Top Ten Things You Need to Know about Certificate Services to Pass a Microsoft Exam
As you proceed into the more complex areas of the Microsoft networking exam course you inevitably come across Microsoft’s implementation of a Public Key Infrastructure (PKI) Microsoft certificate services. Although this is a subject area all of its own on a number of tracks, it appears on many other topic areas whenever you are considering securing communications with the highest levels of authentication and encryption. With that in mind, it is important to make sure you know this topic well, as achieving the highest levels of security is always a hot topic on any Microsoft exam course.
1. Setting up a PKI
In short, a PKI provides an asymmetric key-based system to provide enhanced secure communications for both internal and external network communications. By the time you get to study the PKI in your networking exam track, you have probably come across it already, whether it is for providing authentication within IPSEC, setting up SSL for secure web browsing or perhaps setting up secure e-mail within Microsoft Exchange. For your Microsoft exam it is important that you know how to install and configure a Certificate Authority (CA) from scratch; this includes subordinate CAs as well. This makes up a big part of the PKI topic, be aware of the IIS components that need installing, like ASP for the web enrolment site. Also note that the CRL location needs to be in an accessible place for all enrolling clients to refer too (more on this later).
In reality, the best way to practice and get to know this to exam standard is to setup a test lab and install certificate services step-by-step. By default, it is available as an additional role within the server management console. There are a number of restrictions on certificate services when installed on any server version lower than enterprise, as it is a big network toolso to get the most out of your exams, it is recommended you use this operating system level.
2. Certificate hierarchies
If you have ever taken a Microsoft exam, then you will be used to the style of questions that come up in the examinations. It is assumed that you are working in a medium-to-large company with a sizable IT infrastructure, in which case you would distribute to a structured hierarchy of certificate servers on your network, with different tiers of distribution. So as we have already established, you have the root server which holds the root certificate from which all subsequent certificates are children of, and remember there can only be one root server.
As I will mention later in best practices, you should never distribute certificates from the root server. Instead you introduce a second tier within the hierarchy that can either be an intermediate set of servers which then distribute to a third tier of issuing CAs, or alternatively distribute from the root to issuing CAs, which then distribute to users and clients (a two tier hierarchy). When you are answering questions related to choosing a suitable certificate hierarchy, consider this is usually based on a site’s geographical location, such as a subordinate CA for each site. Alternatively, it could be for each division, or based on the certificate to be distributed, for example a subordinate CA responsible for distributing just secure e-mail certificates to clients.
Also be aware that subordinate CAs can be used to provide fault tolerance to the CA infrastructure or to load balance CA distribution in a scenario where certificate requests are particularly heavy.
3. Types of Certificate server
There are two types of root Certification Authority that you should be aware of for the Microsoft exams: a Standalone CA or an Enterprise CA. The main difference between the two authorities is that a standalone server is just that; it is not part of any domain network, whereas an enterprise CA requires it. A standalone CA is usually used to issue certificates to clients that require security for external access, such as for web server SSL certificates or for digitally signing e-mails, anything that involves access off the network. Certificate requests to Standalone CA are always marked as pending and require an admin to authorize prior to being issued; they cannot be enrolled automatically.
In contrast, an Enterprise CA must be installed on an active directory domain controller, as it uses the domain details and group policy to distribute certificates to the trusted stores of clients and to publish the latest CRL. Although it doesn’t have a centralized secure domain to authenticate client enrolment, what makes a standalone CA more secure is that it can be kept offline, whereas an enterprise CA cannot because your domain cannot function for any extended time without the domain controller. This isn’t to say that a standalone CA cannot be installed on a domain; however, if it is, it automatically becomes a member of the trusted certification authority for all domain clients. This is fine if the default certificate processing is left in place (pending prior to authorization); however, if this is turned off, the standalone CA member server will process certificate requests without authorising them with active directory.
4. Certificate types
The specifics of certificates warrant an article itself. However, within the context of your PKI studies there are a number of key factors you should keep in mind.
First is that there are two certificate versions, simply named version 1 and version 2 certificates. The Microsoft 2003 track introduced the version 2 certificate in order to allow auto enrolment and further editing of certificates, as opposed to the read-only version certificates. One thing to note here is that version 1 certificates can be duplicated and then turned into version 2 certificates, therefore making them editable.
For the exam, the most likely questions related to the specifics of a certificate will be based around changing the permissions on the certificates ACL in order to allow for enrolment and auto enrolment.
Also consider that each certificate is designed to provide security for a different role, such as secure e-mail or IPSEC. This is straightforward regardless of what type of CA infrastructure you go for, unless you are considering Smart card domain login, as only Enterprise CAs can authenticate back to active directory.
Finally, make sure you are familiar with the certificate template snap in, and more importantly the properties of both the version 1 and version 2 certificates. Like the certificate itself, version 1 certificates are read only, unless they are duplicated to version 2 templates as mentioned above.
5. Certificate Enrolment
The way in which users and computers enroll for certificates varies, depending on the CA infrastructure that has been deployed. One of the big question areas on this topic is based on your knowledge of what type of enrollment method you should use based on the questions scenario. Make sure you keep in mind the main differences between a standalone and an enterprise CA, as mentioned above.
You should be familiar with the certificate web console, how to create a pending certificate request, and completing the process once the certificate has been granted.
Although it is now a firm fixture in today’s PKIs, auto enrolment was considered a new feature in Windows Server 2003, so if you are considering still taking this track, you should be familiar with itbeing questioned on it is a certainty. Basically, auto enrollment allows domain-based clients to request update certificates without any input from the user. A few things to watch out for here are that this only applies to Windows Server 2003 upwards; additionally, this is only supported by the Enterprise edition. Also, the certificate must be a version 2 certificate. You know that if there are specific conditions like this to be aware of, then you are likely to be quizzed on them in the exam.
For your exams, it’s important that you know about certificate mapping, as although it’s breezed over in the text books, it seems to crop up in Microsoft exams all too often to be ignored. The principle behind mapping certificates to user accounts is to allow user authentication, for example, to a web page or secure server. Rather than entering any credentials, the user would present the certificate, which is mapped to their account, which in turn authorizes their access to the site. You need to know that you have the option to map one-to-one certificate mapping, as described above, or many-to-one mapping. Just as it sounds, it basically allows multiple certificates from the same CA to be mapped to a single account.
6. Best practices
When you are taking your Microsoft exam, you should always keep in mind that most of all, Microsoft is testing that you are following best practice. When it comes to best practice within your PKI, most of the "must do’s" are based on securing your CA servers to ensure their integrity on the network. The root CA should be kept offline and only brought into action to issue certificate information to subordinate CAs, not users or computers directly. Obviously, this cannot be the case with regards to an Enterprise CA.
Backing up is always a best practice; however, knowing exactly what you need to backup is always useful. In order to back up your PKI you need to back up your CA database, your root CA, and CA keys. This is done via the CA snap in or via the certutil–backup command switch. Similarly, you should consider archiving the private keys of issued certificates in case they become corrupted or deleted.
The Certificate Revocation List (CRL) is mentioned in more detail later, but in terms of employing best practices, you should always remember to keep the CRL in an accessible area to the requesting clients. Also, in order to keep the CRL manageable, you should ensure a regular publishing schedule for your Delta CRL and its differential listing of revoked certificates.
7. Certificate services and IIS
When you go through the initial installation of Microsoft certificate services, you are given the option of installing the certificate web enrollment console. I recommend that for the purpose of your hands-on exam practice that you install this feature and practice requesting certificates of different types with it as instructed through your Microsoft materials. By default, the URL to the web enrollment console is localhost/certsrv; in order for clients to enroll using I, you will need to set permissions accordingly, as by default, only domain admins can access the console.
If you have ever accessed a secure website on the internet, that website is using an SSL certificate, usually from a publically-recognized CA such as Verisign or Comodo. When managing your websites in a Microsoft exam, it is assumed you are managing them on an IIS server, and you are using an SSL certificate that was issued by your Microsoft CA. This could be a prime area for a simulation question where you are required to supply a pending request from your IIS console to your CA to setup SSL for a secure company web page, so practicing with the certification wizards in this area will be beneficial.
8. Certificate Revocation
When a certificate is removed, replaced, or updated, the rest of the network needs to know about it. For example, if an issued certificate that all of your clients are using for smart card domain login becomes compromised, then there needs to be a way for the certificate to marked as untrustworthy and a new certificate to then be issued. This process is called certificate revocation, and any certificates that have been “revoked” are listed on a Certificate Revocation List (CRL). In terms of the examination, this is a fairly straightforward topic; however, there are a couple of key things to remember. Firstly, there are two types of CRL: the base CRL and the delta CRL. The base CRL lists all of the revoked certificates on that CA; this list can get quite large, so a delta CRL lists the interim certificate revocations since the last base CRL was published. It’s common within the Microsoft exams to get a question or two about CRLs that test your ability to remember which certificates will be listed as revoked from the time a base CRL is published, and the subsequent delta CRLs published a number of days later.
The distribution of the CRL is another common testing area; you need to make sure that all clients can locate the CRL as this is referenced prior to certificate enrollment. Having the CRL published through group policy ensures all domain members are kept up-to-date, whereas in a standalone environment, you would need to bring your root server online, revoke the certificate, and then publish this revocation to all of your subordinate standalone CAs. The process of certificate revocation is an important part of maintaining the integrity of your CA, so be sure not overlook this part as it is a sure-fire exam question.
9. Troubleshooting the PKI
Like any Microsoft infrastructure server applications, you have occasions when it doesn’t work, and these scenarios are always common territory for exam questions. Make sure you cover what can go wrong, and what you need to do to fix it. The most common issues are related to certificate enrollment, which can be caused by either permission issues or replication problems between network servers within the CA infrastructure.
In order for certificates to be enrolled or auto enrolled by clients, you need to ensure that the read, enroll, and auto-enroll permissions are configured on the certificate’s ACL. As mentioned previously, auto-enroll restrictions should be considered (as mentioned above) as well as forcing group policy replication for auto enrolment to take place. An enterprise CA replicates using active directory replication (which by default has the replication time of 5 minutes); this is worth noting when answering questions related to template differences between network CAs, as it’s likely they just need time to catch up.
Issues with the web enrollment pages can be a mixture of both IIS and CA problems, so it’s important that some study time is reserved for looking at IIS and the web-based permissions. For example, by default, only domain administrators can use the web enrollment feature, so normal users attempting to access the console will fail. Also be aware if a question mentions an inaccessible web console that is installed on a server that is not the CA, this will be because the NTLM authentication is enabled instead of basic authentication combined with SSL to protect the passwords.
10. Command line tools
There are always command line tools to master within Microsoft exams, and certificate services are no different. The main command to master is the certutil utility that is installed as part of your certificate services installation. For the purposes of the exam, you should be aware of this command and that it can be used to administer your CA, such as backing up/restoring the CA database, verifying the certificate chain and the validity of the issuing CA. The command syntax can be quite complex, and you are unlikely to have to come across running this command in a simulation question. However, be aware of some of the key switches, as identifying which command will perform a certain action may come up.
Another command which is worth remembering is the gpupdate tool. Any topic that includes the use of group policy may ask questions related to errors once a policy is setup. For example, you have set up your clients to auto enroll for their IPSEC certificates through group policy, but secure communications fail because the clients haven’t picked up their certificates as expected. The root of the problem is usually down to group policy replication, and running the gpupdate with the optional /force switch will resolve the issue.