In this introduction to Active Directory Certificate Services, Scott Burrell describes how the need for trust drives the selection of a root certification authority. Both internal root authorities and third-party certificate authorities are described. The concepts presented are applied to a business scenario.
- [Voiceover] I wanted to open this chapter with an introduction to certificate authorities and the different roles that a certificate server might play in an Active Directory environment. First, let's review why we need certificates. At the end of the day, certificates are about creating trust. They allow a server to trust a user or a device. They allow a customer to trust a registration or payment website. They allow both sides of a conversation to trust that the information being sent across a public network is protected from prying eyes.
For this trust to be of value, the person or system trusting the certificate has to have confidence in where the certificate was issued. If I want to instill trust in external customers, I need to have a transaction protected by a third party that we both trust. You see this on various payment websites, or when you register an account with your utility company. It's secured by some registration agency that you've heard of. You as a customer trust your information or your credit card number being sent because the site and the privacy of the conversation are verified by Symantec, or Entrust, or GlobalSign, or some other trusted agent.
It's kind of like a cashier seeing a debit card from a bank they've never heard of, but if it carries the Visa logo, they'll have confidence in the card. And for a different perspective, let's consider how our system knows it can trust one of our users. If a new employee is trying to enter a building, security is not going to let them in because their mom vouches for them. Our local security needs to verify something provided by our company. Trusting a user to access information resources can be viewed the same way.
A certificate authority within our own company network can be compared to that security department. This is where all identity verification begins. The top level doesn't print all the ID badges, or issue all of the certificates. But it does give its stamp of approval to the various departments that do. In Active Directory Certificate Services, we call this top level the root authority. This server does not issue certificates to users, or computers, or services.
It doesn't even have to be online all of the time. Its job is to sign off on the other certificate authorities that will issue these IDs, and to publish lists of certificates that have been revoked when one of these issuing authorities is taken down. The servers that issue certificates can be subordinates to the root authority. Once they receive their signing certificate, or license to operate, from the root authority, they can begin issuing certificates that can be trusted by anyone that already trusts the root.
The hierarchy makes the certificate services scalable and protects all branches of the Active Directory tree and forest. And we'll get into that a little more as we go along. But before we get into the video on installing certificate services, let's make a plan for the hierarchy that we're going to create. At Landon Hotels, we have a corporate office to manage operations for hotels all around North America. The root certificate authority should be located there. In each region, we've selected one of our larger hotels to serve as a regional office.
In New England, the regional office is located at one of our Boston hotels. That is where we're going to locate the issuing certificate server for the New England region. That server will be subordinate to the root authority at corporate. And it will issue certificates that can be trusted by domain controllers and other resource servers. And we can continue this pattern throughout the company. This hierarchy is pretty simple and we will refer back to it throughout this chapter, as we install and configure these certificate servers.
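The two-tier plan described above (offline root at corporate, enterprise issuing CA in Boston), written out as an added PowerShell example; it is not part of the course and the hostnames CORP-ROOTCA and BOS-ISSUECA01, the CA common names and the C:\CA paths are assumptions.

```powershell
# Added example, not course material. Assumed names: CORP-ROOTCA (workgroup host,
# kept offline), BOS-ISSUECA01 (domain-joined), CA names and C:\CA paths below.

# --- Step 1: on the corporate root (standalone, never domain-joined) ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Landon Hotels Root CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# The root only signs subordinate CAs and publishes a CRL, so let the CA
# certificates it issues live long and publish the base CRL infrequently.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0   # no delta CRLs from an offline root
Restart-Service CertSvc
certutil -crl                                # publish the first CRL to C:\Windows\System32\CertSrv\CertEnroll

# --- Step 2: on the Boston issuing CA (domain member, enterprise subordinate) ---
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Landon Hotels New England Issuing CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -OutputCertRequestFile "C:\CA\BOS-ISSUECA01.req" -Force
# CertSvc stays stopped until the root has signed this request.

# --- Step 3: carry the .req to the root on removable media and sign it there ---
certreq -submit -config "CORP-ROOTCA\Landon Hotels Root CA" C:\CA\BOS-ISSUECA01.req
# A standalone root holds the request as pending and prints a RequestId; approve
# and retrieve it (replace <RequestId> with the printed value):
certutil -resubmit <RequestId>
certreq -retrieve -config "CORP-ROOTCA\Landon Hotels Root CA" <RequestId> C:\CA\BOS-ISSUECA01.cer

# --- Step 4: on any domain-joined host as Enterprise Admin, publish the root's
# certificate and CRL to Active Directory so every domain member trusts the root ---
certutil -dspublish -f C:\CA\CORP-ROOTCA_Landon_Hotels_Root_CA.crt RootCA
certutil -dspublish -f C:\CA\Landon_Hotels_Root_CA.crl

# --- Step 5: back in Boston, install the signed CA certificate and start issuing ---
certutil -installcert C:\CA\BOS-ISSUECA01.cer
Start-Service CertSvc
```

Run step 4 before step 5: the subordinate refuses to start if it cannot build and revocation-check its own chain to the root.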
- Installing root and subordinate certificate authorities
- Revoking certificates
- Configuring an online responder
- Managing certificate templates
- Renewing certificates
- Archiving private keys
- Using smart cards