
Top Ten Things You Need to Know about Certificate Services to Pass a Microsoft Exam

As Microsoft’s networking exams grow in scope, more complex topics appear in them, including Public Key Infrastructure (PKI) and certificate services. In this article, David Leaver reviews ten things you should know about the use of PKI in Microsoft environments, such as certificate enrollment, certificate services, and command line tools. These tips will help you better prepare for networking certification exams.

As you proceed into the more complex areas of the Microsoft networking exam course you inevitably come across Microsoft’s implementation of a Public Key Infrastructure (PKI): Microsoft certificate services. Although this is a subject area in its own right on a number of tracks, it also appears in many other topic areas whenever you are asked to secure communications with the highest levels of authentication and encryption. With that in mind, it is important to make sure you know this topic well, as achieving the highest levels of security is always a hot topic on any Microsoft exam course.

1. Setting up a PKI

In short, a PKI is an asymmetric-key system that provides enhanced security for both internal and external network communications. By the time you get to study the PKI in your networking exam track, you have probably come across it already, whether for providing authentication within IPSEC, setting up SSL for secure web browsing, or setting up secure e-mail within Microsoft Exchange. For your Microsoft exam it is important that you know how to install and configure a Certificate Authority (CA) from scratch, including subordinate CAs. This makes up a big part of the PKI topic, so be aware of the IIS components that need installing, such as ASP for the web enrolment site. Also note that the CRL location needs to be somewhere accessible for all enrolling clients to refer to (more on this later).

In reality, the best way to practice and get to know this to exam standard is to set up a test lab and install certificate services step by step. By default, it is available as an additional role within the server management console. There are a number of restrictions on certificate services when it is installed on any server edition lower than Enterprise, as it is a major network tool, so to get the most out of your exam preparation it is recommended that you use this edition.

2. Certificate hierarchies

If you have ever taken a Microsoft exam, then you will be used to the style of questions that come up in the examinations. It is assumed that you are working in a medium-to-large company with a sizable IT infrastructure, in which case you would distribute certificates through a structured hierarchy of certificate servers on your network, with different tiers of distribution. So, as we have already established, you have the root server, which holds the root certificate of which all subsequent certificates are children, and remember that there can only be one root server.

As I will mention later in best practices, you should never distribute certificates from the root server. Instead you introduce a second tier within the hierarchy, which can either be an intermediate set of servers that then distribute to a third tier of issuing CAs, or alternatively the root distributes directly to issuing CAs, which then distribute to users and clients (a two-tier hierarchy). When you are answering questions related to choosing a suitable certificate hierarchy, consider that this is usually based on a site’s geographical location, such as a subordinate CA for each site. Alternatively, it could be one for each division, or based on the certificate to be distributed, for example a subordinate CA responsible for distributing just secure e-mail certificates to clients.

Also be aware that subordinate CAs can be used to provide fault tolerance to the CA infrastructure or to load balance CA distribution in a scenario where certificate requests are particularly heavy.

3. Types of Certificate server

There are two types of root Certification Authority that you should be aware of for the Microsoft exams: a Standalone CA or an Enterprise CA. The main difference between the two is that a standalone CA is just that: it is not part of any domain, whereas an enterprise CA requires one. A standalone CA is usually used to issue certificates to clients that require security for external access, such as web server SSL certificates or certificates for digitally signing e-mails, anything that involves access from off the network. Certificate requests to a Standalone CA are always marked as pending and require an administrator to authorize them before they are issued; they cannot be enrolled automatically.

In contrast, an Enterprise CA must be installed on an active directory domain controller, as it uses the domain details and group policy to distribute certificates to the trusted stores of clients and to publish the latest CRL. Although a standalone CA doesn’t have a centralized secure domain to authenticate client enrolment, what makes it more secure is that it can be kept offline, whereas an enterprise CA cannot, because your domain cannot function for any extended time without the domain controller. This isn’t to say that a standalone CA cannot be installed on a domain; however, if it is, it automatically becomes a member of the trusted certification authorities for all domain clients. This is fine if the default certificate processing is left in place (pending prior to authorization); however, if this is turned off, the standalone CA member server will process certificate requests without authorising them with active directory.

4. Certificate types

The specifics of certificates warrant an article itself. However, within the context of your PKI studies there are a number of key factors you should keep in mind.

First is that there are two certificate versions, simply named version 1 and version 2 certificates. The Microsoft 2003 track introduced the version 2 certificate in order to allow auto enrolment and further editing of certificates, as opposed to the read-only version 1 certificates. One thing to note here is that version 1 certificates can be duplicated and then turned into version 2 certificates, therefore making them editable.

For the exam, the most likely questions related to the specifics of a certificate will be based around changing the permissions on the certificate’s ACL in order to allow for enrolment and auto enrolment.

Also consider that each certificate is designed to provide security for a different role, such as secure e-mail or IPSEC. This is straightforward regardless of what type of CA infrastructure you go for, unless you are considering Smart card domain login, as only Enterprise CAs can authenticate back to active directory.

Finally, make sure you are familiar with the certificate template snap-in, and more importantly the properties of both the version 1 and version 2 templates. Like the certificates themselves, version 1 templates are read only, unless they are duplicated to version 2 templates as mentioned above.

5. Certificate Enrolment

The way in which users and computers enroll for certificates varies, depending on the CA infrastructure that has been deployed. One of the big question areas on this topic tests your knowledge of which enrollment method you should use based on the question’s scenario. Make sure you keep in mind the main differences between a standalone and an enterprise CA, as mentioned above.

You should be familiar with the certificate web console, how to create a pending certificate request, and completing the process once the certificate has been granted.

Although it is now a firm fixture in today’s PKIs, auto enrolment was considered a new feature in Windows Server 2003, so if you are still considering taking this track, you should be familiar with it; being questioned on it is a certainty. Basically, auto enrollment allows domain-based clients to request and update certificates without any input from the user. A few things to watch out for here are that this only applies to Windows Server 2003 upwards; additionally, it is only supported by the Enterprise edition. Also, the certificate must be a version 2 certificate. You know that if there are specific conditions like this to be aware of, then you are likely to be quizzed on them in the exam.

For your exams, it’s important that you know about certificate mapping, as although it’s breezed over in the text books, it seems to crop up in Microsoft exams all too often to be ignored. The principle behind mapping certificates to user accounts is to allow user authentication, for example, to a web page or secure server. Rather than entering any credentials, the user presents the certificate, which is mapped to their account, which in turn authorizes their access to the site. You need to know that you have the option of one-to-one certificate mapping, as described above, or many-to-one mapping, which, just as it sounds, allows multiple certificates from the same CA to be mapped to a single account.

6. Best practices

When you are taking your Microsoft exam, you should always keep in mind that most of all, Microsoft is testing that you are following best practice. When it comes to best practice within your PKI, most of the "must do’s" are based on securing your CA servers to ensure their integrity on the network. The root CA should be kept offline and only brought into action to issue certificate information to subordinate CAs, not users or computers directly. Obviously, this cannot be the case with regards to an Enterprise CA.

Backing up is always a best practice; however, knowing exactly what you need to back up is always useful. In order to back up your PKI you need to back up your CA database, your root CA, and the CA keys. This is done via the CA snap-in or via the certutil -backup command switch. Similarly, you should consider archiving the private keys of issued certificates in case they become corrupted or deleted.

The Certificate Revocation List (CRL) is mentioned in more detail later, but in terms of employing best practices, you should always remember to keep the CRL in an accessible area to the requesting clients. Also, in order to keep the CRL manageable, you should ensure a regular publishing schedule for your Delta CRL and its differential listing of revoked certificates.

7. Certificate services and IIS

When you go through the initial installation of Microsoft certificate services, you are given the option of installing the certificate web enrollment console. I recommend that for the purpose of your hands-on exam practice you install this feature and practice requesting certificates of different types with it as instructed in your Microsoft materials. By default, the URL of the web enrollment console is localhost/certsrv; in order for clients to enroll using it, you will need to set permissions accordingly, as by default only domain admins can access the console.

If you have ever accessed a secure website on the internet, that website is using an SSL certificate, usually from a publicly recognized CA such as Verisign or Comodo. When managing your websites in a Microsoft exam, it is assumed you are managing them on an IIS server, and that you are using an SSL certificate issued by your Microsoft CA. This could be a prime area for a simulation question where you are required to submit a pending request from your IIS console to your CA to set up SSL for a secure company web page, so practicing with the certificate wizards in this area will be beneficial.
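The pending-request cycle described in sections 3, 5 and 7 (request from the web server, request sits as pending on a standalone CA, an administrator issues it, the web server retrieves and installs it) is shown end to end below using the built-in certreq and certutil tools. This is an added example, not code from the article; the CA name, host names, paths and the RequestId 42 are assumed placeholders.

```powershell
# Added example (not from the article): request an SSL certificate for an IIS web
# server from a standalone CA, where the request stays "pending" until an
# administrator issues it. Steps 1-3 and 5-6 run on the web server, step 4 on the CA.
$CaConfig = 'CA01.example.local\Example Standalone Root CA'   # assumed "<host>\<CA common name>"
$WorkDir  = 'C:\PkiLab'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request definition for certreq. MachineKeySet puts the key in the computer store
#    so IIS can use it; KeyUsage 0xA0 = digital signature + key encipherment; the EKU
#    1.3.6.1.5.5.7.3.1 is server authentication, which an SSL/TLS certificate needs.
@"
[NewRequest]
Subject = "CN=www.example.local, O=Example Ltd, C=GB"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$WorkDir\www.inf" -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request file.
certreq -new "$WorkDir\www.inf" "$WorkDir\www.req"

# 3. Submit it. A standalone CA queues the request as pending and certreq prints the
#    RequestId; no certificate comes back yet.
certreq -submit -config $CaConfig "$WorkDir\www.req" "$WorkDir\www.cer"

# 4. (On the CA, as a CA administrator) list the pending queue (Disposition 9 = pending)
#    and issue the request by its id. Replace 42 with the RequestId printed in step 3.
certutil -config $CaConfig -view -restrict "Disposition=9" -out "RequestID,RequesterName,CommonName"
certutil -config $CaConfig -resubmit 42

# 5. (Back on the web server) retrieve the issued certificate and accept it, which pairs
#    it with the private key from step 2 and installs it in LocalMachine\My.
certreq -retrieve -config $CaConfig 42 "$WorkDir\www.cer"
certreq -accept "$WorkDir\www.cer"

# 6. Confirm the certificate is in the computer store with its private key; it can then
#    be bound to the site from the IIS console.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.example.local*' } |
    Select-Object Thumbprint, HasPrivateKey, NotAfter
```

Against an enterprise CA the same request would carry a CertificateTemplate attribute and, with the right template permissions, be issued immediately rather than held as pending, which is the distinction the exam scenarios turn on.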

8. Certificate Revocation

When a certificate is removed, replaced, or updated, the rest of the network needs to know about it. For example, if an issued certificate that all of your clients are using for smart card domain login becomes compromised, then there needs to be a way for the certificate to be marked as untrustworthy and a new certificate to be issued. This process is called certificate revocation, and any certificates that have been “revoked” are listed on a Certificate Revocation List (CRL). In terms of the examination, this is a fairly straightforward topic; however, there are a couple of key things to remember. Firstly, there are two types of CRL: the base CRL and the delta CRL. The base CRL lists all of the revoked certificates on that CA; this list can get quite large, so a delta CRL lists the interim certificate revocations since the last base CRL was published. It’s common within the Microsoft exams to get a question or two about CRLs that test your ability to work out which certificates will be listed as revoked from the time a base CRL is published, and in the subsequent delta CRLs published a number of days later.

The distribution of the CRL is another common testing area; you need to make sure that all clients can locate the CRL, as it is referenced prior to certificate enrollment. Having the CRL published through group policy ensures all domain members are kept up to date, whereas in a standalone environment you would need to bring your root server online, revoke the certificate, and then publish this revocation to all of your subordinate standalone CAs. The process of certificate revocation is an important part of maintaining the integrity of your CA, so be sure not to overlook this part, as it is a sure-fire exam question.
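To see the base/delta CRL schedule and the distribution point in practice, the added example below (not from the article) reads and sets the CA's CRL publishing settings with certutil, publishes both lists, and then checks from a client that the CRL URLs embedded in an issued certificate can actually be fetched. The CA name, file paths and the weekly/daily schedule are assumed placeholders.

```powershell
# Added example (not from the article): manage base and delta CRL publishing on a
# Microsoft CA and verify that clients can reach the CRL distribution point (CDP).
$CaConfig = 'CA01.example.local\Example Issuing CA'   # assumed "<host>\<CA name>"

# 1. Current schedule: base CRL every CRLPeriodUnits x CRLPeriod, delta CRL every
#    CRLDeltaPeriodUnits x CRLDeltaPeriod (0 units disables delta CRLs).
#    CRLPublicationURLs lists where the CA writes the CRL and what CDP URL it stamps
#    into issued certificates; that URL must be reachable by every enrolling client.
foreach ($value in 'CRLPeriod','CRLPeriodUnits','CRLDeltaPeriod','CRLDeltaPeriodUnits','CRLPublicationURLs') {
    certutil -config $CaConfig -getreg "CA\$value"
}

# 2. Example policy: full base CRL weekly, delta CRL daily (only the revocations since
#    the last base CRL). -setreg changes take effect after certsvc restarts.
certutil -config $CaConfig -setreg CA\CRLPeriod "Weeks"
certutil -config $CaConfig -setreg CA\CRLPeriodUnits 1
certutil -config $CaConfig -setreg CA\CRLDeltaPeriod "Days"
certutil -config $CaConfig -setreg CA\CRLDeltaPeriodUnits 1
Restart-Service certsvc

# 3. Publish on demand: a new base CRL (plus a fresh delta when deltas are enabled),
#    or a delta only, which is what you do right after revoking a certificate.
certutil -config $CaConfig -CRL
certutil -config $CaConfig -CRL delta

# 4. Inspect what was written: ThisUpdate/NextUpdate and the revoked serial numbers.
#    The delta CRL file carries a '+' suffix.
$CertEnroll = 'C:\Windows\System32\CertSrv\CertEnroll'
certutil -dump "$CertEnroll\Example Issuing CA.crl"
certutil -dump "$CertEnroll\Example Issuing CA+.crl"

# 5. From a client: build the chain for an issued certificate and download every CDP
#    and AIA URL it lists. An unreachable URL or "revocation check failed" here is the
#    classic cause of failed enrollment and smart card logon.
certutil -verify -urlfetch 'C:\PkiLab\www.cer'
```

Step 5 is also the quickest way to answer the exam's "clients cannot locate the CRL" scenario in a lab: if the URL in the certificate points at a share or web folder the client cannot reach, the output says so explicitly.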

9. Troubleshooting the PKI

Like any Microsoft infrastructure server application, certificate services has occasions when it doesn’t work, and these scenarios are always common territory for exam questions. Make sure you cover what can go wrong and what you need to do to fix it. The most common issues are related to certificate enrollment, which can be caused either by permission issues or by replication problems between network servers within the CA infrastructure.

In order for certificates to be enrolled or auto enrolled by clients, you need to ensure that the read, enroll, and auto-enroll permissions are configured on the certificate’s ACL. The auto-enroll restrictions mentioned above should also be considered, as well as forcing group policy replication for auto enrolment to take place. An enterprise CA replicates using active directory replication (which by default has a replication time of 5 minutes); this is worth noting when answering questions related to template differences between network CAs, as it’s likely they just need time to catch up.

Issues with the web enrollment pages can be a mixture of both IIS and CA problems, so it’s important that some study time is reserved for looking at IIS and the web-based permissions. For example, by default only domain administrators can use the web enrollment feature, so normal users attempting to access the console will fail. Also be aware that if a question mentions an inaccessible web console installed on a server that is not the CA, this will be because NTLM authentication is enabled instead of basic authentication combined with SSL to protect the passwords.
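The permission and replication checks in this section, together with the gpupdate /force fix from section 10, come together in the added troubleshooting script below (not from the article). It reads the Read/Enroll/Autoenroll entries on a template's ACL from Active Directory, forces policy and auto-enrollment to run, and then checks the auto-enrollment event log and the machine store. The template name is an assumed placeholder; the extended-right GUIDs are the Certificate-Enrollment and Certificate-AutoEnrollment control access rights from the AD schema.

```powershell
# Added example (not from the article): three checks that clear most auto-enrollment
# failures. Run on a domain-joined machine with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# The template object's cn (internal name), not its display name. 'Workstation' is the
# cn of the built-in "Workstation Authentication" template; assumed for this example.
$TemplateCn = 'Workstation'
$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# Extended-right GUIDs the CA checks on the template ACL.
$EnrollGuid     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoenrollGuid = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# 1. Who holds Read / Enroll / Autoenroll on the template? A user or computer must be
#    in a group allowed all three before auto-enrollment will work.
function Get-TemplatePermission {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        $ace   = $_                                   # $_ is rebound inside switch
        $right = switch ($ace.ObjectType.ToString()) {
            $EnrollGuid     { 'Enroll' }
            $AutoenrollGuid { 'Autoenroll' }
            default         { $ace.ActiveDirectoryRights.ToString() }   # e.g. GenericRead
        }
        [pscustomobject]@{
            Principal = $ace.IdentityReference
            Right     = $right
            Type      = $ace.AccessControlType
        }
    }
}
Get-TemplatePermission -DistinguishedName $TemplateDN | Sort-Object Principal | Format-Table -AutoSize

# 2. Re-apply Group Policy now (the article's gpupdate /force), then trigger the
#    auto-enrollment task immediately instead of waiting for the next policy refresh.
gpupdate /target:computer /force
certutil -pulse

# 3. Check the outcome: auto-enrollment logs to the Application log under this provider
#    (errors name the template and the reason), then look for the certificate itself.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 | Select-Object TimeCreated, Id, LevelDisplayName, Message
Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter, HasPrivateKey
```

If step 1 shows the right group but step 3 still reports the template as unavailable, the template change has usually not replicated to the CA's domain controller yet, which is the "give it time to catch up" answer the section describes.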

10. Command line tools

There are always command line tools to master within Microsoft exams, and certificate services is no different. The main command to master is the certutil utility, which is installed as part of your certificate services installation. For the purposes of the exam, you should be aware of this command and that it can be used to administer your CA, for example backing up and restoring the CA database, verifying the certificate chain, and checking the validity of the issuing CA. The command syntax can be quite complex, and you are unlikely to be asked to run this command in a simulation question. However, be aware of some of the key switches, as identifying which command will perform a certain action may come up.
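The certutil backup and restore switches named here and in the best practices section are shown below as an added example (not from the article), together with a check that the backup actually contains the CA key and that the CA is answering. The CA name, backup path and password handling are assumed; run it on the CA itself, where certutil defaults to the local CA.

```powershell
# Added example (not from the article): back up a CA with certutil (database plus the
# CA certificate and private key), sanity-check what was written, and note the restore
# steps. Run on the CA as a CA administrator or Backup Operator.
$CaName    = 'Example Issuing CA'                                   # assumed CA common name
$BackupDir = "D:\CABackup\$(Get-Date -Format 'yyyyMMdd-HHmm')"    # assumed backup location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The CA key is exported to a PKCS#12 file, which certutil insists on protecting with a
# password. Read it without echoing it and unwrap it only for the certutil calls.
$Secure = Read-Host -Prompt 'Backup password' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)

# 1. Full backup: "<CA name>.p12" (certificate + private key) and a DataBase folder with
#    the database and its logs. -backupDB and -backupKey back up either piece alone,
#    which is how a nightly database-only backup would be scheduled.
certutil -p $Plain -backup $BackupDir

# 2. Confirm the pieces exist and that the key file really holds the CA certificate and
#    a private key (-dump on the .p12 prints the certificate and key container details).
Get-ChildItem -Path $BackupDir -Recurse | Select-Object FullName, Length
certutil -p $Plain -dump (Join-Path $BackupDir "$CaName.p12")
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
Remove-Variable Plain

# 3. Keep a copy of the CA certificate next to the backup and check the CA responds;
#    both are also the first things to check after a restore.
certutil -ca.cert (Join-Path $BackupDir "$CaName.cer")
certutil -ping

# 4. Restore onto a rebuilt CA (certificate services installed, service stopped):
#    Stop-Service certsvc
#    certutil -p '<backup password>' -restore D:\CABackup\<folder>
#    Start-Service certsvc
```

Archived private keys of issued certificates (the "key archival" best practice) are held in the same database, so the database backup covers them; recovering one is a separate certutil operation (-getkey and -recoverkey) that needs a key recovery agent certificate.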

Another command worth remembering is the gpupdate tool. Any topic that includes the use of group policy may ask questions related to errors once a policy is set up. For example, you have set up your clients to auto enroll for their IPSEC certificates through group policy, but secure communications fail because the clients haven’t picked up their certificates as expected. The root of the problem is usually group policy replication, and running gpupdate with the optional /force switch will resolve the issue.
