Basics - Page 2 - Uwe Gradenegger

Use HTTP over Transport Layer Security (HTTPS) for the revocation list distribution points (CDP) and the online responder (OCSP).

With regard to the design of the infrastructure for providing revocation information - i.e. the CRL Distribution Points (CSP) as well as the Online Responders (Online Certificate Status Protocol, OCSP) - the question arises whether these should be "secured" via Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

Should HTTPS be used for the Network Device Enrollment Service (NDES)?

The Network Device Enrollment Service (NDES) is Microsoft's implementation of the Simple Certificate Enrollment Protocol (SCEP) developed by Cisco in the early 2000s. The first implementation was released with Windows Server 2003.

It may come as a surprise that NDES does not use Secure Socket Layer (SSL) for the HTTP connections in the default setting to this day. This fact is explained and evaluated in more detail below.

Literature and other resources about public key infrastructures and Active Directory Certificate Services

The following is an overview of literature available on the market on the subject of public key infrastructures and Active Directory Certificate Services, as well as online resources from Microsoft and other PKI specialists.

Description of certificate template generations

Below is a description of the different generations of certificate templates (schema versions) and the innovations introduced with them.

Certificate request basics via Certificate Enrollment Web Services (CEP, CES)

With Windows Server 2008 R2 and Windows 7, a new functionality for certificate enrollment has been introduced: The Certificate Enrollment Web Services, which are mapped by two server roles:

Certificate Enrollment Policy Web Service (CEP)
Certificate Enrollment Web Services (CES)

The following is a description of the background to these roles, how they work, and the possible deployment scenarios.

Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)

The following describes the process that runs in the background when certificates are requested manually or automatically in order to achieve the highest possible level of automation.

Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
Guarantee of liability (non-repudiation), i.e., the owner of a key cannot deny that it belongs to him.
Enforcement of policies, i.e. standardized procedures for the use of certificates.

Cryptography basics

The need for the use for cryptography can be summarized under the notion of ensuring secure communication in the presence of untrusted third parties. The goals of cryptography are:

To prevent data from falling into unauthorized hands (To ensure the confidentiality of data).
Find out if data has been modified during transport (Ensure the integrity of the data).
To clearly identify the source of the data (To ensure the authenticity of the data).
Additionally, users or computers can authenticate themselves using cryptography.