Establishing a Root CA

A Certificate Authority (CA) is an entity which is trusted to validate and certify the identities of others. In reality a CA is a company which maintains a software package that can manage the requests, issuance and revocation of certificate files. A CA is created by installing a certificate management software package such as Microsoft Certificate Services and implementing policies to identify and issue certificates to requestors. Certificate issuance policies fall into two general categories.

Software Issuance Policies – These policies use some form of existing credential to issue a certificate. In some cases this may be as simple as validating that you control the email address you supplied, as in the case of Thawte (www.thawte.com). In other cases you must have a trusted network credential. This is the method used by Active Directory integrated CAs. These CAs are referred to as enterprise CAs. Enterprise CAs will be discussed in more detail in a future article.

Manual Issuance Policies – These policies involve non-technical verification of identity and may include methods such as notarized letters, photo IDs or in some cases fingerprinting. These are generally only found in highly secure environments such as those found in large companies or the government.

Fundamentals of Cryptography

Since earliest history, man has had secrets to protect. As early as ancient Egypt, people were devising ways to exchange secret data. The art of encryption has evolved over time and played a vital role in history.

This article will explore modern cryptography techniques and look at how they are applied in computing technology today.

Cryptography Basics

Cryptography is the art of taking information that is understood, changing it into something that is not understood, and then changing it back again. Information that is understood and meaningful is called plaintext. When this information is subsequently encrypted, it becomes known as ciphertext.

The process of data encryption is often illustrated as f(x) = y. In other words, if we apply function f() to value x then we get value y. Although it seems very simple, it is an accurate depiction of the process of encrypting data. All encryption involves three fundamental elements: a secret, which is the data needing protection; an algorithm, which is basically a mathematical operation; and a key, which is a second secret that makes the whole thing possible. A simple example is below.

D_key(E_key(data)) = data

In other words, encrypting data with a key and then decrypting the result with the same key returns the original data. In order for two entities to exchange encrypted data, both must agree on two vital pieces of information: the algorithm to be used and the key.

Public Key Infrastructure and Certificate Services on Windows Server 2003

This article is the first in a series that will cover the design, implementation and management of a PKI. PKI systems have become more and more common in modern IT environments as more technologies are built to take advantage of the strong authentication provided by certificates.

What is a PKI?

A PKI is defined as “the set of policies, practices and components that make up a certificate hierarchy”. There are several key components that must be understood to implement a PKI.

Certificate: A file that follows the X.509 syntax. A certificate contains information identifying the holder, where the certificate came from, when the certificate is valid, what the certificate can be used for, how the certificate can be verified and a thumbprint.

CA: A Certificate Authority (CA) is a software package that accepts and processes certificate requests, issues certificates, and manages issued certificates.

Technologies that Drive PKI

Simply put, it is the role of a PKI to issue and manage certificates. A good understanding of how certificates operate is therefore fundamental to understanding the operation of a PKI.

Certificates provide the basis for authenticating an entity. This authentication is based on several key principles, some of which are managed by technology, others by law and organizational policy. At its core, a certificate implements two key technologies: asymmetric encryption (often called public/private key encryption) and hashing.
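As an added illustration (not code from the article), the toy Python script below shows how those two technologies combine in a certificate: the CA hashes the certificate's fields and signs the digest with its private key, and anyone holding the CA's public key can check the signature and detect any change to the certified fields. The RSA primes, certificate fields and thumbprint encoding are constructed for this example; real CAs use large keys and padded signature schemes.

```python
import hashlib
import json
from math import gcd

# Toy RSA key pair from two small, constructed primes. Real CA keys are
# 2048 bits or more; these sizes only keep the arithmetic visible.
def make_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)           # private exponent (Python 3.8+)
    return (e, n), (d, n)         # (public key, private key)

def canonical(fields: dict) -> bytes:
    # Deterministic encoding of the certificate fields (stands in for DER)
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def hash_to_int(payload: bytes, n: int) -> int:
    # Hashing: the CA signs a fixed-size digest, not the whole certificate.
    # Reduced mod n only so the toy modulus can hold it.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def ca_sign(fields: dict, ca_private) -> int:
    d, n = ca_private
    return pow(hash_to_int(canonical(fields), n), d, n)

def verify(fields: dict, signature: int, ca_public) -> bool:
    e, n = ca_public
    return pow(signature, e, n) == hash_to_int(canonical(fields), n)

def thumbprint(fields: dict, signature: int) -> str:
    # A thumbprint is a hash over the encoded certificate (Windows shows SHA-1)
    return hashlib.sha1(canonical(fields) + signature.to_bytes(16, "big")).hexdigest()

# Constructed example: a root CA certifies a subject's public key.
CA_PUBLIC, CA_PRIVATE = make_keypair(1000000007, 998244353)
SUBJECT_PUBLIC, _ = make_keypair(2147483647, 1000000009)
CERT = {
    "subject": "CN=server01.example.test",
    "issuer": "CN=Example Root CA",
    "notBefore": "2003-01-01", "notAfter": "2004-01-01",
    "keyUsage": ["digitalSignature", "keyEncipherment"],
    "subjectPublicKey": list(SUBJECT_PUBLIC),
}
SIGNATURE = ca_sign(CERT, CA_PRIVATE)

def tampered_verifies() -> bool:
    # Any change to a certified field breaks the signature check
    altered = dict(CERT, subject="CN=other.example.test")
    return verify(altered, SIGNATURE, CA_PUBLIC)

if __name__ == "__main__":
    print("valid:", verify(CERT, SIGNATURE, CA_PUBLIC), "tampered:", tampered_verifies())
```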

Installing Certificate Services

Installing Certificate Services on Windows 2000 is quite simple, though the choices available to you will again depend on your environment. For the purpose of this illustration I will walk through the process of creating a Standalone Root CA – mainly because my computer is not configured as a domain member at the moment. Since it is not installed by default, you will need to add Certificate Services using the Add/Remove Programs – Windows Components option in Control Panel.

Note that when you attempt to choose Certificate Services, you will be presented with the dialog box shown below. Note that you will not be able to rename the system, join a domain, or be removed from a domain without first uninstalling Certificate Services.

After choosing Next, you will be asked to decide what type of CA you wish to create. My system has only the Standalone CA options available, since it is not a member of an Active Directory domain.

Note that the Advanced options checkbox on the screenshot above will allow you to choose advanced cryptographic options in the key generation process. I would suggest allowing the default values to be used unless you are certain of the need to make other choices.

Clicking Next again will bring you into the CA Identification screen, where you should enter the appropriate information. Note that while not all fields are mandatory, they should be completed in full.

The final screen in the process asks where you wish to place configuration and logging data.

Once Certificate Services is installed, the server is ready to accept certificate requests from clients. For a Standalone CA these requests must be made through a web browser by accessing the certificate server using the URL http://computername/certsrv. The actual request is handled by a wizard that walks you through the process step by step.

The certificate request process also includes providing information about the user, the use