Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
55 Cards in this Set
- Front
- Back
|
Certificate Authority Web Enrollment
|
Users can request certificates via the Web using
|
|
|
shared secret key
|
One alternative to public key cyrptography is to us a
|
|
|
certutil
|
You can manage many facets of the AD Certificate Services server role from the command line by using the __________________ utility
|
|
|
default administrator and administrator
|
Configure certificate revocation by logging in to the CA as the
|
|
|
autoenrollment
|
PKI feature supported by Windows Server 2003 and later that allows users and computers to automatically enroll for certificates based on one or more certificate templates, as well as use Group Policy settings in Active Directory
|
|
|
Revocation Configuration
|
Each server that functions as a CA must be configured with a?
|
|
|
Security Group Membership
|
You can restrict enrollment agents so that they can only request certificates on behalf of specific users or computers based on:
|
|
|
o Certification Authority (CA)
o Web enrollment o Online responder o Network Device Enrollment Service (NDES) |
The Windows Server 2008 Active Directory Certificate Services includes the following features:
|
|
|
Online Responder
|
is a service that responds to requests from clients concerning the revocation status of a particular certificate, returning a digitally signed response indicating the certificate’s current status.
|
|
|
This tab of the Certificates Template > Manage box contains options that specify the amount of user input during certificate enrollment, including "Prompt the user during enrollment" that forces user to enter a PIN for the smart card.
|
Request Handling tab
|
|
|
The "Archive Subject's encryption private key" on the Request Handling tab does what?
|
Allows AES
|
|
|
"Authorize additional service accounts to access the private key" on the Requests Handling tab of Cert Templates > Manage box, does what?
|
Allows a custom ACL to be specified on the private keys of computer certs.
|
|
|
The Certificates Templates snap in can be accessed with what command?
|
Certmpl.msc
|
|
|
Auto-enroll is available in what version cert template?
|
V2/3
|
|
|
What are the minimum permissions are needed for Auto-enrollment?
|
Read, Enroll, Autoenroll
|
|
|
What server version is needed to issue v2/3 certificate templates?
|
Enterprise
|
|
|
What utility would a Key Recovery Agent use to recover a key?
|
Certutil.exe
They need to know the 20 digit hex serial # of the archived key |
|
|
This new role service in 2008 allows users to autoenroll and obtain new or renewed certs across an internet connection.
|
Certification Authority Web Enrollment
|
|
|
This CS role allows network devices like routers to enroll for x.509 certs.
|
NDES
|
|
|
MSCEP is an alias of what?
|
NDES.
Microsoft Simple Cert Enrollment Protocol is an alias of NDES |
|
|
What kind of server is needed for Autoenrollment?
|
Server 2008 enterprise or Datacenter
|
|
|
How would a user request a cert using the Cert Authority Web Enrollment service?
|
Navigate to http://CA_servername/certsrv
|
|
|
This device stores public and private keys and can be used in a domain or for remote access logins.
|
Smart Card
|
|
|
What utility would you use to setup a smart card?
|
certmgr.msc
|
|
|
This is a user that can grant permission to enroll certificates on behalf of other users.
|
Enrollment agent
|
|
|
If you want to limit the users that an enrollment agent enrolled, what must you do?
|
You must use Security Groups, not containers in A.D.
|
|
|
What is the alternate method to CRLs for revoking certs?
|
OCSP.
|
|
|
This is a list of certs that have been revoked since the last publication of a full CRL
|
Delta CRL.
Note - They are published differentially. Each delta CRL includes ALL revoked certs since the last full CRL was published. Note, the interval for Delta CRLs 1 day, for CRLs 1 weeks |
|
|
This is the location on the network from which apps can locate the most recent base and delta CRLs to check for cert validity.
|
The CRL Distribution Point (CDP)
|
|
|
Which tab of the CA's properties box allows you to add, remove or modify the CDP?
|
Extensions tab
|
|
|
2008 provides what that is used to generate certificates used by computers configured as Online Responders?
|
OCSP Response Signing Certificate
|
|
|
A revocation configuration includes what 3 things?
|
CA certificate
Signing certificate source of the revocation information |
|
|
This is an extension that can be applied to certificates issued by the CA that points to the URLs where you can retrieve the issuing CA's cert.
|
Authority Information Access (AIA)
|
|
|
For the OR to work properly, you must include the ____ for the online responder in the IA extension of certificates issued by the CA
|
URL
|
|
|
If you're a user requesting a user cert by means of web-based cert enrollment and want to use a 4096 bit key size, what do you need to choose from the web page?
|
Advanced Certificate Request.
Select Create and submit a request to this CA, select Create new key set option Choose 4096 |
|
|
Would you edit the Enrollment tab or Security tab of the certificate server's Properties box to define a restricted user policy?
|
In the Enrollment Agents tab of the cert server's Properties box, remove the Everyone group.
Then ad the user/group. |
|
|
If you want to enable smart cards in your network, what is the easiest way to do this?
|
Use Group Policy. GP allows you to use smart cards by enabling "interactive logon: Require Smart Card" policy setting.
Note: You could manually choose "Smart card is required for interactive logon" |
|
|
To support an Online Responder what 2 things must you do?
|
Enable the use of the OCSP Response Signing Certificate template.
Choose a URL for the online responder and select "include in the AIA extension of issued certs" and "Include in the OCSP extension" |
|
|
What major benefit does the Online Responder have?
|
The requesting system doesn't need to obtain a full CRL and can submit validation requests for specific certificates.
Remember, OR's are an alternative to CRLs |
|
|
Low level devices like routers can participate in a PKI using what protocol?
|
Simple Certificate Enrollment Protocol (SCEP).
Allows devices without AD accounts. |
|
|
What are the 3 new features for AD CS in 2008 R2?
|
*Cert Enrollment and Cert Enrollment Policy Web Services
*Cert enrollment across forests *Better support for high-volume CAs |
|
|
What are the requirements for AD CS Web services?
|
Forest Func level of 2008 R2
Enterprise CA running 2008 R2, 2008 or 2003 Win 7 clients x |
|
|
What are the requirements for Cross-forest enrollment?
|
Two way trust relationship
Forest Func level of 2003 for ISSUING certs Forest Func level of 2008 R2 for enrollment |
|
|
What is non-persistent certificate processing?
|
When a server does not store the request record or the issued certificates.
Note that servers store both by default. |
|
|
What major downside is there to enabling Non-persistent certificate processing?
|
You can no longer revoke issued certs.
IE., you cannot manage CRLs after enabling this high-volume feature. |
|
|
What 3 main steps are there when configuring a Revocation Configuration?
|
*Specify CRL distribution points
*Configure CRL and Delta CRL overlap *Schedule the publication of CRLs |
|
|
If you will use wireless networks, what type of template would you create?
|
Network Policy Server (NPS)
|
|
|
How do you configure Enrollment?
|
Through Group Policy. The policy must be assigned to all members of domain, so use Default Domain Policy.
|
|
|
How do you backup your CA?
|
In server manager, expand Roles\Active Directory Certificate Services\CA <server name>. Right click the server > All Tasks > Back Up CA
|
|
|
This is a protected area of registry on ALL server and client computers.
|
Certificate Store.
within the store is a series of sub-stores that include certificates for various purposes. |
|
|
What 3 ways can you back up Certificate Services?
|
Wbadmin.exe to perform Critical volumes backup
Wbadmin.exe to perform a System State backup Cert Authority Snap-in > right click the CA and choose All Tasks > Back up CA |
|
|
Which AD CS role can you delegate to approve certification enrollment and revocation requests?
|
Certification Manager
|
|
|
Which AD CS role can you delegate to backup and recover the CA database, configuration and database?
|
Backup Operator
|
|
|
If you want to grant permission to request retrieval of private keys, what would you do?
|
Make the user a Private Key Manager
|
|
|
Looking at the CA server's Properties box, what permission do Authenticated users have by default?
|
"Request Certificates." NOT "read". "Read" is for admins.
You don't need Read rights on the CA to obtain certs. |
