42 Cards in this Set

What does ADCS involve?

Administration, creation, management, revocation, publication, etc. of digital certificates.

When would I ever use PKI in my organization?

#1. Using HTTPS instead of HTTP to secure data between our clients' browsers and our website.
#2. Using a hybrid wired/wireless LAN with PEAP, EAP-TLS, etc.

Function as ID badges for users, computers, and other network devices (switches, routers, WAPs); even hardware can identify itself to other entities on our network by means of a ?

Digital Certificates

What are the three main purposes of a Digital Certificate?

#1. Data Encryption = "Confidentiality"
#2. Authentication = "Credential Validation"
#3. Integrity = "Digital Signatures"

Data Encryption = "Confidentiality" refers to?

The digital certificate (its public key) being used to encrypt the data.

Authentication = "Credential Validation" deals with?

Public keys, private keys, and digital signatures as a way for security principals to prove "Yes, I am who I say I am."

Integrity = "Digital Signatures" refers to?

Integrity means that a message sent from one server arrives at its destination fully intact; digital signatures and digital signing will alert us if a single bit of the data has been changed in transit.

What is Cryptography?

Cryptography refers to the process of taking a plaintext message (which can be anything, such as a letter) and ensuring that only our target audience, the individual with whom we are sharing the message, can see that plaintext.

If these algorithms are known by everyone, how can we be sure that our data is actually safe?

Because we add a third component called a "key", which is a long number; the longer the number, the more difficult, in theory, it is to reverse engineer the encryption and decrypt the plaintext message.

This refers to whether the "secret key" is shared between both parties on either end of the communication or is not shared.

Symmetric vs Asymmetric Cryptography

Is a much faster and more efficient way to perform cryptography, because both parties (sender and receiver/destination) have the same key, which allows us to quickly encrypt and decrypt back and forth.

Symmetric

Relies upon "Asymmetric Cryptography".

PKI; when we issue a digital certificate to a user, computer, or network device, the entity will have two keys: one public, one private.

Is meant to be shared with other entities (devices, users, computers, etc.) with whom we want to perform cryptography.

public key

Is extremely sensitive and needs to be protected by the owner (user, computer, or device) of the key pair (public and private keys).

private key

How do Integrity and Authentication work? How would we know and have assurance that the web server is the web server it claims to be and not a spoofed, fake web server?

By using a "Digital Signature". The web server sends its certificate to the browser; the certificate contains the server's public key and the digital signature of the Certificate Authority that issued the web server its digital certificate. The web browser (client) already has the known public CA's certificate in its cache (Trusted Root CA store) and uses the public CA's public key to validate the digital signature that was created with the CA's private key.

What do Private Keys do?

Decrypt the ciphertext created with the public key, and generate digital signatures (credentials) that prove the certificate came from a legitimate source, which are validated with the corresponding public key of that entity.

The digital certificate itself is a file governed by a standard called X.509 that contains information such as:

#1. Validity period
#2. Primarily the owner's public (shared) key
#3. Digital signature of the signing CA

Public Certification Authority advantages & disadvantages?

- Our clients would already trust the CA, because they are known public entities.
- We wouldn't have to worry about trust with anybody in our own organization or the world, as long as they too trust the publicly known CA.
- The certificates cost $ and we pay per certificate.

Private Certification Authority advantages & disadvantages?

- We have total control over all aspects of our digital certificate lifecycle.
- Much cheaper, because we own the PKI.
- We have the ability to deploy custom templates for any purpose.
- With an Enterprise CA we can use "AutoEnrollment" to enroll client devices.
- If we need to share certificates to perform secure communications with external clients, there is not going to be any "trust" (!)

What is a Standalone CA and when would we use it?

- Best practice is to deploy our Root CA as a Standalone CA and take it offline, then provide physical security to prevent the Root CA certificate from becoming compromised.
- Useful in mixed environments, because there is no dependency on AD DS.
- Certificate requests can be performed either manually or by going to an IIS Web Enrollment website.
- No AutoEnrollment.

What is an Enterprise CA useful for?

- Can be a root or subordinate CA.
- Requires AD DS.
- Autoenrollment for client certificate requests.
- Certificate requests can be automatically issued or denied based upon "ACLs".
- Standalone and Enterprise can be combined by using a "Standalone offline Root CA" and one or more subordinate "Enterprise CAs".

Cross-Certification Hierarchy

We can swap Root certificates and allow "trust" to flow between our organizations.

Makes it a point to distribute your root CA certificate to domain clients; this provides the known location from which clients (anybody: devices, users, computers) within the PKI who need to request or retrieve a certificate will use the published

AIA (Authority Information Access)

Is where everybody affected by our PKI can look up the CRL; the paths can be local paths, HTTP paths, or LDAP paths.

CDP (CRL Distribution Point)

What is ADCS responsible for?

Issuing, managing, verifying, and revoking digital certificates.

The core component responsible for issuing certificates to computers, users, and services.

Certification Authority. We can deploy 4 types of CAs:
#1. Enterprise Root
#2. Standalone Root
#3. Enterprise Subordinate
#4. Standalone Subordinate

Provides a web-based interface through which enrollment tasks can be performed.

Certification Authority Web Enrollment; can be used to perform certificate tasks for computers that are not members of the same forest as the certificate server, including computers running third-party operating systems.

A web service that makes the CRL check process more efficient by enabling clients to check the status of a specific certificate without having to download CRLs and delta CRLs in their entirety.

Online Responder

A service that enables network devices such as routers, switches, firewalls, and hardware-based VPN gateways to obtain certificates from the CA.

Network Device Enrollment Service

A service that enables users in a forest running at the Server 2008 R2 or higher forest functional level (FFL) to obtain certificate enrollment policy information when enrolling on computers that are not members of the AD domain.

Certificate Enrollment Policy Web Service

A service that enables users in a forest running at the Server 2008 R2 or higher FFL to interact with the CA through a web browser to request and renew certificates, retrieve CRLs, and enroll across forest boundaries and over the Internet.

Certificate Enrollment Web Service

These CAs are configured to implement specific certificate policies such as certificate lifetime, encryption algorithm, key length, and approval requirements.

Policy CA; implements approval requirements for the issuing CAs on the third tier.

This CA can automatically issue a specific type of certificate to an entity without requiring manual approval by an administrator. It issues certificates based on templates stored in AD.

Enterprise CA; must remain online because it is AD-integrated. An Enterprise Root CA is appropriate for organizations with fewer than 300 users that only need a single CA.

How does Microsoft recommend you configure your CAs in your environment?

#1. Deploy only one Root CA (Standalone), not an Enterprise Root CA (used in small environments).
#2. Then deploy Enterprise "subordinate" CAs for the day-to-day deployment and management of certificates.

To deploy an Enterprise Root or Enterprise Subordinate CA, what security group does a user need to belong to?

Both "Enterprise Admins" and the root domain's "Domain Admins" group.

Can be configured as policy CAs or issuing CAs; can obtain their signing certificate from a Standalone Root CA or an Enterprise Root CA; these CAs can issue certificates based on certificate templates stored in AD and can automatically issue certificates based on certificate template permissions, without requiring administrator approval.

Enterprise Subordinate CAs

Why should we back up the Offline Root CA?

If the Offline Root CA's hard drive goes bad, then we lose its OS and the entire Certificate Services database. Having a backup will save you a lot of time, even if you simply migrate to another Offline Root CA.

When would we bring an Offline Standalone Root CA online?

To perform specific tasks such as issuing a signing certificate to a subordinate CA or publishing a CRL.

What can Offline Root CAs be used for?

#1. "Deployed as a standalone root CA": we would use this because its CRL can be published to a location separate from the server, and the CA doesn't need to be online for revocation checks to succeed.
#2. "Deployed on a computer that's not part of a domain": as a security precaution it is off most of the time, and any computer that stays off for a long time is likely to encounter problems retaining domain membership due to synchronization problems.

What do we need to configure for an offline standalone CA?

"The distribution points for offline access":
#1. CRL
#2. AIA - specifies the location of up-to-date certificates for the CA.
#3. We need to export the CA certificate so that it is accessible while the CA is offline, so clients can perform successful CRL checks.
#4. The CRL and AIA distribution points and the CA certificate for an offline root CA can be hosted on a member computer of the forest.

Can be deployed on a computer that is a member of a domain or not; these CAs are usually deployed on the perimeter network; we can also install them on a VM running at a cloud provider such as Azure; these should only be used when each request needs to be processed manually.

Standalone Subordinate CA

Is a hardware device specially designed to improve the performance and security of certificate server operations; it contains dedicated hardware for storing keys and for speeding up signature and encryption operations.

Hardware Security Module (HSM)