PKI Concepts

Practice Labs Module
Time
40 minutes
Difficulty
Intermediate


Overview

Introduction

Welcome to the PKI Concepts Practice Lab. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

  • Install and Configure Active Directory Certificate Services
  • Configure Certificate Revocation Lists (CRLs)
  • Manage Certificate Templates
  • Configure Certificate Auto Enrollment
  • Implement Key Archival
  • Enroll for User Certificate
  • Manage Key Recovery

After completing this lab, you will be able to:

  • Install Active Directory Enterprise Root Certificate Service
  • Configure Active Directory Certificate Services
  • Install Subordinate CA
  • Configure Subordinate CA
  • Request User Certificates
  • Verify Issued Certificate
  • Configure a new path for CRLs
  • Add Certificate Managers
  • Manage Certificate Templates
  • Configure Certificate Auto Enrollment
  • Implement Key Archival
  • Enroll for User Certificate
  • Manage Key Recovery
  • Add AD Certificate Services and Certificate Web Enrollment Services
  • Install AD Certificate Enterprise CA and CA Web Enrollment Service
  • Configure a customized certificate template
  • Create a group policy for certificate auto enrollment
  • Verify the certificate issuance
  • Enable a Key Recovery Agent
  • Request a Key Recovery Agent Certificate
  • Issue Key Recovery Agent certificate
  • Configure CA for Key Archival
  • Create a new certificate template enabled for archiving
  • Request a new certificate
  • Encrypt user folder using EFS
  • Delete and re-create user account
  • Test access to the encrypted folder as re-created user account
  • Import Key Recovery Agent certificate
  • Use CERTUTIL to recover archived keys
  • Test user access to the encrypted file
  • Enable server auto login

Exam Objectives

The following exam objectives are covered in this lab:

  • CAS-003 4.3 Given a scenario, integrate and troubleshoot advanced authentication and authorization technologies to support enterprise security objectives.
  • CAS-003 4.4 Given a scenario, implement cryptographic techniques.

Lab Duration

It will take approximately 2 hours to complete this lab.

Exercise 1 - Install and Configure Active Directory Certificate Services

Active Directory Certificate Services (AD CS) allows an organization to build a public key infrastructure (PKI). It is intended to provide the following capabilities:

  • Public key cryptography
  • Digital certificates
  • Digital signatures

In this exercise, you will install and configure Active Directory Certificate Services in a Windows domain environment.

Learning Outcomes

After completing this exercise, you will be able to:

  • Install Active Directory Enterprise Root Certificate Service
  • Configure Active Directory Certificate Services
  • Install Subordinate CA
  • Configure Subordinate CA

Exercise 2 - Configure Certificate Revocation Lists (CRLs)

In this exercise, you will configure certificate revocation lists (CRLs) in Certificate Services. When an administrator revokes a user certificate, for whatever reason, the CA records that revocation so that the certificate cannot be reused. In a large network, the revocation must also be replicated to the other CA servers so that a revoked certificate cannot be used to access network resources.
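The "new path for CRLs" task in this exercise can also be done from an elevated PowerShell session on the CA. The following is an added example, not part of the lab; the host name, share path and certificate file name are constructed, and it assumes the ADCSAdministration module is present and that the web folder is already served over HTTP.

```powershell
# Added example (not part of the lab): point the CA's CRL distribution point (CDP) at a
# new HTTP path, publish a fresh CRL, and verify that a client can retrieve it.
# Assumptions (constructed): C:\inetpub\wwwroot\pki is served as http://pki.corp.example.com/pki/
Import-Module ADCSAdministration

# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix (standard certutil variables)
$localPath = 'C:\inetpub\wwwroot\pki\%3%8%9.crl'
$cdpUrl    = 'http://pki.corp.example.com/pki/%3%8%9.crl'

# Record what is configured before changing anything.
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer

# Location the CA writes the base and delta CRL files to when it publishes.
Add-CACrlDistributionPoint -Uri $localPath -PublishToServer -PublishDeltaToServer -Force

# URL placed in the CDP extension of newly issued certificates (and in the Freshest CRL
# extension so clients can also find delta CRLs). Certificates issued earlier keep the old URL.
Add-CACrlDistributionPoint -Uri $cdpUrl -AddToCertificateCdp -AddToFreshestCrl -Force

# Shorten the base CRL lifetime to one day so revocations reach relying parties sooner.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"

# Registry changes take effect after a service restart; then publish a new CRL.
Restart-Service certsvc
certutil -CRL

# Verification from the relying-party side: fetch every CDP and AIA URL in an issued
# certificate. "Verified" beside the CRL URL means clients can actually download the list.
certutil -verify -urlfetch .\issued-user.cer
```

If `-urlfetch` reports the CRL URL as unreachable, the revocation recorded on the CA is invisible to clients and the revoked certificate may still be accepted, which is the failure the exercise text warns about.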

Learning Outcomes

After completing this exercise, you will be able to:

  • Request User Certificates
  • Verify Issued Certificate
  • Configure a new path for CRLs
  • Add Certificate Managers

Exercise 3 - Managing Certificate Templates

Certificate templates are used by enterprise certification authorities (CAs) to define the purpose and content of the certificates that can be issued to a requesting entity such as a user, computer, or network service.

In this exercise, you will first install AD Certificate Services and its required components and later customize the certificate template properties.

Learning Outcomes

After completing this exercise, you will be able to:

  • Add AD Certificate Services and Certificate Web Enrollment Services
  • Install AD Certificate Enterprise CA and CA Web Enrollment Service

Exercise 4 - Configure Certificate Auto Enrollment

In a small organization, enrollment for a machine or user certificate can be done manually with the Certificate Request Wizard in the Microsoft Management Console (MMC). For larger companies with hundreds of network users, certificate enrollment can be streamlined by customizing a certificate template: a customized template lets you set properties such as auto enrollment, and Group Policy Objects can then deploy the certificates to domain users.

In this exercise, you will learn how to manage certificates by setting the properties of a custom template: security, which specifies the users or security groups that may enroll for the certificate; the validity period of an issued certificate; and the other properties of a certificate template.

Learning Outcomes

After completing this exercise, you will be able to:

  • Configure a customized certificate template
  • Create a group policy for certificate auto enrollment
  • Verify the certificate issuance

Exercise 5 - Implement Key Archival

To ensure that issued certificates remain recoverable, a certification authority (CA) server must be configured to archive the keys of the certificates it issues to users and computers. Key archival means that the CA keeps a copy of each archived key, so a certificate lost by its user can be recovered, whether the loss is due to theft of a smart card, an accidental reformat of the workstation where the user certificate was stored, or some other reason.

In this exercise, you will learn how to set up key archival by first enabling a key recovery agent on the certification authority and then issuing a recovery agent certificate to the CA administrator.

Learning Outcomes

After completing this exercise, you will be able to:

  • Enable a Key Recovery Agent
  • Request a Key Recovery Agent Certificate
  • Issue Key Recovery Agent certificate
  • Configure CA for Key Archival
  • Create a new certificate template enabled for archiving

Exercise 6 - Enroll for User Certificate

In the previous exercise, you performed the essential tasks to set up key archival on a CA server: creating a custom certificate template for the key recovery agent, configuring the administrator account to request a key recovery agent certificate, enabling the CA server to archive the keys of issued certificates, and creating a custom certificate template enabled for archiving.

In this exercise, a new user will enroll for a certificate based on the custom template that was enabled for archiving, so that the archival can be tested.

Learning Outcomes

After completing this exercise, you will be able to:

  • Request a new certificate
  • Encrypt user folder using EFS
  • Delete and re-create user account
  • Test access to the encrypted folder as re-created user account

Exercise 7 - Manage Key Recovery

The previous exercise showed that if the user account that encrypted a file is deleted, a re-created account is denied access to that folder or file even when it has exactly the same properties as the old account, because the re-created account does not hold the original private key needed to decrypt it. This exercise demonstrates how to recover the archived certificate and key that were issued to the user and how to link the certificate back to its rightful owner. You will then export the key to a file and finally test whether the recovered key can decrypt a protected document.
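The key archival checks from Exercise 5 and the CERTUTIL recovery flow from this exercise, as an added example that is not part of the lab. The CA configuration string, domain, user name and KRA file name are constructed; it assumes the session runs as the key recovery agent.

```powershell
# Added example (not part of the lab): recover the archived private key of a user whose
# account was deleted and hand it back as a PFX that the re-created account can import.
# Assumptions (constructed): CA "CA01.corp.example.com\Corp-Issuing-CA", domain CORP,
# user jsmith, KRA certificate exported earlier as .\kra-admin.pfx.
$caConfig = 'CA01.corp.example.com\Corp-Issuing-CA'
$user     = 'jsmith'
$blob     = "$env:TEMP\$user-archived.blob"
$pfx      = "$env:TEMP\$user-recovered.pfx"

# 0. Import the Key Recovery Agent certificate and its private key into the Personal store
#    of the account running this session; certutil -recoverkey looks for the KRA key there.
Import-PfxCertificate -FilePath .\kra-admin.pfx -CertStoreLocation Cert:\CurrentUser\My `
    -Password (Read-Host 'KRA PFX password' -AsSecureString)

# 1. Confirm the CA is configured for archival: at least one registered KRA certificate.
certutil -config $caConfig -getreg CA\KRACertCount
certutil -config $caConfig -getreg CA\KRAFlags

# 2. List the certificates the CA issued to this requester so the right one can be chosen.
certutil -config $caConfig -view -restrict "RequesterName=CORP\$user" `
    -out "RequestID,SerialNumber,NotAfter,CertificateTemplate"

# 3. Pull the archived key blob from the CA database. The search token may be a UPN,
#    domain\user, serial number or thumbprint; if several certificates match, certutil lists
#    them instead of writing the blob, so rerun with the serial number from step 2.
certutil -config $caConfig -getkey "CORP\$user" $blob

# 4. The blob is still encrypted to the KRA public key. Decrypt it with the KRA private key
#    from the Personal store and write a password-protected PFX (certutil prompts for it).
certutil -recoverkey $blob $pfx

# 5. Importing this PFX under the re-created account restores EFS access: EFS encrypts the
#    file key to the user's certificate, not to the account SID, which is why the new account
#    with identical properties was denied until the original private key came back.
if (Test-Path $pfx) { Write-Host "Recovered key for $user written to $pfx" }
```

Treat the blob and the PFX as the user's private key: remove both from the recovery workstation once the user has imported the PFX and confirmed the encrypted folder opens.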

Learning Outcomes

After completing this exercise, you will be able to:

  • Import Key Recovery Agent certificate
  • Use CERTUTIL to recover archived keys
  • Test user access to the encrypted file
  • Enable server auto login