2. In the message box explaining that you can't decrypt data encrypted with this certificate,
click Yes .
3. Right-click the Certificates folder, point to All Tasks , and click Import . (Note that you can
request a new certificate, but a new certificate can't decrypt data encrypted with the deleted
certificate.)
4. The Certificate Import Wizard starts. Click Next .
5. In the File to Import window, click Browse . In the File types list box, click Personal
Information Exchange . Click the EFSCert certificate you exported in Activity 11-11, and
then click Open . Click Next .
6. In the Password window, type Password01 in the Password text box, and then click the
Mark this key as exportable check box. If you don't select this check box, the private key is
imported as non-exportable and you can't export it again later. Click Next .
7. In the Certificate Store window, accept the default Personal option, and then click Next .
8. In the Completing the Certificate Import Wizard window, click Finish . In the success message
box, click OK . You should see your EFS-2008 certificate displayed in the Certificates
folder.
9. Close all open windows on all computers and log off.
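The same import (steps 3 through 8) can be done from PowerShell, which is useful when you need to restore an EFS certificate on several machines or verify that the key really did come in as exportable. The following is an added example, not part of the activity; it uses only .NET X509 classes, so it runs on the PowerShell 2.0 that ships with Windows Server 2008 without the later PKI module. The path C:\Certs\EFSCert.pfx is an assumed location for the file exported in Activity 11-11; the password Password01 is the one the activity uses.

```powershell
# Added example (not from the textbook): import the EFS certificate and private key from the PFX
# exported in Activity 11-11 into the current user's Personal store, then confirm the key is exportable.
# Assumptions: the PFX is at C:\Certs\EFSCert.pfx (hypothetical path) and is protected with Password01.

$pfxPath  = 'C:\Certs\EFSCert.pfx'
$password = 'Password01'

function Import-PersonalPfx {
    param([string]$Path, [string]$Password, [switch]$NonExportable)
    $ks = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    # UserKeySet = key lands in the user's profile; PersistKeySet = key is kept after the object is gone.
    $flags = $ks::UserKeySet -bor $ks::PersistKeySet
    if (-not $NonExportable) {
        # Exportable is what the wizard's "Mark this key as exportable" check box sets.
        $flags = $flags -bor $ks::Exportable
    }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')  # "Personal"
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

$cert = Import-PersonalPfx -Path $pfxPath -Password $password

# Check 1: a private key came with the certificate and it carries the EFS EKU (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasEfsEku = [bool]($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid))
"Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  PrivateKey: $($cert.HasPrivateKey)  EFS EKU: $hasEfsEku"

# Check 2: the key really is exportable. If it was imported without the Exportable flag, Export()
# throws a CryptographicException ("Key not valid for use in specified state") and the catch block runs.
try {
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    "Key is exportable: re-exported $($bytes.Length) bytes of PFX"
} catch {
    "Key is NOT exportable: $($_.Exception.Message)"
}
```

Run it once with `-NonExportable` added to the `Import-PersonalPfx` call to see the failure mode the activity warns about in step 6: the certificate still decrypts files, but the second check reports that the key cannot be exported, so no further backup of it is possible.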
Chapter Summary
Active Directory Certificate Services (AD CS) provides services for creating a PKI in a
Windows Server 2008 environment. A PKI enables administrators to issue and manage
certificates, which can add a level of security to a network.
A PKI binds the identity of a user or device to a public key; the matching private key stays with
the holder and is what proves that binding. The main services a PKI provides are confidentiality,
integrity, nonrepudiation, and authentication.
Some key terms for describing a PKI and AD CS include private and public keys, digital
signature, certification authority, certificate revocation list, online responder, and certifi-
cate enrollment.
An enterprise CA integrates with Active Directory; a standalone CA does not. Windows
Server 2008 Enterprise Edition (or Datacenter) is required for the full enterprise CA feature
set, including version 2 and 3 templates, autoenrollment, NDES, and the Online Responder;
Standard Edition supports only a limited enterprise CA. For requesters without Active
Directory accounts, such as non-Windows devices or external users, a standalone CA is the
usual choice because it doesn't rely on AD for authentication or template information.
A CA can be online or offline. An offline CA is kept off the network so its private key is far less
exposed; it is usually the root of a CA hierarchy and signs only subordinate CA certificates and its
own CRL, with one or more online issuing CAs beneath it. An issuing CA issues certificates to
users and devices. A CA hierarchy is usually two-level or three-level. The first level is the root
CA, and each level created is subordinate to the level above it.
The AD CS role is installed in Server Manager and should not be installed on a domain
controller. An enterprise CA must be installed on a domain member server. A standalone
CA can be installed on a member server or a standalone server.
Configuring a CA involves configuring certificate templates, enrollment options, and an
online responder as well as creating a revocation configuration. Certificate templates can
be version 1, version 2, or version 3. Version 1 templates can't be changed and are provided
for backward compatibility. Version 2 templates can be customized and are compatible with
Windows Server 2003 and later CAs. Version 3 templates add support for Cryptography Next
Generation (CNG) algorithms and require a Windows Server 2008 CA, with Windows Vista or
later clients to enroll for them.
Certificate enrollment occurs when a user or device requests a certificate and the certificate
is granted. Enrollment can occur with autoenrollment, the Certificates MMC, Web enroll-
ment, NDES, and smart cards.
An online responder answers Online Certificate Status Protocol (OCSP) requests, so clients can
check a single certificate's revocation status without downloading the entire CRL periodically.
The Online Responder role service requires installing the Web Server (IIS) role, too.