Understanding PKI Concepts


Install and Configure Active Directory Certificate Services

In this exercise, you will install and configure Active Directory Certificate Services in a Windows domain environment.

To get a better understanding of this technology, please refer to your course material or use your preferred search engine to research this topic in more detail.

Task 1 - Install Active Directory Enterprise Root Certificate Service

In this task, you will install AD Certificate Services on the domain controller.

Step 1

Ensure you have powered on the required devices and connect to PLABDC01 device.

Server Manager automatically opens upon sign on.

Click on Add roles and features link.

Figure 1.1 Screenshot of the PLABDC01 desktop: Server Manager console is displayed showing the Add roles and features link highlighted.

Step 2

On the Before you begin page, click Next.

Figure 1.2 Screenshot of the PLABDC01 desktop: Before you begin page on the Add Roles and Features Wizard is displayed showing the Next button highlighted.

Step 3

On the Select installation type page, click Next.

In Select destination server, keep the default options and click Next.

Figure 1.3 Screenshot of the PLABDC01 desktop: Select installation type page on the Add Roles and Features Wizard is displayed showing default settings and the Next button highlighted.

Step 4

From Select server roles page, click the Active Directory Certificate Services check box.

The Add Roles and Features Wizard automatically appears, click on Add Features.

Figure 1.4 Screenshot of the PLABDC01 desktop: Select server roles page on the Add Roles and Features Wizard is displayed showing the required role highlighted.

Step 5

Back on the Select server roles page, you’ll notice the Active Directory Certificate Services check box is now selected.

Click Next to continue.

Figure 1.5 Screenshot of the PLABDC01 desktop: Select server roles page on the Add Roles and Features Wizard is displayed showing the required selection performed and the Next button highlighted.

Step 6

On the Select features page, keep the default settings then click Next.

Read through the information about Active Directory Certificate Services and click Next.

From Select role services page, verify that the Certification Authority check box is selected, then select Online Responder check box.

Figure 1.6 Screenshot of the PLABDC01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing the required settings performed.

Step 7

As before, the Add Roles and Features Wizard dialog appears because the component you selected requires other components in order to run.

Click Add Features to proceed.

Figure 1.7 Screenshot of the PLABDC01 desktop: Add Roles and Features Wizard dialog box is displayed showing default settings and the Add Features button highlighted.

Step 8

With Certification Authority and Online Responder tick boxes selected, click Next.

Figure 1.8 Screenshot of the PLABDC01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing the required settings performed and the Next button highlighted.

Step 9

Read through the Web Server Role (IIS) to find out its role in the network and then click Next.

In Select role services page, accept the default role services that will be added by IIS. Click Next.

Click Install to proceed.

Figure 1.9 Screenshot of the PLABDC01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing default settings and the Next button highlighted.

Step 10

The installation will begin. Please be patient, this will take a few minutes.

Important: If you get an error saying “The request to add or remove features on the specified server failed.” Click Close. This is caused when Server Manager is busy collecting system information on the server following a recent start-up or reboot. Wait for about 1 minute and start over with the installation of the Windows features in this task. If the same problem persists, restart the affected computer and start over with the installation of the Windows features.

Choose Close when Installation progress reports a successful operation.


Figure 1.10 Screenshot of the PLABDC01 desktop: Installation progress page on the Add Roles and Features Wizard is displayed listing details of the installation and the Close button highlighted.

Keep all devices powered on in their current state and proceed to the next task.

Task 2 - Configure Active Directory Certificate Services

After the brief installation of Active Directory Certificate Services and the Online Responder on PLABDC01, you must set up these services with the appropriate settings so that they can perform their intended roles.

To configure Active Directory Certificate Services, follow these steps:

Step 1

On PLABDC01, you are redirected to Server Manager console.

Click on the flag icon and choose Configure Active Directory Certificate Services on the destination server link.

Figure 1.11 Screenshot of the PLABDC01 desktop: Configure Active Directory Certificate Services on the destination server link is displayed on the Post-deployment Configuration information pane.

Step 2

On the Credentials page, the system has detected you’re currently signed in as PRACTICELABS\Administrator.

Click Next.

Figure 1.12 Screenshot of the PLABDC01 desktop: Credentials page on the AD CS Configuration wizard is displayed showing the detected login credentials and the Next button highlighted.

Step 3

In Role Services, select the Certification Authority check box. There will be a momentary pause when you select it.

Then click on Online Responder check box.

Click Next.

Figure 1.13 Screenshot of the PLABDC01 desktop: Role Services page on the AD CS Configuration wizard is displayed showing the required selections performed and the Next button available.

Step 4

On the Setup Type page, ensure that Enterprise CA option is selected. Click Next.

Figure 1.14 Screenshot of the PLABDC01 desktop: Setup Type page on the AD CS Configuration wizard is displayed showing the required selection performed and the Next button highlighted.

In CA Type, ensure that Root CA is selected. Click Next.

Step 5

On the Private Key page, verify that the Create a new private key radio button is selected.

Click Next.

Figure 1.15 Screenshot of the PLABDC01 desktop: Private Key page on the AD CS Configuration wizard is displayed showing the required selections performed and the Next button highlighted.

Step 6

On the Cryptography for CA dialogue box, leave the default cryptographic settings and click Next.

Figure 1.16 Screenshot of the PLABDC01 desktop: Cryptography for CA page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

Step 7

Accept the default CA Name supplied by the AD CS Configuration then click Next.

On the next page accept the Validity Period of 5 years and click Next again.

Figure 1.17 Screenshot of the PLABDC01 desktop: CA Name page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

Step 8

Accept the default path for CA Database and click Next.

Figure 1.18 Screenshot of the PLABDC01 desktop: CA Database page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

Step 9

On the Confirmation page, read through the summary of the settings for the Active Directory Certificate Services instance that is about to be set up.

Click Configure to proceed with the configuration of AD CS.

Figure 1.19 Screenshot of the PLABDC01 desktop: Confirmation page on the AD CS Configuration wizard is displayed listing the configuration settings and the Configure button highlighted.

Step 10

Please wait while the service is being set up.

When the Results are displayed with Configuration succeeded, click Close.

Figure 1.20 Screenshot of the PLABDC01 desktop: Results page on the AD CS Configuration wizard is displayed showing status of the configuration and the Close button highlighted.

Step 11

You’ll now verify that AD CS is working.

From the Server Manager Dashboard, go to Tools > Certification Authority.

Figure 1.21 Screenshot of the PLABDC01 desktop: Tools > Certification Authority menu-options are selected on the Server Manager console.

Step 12

Verify Certification Authority snap-in works by expanding PRACTICELABS-PLABDC01-CA node.

The green tick mark indicates that the service has successfully started.

Minimize Certification Authority and Server Manager windows to clear the desktop of PLABDC01.

Figure 1.22 Screenshot of the PLABDC01 desktop: Certification Authority (Local) window is displayed showing the green tick mark confirming that the service is successfully started on the PLABDC01 server.

Keep all devices powered on in their current state and proceed to the next task.
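The same result as Tasks 1 and 2 (role services installed, Enterprise Root CA and Online Responder configured, service verified) can be produced from an elevated PowerShell session. The script below is an added example, not part of the lab; it assumes it is run on PLABDC01 as an Enterprise Admin, and the key size and hash are written out explicitly rather than relying on the wizard's defaults.

```powershell
# Added example (not the lab's own script): scripted equivalent of Tasks 1 and 2.
# Assumptions: elevated PowerShell on PLABDC01 as an Enterprise Admin; the CA common
# name matches the wizard default shown in the lab.

# Task 1 equivalent: add the Certification Authority and Online Responder role services.
# The Online Responder depends on IIS, which is pulled in automatically (the wizard
# showed the Web Server Role (IIS) pages for the same reason).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# Task 2 equivalent: Enterprise Root CA with a newly generated private key.
# RSA 2048 / SHA-256 are the values current Windows Server versions default to in the
# Cryptography for CA page; stating them in the script makes the choice reviewable.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'PRACTICELABS-PLABDC01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# Configure the Online Responder (OCSP) role service installed above.
Install-AdcsOnlineResponder -Force

# Steps 11-12 equivalent: the service is running and the CA answers RPC requests.
Get-Service -Name CertSvc | Select-Object Status, Name
certutil -ping
certutil -cainfo name
```

`certutil -ping` is the command-line counterpart of the green tick in the Certification Authority snap-in: it succeeds only when the CertSvc service is up and its request interface is reachable.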

Task 3 - Install Subordinate CA

In this task, you will install a subordinate CA of PracticeLabs.com on a domain member server called PLABDM01. You will follow the same steps that were done earlier when you installed the Enterprise Root CA.

To install the subordinate CA, follow these steps.

Step 1

Connect to PLABDM01.

The Server Manager Dashboard opens automatically. Click on the Add roles and features link.

Figure 1.23 Screenshot of the PLABDM01 desktop: Server Manager console is displayed showing the Add roles and features link highlighted.

Step 2

On the Before you Begin page, click Next.

On Select Installation Type page, accept the default setting Role-based or feature installation option. Click Next.

From Select destination server page, click Next.

Figure 1.24 Screenshot of the PLABDM01 desktop: Select destination server page on the Add Roles and Features Wizard is displayed showing default settings and the Next button highlighted.

Step 3

From Select server roles page, click the Active Directory Certificate Services check box.

Like in the earlier task, the Add Roles and Features Wizard appears. Other components are required to make Active Directory Certificate services work on this computer.

Click Add Features.

Figure 1.25 Screenshot of the PLABDM01 desktop: Select server roles page on the Add Roles and Features Wizard is displayed showing the required role selected.

Step 4

Click Next when you see the Active Directory Certificate Services check box selected.

In Select features page, click Next to accept the default settings.

Read through the introductory text about Active Directory Certificate Services and click Next.

Figure 1.26 Screenshot of the PLABDC01 desktop: Select server roles page on the Add Roles and Features Wizard is displayed showing the required selections performed and the Next button highlighted.

Step 5

In Select role services page, select the Online Responder check box.

The Add Roles and Features Wizard will reappear, click Add Features.

Figure 1.27 Screenshot of the PLABDM01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing the required settings performed and the Next button highlighted.

Step 6

When both Certification Authority and Online Responder are selected, click Next.

In Web Server Role (IIS) information page, read through the description about this service, then click Next.

Figure 1.28 Screenshot of the PLABDM01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing the required settings performed and the Next button highlighted.

Step 7

From Select role services, the default IIS role services are selected, click Next.

In Confirm installation selections, click Install.

Figure 1.29 Screenshot of the PLABDM01 desktop: Select role services page on the Add Roles and Features Wizard is displayed showing default settings and the Next button highlighted.

Step 8

On the Installation Progress screen, please wait while the service and its components are being installed.

Important: If you get an error saying “The request to add or remove features on the specified server failed.” Click Close. This is caused when Server Manager is busy collecting system information on the server following a recent start-up or reboot. Wait for about 1 minute and start over with the installation of the Windows features in this task. If the same problem persists, restart the affected computer and start over with the installation of the Windows features.

Figure 1.30 Screenshot of the PLABDM01 desktop: Installation progress page on the Add Roles and Features Wizard is displayed listing details of installation and the Close button highlighted.

When Installation progress is completed, click Close.

Keep all devices powered on in their current state and proceed to the next task.

Task 4 - Configure Subordinate CA

After the brief installation of Active Directory Certificate Services and the Online Responder, you must set up this certificate service on PLABDM01 so that it assumes the role of a subordinate CA to PLABDC01-PRACTICELABS.COM-CA.

To configure Active Directory Certificate Services subordinate CA role, follow these steps:

Step 1

On PLABDM01, you are back in Server Manager.

Select the flag icon with an exclamation point and click Configure Active Directory Certificate Services on the destination server link.

Figure 1.31 Screenshot of the PLABDM01 desktop: Configure Active Directory Certificate Services on the destination server link is displayed on the Post-deployment Configuration information pane.

Step 2

In Credentials page, click Next.

Figure 1.32 Screenshot of the PLABDM01 desktop: Credentials page on the AD CS Configuration wizard is displayed showing the detected credentials.

Step 3

Similar to the task done earlier about configuring the Enterprise Root CA, select Certification Authority and Online Responder check boxes.

Then click Next.

Figure 1.33 Screenshot of the PLABDM01 desktop: Role Services page on the AD CS Configuration wizard is displayed showing the required selections performed and the Next button highlighted.

Step 4

In Setup Type page, verify that Enterprise CA radio button is selected.

Click Next to accept default settings.

Figure 1.34 Screenshot of the PLABDM01 desktop: Setup Type page on the AD CS Configuration wizard is displayed showing the required selections performed and the Next button highlighted.

Step 5

From CA Type, ensure that Subordinate CA option is selected and click Next.

Figure 1.35 Screenshot of the PLABDM01 desktop: CA Type page on the AD CS Configuration wizard is displayed showing the required selections performed and the Next button highlighted.

Step 6

From Private Key page, accept the default setting for Create a new private key and click Next.

Figure 1.36 Screenshot of the PLABDM01 desktop: Private Key page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

Step 7

In Cryptography for CA, change the Key length to 1024, and then click Next.

Figure 1.37 Screenshot of the PLABDM01 desktop: Cryptography for CA page on the AD CS Configuration wizard is displayed showing the required settings performed and the Next button highlighted.

Step 8

From CA Name, accept the name automatically assigned by Windows, click Next to continue.

Figure 1.38 Screenshot of the PLABDM01 desktop: CA Name page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

Step 9

In Certificate Request page, choose the following radio buttons:

  • Send a certificate request to a parent CA
  • CA Name

Click the Select… button opposite the Parent CA text field.

Figure 1.39 Screenshot of the PLABDM01 desktop: Certificate Request page on the AD CS Configuration wizard is displayed showing the required settings performed and the Select button highlighted.

Step 10

The Select Certification Authority dialogue automatically displays the detected CA in the network called PRACTICELABS-PLABDC01-CA.

Click OK.

Figure 1.40 Screenshot of the PLABDM01 desktop: Select Certification Authority dialog box on the AD CS Configuration wizard is displayed showing the detected CA for the network of the local server and the OK button highlighted.

Step 11

You are redirected back to Certificate Request page.

It is now filled in with the correct information, click Next.

Figure 1.41 Screenshot of the PLABDM01 desktop: Certificate Request page on the AD CS Configuration wizard is displayed showing the required settings performed and the Next button highlighted.

Step 12

Accept the default paths in CA Database by choosing Next.

Figure 1.42 Screenshot of the PLABDM01 desktop: CA Database page on the AD CS Configuration wizard is displayed showing default settings and the Next button highlighted.

In Confirmation page, click Configure to proceed.

Step 13

Please wait while the subordinate CA is being configured in PLABDM01 server.

Server Manager will then report that Certification Authority and Online Responder are successfully configured.

Figure 1.43 Screenshot of the PLABDM01 desktop: Results page on the AD CS Configuration wizard is displayed showing status of the configuration and the Close button highlighted.

Click Close.

Step 14

You are redirected back to Server Manager console.

Click on the refresh dashboard button to refresh the display.

Figure 1.44 Screenshot of the PLABDM01 desktop: Task Details information pane is displayed confirming successful feature installation and post-deployment configuration.

You will notice that the red indicators on the different sections of the console have disappeared.

This confirms that there are no errors in this CA configuration on this server.
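Tasks 3 and 4 can likewise be scripted. The block below is an added example, not the lab's own script; it assumes an elevated PowerShell session on PLABDM01 run by an Enterprise Admin and that the parent CA is reachable by its short host name (the lab page does not state the domain FQDN, so `PLABDC01` is used in the `host\CA name` configuration string). It departs from the lab in one respect on purpose: the lab sets the key length to 1024 to keep the exercise quick, but 1024-bit RSA is deprecated (NIST disallowed it for new signatures after 2013) and 2048 is the practical minimum for a CA key, so the script uses 2048 and notes where the lab value would go.

```powershell
# Added example (not the lab's own script): scripted equivalent of Tasks 3 and 4.
# Assumptions: elevated PowerShell on PLABDM01 as an Enterprise Admin; the root CA on
# PLABDC01 is online; host names resolve; the CA common name matches the wizard default.

# Task 3 equivalent: role services (IIS is added as a dependency of the Online Responder).
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Online-Cert -IncludeManagementTools

# Task 4, Step 7: the lab chooses 1024. That length is deprecated; 2048 is used here.
# Change to 1024 only to reproduce the lab exactly, never for a CA that issues real certs.
$keyLength = 2048

# Task 4, Steps 3-12 equivalent. -ParentCA submits the subordinate CA's request online
# to the enterprise root and installs the returned CA certificate (Steps 9-11).
Install-AdcsCertificationAuthority `
    -CAType EnterpriseSubordinateCA `
    -CACommonName 'PRACTICELABS-PLABDM01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength $keyLength `
    -HashAlgorithmName SHA256 `
    -ParentCA 'PLABDC01\PRACTICELABS-PLABDC01-CA' `
    -Force

Install-AdcsOnlineResponder -Force

# Step 13-14 equivalent: the CA answers, and its own certificate chains to the root.
certutil -ping
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=PRACTICELABS-PLABDM01-CA*' } |
    Select-Object -First 1
$caCert | Format-List Subject, Issuer, NotAfter

# Build the chain in memory; a subordinate CA certificate must validate up to the root.
# Revocation checking is skipped here because the new CA has not published a CRL yet.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($caCert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

The chain check is the part the wizard does not show you: a subordinate CA whose certificate does not chain to a trusted root will start, but every certificate it issues will fail validation on clients.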


Configure Certificate Revocation Lists (CRLs)

In this exercise, you will configure certificate revocation lists in Certificate Services. When an administrator revokes a user certificate, for whatever reason, the Certificate Server records that revocation to prevent the user from reusing the revoked certificate. In a large network, the revocation must be replicated to other CA servers to prevent revoked certificates from being used to access network resources.

Please refer to your course material or use your preferred search engine to research this topic in more detail.

Task 1 - Request User Certificates

Now that you have configured the CA servers, the next step is to ask for a certificate as an Active Directory user.

To request a user certificate using a Windows 8.1 workstation, follow these steps:

Step 1

You’ll now need to disable the Server Auto Login feature on the Practice Labs platform. For more information on how to do this, please see the Help/Support page.

Note: You can find it via the following page: http://www.practice-labs.com/support/#/userguide/help-tab#ref-inlinehelp

Note: Once you have toggled this setting, you will need to reconnect to the device for it to take effect.

Once done, connect to PLABWIN10.

Figure 2.1 Screenshot of the PLABWIN10 desktop: PRACTICELABS\Administrator login screen prompting the relevant password is displayed on the PLABWIN10 Windows desktop.

Step 2

From the windows logon screen, click Other user.

Sign in with the following credentials:

Username: Jan.Regus
Password: Passw0rd

Figure 2.2 Screenshot of the PLABWIN10 desktop: Jan Regus Welcome screen on the PLABWIN10 Windows desktop is displayed.

Step 3

Click the Start button and enter:

mmc

Figure 2.3 Screenshot of the PLABWIN10 desktop: Required key typed in the search text box on the Start menu is displayed.

Step 4

In Console1, click on File and choose Add/Remove Snap-in.

Figure 2.4 Screenshot of the PLABWIN10 desktop: File > Add/Remove Snap-in menu-options are highlighted on the Console1 window.

Step 5

From Add or Remove Snap-ins, select Certificates and click Add.

Figure 2.5 Screenshot of the PLABWIN10 desktop: Add or Remove Snap-ins dialog box is displayed showing the required selection performed on the list at the left and the Add button highlighted.

Certificates - Current User is now added.

Click OK to close Add or Remove Snap-in dialogue box.

Step 6

From Console1, expand Certificates-Current User.

Expand Personal.

Then right-click on Personal and choose All Tasks > Request New Certificate.

Figure 2.6 Screenshot of the PLABWIN10 desktop: Context menu (that appears on right-clicking the Personal folder) > All Tasks > Request New Certificate menu-options are highlighted on the Console1 window.

In Before you begin, click Next.

Step 7

In Select Certificate Enrollment Policy, click Next.

Figure 2.7 Screenshot of the PLABWIN10 desktop: Select Certificate Enrollment Policy page on the Certificate Enrollment wizard is displayed showing default settings and the Next button highlighted.

Step 8

In Request Certificates, click User check box and click Details down arrow button.

Alert: If there are no certificates listed, please close all open windows including Console1. When asked to save console settings to Console1, click No.

Select the Windows Start button and type Command Prompt. Right-click on Command Prompt and select Run as administrator.

The credentials required are as follows:

Username: Administrator
Password: Passw0rd

Input the following command and press Enter:

Gpupdate /force

Afterwards, attempt from Step 3 again.

Figure 2.8 Screenshot of the PLABWIN10 desktop: Request Certificates page on the Certificate Enrollment wizard is displayed showing the required selection performed and the Details down-arrow button available.

Step 9

The details now display additional information about this certificate.

Click on Properties.

Figure 2.9 Screenshot of the PLABWIN10 desktop: Request Certificates page on the Certificate Enrollment wizard is displayed showing additional information about the selected certificate and the Properties button available.

Step 10

The Certificate Properties dialogue box is displayed.

Click on Certification Authority tab.

Figure 2.10 Screenshot of the PLABWIN10 desktop: Certification Authority tab on the Certificate Properties dialog box on the Certificate Enrollment wizard is displayed.

Step 11

On Certification Authority tab, you will find the servers that can issue certificates to the user.

Clear PRACTICELABS-PLABDC01-CA check box.

Leave the other PRACTICELABS-PLABDM01-CA selected.

Figure 2.11 Screenshot of the PLABWIN10 desktop: Certification Authority tab on the Certificate Properties dialog box on the Certificate Enrollment wizard is displayed showing the required settings performed and the OK button highlighted.

Click OK.

Back in the Request Certificates page, click Enroll.

Step 12

Wait for the enrolment to be completed.

Then click Finish when STATUS: Succeeded is displayed.

Figure 2.12 Screenshot of the PLABWIN10 desktop: Certificate Installation Results page on the Certificate Enrollment wizard is displayed showing enrolment details and the Finish button highlighted.

Step 13

Expand Personal and then click on Certificates folder.

A user certificate has now been issued to Jan Regus.

Figure 2.13 Screenshot of the PLABWIN10 desktop: Console1 window is displayed listing the newly enrolled user certificate.

Keep all devices powered on in their current state and proceed to the next task.
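The enrolment performed through the Certificates snap-in in this task can also be done from the command line, which makes the choice of issuing CA explicit instead of relying on the Certification Authority tab in Step 11. The block below is an added example, not the lab's own script; it assumes it runs as the enrolling domain user (Jan.Regus in the lab) on a domain-joined workstation, that the User template is published on the subordinate CA, and the working folder and file names are this example's own choices.

```powershell
# Added example (not the lab's own script): request a User-template certificate and
# submit it to the subordinate CA only, equivalent to Steps 6-13 with Step 11's CA choice.
# Assumptions: run as the enrolling user on a domain member; User template is available;
# $work and the file names are this example's own choices.

$work = Join-Path $env:TEMP 'userenroll'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request definition. The User template builds the subject and EKUs from Active
# Directory, so the INF only needs the template name and the key characteristics.
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = User
"@ | Set-Content -Path "$work\user.inf" -Encoding ASCII

# 1. Generate the key pair in the user's key store and write the CSR.
certreq -new "$work\user.inf" "$work\user.req"

# 2. Submit to the chosen CA explicitly (host\CA name) instead of the CA picker dialog.
certreq -submit -config 'PLABDM01\PRACTICELABS-PLABDM01-CA' "$work\user.req" "$work\user.cer"

# 3. Install the issued certificate against its private key in Cert:\CurrentUser\My.
certreq -accept "$work\user.cer"

# Step 13 equivalent: list the new certificate; Issuer shows which CA signed it.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like 'CN=PRACTICELABS-PLABDM01-CA*' } |
    Format-List Subject, Issuer, Thumbprint, NotAfter
```

If `certreq -submit` reports that the template is not available, the cause is the same as the Alert in Step 8: the workstation has not yet refreshed its policy, and `gpupdate /force` from an elevated prompt followed by a retry resolves it.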

Task 2 - Verify Issued Certificate

Remember that during the certificate enrolment, you configured the PLABWIN10 computer to enrol with the PLABDM01 server.

In this step, you will verify the certificate issued to Jan Regus.

Step 1

Switch to PLABDM01 device.

Reopen Server Manager dashboard from the taskbar.

Click on Tools and select Certification Authority.

Figure 2.14 Screenshot of the PLABDM01 desktop: Tools > Certification Authority menu-options are highlighted on the Server Manager console.

Step 2

Certification Authority (Local) opens.

Expand PRACTICELABS-PLABDM01-CA.

Click on the Issued Certificates folder and verify that you can see the certificate issued to Jan Regus in the details pane on the right.


Figure 2.15 Screenshot of the PLABDM01 desktop: Required node path is selected on the navigation pane at the left and the relevant user certificate is listed on the details pane at the right on the certsrv - Certification Authority (Local) window.

Step 3

Right-click on the PRACTICELABS\jan.regus certificate and choose All Tasks > Revoke Certificate.

Figure 2.16 Screenshot of the PLABDM01 desktop: Context menu (that appears on right-clicking the name of an issued certificate) > All Tasks > Revoke Certificate menu-options are highlighted on the certsrv - Certification Authority (Local) window.

Step 4

In Certificate Revocation, select Key Compromise and then click Yes to proceed.

Note: If Reason code for certificate revocation is Certificate Hold, it can be unrevoked by the administrator.

Figure 2.17 Screenshot of the PLABDM01 desktop: Certificate Revocation dialog box is displayed showing the required settings performed and the Yes button highlighted.

Step 5

Jan Regus' certificate disappears from the Issued Certificates folder.

Click on Revoked Certificates folder instead.

Figure 2.18 Screenshot of the PLABDM01 desktop: Required node path is selected on the navigation pane at the left and the relevant user certificate is removed from the details pane at the right on the Issued Certificates window.

Step 6

The Revoked Certificates folder now displays the revoked certificate of user Jan Regus.

Figure 2.19 Screenshot of the PLABDM01 desktop: Required node path is selected on the navigation pane at the left and the relevant user certificate is listed on the details pane at the right on the Revoked Certificates window.

Step 7

Next, publish the revoked certificates to other CA servers.

Right-click on Revoked Certificates folder and choose All Tasks > Publish.

Figure 2.20 Screenshot of the PLABDM01 desktop: Context menu (that appears on right-clicking a certificate category) > All Tasks > Publish menu-options are highlighted on the certsrv - Certification Authority (Local) window.

Step 8

In Publish CRL, verify that New CRL is chosen.

Click OK.

Figure 2.21 Screenshot of the PLABDM01 desktop: Publish CRL dialog box is displayed showing the required selection performed and the OK button highlighted.

Step 9

Right-click on Revoked Certificates folder and choose Properties.

The CRL Publishing Parameters tab displays the publication interval for New CRL and Delta CRLs (recent updates of revoked certificates).

Figure 2.22 Screenshot of the PLABDM01 desktop: CRL Publishing Parameters tab on the Revoked Certificates Properties dialog box is displayed showing the required information.

Step 10

Click on View CRLs tab.

View CRLs tab displays publication status of CRLs.

Figure 2.23 Screenshot of the PLABDM01 desktop: View CRLs tab on the Revoked Certificates Properties dialog box is displayed showing the required information.

Click OK. Keep the Certification Authority window open for the next task.

Keep all devices powered on in their current state and proceed to the next task.
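The revoke-and-publish workflow of this task, together with the client-side check that the lab leaves implicit, can be driven with `certutil`. The block below is an added example, not the lab's own script; it assumes an elevated PowerShell session on PLABDM01 run by a certificate manager of the CA, that the issued certificate belongs to PRACTICELABS\jan.regus, and that the CA is addressed by the `host\CA name` configuration string.

```powershell
# Added example (not the lab's own script): Steps 2-9 of this task with certutil, plus a
# revocation check from the user's workstation. Assumptions as stated in the lead-in.

$config = 'PLABDM01\PRACTICELABS-PLABDM01-CA'

# Step 2 equivalent: serial number(s) of certificates issued to the user.
# Disposition 20 = issued. certutil prints a text report, so the serial is extracted
# by pattern from the line that reads:  Serial Number: "1a00000003..."
$report  = certutil -config $config -view `
    -restrict 'RequesterName=PRACTICELABS\jan.regus,Disposition=20' `
    -out 'SerialNumber,RequesterName,NotAfter'
$serials = $report | Select-String -Pattern 'Serial Number:\s*"?([0-9A-Fa-f]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# Step 4 equivalent: revoke with a reason code. Codes certutil accepts (RFC 5280 names):
#   0 Unspecified   1 KeyCompromise   2 CACompromise   3 AffiliationChanged
#   4 Superseded    5 CessationOfOperation   6 CertificateHold
# Only a hold (6) can be reversed:   certutil -config $config -revoke <serial> Unrevoke
foreach ($serial in $serials) {
    certutil -config $config -revoke $serial 1    # 1 = Key Compromise, as in the lab
}

# Step 8 equivalent: publish a new base CRL so relying parties learn of the revocation.
certutil -config $config -crl

# Step 9 equivalent: base and delta CRL publication intervals from the CA registry hive.
foreach ($name in 'CRLPeriodUnits', 'CRLPeriod', 'CRLDeltaPeriodUnits', 'CRLDeltaPeriod') {
    certutil -config $config -getreg "CA\$name"
}

# Client-side check, to be run on PLABWIN10 as the user whose certificate was revoked.
# It validates every certificate in the user's Personal store, fetching CRL/OCSP data
# from the URLs embedded in each certificate; a revoked one reports CRYPT_E_REVOKED.
#   certutil -user -verifystore My
```

Two points worth checking on the client: until the newly published CRL reaches the workstation (CRL cache, publication interval, CDP reachability), the cached CRL may still report the certificate as valid, and a certificate whose CDP or OCSP URL cannot be fetched fails with a revocation-offline status rather than being treated as revoked. Both are why the publication intervals in Step 9 and the distribution path in the next task matter.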

Task 3 - Configure a new path for CRLs

To configure a new path for CRLs, follow these steps:

Step 1

On PLABDM01 server, right-click on PRACTICELABS-PLABDM01-CA and choose Properties.

Figure 2.24 Screenshot of the PLABDM01 desktop: Context menu (that appears on right-clicking the FQDN of a certifying authority) > Properties menu-options are highlighted on the Revoked Certificates window.

Step 2

In PRACTICELABS-PLABDM01-CA Properties, click on Extensions tab.

Under the Extensions tab, click Add.

Step 3

From Add Location, click in Location text box and type:

\\plabdc01\sw\

Figure 2.26 Screenshot of the PLABDM01 desktop: Add Location dialog box is displayed showing the required value typed-in.

Step 4

From Add Location dialogue box, after adding the network path, put the cursor at the end of network path location. Click Insert.

You’ll see that <CaName> has been appended to the end of the network path \\plabdc01\sw.

Click OK.

Figure 2.27 Screenshot of the PLABDM01 desktop: Add Location dialog box is displayed showing the required value inserted and the OK button available.

Step 5

Click Apply to save changes in the Extensions tab.

When prompted to restart, click Yes.

Figure 2.28 Screenshot of the PLABDM01 desktop: Certification Authority caution box is displayed prompting you to restart the active directory services and the Yes button highlighted.

Keep all devices powered on in their current state and proceed to the next task.
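The Add Location dialog writes its entries to the CA's CRLPublicationURLs value, so the same change can be made and verified from PowerShell. The block below is an added example, not the lab's own script; it assumes an elevated PowerShell session on PLABDM01, that the share \\plabdc01\sw exists and the CA's computer account can write to it, and it appends the new location rather than overwriting the value so the existing LDAP and HTTP entries are preserved. It also goes slightly beyond the lab step by adding the `<CRLNameSuffix><DeltaCRLAllowed>.crl` tokens after `<CaName>`, which is what gives base and delta CRLs their conventional, distinct file names.

```powershell
# Added example (not the lab's own script): add \\plabdc01\sw\ as a CRL publication
# location (Task 3 equivalent) and confirm a CRL is written there.
# Assumptions: elevated PowerShell on PLABDM01; the share exists and PLABDM01$ has
# write access; the registry path below is the standard CertSvc configuration hive.

$caName  = 'PRACTICELABS-PLABDM01-CA'
$config  = "PLABDM01\$caName"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# Each entry is "<flags>:<url>". Flag bits relevant here:
#   1  = publish CRLs to this location (ServerPublish)
#   2  = include the location in the CDP extension of issued certificates
#        (the "Include in the CDP extension" check box in the Extensions tab)
#   64 = publish delta CRLs to this location (ServerPublishDelta)
# Tokens: %3 = <CaName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>.
$current = (Get-ItemProperty -Path $regPath -Name CRLPublicationURLs).CRLPublicationURLs
$current

# Publish-only (flag 1), mirroring the lab, which leaves the CDP check boxes clear.
$newEntry = '1:\\plabdc01\sw\%3%8%9.crl'
if ($current -notcontains $newEntry) {
    Set-ItemProperty -Path $regPath -Name CRLPublicationURLs `
        -Value ($current + $newEntry) -Type MultiString
}

# Extension changes take effect only after the CA service restarts (Step 5's prompt).
Restart-Service -Name CertSvc

# Publish a fresh base CRL and confirm the share received it. With flag 1 only,
# %8 and %9 are empty for the base CRL, so the file is <CaName>.crl.
certutil -config $config -crl
Test-Path "\\plabdc01\sw\$caName.crl"
certutil -config $config -getreg CA\CRLPublicationURLs
```

Design note: flag 1 alone changes where the CA writes its CRL, not what clients are told. If the CDP flag (2) is also set, every certificate issued from then on directs clients to the UNC path, so it must be reachable by every relying party (including non-domain machines and anything outside the file-sharing network boundary) or revocation checking on those certificates will fail.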

Task 4 - Adding Certificate Managers

To configure certificate managers, follow these steps:

Step 1

Still on PLABDM01 server, from Certificate Managers tab, select Restrict certificate managers radio button.

Click OK.

Note: By selecting this option, you will be restricting aspects of AD Certificate Services administration to Domain Admins and Enterprise Admins groups in this domain.

Figure 2.29 Screenshot of the PLABDM01 desktop: Certificate Managers tab on the PRACTICELABS-PLABDM01-CA Properties dialog box is displayed showing the required settings performed and the OK button available.

Shut down all virtual machines used in this exercise using Practice Labs power button function to revert these devices to their default settings. Alternatively, you may sign out of the lab portal to power down all devices.
Please sign out of the PLABWIN10 device and leave the devices you have powered on and proceed to the next exercise.
