Understand the security concerns of archiving private keys. Learn how to configure the archival of private keys throughout your Active Directory domain.
- [Instructor] I'm going to wrap up this chapter on certificates with a topic that, depending on who you talk to, is either very important or very dangerous, and that is the archiving of private keys for recovery should they become lost or corrupt. When we use a certificate to encrypt a file in transit and the certificate becomes corrupt, the only thing we lost is the information on the wire. If, however, we're using a certificate to encrypt a file store, such as the encrypted file system certificate, and that private key is lost or corrupt, we could lose access to all of that data. That's why this is considered important.
We can configure Active Directory certificate services to archive private keys so they can be recovered later. I mentioned that some people consider this dangerous. Remember that the certificate authority database can be replicated through Active Directory throughout our organization. There are many who think that keeping multiple copies of all your private keys is a bad idea because it gives you multiple points of vulnerability.
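An added example, not part of the course: a PowerShell check an administrator can run on an enterprise CA to see whether key archival is actually in effect, whether access to archived keys is audited, and which templates in the domain require archival. It reads the CA service's registry configuration (KRAUsedCount, KRACount, AuditFilter) and the msPKI-Private-Key-Flag attribute of the templates; the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example: inventory key-archival exposure on the local CA and in AD.
# Run on the CA host with local admin rights; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# KRAUsedCount > 0 means the CA is configured to wrap archived keys with
# that many key recovery agent (KRA) certificates; KRACount is how many are loaded.
$kraUsed  = [int]$ca.KRAUsedCount
$kraTotal = [int]$ca.KRACount

# AuditFilter bit 0x40 is the "Store and retrieve archived keys" audit category.
$archiveAudited = (([int]$ca.AuditFilter) -band 0x40) -ne 0

[pscustomobject]@{
    CA                   = $caName
    ArchivalEnabled      = ($kraUsed -gt 0)
    KraUsed              = $kraUsed
    KraLoaded            = $kraTotal
    ArchivedKeyAuditing  = $archiveAudited
}

if ($kraUsed -gt 0 -and -not $archiveAudited) {
    Write-Warning 'Key archival is on but key store/retrieve events are not audited.'
}

# Templates published in the forest that require private key archival:
# bit 0x1 of msPKI-Private-Key-Flag (REQUIRE_PRIVATE_KEY_ARCHIVAL).
$tplBase = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $tplBase -Filter * -Properties 'msPKI-Private-Key-Flag' |
    Where-Object { (($_.'msPKI-Private-Key-Flag') -band 0x1) -ne 0 } |
    Select-Object Name |
    Format-Table -AutoSize
```

A template that requires archival with no KRA configured on the CA causes enrollment to fail, so the two halves of the report should agree before the template is issued.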
Note: The topics covered here map to the Configure Identity and Access Solutions domain for Microsoft Certified Solutions Associate (MCSA) Exam 70-412, Configuring Advanced Windows Server 2012 Services. Use these tutorials to study for the exam.