
Chapter 11 Lesson Notes

Management and Administration of Certificate Services

I. Introduction

A. Public Key Infrastructure (PKI) is a cryptography method that protects data exchanged between computer systems. PKI uses the Rivest-Shamir-Adleman (RSA) algorithm with public and private encryption keys to perform cryptographic functions on data. The public key is freely distributed between systems, whereas the private key remains on the system and is never distributed. PKI works using the four steps shown on page 767 (and in Figure 11-1, also on page 767).

B. Microsoft uses PKI technology in its Windows 2000 Certificate Services employing a hierarchical structure as shown in Figure 11-2 on page 768. The main server is called the Certification Authority (CA) and is at the root of the hierarchy.

C. Certificates are usually created by a well-known Certificate Authority company. By using a third-party company such as VeriSign, users can be sure that the entity contacting them is who it says it is.

Insider Information

From www.verisign.com

VeriSign, Inc., headquartered in Mountain View, California, is the leading provider of Internet trust services, which include authentication, validation, and payment needed by Web sites, enterprises, and e-commerce service providers to conduct trusted and secure electronic commerce and communications over IP networks. The company has established strategic relationships with industry leaders such as AT&T, British Telecommunications, Checkpoint Technologies, Cisco, Microsoft, Netscape, Network Associates, Network Solutions, RSA Security, and VISA, in order to enable widespread utilization of digital certificate services and to assure interoperability with a variety of applications and network equipment.

VeriSign's trust services for Web sites, developers, and individuals are available through www.verisign.com and through a growing number of ISPs and Web hosting companies. As of this writing, VeriSign has issued over 215,000 Web site digital certificates and over 3.9 million digital certificates for individuals. The company's Web site digital certificate services are used by all of the Fortune 500 companies with a Web presence. VeriSign also offers a suite of technologies, services, and key industry alliances to accelerate the deployment of trust in next-generation applications for wireless Internet e-commerce.

VeriSign's managed digital certificate services allow enterprises and electronic commerce service providers to leverage the company's infrastructure to deploy digital certificates for employees, customers, and partners, and are available through regional account representatives, resellers, and global affiliates. Customers include Bank of America, Barclays, Hewlett Packard, the Internal Revenue Service, Kodak, Southwest Securities, Sumitomo Bank, Texas Instruments, VISA, and US West.

The company's network of more than twenty affiliates, which provide trust services under licensed co-branding relationships using VeriSign technology and business practices, includes Arabtrust in the Middle East, British Telecommunications in the United Kingdom, CIBC of Canada, CertiSur of Argentina, Certplus of France, eSign of Australia, HiTrust of Taiwan, KPN Telecom of the Netherlands, Roccade of the Netherlands, the South African Certification Agency in South Africa, and VPN Tech of Canada.

II. Overview of Certificate Services

A. What is a Public Key Certificate?

1. A public key certificate is a security token passed between two computers that allows data to be encrypted.

2. A public encryption key within the public key certificate encodes the data, and only the corresponding private encryption key can decrypt the data.

B. Uses of Certificates

1. Public key certificates identify the server to the client as the correct entity with which to communicate and are most popular on e-commerce Web sites.

C. Information Contained in Certificates:

1. The public or private encryption key value

2. The name and digital signature of the certificate bearer, which may be either a user or a service

3. The length of time the certificate is valid

4. The identity of the Certificate Authority

5. Figure 11-3 on page 772 lists the values set in certificates.

D. The Certification Hierarchy

1. Figure 11-4 on page 773 shows the top-down fashion of the DNS hierarchies, which enables scalability and ease of administration.

2. Certification Authorities (see Figure 11-4 on page 773)

The two main types of CAs:

a. Root Authority - Superior CAs that assign and authenticate subordinate CAs. Root CAs distribute very few certificates, and only to subordinates.

b. Subordinate CAs - Provide public keys to clients who request them. Clients then can use the public key to encrypt data that can only be decrypted with the receiver's private key.

3. Enterprise and Stand-alone CAs

a. Enterprise CAs require and use the Active Directory, whereas stand-alone CAs do not require the Active Directory.

b. Certificate management is effected using group policies.

E. The Certificate Store

A database created during the installation of a CA that contains the information for supporting or verifying certificates issued by that particular CA.

1. One certificate store can support up to 250,000 certificates.

2. Stand-alone root CAs keep the store on the server itself; the Enterprise root CA keeps the store in the Active Directory.

III. Management and Administration of Certificates

A. Using the Certificates MMC (Microsoft Management Console)

1. Perform Exercise 11-2 on page 776: Using the MMC Certificates/Certificate Authority Snap-in.

B. Publishing Certificates to Active Directory

1. User Certificates, CA Certificates, and Certificate Revocation Lists (CRL) are included when publishing certificates to the Active Directory.

a. User certificates

Used for data exchange applications

b. CA certificates

Used for building certificate paths to trusted root CAs

c. Certificate Revocation Lists (CRL)

Used to facilitate checking of certificate validity status

C. Certificate Formats

1. Personal Information Exchange format (Public Key Cryptography Standard #12 [PKCS #12]) requires the establishment of these conditions:

a. The Cryptographic Service Provider (CSP) must recognize the certificate and keys as exportable.

b. The certificate is for Encrypting File System (EFS) or EFS recovery.

c. The certificate is requested via the Advanced Certificate Request certification authority Web page with the Mark Keys As Exportable check box enabled.

2. Cryptographic Message Syntax Standard, or PKCS #7, enables the transfer of a certificate. PKCS #7 files use the .p7b file extension.

3. DER (Distinguished Encoding Rules) Encoded Binary X.509 is used for non-Windows 2000 certification authorities and uses .cer for the file extension.

4. Base64 Encoded X.509 format also uses .cer as the file extension and, too, is used by non-Windows certificate servers.
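The DER and Base64 Encoded X.509 formats in items 3 and 4 carry the same bytes: Base64 is DER wrapped in text markers. The following added example (not from the textbook) uses only the Python standard library to tell the two apart, normalise either to DER before import, and check that the DER outer framing is well formed. The SAMPLE_DER value is a constructed stand-in for a certificate, not a real one.

```python
import ssl

# Constructed stand-in for a DER-encoded X.509 object: one outer SEQUENCE
# holding an INTEGER (2) and a UTF8String ("CN=example"). Real certificates
# nest far more fields, but the outer tag/length framing is identical.
SAMPLE_DER = bytes([0x30, 0x0F,        # SEQUENCE, 15 bytes of content
                    0x02, 0x01, 0x02,  # INTEGER 2
                    0x0C, 0x0A]) + b"CN=example"  # UTF8String, length 10

def detect_format(data: bytes) -> str:
    """Classify a .cer file body as DER (binary) or Base64 Encoded X.509."""
    if data.startswith(b"-----BEGIN CERTIFICATE-----"):
        return "BASE64"
    if data[:1] == b"\x30":   # DER X.509 always begins with a SEQUENCE tag
        return "DER"
    raise ValueError("not a recognised X.509 encoding")

def to_der(data: bytes) -> bytes:
    """Normalise either encoding to raw DER bytes."""
    if detect_format(data) == "BASE64":
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return data

def to_base64(der: bytes) -> str:
    """Produce the Base64 Encoded X.509 form with BEGIN/END markers."""
    return ssl.DER_cert_to_PEM_cert(der)

def read_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value triple, including long-form lengths.
    Returns (tag, value bytes, offset just past the value)."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                     # short form: length fits in 7 bits
        length, hdr = first, 2
    else:                                # long form: next n bytes hold length
        n = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        hdr = 2 + n
    start = offset + hdr
    return tag, data[start:start + length], start + length

def check_outer_sequence(der: bytes) -> bool:
    """A well-formed certificate is exactly one SEQUENCE with no trailing bytes."""
    tag, _, end = read_tlv(der)
    return tag == 0x30 and end == len(der)

def list_children(der: bytes):
    """Return the (tag, value) pairs directly inside the outer SEQUENCE."""
    _, body, _ = read_tlv(der)
    out, off = [], 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        out.append((tag, value))
    return out
```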

D. Importing and Exporting Certificates

1. The CA MMC snap-in can import and export PKCS #12, PKCS #7, and DER encoded binary X.509 certificate files.

a. Certificates can be imported in order to

i. Install a certificate that was sent in a file by another user, computer, or CA

ii. Restore a damaged or lost certificate that was previously backed up

iii. Install a certificate and its associated private key from a computer that the certificate holder was previously using.

b. Certificates can be exported in order to

i. Back up a certificate

ii. Back up a certificate and its associated private key

iii. Copy a certificate so it can be used on another computer

iv. Remove a certificate and its private key from the current certificate holder for installation on another computer.

IV. Creating and Issuing Certificates in Windows 2000

A. Generating Encryption Keys and Certificate Requests

1. Web-based enrollment: when a user visits a site and requests a certificate

2. Policy-based auto-enrollment: when a user logs on to a Windows 2000 domain using Microsoft’s X.509 certificate enrollment control.

3. A PKCS #10 certificate request consists of

a. A version value

b. The subject name and subject public key

c. The signature algorithm and the digital signature of the requesting user

d. Additional optional attributes

4. CryptoAPI

a. A software component that adds cryptographic functionality management to certificates

5. The CSP (Cryptographic Service Provider)

a. Creates and destroys keys

B. Processing Certificate Requests

1. The steps for processing certificate requests (shown in Figure 11-5 on page 788) are described on page 789 and are as follows:

a. Request Reception

b. Request Approval

c. Certificate Formation

d. Certificate Publication

2. Perform Exercise 11-5 on page 790: Requesting a Certificate via the Web-Based Request Form.

C. Revoking Certificates

1. Certificates can be revoked automatically by using a Certificate Revocation List or manually by an administrator.

V. Certificate-Based Authentication

A. Certificate-based authentication occurs in two ways:

1. User domain authentication

2. Computer auto-enrollment

B. External Users

1. Users who are not part of a Windows 2000 domain are called external users. These users are given a public key certificate which is used over and over until the certificate expires.

C. Mapping a Certificate to a User Account

1. User Principal Name (UPN) Mapping

One-to-one mapping available only through the Active Directory

2. One-to-One Certificate Mapping

Mapping a single user certificate to a single Windows 2000 user account

3. Many-to-One Certificate Mapping

Used when organizations need to share information with other organizations

4. Perform Exercise 11-7 on page 796: Mapping a Certificate to a User Account.

VI. Encrypting File System (EFS) Recovery Keys

A. Encrypting File System (EFS) uses PKI-based security to encrypt and decrypt data. To accomplish this, enable the check box Encrypt Contents in a file's properties, which establishes a "lock box security" scenario where a public key protects the private key.

VII. Troubleshooting Certificates

A. Common causes of certificate malfunction (specified on page 804) include the following:

1. Data corruption

2. Invalid request format

3. Incorrect certificate mapping
