asymmetric Encryption
Digital Signing of Data
The Hash Process
Hash Algorithms
Combining Asymmetric Signing and Hash Algorithms
Cryptography Next Generation (CNG)
Features of CNG
Algorithms Supported
Supported Clients and Applications
Case Study: Microsoft Applications and Their Encryption Algorithms
Opening the EFS White Paper
Case Study Questions
Additional Information
Chapter 2: Primer to PKI
Certificates
X.509 Version 1
X.509 Version 2
X.509 Version 3
Certification Authorities
Root CA
Intermediate CA
Policy CA
Issuing CA
Certificate Revocation Lists
Types of CRLs
Revocation Reasons
Online Certificate Status Protocol (OCSP)
OCSP Client
Online Responder Service
Case Study: Inspecting an X.509 Certificate
Opening the Certificate File
Case Study Questions
Additional Information
Chapter 3: Policies and PKI
Security Policy
Defining Effective Security Policies
Resources for Developing Security Policies
Effects of External Policies on Your PKI
Defining PKI-Related Security Policies
Certificate Policy
Contents of a Certificate Policy
Certificate Policy Example
Certification Practice Statement (CPS)
CPS Section: Introduction
CPS Section: Publication and Repository Responsibilities
CPS Section: Identification and Authentication
CPS Section: Certificate Life-Cycle Operational Requirements
CPS Section: Facility, Management, and Operational Controls
CPS Section: Technical Security Controls
CPS Section: Certificate, CRL, and OCSP Profiles
CPS Section: Compliance Audit and Other Assessment
CPS Section: Other Business and Legal Matters
Case Study: Planning Policy Documents
Design Requirements
Case Study Questions
Additional Information
Part II: Establishing a PKI
Chapter 4: Preparing an Active Directory Environment
Analyzing the Active Directory Environment
Upgrading the Schema
Identifying the Schema Operations Master
Performing the Schema Update
Modifying the Scope of the Cert Publishers Groups
Deploying Windows Server 2008 Enterprise CAs in Non–AD DS Environments
Case Study: Preparing Active Directory Domain Services
Network Details
Case Study Questions
Additional Information
Chapter 5: Designing a Certification Authority Hierarchy
Determining the Number of Tiers in a CA Hierarchy
Single-Tier CA Hierarchy
Two-Tier CA Hierarchy
Three-Tier CA Hierarchy
Four-Tier CA Hierarchy
Organizing Issuing CAs
Choosing an Architecture
Gathering Required Information
Identifying PKI-Enabled Applications
Determining Security Requirements
Determining Technical Requirements
Determining Business Requirements
Determining External Requirements
Collecting AD DS Requirements
Naming Conventions
Choosing Domains for CA Computer Accounts
Choosing an Organizational Unit Structure
Case Study: Identifying Requirements
Case Study Questions
Additional Information
Chapter 6: Implementing a CA Hierarchy
CA Configuration Files
CAPolicy.inf File
Pre-Installation Scripts
Post-Installation Scripts
Implementing a Three-Tier CA Hierarchy
Implementing an Offline Root CA
Implementing an Offline Policy CA
Implementing an Online Issuing CA
Implementing an Enterprise Root CA
Creating a CAPolicy.inf File
Installing Active Directory Certificate Services
Post-Installation Configuration
Enabling Auditing
Verifying Installation
Case Study: Deploying a PKI
Case Study Questions
Additional Information
Chapter 7: Upgrading Your Existing Microsoft PKI
Supported Scenarios
What Versions Can You Upgrade to Windows Server 2008?
32-Bit to 64-Bit Considerations
Performing the Upgrade
Upgrading the Schema
Upgrading Certificate Templates
Performing the Upgrade
Post-Upgrade Operations
Case Study: Upgrading an Existing PKI
Case Study Questions
Additional Information
Chapter 8: Verifying and Monitoring Your Microsoft PKI
Verifying the Installation
PKI Health Tool
Certutil
Ongoing Monitoring
CAMonitor.vbs Script
Microsoft Operations Manager Certificate Services Management Pack
Case Study: Verifying a PKI Deployment
CA Hierarchy Details
CA Hierarchy Verification Questions
Monitoring Requirements
Monitoring Questions
Additional Information
Chapter 9: Securing a CA Hierarchy
CA Configuration Measures
Designing Physical Security Measures
Securing the CA’s Private Key
Private Key Stored in the Local Machine Store
Private Keys Stored on Smart Cards
Private Keys Stored on Hardware Security Modules
Hardware Security Modules
Categories of HSMs
HSM Deployment Methods
Case Study: Planning HSM Deployment
Scenario
Case Study Questions
Additional Information
Chapter 10: Certificate Revocation
When Do You Revoke Certificates?
Revocation Reasons
Revocation Policy
Performing Revocation
Methods of Identifying Revoked Certificates
Problems with CRLs
Latency
Caching of CRLs
Support for Delta CRLs
Online Certificate Status Protocol (OCSP)
Microsoft’s Implementation of OCSP
Implementing the Microsoft Online Responder
Providing High Availability for the Online Responder
Case Study: Planning Revocation
Design Requirements
Case Study Questions
Additional Information
Chapter 11: Certificate Validation
Certificate Validation Process
Certificate Validity Checks
Revocation Checking Methods
Changing the Default Validation Behavior
Building Certificate Chains
Exact Match
Key Match
Name Match
Designing PKI Object Publication
Choosing Publication Protocols
Choosing Publication Points
Choosing Publication Intervals
Troubleshooting Certificate Validation
CAPI Diagnostics
Case Study: Choosing Publication Points
Design Requirements
Case Study Questions
Troubleshooting Exercise
Additional Information
Chapter 12: Designing Certificate Templates
Certificate Template Versions
Version 1 Certificate Templates
Version 2 Certificate Templates
Version 3 Certificate Templates
Enrolling Certificates Based on Certificate Templates
Default Certificate Templates
Modifying Certificate Templates
Modifying Version 1 Certificate Template Permissions
Modifying Version 2 and Version 3 Certificate Templates
Case Study: Certificate Template Design
Requirements
Case Study Questions
Best Practices for Certificate Template Design
Additional Information
Chapter 13: Role Separation
Common Criteria Roles
Common Criteria Levels
Windows Implementation of Common Criteria
Assigning Common Criteria Roles
Implementing Certificate Manager Restrictions
Enforcing Common Criteria Role Separation
Other PKI Management Roles
Local Administrator
Enterprise Admins
Certificate Template Manager
Enrollment Agent
Key Recovery Agent
Case Study: Planning PKI Management Roles
Scenario
Case Study Questions
Additional Information
Chapter 14: Planning and Implementing Disaster Recovery
Developing Required Documentation
Choosing a Backup Method
Who Can Perform Backups of Certificate Services
System State Backups
Windows Server Backups
Manual Backups
Performing a System State Backup
Installing Windows Server Backup
Performing a System State Backup
Performing Windows Server Backups
Creating a Scheduled Windows Server Backup
Performing a One-Time-Only Windows Server Backup
Performing Manual Backups
Using the Certification Authority Console
Certutil Commands
Restoration Procedures
Determining Backup Versions
Restoring a System State Backup
Restoring a Windows Server Backup
Restoring a Manual Backup
Evaluating Backup Methods
Hardware Failure
Certificate Services Failure
Server Replacement
Availability Options
CRL Re-Signing
HSM Fail Over
Clustering Certificate Services
Case Study: Replacing Server Hardware
Scenario
Case Study Questions
Additional Information
Chapter 15: Issuing Certificates
Certificate Enrollment Methods
Choosing an Enrollment Method
Choosing Among Manual Enrollment Methods
Choosing Among Automatic Enrollment Methods
Publishing Certificate Templates for Enrollment
Performing Manual Enrollment
Requesting Certificates by Running the Certificate Enrollment Wizard
Using Web Enrollment to Request a Certificate
Completing a Pending Certificate Request
Submitting a Certificate Request from Network Devices and Other Platforms
Performing Automatic Enrollment
Automatic Certificate Request Settings
Autoenrollment Settings
Performing Scripted Enrollment
Credential Roaming
What Is Included in the Roaming
How Does CRS Use Active Directory Domain Services?
Requirements
Group Policy Settings
Case Study: Selecting a Deployment Method
Scenario
Case Study Questions
Additional Information
Chapter 16: Creating Trust Between Organizations
Methods of Creating Trust
Certificate Trust Lists
Common Root CAs
Cross Certification
Bridge CAs
Name Constraints
Basic Constraints
Application Policies
Certificate Policies
Best Practices
Implementing Cross Certification with Constraints
Implementing the Policy.inf File
Acquiring a Partner’s CA Certificate
Generating the Cross Certification Authority Certificate
Publishing to Active Directory Domain Services
Verifying Cross Certification Constraints
Case Study: Trusting Certificates from Another Forest
Case Study Questions
Additional Information
Part III: Deploying Application-Specific Solutions
Chapter 17: Identity Lifecycle Manager 2007 Certificate Management
Key Concepts
Profile Templates
CLM Roles
Permissions
Permission Assignment Locations
CLM Components
Planning an ILM 2007 Certificate Management Deployment
Management Policies
Registration Models
Deploying ILM 2007 Certificate Management
Installation of Server
Configuration of Server
CA Component Installation
Deploying a Code Signing Certificate
Defining Certificate Template Permissions
Creating a Profile Template
Executing the Management Policies
Case Study: Contoso, Ltd.
Proposed Solution
Case Study Questions
Best Practices
Additional Information
Chapter 18: Archiving Encryption Keys
Roles in Key Archival
The Key Archival Process
The Key Recovery Process
Requirements for Key Archival
Defining Key Recovery Agents
Enabling a CA for Key Archival
Enabling Key Archival in a Certificate Template
Performing Key Recovery
Using Certutil to Perform Key Recovery
Performing Key Recovery with ILM 2007 Certificate Management
Case Study: Lucerne Publishing
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 19: Implementing SSL Encryption for Web Servers
How SSL Works
Certificate Requirements for SSL
Choosing a Web Server Certificate Provider
Placement of Web Server Certificates
Single Web Server
Clustered Web Servers
Web Server Protected by ISA Server with Server Publishing
Web Server Protected by ISA Server with Web Publishing
Choosing a Certificate Template
Issuing Web Server Certificates
Issuing Web Server Certificates to Domain Members
Issuing Web Server Certificates to Non-Forest Members
Issuing Web Server Certificates to Third-Party Web Servers and Web Acceleration Devices
Certificate-Based Authentication
Defining Certificate Mapping
Performing Certificate-Based Authentication
Creating a Certificate Template
Defining the Mapping in Active Directory Domain Services
Enabling Windows Server 2003 to Use Certificate Mapping
Enabling Windows Server 2008 to Use Certificate Mapping
Connecting to the Web Site
Case Study: The Phone Company
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 20: Encrypting File System
EFS Processes
How Windows Chooses an EFS Encryption Certificate
Local EFS Encryption
Remote Encryption
EFS Decryption
EFS Data Recovery
One Application, Two Recovery Methods
Data Recovery
Key Recovery
Implementing EFS
Enabling and Disabling EFS
Certificate Templates for EFS Encryption
Certificate Enrollment
What’s New in Windows Vista for EFS Management
Case Study: Lucerne Publishing
Scenario
Design Requirements
Proposed Solution
Case Study Questions
Best Practices
Additional Information
Chapter 21: Deploying Smart Cards
Using Smart Cards in an Active Directory Environment
Smart Cards and Kerberos
Requirements for Smart Card Certificates
Planning Smart Card Deployment
Deploying Smart Cards with Windows Vista
Deploying Smart Cards by Using ILM 2007 Certificate Management
Managing Issued Smart Cards
Requiring Smart Cards for Interactive Logon
Requiring Smart Cards at Specific Computers
Requiring Smart Cards for Remote Access
Configuring Smart Card Removal Behavior
Configuring Smart Card Settings
Case Study: City Power and Light
Case Study Questions
Best Practices
Additional Information
Chapter 22: Secure E-Mail
Securing E-Mail
Secure/Multipurpose Internet Mail Extensions (S/MIME)
SSL for Internet Protocols
Choosing Certification Authorities
Choosing Commercial CAs
Choosing Private CAs
Choosing Certificate Templates
A Combined Signing and Encryption Template
Dual Certificates for E-Mail
Choosing Deployment Methods
Software-Based Certificate Deployment
Smart Card–Based Certificate Deployment
Enabling Secure E-Mail
Enabling Outlook
Enabling S/MIME in OWA
Sending Secure E-Mail
Case Study: Adventure Works
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 23: Virtual Private Networking
Certificate Deployment for VPN
Point-to-Point Tunneling Protocol (PPTP)
Layer Two Tunneling Protocol (L2TP) with Internet Protocol Security
Secure Sockets Tunneling Protocol (SSTP)
Certificate Template Design
User Authentication
Server Authentication
IPsec Endpoint Authentication
SSTP Endpoint Authentication
Deploying a VPN Solution
Network Policy Server Configuration
VPN Server Configuration
Create a VPN Client Connection
Case Study: Lucerne Publishing
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 24: Wireless Networking
Threats Introduced by Wireless Networking
Protecting Wireless Communications
MAC Filtering
Wired Equivalent Privacy
Wi-Fi Protected Access (WPA) and WPA2
802.1x Authentication Types
EAP-TLS Authentication
PEAP Authentication
How 802.1x Authentication Works
Planning Certificate for 802.1x Authentication
Computer Certificates for RADIUS Servers
User Certificates for Clients
Computer Certificates for Clients
Deploying Certificates to Users and Computers
RADIUS Server
Client Computers
Users
Implementing 802.1x Authentication
Configuring the RADIUS Server
Configuring the Wireless Access Point
Connecting to the Wireless Network
Using Group Policy to Enforce Correct Wireless Client Configuration
Case Study: Margie’s Travel
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 25: Document and Code Signing
How Code Signing Works
How Document Signing Works
Certification of Signing Certificates
Commercial Certification of Code Signing Certificates
Corporate Certification of Code Signing and Document Signing Certificates
Planning Deployment of Signing Certificates
Certificate Template Design
Planning Enrollment Methods
Time Stamping Considerations
Performing Code Signing
Gathering the Required Tools
Using SignTool.exe
Visual Basic for Applications Projects
Performing Document Signing
Microsoft Office 2007 Documents
Adobe PDF Documents
Verifying the Signature
Internet Explorer
Validating Signed Code
Microsoft Office Documents
PDF Documents
Case Study: Lucerne Publishing
Scenario
Case Study Questions
Best Practices
Additional Information
Chapter 26: Deploying Certificates to Domain Controllers
Changes in Domain Controller Certificates
Enforcing Strong KDC Validation
Windows Server 2008 Domain Controller Certificate Selection
Deploying Domain Controller Certificates
Automatic Certificate Request Settings
Autoenrollment
Third-Party CAs or CAs in Other Forests
Add the Internal Root CA as a Trusted Root CA
Add the Subordinate CA Certificates
Define NTAuth Certificates
Enable the SAN Extension for Certificate Requests
Creating the Certificate Requests
Managing Domain Controller Certificates
Verifying Existing Certificates
Replacing Existing Certificates
Removing All Existing Certificates
Case Study: Consolidated Messenger
Deployment Progress
Case Study Questions
Best Practices
Additional Information
Chapter 27: Network Device Enrollment Service
History of NDES and Microsoft PKI
Simple Certificate Enrollment Protocol Enroll Process
Implementing an NDES Server
Permission Requirements
CA Requirements
Create the Service Account
Installing the NDES Server
Configuring NDES
Modifying the Registry
Enabling Logging
Backup and Restoration
Case Study: Lucerne Publishing
Requirements
Case Study Questions
Best Practices
Additional Information
Appendix
Case Study Questions and Answers
Chapter 1: Cryptography Basics
Chapter 2: Primer to PKI
Chapter 3: Policies and PKI
Chapter 4: Preparing an Active Directory Environment
Chapter 5: Designing a Certification Authority Hierarchy
Chapter 6: Implementing a CA Hierarchy
Chapter 7: Upgrading Your Existing Microsoft PKI
Chapter 8: Verifying and Monitoring Your Microsoft PKI
CA Hierarchy Verification Questions
Monitoring Questions
Chapter 9: Securing a CA Hierarchy
Chapter 10: Certificate Revocation
Chapter 11: Certificate Validation
Troubleshooting Exercise
Chapter 12: Designing Certificate Templates
Chapter 13: Role Separation
Chapter 14: Planning and Implementing Disaster Recovery
Chapter 15: Issuing Certificates
Chapter 16: Creating Trust Between Organizations
Chapter 17: Identity Lifecycle Manager 2007 Certificate Management
Chapter 18: Archiving Encryption Keys
Chapter 19: Implementing SSL Encryption for Web Servers
Chapter 20: Encrypting File System
Chapter 21: Deploying Smart Cards
Chapter 22: Secure E-Mail
Chapter 23: Virtual Private Networking
Chapter 24: Wireless Networking
Chapter 25: Document and Code Signing
Chapter 26: Deploying Certificates to Domain Controllers
Chapter 27: Network Device Enrollment Service
About the Author
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2008 by Brian Komar

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2008920575

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft, Microsoft Press, Access, Active Directory, ActiveX, Authenticode, BitLocker, Excel, IntelliMirror, Internet Explorer, MSDN, Outlook, SQL Server, Visual Basic, Visual C#, Visual C++, Visual Studio, Win32, Windows, Windows Server System and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Denise Bankaitis
Editorial Production: Interactive Composition Corporation
Technical Reviewer: Paul Adare; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Tom Draper Design

Body Part No. X14-60364
Contents at a Glance

Part I: Foundations of PKI
Chapter 1: Cryptography Basics .... 3
Chapter 2: Primer to PKI .... 21
Chapter 3: Policies and PKI .... 39

Part II: Establishing a PKI
Chapter 4: Preparing an Active Directory Environment .... 59
Chapter 5: Designing a Certification Authority Hierarchy .... 73
Chapter 6: Implementing a CA Hierarchy .... 99
Chapter 7: Upgrading Your Existing Microsoft PKI .... 151
Chapter 8: Verifying and Monitoring Your Microsoft PKI .... 165
Chapter 9: Securing a CA Hierarchy .... 189
Chapter 10: Certificate Revocation .... 207
Chapter 11: Certificate Validation .... 235
Chapter 12: Designing Certificate Templates .... 259
Chapter 13: Role Separation .... 285
Chapter 14: Planning and Implementing Disaster Recovery .... 307
Chapter 15: Issuing Certificates .... 351
Chapter 16: Creating Trust Between Organizations .... 383

Part III: Deploying Application-Specific Solutions
Chapter 17: Identity Lifecycle Manager 2007 Certificate Management .... 413
Chapter 18: Archiving Encryption Keys .... 453
Chapter 19: Implementing SSL Encryption for Web Servers .... 475
Chapter 20: Encrypting File System .... 509
Chapter 21: Deploying Smart Cards .... 535
Chapter 22: Secure E-Mail .... 571
Chapter 23: Virtual Private Networking .... 595
Chapter 24: Wireless Networking .... 619
Chapter 25: Document and Code Signing .... 647
Chapter 26: Deploying Certificates to Domain Controllers .... 667
Chapter 27: Network Device Enrollment Service .... 683
Appendix A: Case Study Questions and Answers .... 699
Table of Contents

Acknowledgments .... xxiii
Foreword .... xxv
Introduction .... xxvii
  About This Book .... xxvii
  Windows Server 2008 PKI and Certificate Security Companion CD .... xxviii
  System Requirements .... xxix

Part I: Foundations of PKI

Chapter 1: Cryptography Basics .... 3
  Encryption Types .... 3
  Algorithms and Keys .... 4
  Data Encryption .... 4
    Symmetric Encryption .... 4
    Asymmetric Encryption .... 6
    Asymmetric Signing Process .... 8
    Combining Symmetric and Asymmetric Encryption .... 9
  Digital Signing of Data .... 11
    The Hash Process .... 11
    Hash Algorithms .... 11
    Combining Asymmetric Signing and Hash Algorithms .... 12
  Cryptography Next Generation (CNG) .... 13
    Features of CNG .... 13
    Algorithms Supported .... 16
    Supported Clients and Applications .... 17
  Case Study: Microsoft Applications and Their Encryption Algorithms .... 18
    Opening the EFS White Paper .... 18
    Case Study Questions .... 18
  Additional Information .... 19

Chapter 2: Primer to PKI .... 21
  Certificates .... 21
    X.509 Version 1 .... 22
    X.509 Version 2 .... 23
    X.509 Version 3 .... 24
  Certification Authorities .... 29
    Root CA .... 31
    Intermediate CA .... 31
    Policy CA .... 31
    Issuing CA .... 33
  Certificate Revocation Lists .... 33
    Types of CRLs .... 33
    Revocation Reasons .... 34
  Online Certificate Status Protocol (OCSP) .... 35
    OCSP Client .... 36
    Online Responder Service .... 36
  Case Study: Inspecting an X.509 Certificate .... 37
    Opening the Certificate File .... 37
    Case Study Questions .... 37
  Additional Information .... 38

Chapter 3: Policies and PKI .... 39
  Security Policy .... 40
    Defining Effective Security Policies .... 41
    Resources for Developing Security Policies .... 41
    Effects of External Policies on Your PKI .... 42
    Defining PKI-Related Security Policies .... 44
  Certificate Policy .... 45
    Contents of a Certificate Policy .... 45
    Certificate Policy Example .... 46
  Certification Practice Statement (CPS) .... 47
    CPS Section: Introduction .... 49
    CPS Section: Publication and Repository Responsibilities .... 49
    CPS Section: Identification and Authentication .... 50
    CPS Section: Certificate Life-Cycle Operational Requirements .... 50
    CPS Section: Facility, Management, and Operational Controls .... 52
    CPS Section: Technical Security Controls .... 53
    CPS Section: Certificate, CRL, and OCSP Profiles .... 53
    CPS Section: Compliance Audit and Other Assessment .... 53
    CPS Section: Other Business and Legal Matters .... 54
  Case Study: Planning Policy Documents .... 55
    Design Requirements .... 55
    Case Study Questions .... 55
  Additional Information .... 55

Part II: Establishing a PKI

Chapter 4: Preparing an Active Directory Environment .... 59
  Analyzing the Active Directory Environment .... 59
  Upgrading the Schema .... 60
    Identifying the Schema Operations Master .... 61
    Performing the Schema Update .... 61
    Modifying the Scope of the Cert Publishers Groups .... 63
  Deploying Windows Server 2008 Enterprise CAs in Non–AD DS Environments .... 68
  Case Study: Preparing Active Directory Domain Services .... 68
    Network Details .... 70
    Case Study Questions .... 70
  Additional Information .... 71

Chapter 5: Designing a Certification Authority Hierarchy .... 73
  Determining the Number of Tiers in a CA Hierarchy .... 73
    Single-Tier CA Hierarchy .... 73
    Two-Tier CA Hierarchy .... 74
    Three-Tier CA Hierarchy .... 75
    Four-Tier CA Hierarchy .... 76
  Organizing Issuing CAs .... 77
  Choosing an Architecture .... 80
  Gathering Required Information .... 80
    Identifying PKI-Enabled Applications .... 81
    Determining Security Requirements .... 83
    Determining Technical Requirements .... 84
    Determining Business Requirements .... 91
    Determining External Requirements .... 92
  Collecting AD DS Requirements .... 93
    Naming Conventions .... 94
    Choosing Domains for CA Computer Accounts .... 94
    Choosing an Organizational Unit Structure .... 95
  Case Study: Identifying Requirements .... 96
    Case Study Questions .... 97
  Additional Information .... 98

Chapter 6: Implementing a CA Hierarchy .... 99
  CA Configuration Files .... 100
    CAPolicy.inf File .... 100
    Pre-Installation Scripts .... 110
    Post-Installation Scripts .... 113
  Implementing a Three-Tier CA Hierarchy .... 121
    Implementing an Offline Root CA .... 121
    Implementing an Offline Policy CA .... 125
    Implementing an Online Issuing CA ....
. . . . . . . . . . . . . . . . . . . . . . . . . . 132 Implementing an Enterprise Root CA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Creating a CAPolicy.inf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Installing Active Directory Certificate Services . . . . . . . . . . . . . . . . . . . . . . . . . 142 Post-Installation Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Enabling Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Verifying Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 Case Study: Deploying a PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Case Study Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Upgrading Your Existing Microsoft PKI . . . . . . . . . . . . . . . . . . . . . . . . . 151 Supported Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 What Versions Can You Upgrade to Windows Server 2008? . . . . . . . . . . . . . 151 32-Bit to 64-Bit Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Performing the Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Upgrading the Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Upgrading Certificate Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Performing the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . 157 Post-Upgrade Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 6 7