Certificate Services
Role of a certificate
Data encryption
Identity verification
Key (Encryption) Basic Concepts
Data transmission: an encryption method is used to protect the content of the data, or to verify the identity of the other party
Symmetric encryption: the sender and receiver use the same method (key) to encrypt and decrypt the content of the data and to verify identity; ordinary security, high efficiency
Asymmetric encryption: the sender and receiver use a pair of different keys to encrypt and decrypt the data and to verify identity; better security, lower efficiency
PKI (public key infrastructure)
Basic concept:
From the information of the object (name, IP address, etc.), a pair of keys is computed with the specified algorithm (RSA). Properties of the key pair:
The contents of the two keys are completely different
What one key encrypts, only the other key can decrypt
It is difficult to derive one key from the other
Defined by how they are used: public key: used for identity verification; by default any object may hold it
Private key: held only by the designated object; it must be stored properly and must not be leaked
Data encryption
The sender encrypts the data with the receiver's public key and sends the encrypted data to the receiver
The receiver decrypts the received data with its own private key
Digital signature
Sender
A digest value of the raw data to be sent is computed with the specified hash algorithm (SHA, MD5)
The sender encrypts the digest value of the original data with its own private key
The original data, the sender's public key and the digest value encrypted with the sender's private key are sent to the receiver
Receiver
The receiver receives the original data, the sender's public key and the digest value encrypted by the sender
Decrypt the received digest value with the sender's public key
Decryption succeeds: the data is confirmed to have been sent by the sender
Compute the digest value of the received raw data with the same algorithm the sender used
Compare the computed digest value with the decrypted digest value
Comparison succeeds: the integrity of the original data is confirmed
Hybrid encryption
Remaining problem: the security of the source of the key
Certificate
Acts as the carrier of the key (X.509)
Information identifying the key: subject, certificate origin (issuer), other information
Source:
Self-signed: the user issues the certificate to himself
Certificate Authority (CA): issued by a certificate authority
Role of the certificate authority
Certificate issuance service: generates a key pair for itself and uses the public key together with the authority's (service's) information to generate a certificate (the CA root certificate)
CA root certificate: the information and status used to identify the organization
When the client receives a certificate sent by another service, it compares the issuer of the certificate with the local list of "trusted certificate authorities". If the issuer is in the local trusted list, the source of the certificate is considered trusted and the public key in the certificate can be used for secure data transfer
How the client's trusted list is updated
Internet automatic update: the Windows system updates the client's trusted list through automatic update (easy to use, high cost)
Mobile and Apple OS:
Mobile: certificates have a lower security level; the certificate origin is not verified (all SSL certificates are accepted)
Mac OS: trusted list -
Domain update: enterprise deployment with AD-integrated AD Certificate Services (AD CS); once the certificate service (CA) is integrated with AD, every computer joined to the AD domain automatically updates its trusted list and adds the CA root certificate of the certificate service
Manual update: manually import the CA root certificate of Certificate Services into the local trusted list
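The digest/sign/verify flow and the client's trusted-list check described above, as an added example that is not part of the original notes. It uses a toy textbook RSA (no padding, 512-bit keys, a dictionary instead of an X.509 certificate) purely to make the steps visible; the names Corp Root CA and web01.corp.example are constructed for the demo.

```python
import hashlib, math, secrets

# Toy RSA plus a minimal "certificate", mirroring the digest/sign/verify flow and the client's
# trusted-list check above. Demo only: no padding, no X.509, 512-bit keys. Use a vetted library.

def is_probable_prime(n, rounds=20):  # Miller-Rabin test; expects odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rand_prime(k):
    while True:                                      # k-bit odd candidates
        c = secrets.randbits(k) | (1 << (k - 1)) | 1
        if is_probable_prime(c):
            return c

def gen_keypair(bits=512):                           # returns ((n, e), (n, d))
    e = 65537
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(data, priv):          # sender: "encrypt" the digest with the private key
    return pow(digest(data), priv[1], priv[0])
def verify(data, sig, pub):    # receiver: "decrypt" with the public key, compare digests
    return pow(sig, pub[1], pub[0]) == digest(data)
def cert_body(cert):           # the fields the issuer's signature covers
    return f"{cert['subject']}|{cert['pub']}|{cert['issuer']}".encode()
def make_cert(subject, pub, issuer, issuer_priv):
    cert = {"subject": subject, "pub": pub, "issuer": issuer}
    return {**cert, "sig": sign(cert_body(cert), issuer_priv)}
def client_accepts(cert, trusted):  # trusted: {issuer name: CA public key}
    # the issuer must be in the local trusted list AND the signature must verify under that CA key
    ca_pub = trusted.get(cert["issuer"])
    return ca_pub is not None and verify(cert_body(cert), cert["sig"], ca_pub)
```

A certificate whose issuer name is in the list but whose signature was made with some other private key is rejected, which is what the issuer comparison alone cannot guarantee.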
How to use the certificate
Certificate Services (Certificate Authority, CA)
Issues a certificate for itself
Issues certificates for other services and objects
Certificate maintenance
Certificate revocation
Public CA: deployed in the internet environment to issue certificates for services on the public network (application fees apply); prefer a CA that is already in the clients' trusted lists
Internal CA
Standalone CA: workgroup state, deploys Certificate Services (CA)
AD Certificate Services (AD CS)
Automatic certificate issuance
Rich certificate templates
Definable certificate revocation list (CRL) path
The internal CA is added to the clients' trusted lists via AD Group Policy
Root CA and sub-CAs: a hierarchy of CAs is required
Root CA: unique in the organization; issues and maintains certificates for the other sub-CAs; can be taken offline once the whole CA hierarchy is deployed
Sub-CA: issues certificates for other services and objects, manages certificate templates, revokes certificates
Best practices:
Small and medium-sized enterprises: deploy one standalone server as the CA server (AD-integrated); it must be backed up regularly; in a real environment, deploying the CA service on the DC is not recommended
Medium and large enterprises: deploy a standalone root CA server (offline requirement, workgroup) and deploy additional sub-CA servers according to business requirements, high availability and geographic location
Validity period of the CA root certificate: more than 10 years
Basic configuration of Certificate Services
Simple certificate application
IIS configuration
Client HTTPS access error status
Advanced configuration of Certificate Services
Certificate Services
Custom certificate templates
Certificate revocation list distribution point (CDP)
Applying for and managing certificates
Client - MMC console
Apply for a certificate
Export the certificate with the private key
Import a certificate