Installing a Root CA on Windows Server 2012 скачать в хорошем качестве

Installing a Root CA on Windows Server 2012

This video will look at how to install a Root CA on Windows Server 2012. The root CA forms the top of the certificate hierarchy. If compromised, all certificates in your hierarchy are also compromised. This video looks at not only how to install the root CA but also how to protect it from attack. Download the PDF handout http://ITFreeTraining.com/handouts/ce... What we will do in this video This video will look at installing and configuring a root CA using Windows Server 2012 that is not connected to the network. Any certificates that are created on this server will be transported to other servers using a floppy disk or a USB flash drive. Having the root CA not connected to the network helps protect the private key installed on the server. Demonstration The installation of the Root CA is divided into 3 parts. Pre configuration is done before the Active Directory Certificate Service role is installed so that the certificate created during the install have the right settings. Once these settings are used to create the certificate, the settings in the certificate cannot be modified later on. The second part of the install of the role involves adding of the role through server manager and selecting some options. The last step is post configuration which is needed in order to ensure that certificates that are created by the Root CA have the right options. This needs to be done before the root CA issues any certificates. The files used in the demonstration are available for download. See the references part of the video for the URL. Pre configuration When the Certificate Authority role is installed, a certificate for the root CA is created, unless you have a certificate from a previous install. In order to create this certificate, a number of options needed to be configured which cannot be configured using the wizard. These additional options are read from a file in the Windows directory called CAPpolicy.inf. An example of this file is shown below. [Version] Signature="$Windows NT$" [PolicyStatementExtension] Policies=InternalPolicy [InternalPolicy] OID= 1.2.3.4.1455.67.89.5 Notice="Legal Policy Statement" URL=http://ITFreeTraining.com/cps.txt [Certsrv_Server] RenewalKeyLength=2048 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=20 AlternateSignatureAlgorithm=1 CRLDeltaPeriod=Days CRLDeltaPeriodUnits=0 See below for a description for each part of the file. [Version] Signature="$Windows NT$" This identifies the file as a setting file. This part simply needs to be copied and pasted to the top of the file and is always the same. There is no need to change any part of this file. [PolicyStatementExtension] Policies=InternalPolicy This part indicates the policies that relate to the certificate. These policies do not affect the operation of the CA or how the certificates work. They define how the certificate can be used just like a license agreement would define how a piece of software can be used. The policies defined in the setting file are embed in each certificate so the person using the certificate is able to read them or can find where to look them up. [InternalPolicy] OID= 1.2.3.4.1455.67.89.5 Notice="Legal Policy Statement" URL=http://ITFreeTraining.com/cps.txt This part is an example of a policy. The OID (Object Identifier) is a unique number. See the references for a link on where you can register your own OID. The notice setting is the text that is embedded in the certificate and the URL is a link to where the user of the certificate can download the policy text if they wish. [Certsrv_Server] RenewalKeyLength=2048 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=20 AlternateSignatureAlgorithm=1 CRLDeltaPeriod=Days CRLDeltaPeriodUnits=0 Description to long for YouTube. Please see the following link for the rest of the description. http://itfreetraining.com/certificate... See    / itfreetraining   or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube. References "MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 780 "Cryptographic Service Provider" http://en.wikipedia.org/wiki/Cryptogr... "Cryptography Next Generation" http://technet.microsoft.com/en-us/li... "Windows Server 2008 PKI and Certificate Security" pg 89