Manage Certificates Part 1

Introduction

The Manage Certificates Part 1 module provides you with the instruction and server hardware to develop your hands on skills in the defined topics. This module includes the following exercises:

• Managing Certificate Templates
• Configuring Certificate Auto Enrollment
• Implementing Key Archival
• Enrolling for User Certificate
• Managing Key Recovery

Lab Time: It will take approximately 1 hour to complete the exercises in this lab.

Exam Objectives

• Install Active Directory Enterprise Certificate Authority
• Manage certificate templates
• Implement certificate deployment and validation
• Manage certificate enrolment using Group Policies
• Configure and manage key archival and recovery

Exercise 1 - Managing Certificate Templates

Certificate Templates are used by Enterprise Certification Authorities (CA) to define the purpose and content of certificates that can be issued to a requesting entity like user, computer or network service.

In this exercise, you will first install AD Certificate Services and its required components and later customize the certificate template properties.

Exercise 2 - Configuring Certificate Auto Enrollment

Enrollment for machine or user certificate can be done manually by using certificates request wizard through the Microsoft Management Console (MMC) in a small organization. For big companies that maintain hundreds of network users, certificate enrollment can be streamlined by customizing a certificate template. A customized certificate template allows you to set properties such as auto enrollment and simplify certificates deployment to domain users by using Group Policy Objects.

In this exercise, you will learn how to manage certificates by setting the different properties for a custom template such security that indicate which user or security group has access to the certificate, timeline that illustrate validity of an issued certificate and other properties relating to a certificate templates.

Exercise 3 - Implementing Key Archival

To ensure the recoverability of issued certificates, a certification authority (CA) server must be configured to archive keys or certificates that it has issued to users and computers. Key archival means that the CA server has a copy of all issued certificates and therefore allows recovery of certificates lost by the user due to a number of reasons such as theft of smart card, an accidental reformat of the user workstation where the user certificate is saved and among other things.

In this exercise, you will learn to how set up key archival by first enabling a key recovery agent in certification authority and issue a recovery agent certificate to the CA administrator.

Exercise 4 - Enrolling for User Certificate

In the previous exercise, you have performed the essential tasks to set up key archival in a CA server. These tasks include the following: creating a custom certificate for key recovery agent, configured the administrator account to request for a key recovery agent certificate, enabled the CA server to archive issued certificate and created a custom certificate template enabled for archiving.

In this task, you will test a new user to enroll for a custom certificate that was enabled for certificate archiving.

Exercise 5 - Managing Key Recovery

The previous exercise illustrated that if a user account having access to the encrypted file is deleted, it will be denied access to the folder/file it had encrypted even if the account is re-created with the exact same properties as the old user account. This exercise will demonstrate how to recover an archived certificate/key that was issued to the user and show how to link the certificate to its rightful owner. After which you will perform an export of the key to a file and finally test if the recovered key can be used for decrypting a protected document.