Module 5: Configuring Network Security Using Public Key Infrastructure (PKI) in Windows Server


Introduction to Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a framework used to secure network communications through the use of digital certificates and cryptographic key pairs. In Windows Server, configuring PKI enables authentication, data encryption, and integrity for users, systems, and services.

Topics in this lesson:
  • Public Key Encryption
  • Public Key Authentication
  • Certificate Authority
  • Certificate Hierarchies
  • Windows Server PKI

Deploying Certificate Services in Windows Server for Secure PKI Implementation

Deploying Certificate Services in Windows Server involves installing and configuring the Active Directory Certificate Services (AD CS) role to enable digital certificate issuance, management, and validation within a Public Key Infrastructure (PKI). This provides secure authentication, data integrity, and encryption for users, devices, and services.


Typical Deployment Steps (Summary):
  1. Install AD CS Role via Server Manager

  2. Choose Certificate Authority (CA) type:

    • Enterprise CA (requires AD)

    • Standalone CA

  3. Configure CA hierarchy (Root CA / Subordinate CA)

  4. Select Cryptographic options

  5. Set up Certificate Templates

  6. Configure Web Enrollment (optional)

  7. Verify certificate issuance and revocation


Use Cases of Deploying Certificate Services:
  • Securing websites (HTTPS)

  • VPN and Wi-Fi authentication

  • Code signing for applications

  • Email encryption (S/MIME)

  • Smart card logins

Choosing a Certificate Authority (CA) Model:
  • Enterprise Root CA: a top-level CA in a certification hierarchy that signs its own CA certificate and requires Active Directory.
  • Enterprise Subordinate CA: a subordinate CA that obtains its CA certificate from another CA and requires Active Directory.
  • Stand-Alone Root CA: a top-level CA in a certification hierarchy that does not require Active Directory.
  • Stand-Alone Subordinate CA: a subordinate CA that obtains its CA certificate from another CA and does not require Active Directory.

Topics in this lesson:
  • Installing Certificate Services
  • Select a CA Type
  • Set Advanced Options
  • Enter Identifying Information
  • Specify Locations for Database, Log Files, and Shared Folder
  • Backing up and Restoring Certificate Services
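The deployment steps and the CA model choice above, carried out from PowerShell rather than Server Manager. This is an added example and not code from the course page; the CA name, distinguished-name suffix and directory paths are assumptions for a lab. It installs an Enterprise Root CA with explicit cryptographic options, because the defaults are not always what a production PKI should use, and it ends with the verification step. For the two-tier hierarchy the best-practices section recommends, the root would instead be a stand-alone CA kept offline and this server would be an Enterprise Subordinate CA; that variant is shown in the comments at the end.

```powershell
# Added example, not from the course page. Run in an elevated PowerShell session on a
# domain-joined Windows Server as a member of Enterprise Admins.
$CaName   = "CORP-ROOT-CA"        # assumed CA common name
$DomainDn = "DC=corp,DC=example"  # assumed forest root DN, used as the CA DN suffix

# Step 1: install the AD CS role (Certification Authority plus the optional Web Enrollment
# pages) together with the management tools (CA console, certutil, PKI cmdlets).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Steps 2-4: CA type, hierarchy position and cryptographic options in one call.
# SHA-256 and a 4096-bit RSA key are chosen explicitly; SHA-1 signed CA certificates are
# rejected by current browsers and operating systems. The CA certificate is valid 10 years.
# Database and log directories are separated from the system volume, as the course step
# "Specify Locations for Database, Log Files, and Shared Folder" describes.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CADistinguishedNameSuffix $DomainDn `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -DatabaseDirectory "D:\CAData\DB" -LogDirectory "D:\CAData\Log" `
    -Force

# Step 6 (optional): configure the Web Enrollment pages at http://<ca>/certsrv.
Install-AdcsWebEnrollment -Force

# Step 7: verify. The service must answer, report its name, publish a CRL, and the
# CA certificate must be present in the Trusted Root store of the CA server.
certutil -ping
certutil -CAInfo name
certutil -crl
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "CN=$CaName*" |
    Format-List Subject, NotAfter, Thumbprint

# Two-tier variant (recommended): the root is a Stand-Alone Root CA installed on a server
# that is never joined to the domain and is powered off after signing the subordinate.
# On the issuing CA, generate a request instead of a self-signed certificate:
#   Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
#       -CACommonName "CORP-ISSUING-CA" -CADistinguishedNameSuffix $DomainDn `
#       -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
#       -KeyLength 4096 -HashAlgorithmName SHA256 `
#       -OutputCertRequestFile "D:\CAData\issuing.req" -Force
# Sign issuing.req on the offline root, copy the issued .cer back, then:
#   certutil -installcert "D:\CAData\issuing.cer"
#   Start-Service CertSvc
```

A CA installed this way also publishes its certificate to the Enterprise Root, NTAuth and AIA containers in Active Directory, which is why every domain-joined machine trusts it after the next Group Policy refresh; `certutil -pulse` on a client forces that refresh if you do not want to wait.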

Using Digital Certificates in Windows Server for Secure Authentication and Encryption

Digital certificates are used to verify identity, secure communication, and ensure data integrity in a network. In Windows Server, certificates enable secure access to services like HTTPS, VPNs, email encryption, and smart card logins by validating trust between devices and users.

How to Use Certificates in Windows Server:
1. Enroll for a Certificate
  • Via Certificate Enrollment Web Service, MMC snap-in, or auto-enrollment in Active Directory

2. Store Certificates
  • Stored in the Windows Certificate Store under:

    • Local Computer

    • Current User

3. Use in Services
  • Bind certificate to:

    • IIS for HTTPS

    • Remote Desktop Services

    • Network Policy Server (NPS)

    • Email client (e.g., Outlook)

4. Verify and Trust
  • Ensure the certificate chain is valid

  • Trusted Root CA must be present in the machine/user store

Topics in this lesson:
  • Using the Certificate Request Wizard
  • Using Certificate Templates
  • Requesting a Certificate
  • Using the Certificate Services Web Pages
  • Submitting a Certificate Request
  • Submitting an Advanced Certificate Request
  • Checking a Pending Request
  • Viewing Certificates
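The four steps above (enroll, store, bind to a service, verify the chain) as one scripted sequence for a web server. This is an added example, not code from the course page; the server name, template name and IIS site name are assumptions for a lab, and the template is assumed to be the built-in Web Server template already published on an Enterprise CA with Enroll permission granted to the computer account. The last step matters most for security: it builds the chain with online revocation checking, which is exactly what a client browser does, so a certificate whose CRL cannot be fetched shows up here before users see an error.

```powershell
# Added example, not from the course page. Run elevated on the domain-joined web server.
Import-Module PKI
Import-Module WebAdministration

$Fqdn     = "web01.corp.example"   # assumed server FQDN; becomes Subject CN and the SAN
$Template = "WebServer"            # assumed: built-in Web Server template, published on the CA
$SiteName = "Default Web Site"     # assumed IIS site

# 1. Enroll: the machine account sends a request to the Enterprise CA for the template.
#    Status is "Issued" when the template auto-approves, "Pending" when a CA manager must approve.
$result = Get-Certificate -Template $Template -DnsName $Fqdn -SubjectName "CN=$Fqdn" `
                          -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne "Issued") { throw "Enrollment not completed, status: $($result.Status)" }
$cert = $result.Certificate

# 2. Store: the certificate and its private key now live in Local Computer\Personal.
Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint |
    Format-List Subject, NotAfter, HasPrivateKey, Thumbprint

# 3. Use in a service: create the HTTPS binding (SslFlags 1 = SNI) and attach the certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $Fqdn -SslFlags 1
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, "My")

# 4. Verify and trust: build the full chain with revocation checked for every element.
#    Build() fails if the issuing CA or root is missing from the machine's trusted stores,
#    if any certificate has expired, or if a CRL/OCSP responder for the chain is unreachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($cert)) {
    "Chain valid:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}

# The SSL policy check additionally confirms the host name matches and the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is present, as a TLS client requires.
Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -EKU "1.3.6.1.5.5.7.3.1"
```

For a user certificate (smart card logon, S/MIME) the same `Get-Certificate` call is run in the user's session with `-CertStoreLocation Cert:\CurrentUser\My`; the chain check is unchanged, because trust is decided by the same root and intermediate stores.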
Managing Certificates in Windows Server: Best Practices for PKI Security and Administration

Managing certificates involves issuing, renewing, revoking, and maintaining digital certificates in a Windows Server environment. Proper certificate management ensures secure authentication, data integrity, and encrypted communication across the network.

Tools for Managing Certificates in Windows Server:
  1. Certification Authority Console

    • Issue/revoke certificates

    • Manage Certificate Revocation Lists (CRLs)

    • Publish and manage templates

  2. MMC Certificate Snap-In

    • Manage local or user certificates

    • Import/export certificates

    • View trust chain and usage

  3. PowerShell (Cert:\ Drive)
    Example:

Get-ChildItem -Path Cert:\LocalMachine\My

  4. Group Policy

    • Auto-enrollment settings

    • Trusted Root Certification Authorities deployment

  5. PKIView.msc

    • Graphical overview of the health of your enterprise PKI


Best Practices for Certificate Management:
  • Enable Auto-Renewal via GPO for domain-joined devices

  • Revoke Compromised Certificates immediately and republish CRLs

  • Monitor Expiry Dates with scripts or certificate monitoring tools

  • Use Templates to standardize certificate issuance policies

  • Secure CA Private Key with proper ACLs and offline storage for Root CA

Topics in this lesson:
  • Issuing Certificates
  • Rejecting a Certificate Request
  • Issuing a Certificate Request
  • Revoking Certificates
  • Publishing a Certificate Revocation List
  • Importing and Exporting Certificates
  • Examining Certificate File Formats
  • Importing a Certificate
  • Exporting a Certificate
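The management tasks and best practices above (expiry monitoring, revocation, CRL publication, import and export) as a scripted workflow run on the CA. This is an added example, not code from the course page; the serial number, file paths and subject name are placeholders for a lab. The ordering is the point: after a revocation the CRL is republished immediately and then the revoked certificate is re-checked through its own CDP URLs, so you confirm that relying parties can actually learn of the revocation rather than assuming it.

```powershell
# Added example, not from the course page. Run elevated on the issuing CA as a CA Manager.

# Monitor expiry in the CA database: issued certificates (Disposition 20) that expire
# within 30 days. certutil's restriction syntax takes "now+DD:HH".
certutil -view -restrict "Disposition=20,NotAfter<=now+30:00" `
         -out "RequestID,RequesterName,CommonName,NotAfter"

# The same check against a member server's own store, suitable for a scheduled alert.
$soon = (Get-Date).AddDays(30)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt $soon } |
    Select-Object Subject, NotAfter, Thumbprint

# Revoke a compromised certificate immediately. The second argument is the reason code;
# 1 = Key Compromise, which most clients treat as permanent (0 = Unspecified, 6 = Certificate Hold
# is the only reversible reason).
$Serial = "6100000002a1b2c3d4e5f60000000002"   # placeholder serial number from the CA console
certutil -revoke $Serial 1

# Republish the base (and, if configured, delta) CRL so relying parties do not have to wait for
# the next scheduled publication, then show where clients will fetch it from.
certutil -crl
certutil -getreg CA\CRLPublicationURLs

# Confirm the revocation is visible through the certificate's own CDP/AIA URLs, exactly as a
# client would check it. A revoked certificate reports "Certificate is REVOKED" here.
certutil -verify -urlfetch "D:\Export\revoked-cert.cer"   # placeholder path to the revoked certificate

# Exporting: public certificate in DER (.cer) for distribution, PFX with private key and chain
# only when migrating a service, and then protected by a strong password.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "CN=web01.corp.example*"
Export-Certificate -Cert $cert -FilePath "D:\Export\web01.cer" -Type CERT
$pw = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert $cert -FilePath "D:\Export\web01.pfx" -Password $pw -ChainOption BuildChain

# Importing: a CA certificate goes into Trusted Root (or Intermediate) Certification
# Authorities, never into Personal; a server certificate with key is imported from PFX.
Import-Certificate -FilePath "D:\Export\corp-root-ca.cer" -CertStoreLocation Cert:\LocalMachine\Root
Import-PfxCertificate -FilePath "D:\Export\web01.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $pw
```

Two caveats a practitioner would want: `certutil -revoke` only marks the record in the CA database, so nothing changes for clients until `certutil -crl` (or the scheduled publication) runs and the CRL copies at every CDP URL are refreshed; and clients cache a CRL until its NextUpdate time, so a revocation becomes effective everywhere only after the previous CRL expires, which is why short CRL lifetimes or OCSP are used for high-value certificates.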
Configuring Active Directory for Certificate Services (PKI Integration in Windows Server)

Configuring Active Directory for certificates involves integrating Active Directory with Active Directory Certificate Services (AD CS) to enable enterprise-wide certificate auto-enrollment, user authentication, and secure communication using Public Key Infrastructure (PKI).


Key Steps to Configure Active Directory for Certificates:

  1. Install Active Directory Certificate Services (AD CS)

    • Use Server Manager > Add Roles and Features

    • Select Certification Authority (and optionally: Web Enrollment, Policy Web Service, etc.)

  2. Choose CA Type

    • Enterprise CA (requires Active Directory, supports auto-enrollment)

    • Standalone CA (no AD integration; manual certificate approval)

  3. Publish Certificate Templates to AD

    • Use Certification Authority Console

    • Duplicate default templates (e.g., Workstation Authentication, Web Server)

    • Publish templates under Certificate Templates

  4. Enable Auto-Enrollment via Group Policy

    • Open Group Policy Management Console (GPMC)

    • Navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies

    • Enable:

      • Autoenrollment Settings

      • Certificate Services Client – Auto-Enrollment

  5. Add CA to Active Directory

    • When setting up an Enterprise CA, it automatically publishes itself to AD

    • Ensures trusted CA information is replicated across domain controllers

  6. Replicate AD and Test Enrollment

    • Ensure domain controllers and member devices replicate the new CA information

    • Test auto-enrollment with domain-joined devices

Requirements for an external user's certificate to authenticate against Active Directory:
  • The external user must have a certificate
  • The external user must have a user account
  • The external user's certificate must be issued by a trusted CA
  • A name mapping must exist between the external user's certificate and the Active Directory account
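The Active Directory integration steps (publish templates, enable auto-enrollment by GPO, confirm the CA is registered in AD, test enrollment) and the external-user mapping requirement above, as one script. This is an added example and not code from the course page; the GPO name, domain DN, template names, partner user name and certificate path are assumptions for a lab. The registry value it sets is the one the "Certificate Services Client - Auto-Enrollment" GUI setting writes (AEPolicy = 7 enables enrollment, renewal of expired and pending certificates, and template updates). The mapping uses the issuer-plus-serial form of altSecurityIdentities, with the serial number byte-reversed as Windows expects; the RDN reversal assumes the issuer DN contains no commas inside an RDN value.

```powershell
# Added example, not from the course page. Run elevated on a domain member with the AD CS
# and Group Policy RSAT tools, as a user who can manage the CA, GPOs and the target account.
Import-Module ADCSAdministration
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = "DC=corp,DC=example"        # assumed domain DN
$GpoName  = "PKI Autoenrollment"        # assumed GPO name

# Step 3: publish templates on the Enterprise CA (CA console > Certificate Templates > New >
# Certificate Template to Issue). Templates must already exist in AD; duplicate and adjust
# them in certtmpl.msc first.
foreach ($t in "Workstation Authentication", "WebServer") {
    if (-not (Get-CATemplate | Where-Object Name -eq $t)) { Add-CATemplate -Name $t -Force }
}
Get-CATemplate

# Step 4: auto-enrollment by GPO. The GUI setting writes these values under the policy key.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
$key = "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName AEPolicy -Type DWord -Value 7 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName OfflineExpirationPercent -Type DWord -Value 10 | Out-Null
New-GPLink -Name $GpoName -Target $DomainDn -ErrorAction SilentlyContinue | Out-Null

# Step 5: an Enterprise CA registers itself in the Configuration partition. Confirm the
# enrollment-service object exists and the CA certificate is in NTAuth (required for logon certs).
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc" `
             -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties dNSHostName |
    Select-Object Name, dNSHostName
certutil -enterprise -store NTAuth

# Step 6: on a domain-joined client, refresh policy, trigger auto-enrollment and look for a
# certificate carrying the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
gpupdate /target:computer /force
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.21.7" } } |
    Select-Object Subject, NotAfter, Thumbprint

# External user mapping: the account exists, the partner CA is trusted (in NTAuth for logon),
# and altSecurityIdentities links issuer + serial of the partner certificate to the account.
$extCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\Export\partner-user.cer")

# Windows wants the issuer DN in reverse RDN order, without spaces, e.g. DC=example,DC=partner,CN=PARTNER-CA
$rdns = @($extCert.Issuer -split ", ")
[array]::Reverse($rdns)
$issuer = $rdns -join ","

# ...and the serial number with its bytes reversed (the <SR> form).
$serialBytes = @([regex]::Matches($extCert.SerialNumber, "..") | ForEach-Object { $_.Value })
[array]::Reverse($serialBytes)
$serialReversed = -join $serialBytes

$mapping = "X509:<I>$issuer<SR>$serialReversed"
Set-ADUser -Identity "partner.user" -Add @{ altSecurityIdentities = $mapping }   # assumed account
Get-ADUser -Identity "partner.user" -Properties altSecurityIdentities | Select-Object -ExpandProperty altSecurityIdentities
```

Issuer-plus-serial is the mapping to prefer: a mapping on subject name alone can be satisfied by any certificate the trusted CA issues with that name, whereas issuer plus serial identifies exactly one certificate and must be updated when it is renewed.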

© 2024 SkillPoint IT. All rights reserved.