Lesson 2
Designing a Public Key Infrastructure
11-9
Lesson 2: Designing a Public Key Infrastructure
As with most elements of a network, implementing a public key infrastructure requires careful planning before you begin deployment. Planning a PKI typically consists of the following basic steps:
■ Defining certificate requirements
■ Creating a certification authority infrastructure
■ Configuring certificates
After this lesson, you will be able to
■ List the types of certificates a Windows Server 2003 CA can issue
■ Describe the structure of a CA hierarchy
■ List the differences between enterprise and stand-alone CAs
■ Configure certificate parameters
Estimated lesson time: 30 minutes
Defining Certificate Requirements
As in most phases of designing a network, the first step of the planning phase is to determine the requirements of the users. In the case of a PKI design, you must determine what your client's security needs are, how certificates can help provide that security, which users, computers, services, and applications will use certificates, and what kinds of certificates your clients need. In many cases, you will have already answered some or all of these questions as you developed an overall security strategy.
A PKI using computers running Windows Server 2003 can create certificates that support any or all of the following applications:
■ Digital signatures Used to confirm that a message, file, or other data actually came from the person who purports to have sent it and that it has not been altered since it was signed. Digital signatures do not encrypt the data, so they provide no confidentiality; what they provide is authentication of the sender and integrity of the signed content.
■ Encrypting File System user and recovery certificates The Windows Server 2003 Encrypting File System (EFS) enables users to store data on disk in encrypted form, to prevent other users from reading it. To prevent loss of data when users leave the organization or lose their private keys, EFS supports designated recovery agents: each encrypted file carries a copy of its file encryption key wrapped with the recovery agent's public key, so the recovery agent can decrypt the file with the corresponding private key. As with IPSec, EFS does not have to use the PKI for its certificates (it can generate self-signed ones), but the use of a PKI simplifies managing EFS.
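The digital-signature point above, as an added example that is not part of the training kit: a short Go program signs a message with RSA-PSS over SHA-256 and verifies it, then shows that a tampered copy and a signature made with a different key are both rejected, while the message itself is never encrypted. The key size, the sample message, and the function names are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes msg with SHA-256 and signs the digest with RSA-PSS
// under the signer's private key. The message itself is left in the clear.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyMessage reports whether sig is a valid RSA-PSS signature over msg
// under pub. Any change to msg, or a signature made with another key, fails.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// SignatureChecks runs the cases the lesson describes and returns whether
// (1) the genuine message verifies, (2) a tampered copy is rejected, and
// (3) a signature from an impostor's key is rejected.
func SignatureChecks() (genuineOK, tamperDetected, impostorDetected bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample message for the example; it stays readable throughout.
	msg := []byte("Approve transfer of 10000 to account 4711")
	sig, err := SignMessage(signer, msg)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyMessage(&signer.PublicKey, msg, sig)

	// Change one digit: the signature no longer matches the content (integrity).
	tampered := bytes.Replace(msg, []byte("10000"), []byte("90000"), 1)
	tamperDetected = !VerifyMessage(&signer.PublicKey, tampered, sig)

	// Sign with another key: it does not verify under the expected key (origin).
	impostorSig, err := SignMessage(impostor, msg)
	if err != nil {
		return false, false, false, err
	}
	impostorDetected = !VerifyMessage(&signer.PublicKey, msg, impostorSig)
	return genuineOK, tamperDetected, impostorDetected, nil
}

func main() {
	g, t, i, err := SignatureChecks()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tamper detected: %v, impostor detected: %v\n", g, t, i)
}
```

Note that the verifier only needs the signer's public key, which is what a certificate carries; the private key never leaves the signer.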
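The recovery-agent mechanism, as an added example that is not from the training kit: a simplified EFS-style file format in Go in which a random per-file key encrypts the contents, and that key is wrapped with RSA-OAEP once to the owner's public key and once to each recovery agent's public key, playing the role of EFS's data decryption field (DDF) and data recovery field (DRF). The owner's or the agent's private key recovers the file; an unrelated key does not. The struct, the function names, and the sample contents are constructed for the example; real EFS uses different algorithms and on-disk structures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a simplified stand-in for an EFS file (constructed for this
// example): a random per-file key (FEK) encrypts the contents, and the FEK is
// stored wrapped once for the owner (DDF) and once per recovery agent (DRF).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDF        []byte   // FEK encrypted to the owner's public key
	DRFs       [][]byte // FEK encrypted to each recovery agent's public key
}

func newAEAD(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile encrypts plaintext under a fresh AES-256-GCM key and wraps that key for the owner and every agent.
func EncryptFile(plaintext []byte, owner *rsa.PublicKey, agents []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	aead, err := newAEAD(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
	if ef.DDF, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, fek, nil); err != nil {
		return nil, err
	}
	for _, agent := range agents {
		drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.DRFs = append(ef.DRFs, drf)
	}
	return ef, nil
}

// DecryptFile tries priv against the DDF and then each DRF; a matching private key recovers the FEK and the file.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, entry := range append([][]byte{ef.DDF}, ef.DRFs...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, entry, nil)
		if err != nil {
			continue // not wrapped to this key; try the next entry
		}
		aead, err := newAEAD(fek)
		if err != nil {
			return nil, err
		}
		return aead.Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// RecoveryScenario reports whether the owner, the recovery agent and an unrelated user can read a sample file.
func RecoveryScenario() (ownerOK, agentOK, strangerOK bool, err error) {
	owner, agent, stranger := newKey(), newKey(), newKey()
	secret := []byte("Q3 salary review - confidential") // constructed contents
	ef, err := EncryptFile(secret, &owner.PublicKey, []*rsa.PublicKey{&agent.PublicKey})
	if err != nil {
		return false, false, false, err
	}
	got, e := DecryptFile(ef, owner)
	ownerOK = e == nil && string(got) == string(secret)
	got, e = DecryptFile(ef, agent)
	agentOK = e == nil && string(got) == string(secret)
	_, e = DecryptFile(ef, stranger) // expected to fail: no entry matches this key
	strangerOK = e == nil
	return ownerOK, agentOK, strangerOK, nil
}

func main() {
	o, a, s, err := RecoveryScenario()
	fmt.Println("owner:", o, "recovery agent:", a, "unrelated user:", s, "err:", err)
}
```

The structure explains why a recovery agent's certificate must exist before files are encrypted: the DRF is written at encryption time, so a file encrypted before the agent was designated carries no entry for that agent's key.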