Lesson 3 Managing Certificates 11-29
Lesson Summary
■ Only enterprise CAs can use auto-enrollment, in which clients send certificate requests to a CA and the CA automatically issues or denies the certificate.
■ For a client to receive certificates using auto-enrollment, it must have permission to use the certificate template for the type of certificate it is requesting.
■ Stand-alone CAs do not use certificate templates or auto-enrollment. Certificate requests are stored in a queue on the CA until an administrator approves or denies them.
■ Clients can request certificates using the Certificates console (for enterprise CAs only) or Web Enrollment Support pages (for stand-alone CAs).
■ CAs publish certificate revocation lists (CRLs) at regular intervals, to inform authenticating computers of certificates that they should no longer honor.
Case Scenario Exercise
You are the network infrastructure design specialist for Litware Inc., a manufacturer of specialized scientific software products, and you have already created a network design for their new office building, as described in the Case Scenario in Chapter 1. You are designing a PKI solution for the entire corporate network, which will enable all network users to encrypt and digitally sign their e-mail. In addition, you want the employees of the R&D department, who work with highly sensitive data, to be authenticated using smart card logons, to store their data files using EFS, and to transmit their files in encrypted form using IPSec. You also want to enable registered users of the company’s products to be able to download software updates from your company’s Web servers without fear of viruses or other forms of tampering.
To achieve these goals, you have designed a hierarchy of certificate authorities using three levels. The design calls for a single enterprise root CA at the company’s headquarters and one or more enterprise subordinate CAs at each of the company’s branch offices. Depending on the number of users, an office might have a single issuing CA or an intermediate CA and two subordinate issuing CAs.
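The CRL publication described in the lesson summary and the three-level CA hierarchy described in this scenario, as an added worked example that is not part of the textbook: it uses the third-party Python cryptography package (assumed to be installed) to build a constructed Litware root, intermediate and issuing CA, issue two user certificates from the issuing CA, publish a CRL that revokes one of them, and show what an authenticating computer should conclude when the CRL it holds is signed by the wrong CA or is past its next scheduled update. The CA names, user names, key type and one-day CRL interval are all constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

UTC = datetime.timezone.utc
ONE_DAY = datetime.timedelta(days=1)

def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def issue_cert(subject_cn, issuer_cert=None, issuer_key=None, is_ca=False, path_len=None):
    """Issue a certificate signed by issuer_key; with no issuer, build a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer_name = issuer_cert.subject if issuer_cert is not None else _name(subject_cn)
    signing_key = issuer_key if issuer_key is not None else key
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key

def publish_crl(issuer_cert, issuer_key, revoked_serials, valid_for=ONE_DAY):
    """Sign a CRL for issuer_cert listing revoked_serials; the CA must republish before valid_for elapses."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(now + valid_for)
    )
    for serial in revoked_serials:
        revoked = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(issuer_key, hashes.SHA256())

def _crl_next_update(crl):
    # next_update_utc exists in newer cryptography releases; fall back to the naive attribute otherwise
    next_update = getattr(crl, "next_update_utc", None)
    return next_update if next_update is not None else crl.next_update.replace(tzinfo=UTC)

def is_signed_by(cert, issuer_cert):
    """True if issuer_cert's key produced cert's signature (one link of the chain)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        return False
    return cert.issuer == issuer_cert.subject

def revocation_status(cert, issuer_cert, crl, now=None):
    """Return 'good', 'revoked', or 'unknown' when the CRL cannot be trusted (wrong signer or stale)."""
    now = now or datetime.datetime.now(UTC)
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        return "unknown"
    if _crl_next_update(crl) < now:
        return "unknown"  # past next_update: the CA should have published a fresh CRL by now
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def build_scenario():
    """Constructed Litware hierarchy (root -> intermediate -> issuing -> users) with one revoked user."""
    root, root_key = issue_cert("Litware Root CA", is_ca=True, path_len=2)
    inter, inter_key = issue_cert("Litware Intermediate CA", root, root_key, is_ca=True, path_len=1)
    issuing, issuing_key = issue_cert("Litware Issuing CA 1", inter, inter_key, is_ca=True, path_len=0)
    alice, _ = issue_cert("alice@litware.example", issuing, issuing_key)
    bob, _ = issue_cert("bob@litware.example", issuing, issuing_key)
    # The issuing CA publishes a CRL listing Bob's certificate as one that should no longer be honored
    crl = publish_crl(issuing, issuing_key, [bob.serial_number])
    stale = datetime.datetime.now(UTC) + 2 * ONE_DAY  # a relying party checking two days later
    return {
        "chain_ok": is_signed_by(inter, root) and is_signed_by(issuing, inter) and is_signed_by(alice, issuing),
        "alice": revocation_status(alice, issuing, crl),
        "bob": revocation_status(bob, issuing, crl),
        "alice_wrong_crl_signer": revocation_status(alice, inter, crl),
        "alice_stale_crl": revocation_status(alice, issuing, crl, now=stale),
    }

if __name__ == "__main__":
    for check, result in build_scenario().items():
        print(f"{check}: {result}")
```

The "unknown" result is the practical caveat: a CRL that is signed by a CA other than the certificate's issuer, or whose next_update has passed, tells a relying party nothing, and treating it as "good" silently re-admits revoked certificates. Each CA in the hierarchy signs only the CRL for the certificates it issued, which is why the example checks the user certificates against the issuing CA's CRL rather than the intermediate's.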
1. After the initial deployment of the PKI, which of the CAs can safely be taken offline? (Choose all correct answers.)
a. The root CA
b. The intermediate CAs
c. One of the issuing CAs at each office with an intermediate CA
d. All the issuing CAs