M2821 Designing and Managing a Public Key Infrastructure

This five-day, instructor-led course provides students with the knowledge and skills to design, deploy, and manage a public key infrastructure (PKI) to support applications that require distributed security. Students get hands-on experience implementing solutions to secure PKI-enabled applications and services, such as Microsoft Internet Explorer, Microsoft Exchange Server, Microsoft Internet Information Server, Microsoft Outlook, and remote access services.

Also, during the course will be demonstrated:

Capabilities of Certificate Authorities on Microsoft Windows 2012R platform

o Supporting remote clients requests by policy server (Certificate Enrollment Services)
o Online Responding Service (Online Certificate Status Protocol)
o Supporting requests from hardware devices (Network Device Enrollment Service)

Enrollment requests from IIS8

Supporting Certificates for Exchange 2013 SP 1

Organizing Digital signature and encryption of E-Mail in corporate environment with Microsoft Office 2013

This course is intended for IT systems engineers who are responsible for designing and implementing security solutions.

After completing this course, students will be able to:

Describe PKI and the major components of a PKI.

Design a certification authority (CA) hierarchy to meet business requirements.

Install Certificate Services to create a CA hierarchy.

Perform certificate management tasks, CA management tasks, and plan for disaster recovery of Certificate Services.

Create and publish a certificate template, and replace an existing certificate template.

Enroll a certificate manually, auto-enroll a certificate, and enroll a smart card certificate.

Implement manual and automatic key archival and recovery in a Windows Server 2003 PKI.

Configure trust between organizations by configuring and implementing qualified subordination.

Deploy smart cards in a Windows environment.

Secure a Web environment by implementing SSL security and certificate-based authentication for Web applications.

Implement secure e-mail messages by using Microsoft Exchange Server.

Module 1: Overview of Public Key Infrastructure

This module explains the basic concepts of a public key infrastructure (PKI) and its components. It also provides an overview of the topics that will be explained in-depth in the course.

Lessons

Introduction to PKI

Introduction to Cryptography

Certificates and Certification Authorities

Module 2: Designing a Certification Authority Hierarchy

This module introduces students to designing a CA hierarchy. It explains the major tasks that are involved, including identifying business and legal requirements and planning a Certification Authority (CA) hierarchy structure.Lessons

Identifying CA Hierarchy Design Requirements

Common CA Hierarchy Designs

Documenting Legal Requirements

Analyzing Design Requirements

Designing a CA Hierarchy Structure

Lab : Designing a CA Hierarchy

Identifying Applications and Certificate Holders

Identifying Technical and Business Requirements

Designing a CA Hierarchy

After completing this module, students will be able to:

Identify technical and business requirements for designing a CA hierarchy.

Describe common CA hierarchy designs.

Describe policies and documents for specifying the legal requirements of a CA hierarchy design.

Identify the impact of design requirements and determine design changes to a CA hierarchy design.

Design a CA hierarchy to meet business requirements.

Module 3: Creating a Certification Authority Hierarchy

This module explains how to create a CA hierarchy based on a CA hierarchy design. Students also learn how to install Certificate Services, validate a certificate, and publish a certificate revocation list (CRL) and an Authority Information Access (AIA).Lessons

Creating an Offline CA

Validating Certificates

Planning CRL Publication

Installing a Subordinate CA

Lab : Installing an Offline CA

Configuring CAPolicy.inf for installing the Offline Root CA

Installing the Offline Root CA

Lab : Publishing CRLs and AIAs

Defining CRL and AIA Publication Settings

Publishing the CRL and AIA Information

Adding the Web Server to Local Intranet Sites

Lab : Implementing a Subordinate Enterprise CA

Installing the Subordinate Enterprise CA

Validating the PKI Health of your CA Hierarchy

After completing this module, students will be able to:

Create an offline root CA.

Design an infrastructure to validate certificates.

Design an infrastructure to publish CRLs.

Install a subordinate CA.

Module 4: Managing a Public Key Infrastructure

This module explains how to manage a PKI by managing certificates and CAs. Students also learn how to recover a PKI in the event of a failure.Lessons

Introduction to PKI Management

Managing Certificates

Managing Certification Authorities

Planning for Disaster Recovery

Lab : Enabling Role Separation

Defining CA Administrators and Certificate Managers

Restricting Certificate Managers

Generating Certificate Requests

Testing CA Administrator Tasks

Testing Certificate Manager Tasks

Enabling Certificate Services Auditing

Lab : Backing Up and Restoring a Certification Authority

Determining Backup Privileges

Backing Up Certificate Services

Removing the CA's Private Key from the CA Certificate Store

Restoring the System State Backup

After completing this module, students will be able to:

Describe the use of roles in PKI management.

Perform certificate management tasks.

Perform CA management tasks.

Plan for disaster recovery of Certificate Services.

Module 5: Configuring Certificate Templates

This module introduces students to certificate templates and how to design them. Students also learn about creating, publishing, and changing certificate templates.Lessons

Introduction to Certificate Templates

Designing and Creating a Certificate Template

Publishing a Certificate Template

Managing Changes in a Certificate Template

Lab : Delegating Certificate Template Management

Delegating Certificate Template Administration Permissions

Lab : Designing a Certificate Template

Reviewing an Existing Certificate Template

Designing the Custom Code Signing Certificate Template

Lab : Configuring Certificate Templates

Creating a Certificate Template

Publishing a Certificate Template

Enrolling the Certificate Template

Superceding a Certificate Template

After completing this module, students will be able to:

Describe the function of certificate templates in a Windows Server 2003 PKI.

Design and create a certificate template.

Publish a certificate template.

Replace an existing certificate template with an updated certificate template.

Module 6: Configuring Certificate Enrollment

In this module, students learn about the various methods of enrolling certificates. Students can either process the certificate requests manually or automatically, depending upon the approval requirement from the certificate manager.Lessons

Introduction to Certificate Enrollment

Enrolling Certificates Manually

Autoenrolling Certificates

Lab : Enrolling Certificates

Choosing an Enrollment Method

Enrolling Computer Certificates by Using the Certificate Enrollment Wizard

Creating a User Certificate Template that Enables Autoenrollment

Deploying the Certificates by Using Autoenrollment

After completing this module, students will be able to:

Select the appropriate certificate enrollment method for a given scenario.

Enroll certificates manually.

Autoenroll certificates.

Enroll smart card certificates.

Module 7: Configuring Key Archival and Recovery

This module describes the importance of creating a strategy for data and key recovery and explains the key archival and recovery process. Students also learn how Windows XP and Windows Server 2003 enhance data protection and data recovery.Lessons

Introduction to Key Archival and Recovery

Implementing Manual Key Archival and Recovery

Implementing Automatic Key Archival and Recovery

Lab : Configuring Key Recovery

Publishing the Key Recovery Agent Certificate Template

Enrolling the Key Recovery Agent Certificates

Implementing Key Recovery on an Enterprise CA

Creating an Archive-enabled Certificate Template

Acquiring an ArchiveEFS Certificate

Performing Key Recovery

After completing this module, students will be able to:

Describe the key archival and recovery process in a Windows Server 2003 PKI.

Implement manual key archival and recovery.

Implement automatic key archival and recovery.

Module 8: Configuring Trust Between Organizations

Students learn how to extend an organization's PKI trust hierarchy to other organizations. By extending the trust hierarchy, an organization's certificates can be used and trusted across organizations for purposes like secure e-mail messages, client authentication, and server authentication.Lessons

Introduction to Advanced PKI Hierarchies

Qualified Subordination Concepts

Configuring Constraints in a Policy.inf File

Implementing Qualified Subordination

Lab : Implementing a Bridge CA

Creating a Qualified Subordination Signing Certificate Template

Configuring a Policy.inf File

Requesting a Qualified Subordination Signing Certificate

Generating a Cross Certification Authority Certificate for the Bridge CA

Modifying the Policy.inf File on the Bridge CA

Creating the Cross Certification Authority Certificate

Publishing the Bridge CA Cross Certification Authority Certificates

Issuing Certificates that Meet Qualified Subordination Constraints

After completing this module, students will be able to:

Describe advanced PKI hierarchies.

Describe how constraints are used in qualified subordination.

Configure a policy.inf file to implement qualified subordination constraints.

Implement qualified subordination between CA hierarchies.

Module 9: Deploying Smart Cards

In this module, students learn how smart cards provide secure storage for data and also support authentication of users. Students also learn how to configure and deploy smart cards in a Windows Server 2003 PKI environment.Lessons

Introduction to Smart Cards

Enrolling Smart Card Certificates

Deploying Smart Cards

Lab : Deploying Smart Cards

Modifying and Publishing the Enrollment Agent Certificate Template

Acquiring the Enrollment Agent Certificates

Creating a Custom Smart Card Certificate

Enabling the Downloading of Unsafe Microsoft ActiveX Controls

Performing Smart Card Enrollment Agent Requests

Configuring a Certificate to Require a Smart Card Signature during Autoenrollment

Signing an Autoenrollment Certificate Request with a Smart Card

Planning for Re-enrollment

After completing this module, students will be able to:

Describe the use of smart cards for authentication in a Windows Server 2003 PKI environment.

Deploy smart cards for authentication in a Windows Server 2003 PKI environment.

Module 10: Securing Web Traffic by Using SSL

This module explains how to secure a Web environment by implementing SSL security and certificate-based authentication for Web applications.Lessons

Introduction to SSL Security

Enabling SSL on a Web Server

Implementing Certificate-based Authentication

Lab : Deploying SSL Encryption at a Web Server

Enabling SSL Encryption in IIS

Securing the Security Virtual Folder

Enabling Certificate Mapping in Active Directory

Enabling Certificate Mapping in IIS

After completing this module, students will be able to:

Describe how security is implemented in a Web environment.

Configure IIS to implement SSL security.

Implement certificate-based authentication for Web applications.

Module 11: Configuring E-mail Security

In this module, students learn how to implement secure e-mail messages in an Exchange 2003 environment.Lessons

Introduction to E-mail Security

Configuring Secure E-mail Messages

Recovering E-mail Private Keys

Migrating a KMS Database to a CA Running Windows Server 2003

Lab : Securing E-mail Messages in Exchange Server 2003

Creating Exchange Server 2003 Mailboxes

Creating and Publishing S/MIME Certificate Templates

Configuring Outlook 2002

Sending Secure E-mail Between Organizations

After completing this module, students will be able to:

Describe how e-mail security is implemented by a server running Exchange in a Windows Server 2003 environment.

Securing e-mail messages in an Exchange 2003 environment.

Recover e-mail private keys.

Migrate a Key Management Service (KMS) database to a Windows Server 2003 Enterprise Edition enterprise CA.