3.manage Certificates Part 1 PDF

Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.
aspx
Identity with Windows Server 2016
Manage Certificates Part 1
Introduction
Exercise 1 - Managing Certificate Templates
Exercise 2 - Configuring Certificate Auto Enrollment
Exercise 3 - Implementing Key Archival
Exercise 4 - Enrolling for User Certificate
Exercise 5 - Managing Key Recovery
Summary
Introduction
The Manage Certificates Part 1 module provides you with the instruction and
server hardware to develop your hands on skills in the defined topics. This module
includes the following exercises:
Managing Certificate Templates

Configuring Certificate Auto Enrollment
Implementing Key Archival
Enrolling for User Certificate
Managing Key Recovery
Lab Time: It will take approximately 1 hour to complete the exercises in this lab.
Exam Objectives
Install Active Directory Enterprise Certificate Authority

Manage certificate templates
Implement certificate deployment and validation
Manage certificate enrolment using Group Policies
Configure and manage key archival and recovery
1 of 128 24-01-2020, 15:47

Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.aspx
Lab Diagram
During your session you will have access to the following lab configuration.
Connecting to your Lab
In this module you will be working on the following equipment to carry out the steps
defined in each exercise.
Important: When you start a module, PLABDC01 must be powered on first.

When PLABDC01’s activity indicator states “On,” you can then power on the
other devices in the sequence indicated below. This will ensure that Windows
services like Active Directory Services are successfully started and will avoid
errors in domain security policy. Please note that some network services require
Active Directory in order to function.
PLABDC01 (Windows Server 2016 - Domain Controller)

PLABDM01 (Windows Server 2016 - Domain Member Server)
2 of 128 24-01-2020, 15:47

PLABWIN10 (Windows 10 - Domain Workstation)
To start, simply choose a device and click Power on. In some cases, the devices may
power on automatically.
For further information and technical support, please see our Help and
Support page.
Copyright Notice
This document and its content is copyright of Practice-IT - © Practice-IT 2017. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than
the following:
1. You may print or download to a local hard disk extracts for your personal and non-commercial use
only.
2. You may copy the content to individual third parties for their personal use, but only if you
acknowledge the website as the source of the material. You may not, except with our express written
permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any
other website or other form of electronic retrieval system.
Exercise 1 - Managing Certificate Templates

Certificate Templates are used by Enterprise Certification Authorities (CA) to define
the purpose and content of certificates that can be issued to a requesting entity like
user, computer or network service.
In this exercise, you will first install AD Certificate Services and its required
components and later customize the certificate template properties.
To get more information about managing certificate templates, please refer to your
course material or use your preferred search engine to research this topic in more
detail.
Task 1 - Add AD Certificate Services and Certificate Web

Enrollment Services
3 of 128 24-01-2020, 15:47

Typically, in a corporate network a dedicated server is set aside to handle certificate

issuance and management to requesting users, computers or network service. In this
task, you will add AD Certificate Services (AD CS) and Certificate Authority Web
Enrollment Services on the PLABDM01 server.
To add AD CS and Certificate Web Enrollment, perform the following steps:
Step 1
Ensure you have powered on the required devices indicated in the Introduction.
Connect to the PLABDM01.
In the Server Manager > Dashboard window, click on the Tools menu and select
Windows PowerShell.
Step 2
Please note that Windows PowerShell commands are not case-sensitive.
In the Windows PowerShell window, to add Active Directory Certificate Services

and Certification Authority Web Enrollment features, type the following command:
Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-

Web-Enrollment -IncludeManagementTools
Press Enter.
4 of 128 24-01-2020, 15:47

Figure 1.1 Screenshot of PLABDM01: A command is entered in Windows

PowerShell to install Certificate Authority services.
Step 3
Please wait while installation of the selected Windows features is in progress. This will
take a few minutes.
Important: You may notice a bit of a time lag about 2 minutes as the features
are being installed. Installation may seem to have frozen or stopped processing.
Should this happen, click inside the Windows PowerShell window and press
Enter to refresh the screen. If you are using HTML5 client, pressing Enter will
display the Clipboard window. Close the clipboard window if it opens while
working in the labs.
5 of 128 24-01-2020, 15:47

Step 4
Windows PowerShell confirms the successful installation of the Active Directory
Certificate Services and Certification Authority Web Enrollment features.
Keep Windows PowerShell window open.
Figure 1.2 Screenshot of PLABDM01: Windows PowerShell window indicates

a successful installation of features.
Task 2 - Install AD Certificate Enterprise CA and CA Web

Enrollment Service
In the earlier task, you simply added the AD Certificate Services and CA Web
Enrollment features into Windows. It is essential that those two services be installed
and configured with their respective system settings to make them capable of issuing
certificates to requesting user, computer or service.
6 of 128 24-01-2020, 15:47

To install and configure AD Certificate Services and CA Web Enrollment, perform the
following steps:
Step 1
In PLABDM01, Windows PowerShell is open.
To install AD Certification Authority as an Enterprise Root CA using default settings,

type the following command:
Install-AdcsCertificationAuthority -CAType
EnterpriseRootCA
Press Enter.
On the next prompt, to accept the default settings, type:
Press Enter.
7 of 128 24-01-2020, 15:47

Figure 1.3 Screenshot of PLABDM01: Windows PowerShell displays the

installation of Certificate Authority.
Step 2
The installation of AD Certification Authority is successfully confirmed with ErrorId of
“0.”
On the next prompt, to install AD Certification Authority Web Enrollment, type:
Install-AdcsWebEnrollment
Press Enter.
On the next prompt to install AD Certification Authority Web Enrollment with default
8 of 128 24-01-2020, 15:47

settings, type:
Press Enter.
Figure 1.4 Screenshot of PLABDM01: Windows PowerShell displays a screen

prompt for the installation of Certificate Authority.
Step 3
The installation of AD Certification Authority Web Enrollment is successfully
confirmed with ErrorId of “0.”
Minimize Windows PowerShell window.
9 of 128 24-01-2020, 15:47

Figure 1.5 Screenshot of PLABDM01: Windows PowerShell displays a

successful installation of certificate authority web enrolment.
Step 4
Click Server Manager icon from taskbar.
In the Server Manager > Dashboard window, click Tools and select
Certification Authority.
Step 5
The certsrv - [Certification Authority (Local)] window opens.
Expand PRACTICELABS-PLABDM01-CA node.
Then click Certificate Templates folder.
10 of 128 24-01-2020, 15:47

The details pane of the Certificates Template folder at the right, indicates the type
of certificates can be issued by PLABDM01.
Keep Certification Authority open.
Figure 1.5 Screenshot of PLABDM01: The Certification Authority console

window is displayed.
Keep the devices you have powered on in their current state and proceed to the
next exercise.
Exercise 2 - Configuring Certificate Auto

Enrollment
11 of 128 24-01-2020, 15:47

Enrollment for machine or user certificate can be done manually by using certificates
request wizard through the Microsoft Management Console (MMC) in a small
organization. For big companies that maintain hundreds of network users, certificate
enrollment can be streamlined by customizing a certificate template. A customized
certificate template allows you to set properties such as auto enrollment and simplify
certificates deployment to domain users by using Group Policy Objects.
In this exercise, you will learn how to manage certificates by setting the different
properties for a custom template such security that indicate which user or security
group has access to the certificate, timeline that illustrate validity of an issued
certificate and other properties relating to a certificate templates.
To learn more about managing certificate templates and enrollment, please refer to
your course material or use your preferred search engine to research this topic in more
detail.
Task 1 - Configure a customized certificate template
A customized certificate template gives the certificate administrator the flexibility to

change the properties of a template like security, extensions among others.
To set up a customized certificate template, perform the following steps:
Step 1
On PLABDM01, the Certification Authority console window is open.
Then right-click on Certificate Templates folder and select Manage.
12 of 128 24-01-2020, 15:47


Step 2
The Certificate Templates Console window opens.
Scroll down the templates list and right-click on User, then select Duplicate
Template.
13 of 128 24-01-2020, 15:47

Figure 2.2 Screenshot of PLABDM01: The Certification Templates console

Step 3
On the Properties of New Template dialog box, click General tab.
Step 4
In the General tab, click in the Template display name text box and type-over the
existing text with the following:
SecureUser
14 of 128 24-01-2020, 15:47

Click Apply.
Then click Request Handling tab.
Figure 2.3 Screenshot of PLABDM01: The Properties of New Template dialog

box is displayed.
Step 5
In the Request Handling tab, select Prompt the user during enrollment
option.
Click Apply.
Note: For the purpose of this lab, we will use this option Prompt the user during
enrollment. In an actual deployment, users are not prompted by any message
when they are automatically enrolled for a certificate.
15 of 128 24-01-2020, 15:47

Then click Security tab.
Figure 2.4 Screenshot of PLABDM01: The Properties of New Template dialog box is
displayed.
Step 6
In the Security tab, ensure that Authenticated Users security group is selected.
Under the Permissions for Authenticated Users section, select AutoEnroll

check box.
Click Apply.
Then select Superseded Templates tab.
16 of 128 24-01-2020, 15:47


box is displayed.
Step 7
In the Superseded Templates folder tab and click Add.
17 of 128 24-01-2020, 15:47


box is displayed.
Step 8
In the Add Superseded Template tab, scroll down the list of Certificate templates.
Select User and click OK.
18 of 128 24-01-2020, 15:47


box is displayed.
Step 9
Back in the Superseded Templates tab, the User template is now added.
Click Apply.
Then select Subject Name tab.
19 of 128 24-01-2020, 15:47


box is displayed.
Step 10
In the Subject Name tab, clear the following check boxes:
Include e-mail name in subject name

E-mail name
Click OK.
Note: You cleared the two check boxes as AD users in Practice Labs domain do
not have those attributes defined in their accounts.
20 of 128 24-01-2020, 15:47


box is displayed.
Step 11
Close Certificate Templates Console window.
Step 12
Next is to include SecureUser certificate template in the list of certificates that can
issued by PLABDM01.
Ensure that you are back on the Certification Authority console window.
Right-click on Certificate Templates folder, then point to New and select

Certificate Template to Issue.
21 of 128 24-01-2020, 15:47


Step 13
In the Enable Certificate Templates dialog box, scroll down the list of templates
and select SecureUser and click OK.
22 of 128 24-01-2020, 15:47

Figure 2.11 Screenshot of PLABDM01: The Enable Certificate Templates

dialog box is displayed.
Step 14
If you get a system message indicating that the certificate couldn’t be added this time,
click Cancel. This can happen due to some system delays in the Certification Authority
Server.
Start over with Step 13 to attempt to add the new certificate template.
You have just added SecureUser template as one of the certificate templates that can
be issued by PLABDM01 server.
Minimize Certification Authority window as you will need this application in a

later task.
23 of 128 24-01-2020, 15:47


Task 2 - Create group policy for certificate auto enrollment
In this task you will create a Group Policy Object to automate the deployment of user
certificates to domain network users.
To create a GPO for user certificate auto-enrollment, perform the following steps:
Step 1
Connect to PLABDC01.
In the Server Manager > Dashboard window, click Tools menu and select Group
Policy Management.
24 of 128 24-01-2020, 15:47

Step 2
In the Group Policy Management console window, expand Forest:
PRACTICELABS.COM > Domains > PRACTICELABS.COM > APAC and click
IT organizational unit.
Right-click on IT OU and select Create a GPO in this domain and link it here…
Figure 2.13 Screenshot of PLABDM01: The Group Policy Management

console window is displayed.
Step 3
In the New GPO dialog box, type:
25 of 128 24-01-2020, 15:47

Certificate Auto Enrollment
Click OK.
Figure 2.14 Screenshot of PLABDM01: The New GPO dialog box is displayed.
Step 4
Expand the IT OU then right-click on Certificate Auto Enrollment group policy
object link.
Note: If the Group Policy Management Console message box appears indicating
you have selected a link to a Group Policy Object (GPO), click Do not show this
message again check box then click OK.
26 of 128 24-01-2020, 15:47

Select Edit.

Step 5
The Group Policy Management Editor window opens.
Expand User Configuration > Policies > Windows Settings > Security
Settings then click Public Key Policies.
Observe the Public Key Policies details at the right. Then right-click on Certificate
Services Client - Auto-Enrollment and select Properties.
27 of 128 24-01-2020, 15:47


Step 6
In the Certificate Services Client-Auto-Enrollment… dialog box, change the
Configuration Model drop-down list to Enabled.
Step 7
A number of check boxes will become available as a result.
Select the following check boxes:
Renew expired certificates, update pending certificates, and remove

revoked certificates
Update certificates that use certificate templates
28 of 128 24-01-2020, 15:47

Display user notifications for expiring certificates in user and

machine MY store
Click OK.
Figure 2.17 Screenshot of PLABDM01: The Certificate Services Client - Auto-

Enrollment Properties dialog box is displayed.
Step 8
Close Group Policy Management Editor application window.
Similarly, exit from the Group Policy Management console window.
Step 9
Right-click on Start and select Command Prompt from the shortcut menu.
29 of 128 24-01-2020, 15:47

Figure 2.18 Screenshot of PLABDC01: The Start button shortcut menu is

displayed.
Step 10
To propagate the new user Group Policy settings to the domain, type:
gpupdate /force
Press Enter.
On the next prompt, type:
30 of 128 24-01-2020, 15:47

exit
Press Enter.
Figure 2.19 Screenshot of PLABDM01: A command is entered in the

command prompt window.
Task 3 - Verify the certificate issuance
After configuring the certificate auto enrolment policy in the previous task, you will
now sign on as a domain user located in the IT organizational unit and verify that a
certificate is issued to the user.
To verify certificate issuance, perform the following steps:
31 of 128 24-01-2020, 15:47

Step 1
You need to temporarily disable server auto login to be able log on to the lab devices
using another user account.
Click the Access your settings tab, under Device > Server auto login, click the
Disable button. Please note that this Server auto login setting is saved in your
profile and will apply in EVERY lab session that you will perform with Practice Labs.
Please note that you can select Enable button again in the Device > Server auto
login to have the convenience of being automatically logged on as the default
administrator after this exercise.
Step 2
Connect to PLABWIN10 computer.
Important: Since Server auto logon was disabled previously, you may see the
PRACTICELABS\Administrator already signed in. If this is the case, please
sign out PRACTICELABS\Administrator from PLABWIN10.
Connect again to PLABWIN10.
On the sign on screen, click Other User.
Step 3
In the User name box, type:
lisa.scott
In the password text box, type:
Passw0rd
32 of 128 24-01-2020, 15:47

Press Enter.
Figure 2.20 Screenshot of PLABWIN10: The Windows 10 sign-on screen is

displayed.
Step 4
If the Application Install - Security Warning message box appears, click Close
[x] button.
This application is for the assessment engine in the lab.
Click Agree if presented with BGInfo License Agreement page.
Step 5
When signed on, access the system tray and click the arrow to expand.
33 of 128 24-01-2020, 15:47

You should get a certificate icon. Then click on the certificate icon to proceed with the
enrollment of the user certificate for Lisa Scott.
Important: There will be a slight delay about 1 minute, before the certificate
icon appears at the system tray. If you don't get a certificate, open a command
prompt and type gpupdate /force. A certificate icon will appear on the system
tray. If no certificate icon appears, sign out and sign back in as lisa.scott.
Figure 2.21 Screenshot of PLABWIN10: The system tray is selected and a

notification about certificate enrolment is displayed.
Step 6
In the Certificate Enrollment, Before you begin page, click Next.
Step 7
34 of 128 24-01-2020, 15:47
The Request Certificates page will display SecureUser certificate template that
you created earlier.
Click Enroll.
Figure 2.22 Screenshot of PLABWIN10: The Request Certificates page is

displayed.
Step 8
Please wait while certificate enrolment is being processed.
Step 9
Lisa Scott will enroll successfully for the SecureUser certificate template.
Click Finish.
35 of 128 24-01-2020, 15:47

The certificate issued to Lisa Scott can be used for a number of tasks like protecting her
personal files using EFS and send encrypted e-mail messages, if there is an existing
e-mail server in the network.
Figure 2.23 Screenshot of PLABWIN10: The Certificate Installation Results

page is displayed.
Step 10
Right-click Start and mouse over Shut down or sign out.
Then click Sign out.
Keep the devices you have powered on in their current state and proceed to the
next exercise.
36 of 128 24-01-2020, 15:47

Exercise 3 - Implementing Key Archival

To ensure the recoverability of issued certificates, a certification authority (CA) server
must be configured to archive keys or certificates that it has issued to users and
computers. Key archival means that the CA server has a copy of all issued certificates
and therefore allows recovery of certificates lost by the user due to a number of reasons
such as theft of smart card, an accidental reformat of the user workstation where the
user certificate is saved and among other things.
In this exercise, you will learn to how set up key archival by first enabling a key
recovery agent in certification authority and issue a recovery agent certificate to the CA
administrator.
To get additional information about how to configure key archival, please refer to your
course material or use your preferred search engine to research this topic in more
detail.
Task 1 - Enable a Key Recovery Agent
The Key Recovery Agent role is security-sensitive role that must be manually
configured to be able to recover lost keys issued by the Certification Authority to users
in the domain network. In this task, you will enable the administrator account for Key
Recovery Agent role.
To enable the key recovery agent, perform the following steps:
Step 1
Connect to PLABDM01 device.
The Server Manager > Dashboard window is open.
Restore the Certification Authority from taskbar.
37 of 128 24-01-2020, 15:47

Step 2
In the Certificate Authority window, right-click on Certificate Templates folder
and select New > Certificate Template to Issue.

Step 3
In the Enable Certificate Templates dialog box, scroll down the list.
Then select Key Recovery Agent and click OK.
Minimize Certification Authority snap-in.
38 of 128 24-01-2020, 15:47


Task 2 - Request for Key Recovery Agent Certificate
To request for a Key Recovery Agent Certificate for the administrator account, do the
following steps:
Step 1
In the next few steps, you will enroll the PRACTICELABS\Administrator account
to use a Key Recovery Agent certificate.
On PLABDM01, right-click Start and select Run.
Step 2
39 of 128 24-01-2020, 15:47

In the Run dialog box, type:
mmc
Click OK.
Figure 3.3 Screenshot of PLABDM01: The Run dialog box is displayed.
Step 3
In the Console1 window, click File and select Add/Remove Snap-in.
Step 4
40 of 128 24-01-2020, 15:47

In the Add or Remove Snap-ins window, select Certificates and click Add.
Figure 3.4 Screenshot of PLABDM01: The Add or Remove Snap-ins dialog

box is displayed.
Step 5
In the Certificates dialog box, ensure that My user account option is selected.
Click Finish.
41 of 128 24-01-2020, 15:47


box is displayed.
Step 6
Click OK to close Add/Remove Snap-ins dialog box.
42 of 128 24-01-2020, 15:47


box is displayed.
Step 7
Back on the Console1 window.
Expand Certificates-Current User node.
Then right-click on Personal folder, point to All Tasks and select Request New
Certificate.
43 of 128 24-01-2020, 15:47

Figure 3.7 Screenshot of PLABDM01: The Console1 window is displayed.
Step 8
Click Next in the Before you begin page.
Step 9
In the Select Certificate Enrollment Policy page, click Next.
Step 10
In the Request Certificates page, select Key Recovery Agent check box.
Click Enroll.
44 of 128 24-01-2020, 15:47

Figure 3.8 Screenshot of PLABDM01: The Request Certificates window is displayed.
Step 11
Please wait while enrolment for Key Recovery Agent is being processed.
Click Finish when Certificate Installation Results page reports a pending enrollment.
Since Key Recovery Agent certificate is a security-sensitive key, as it indicates

“Enrollment pending” meaning it will have to be issued (approved) manually to the
user who requested for it.
45 of 128 24-01-2020, 15:47

Figure 3.9 Screenshot of PLABDM01: The Certificate Installation Results

Step 12
Minimize Console1 window.
Task 3- Issue Key Recovery Agent certificate
To approve the issuance of the Key Recovery Agent Certificate, perform the following
steps:
Step 1
On PLABDM01, restore the Certification Authority window from the taskbar.
Navigate to Pending Requests folder, on the details pane right-click on the
46 of 128 24-01-2020, 15:47

Certificate, point to All Tasks then click Issue.
Figure 3.10 Screenshot of PLABDM01: The Certification Authority window is

displayed.
Step 2
Click on the Issued Certificates folder, right-click on the certificate based on Key
Recovery Agent template.
Then select Open.
47 of 128 24-01-2020, 15:47


displayed.
Step 3
In the Certificates dialog box, click Details tab.
Step 4
Under the Details tab, click Copy to File.
48 of 128 24-01-2020, 15:47


displayed.
Step 5
In the Welcome to the Certificate Export Wizard page, click Next.
Step 6
In the Export File Format page, the default DER encoded binary X.509 (.CER)
format option is selected.
Click Next to proceed.
49 of 128 24-01-2020, 15:47

Figure 3.13 Screenshot of PLABDM01: The Export File Format page is

displayed.
Step 7
In the File to Export page, click in the File name box and type:
c:\AdminKRA
Click Next.
50 of 128 24-01-2020, 15:47

Figure 3.14 Screenshot of PLABDM01: The File to Export page is displayed.
Step 8
Click Finish when you see Completing the Certificate Export Wizard box.
51 of 128 24-01-2020, 15:47

Figure 3.15 Screenshot of PLABDM01: The Completing the Certificate Export

Wizard page is displayed.
Step 9
Click OK when the message box "The export was successful" appears.
Similarly, click OK on the Certificate dialog box to close it.
Minimize Certification Authority window.
Step 10
Restore the Console1 window from the taskbar.
Right-click on Personal folder then point to All Tasks and select Import.
52 of 128 24-01-2020, 15:47

Step 11
In the Welcome to the Certificate Import Wizard page, click Next.
Step 12
In the File to Import page, click in the File name box and type:
c:\AdminKRA.cer
Click Next.
53 of 128 24-01-2020, 15:47

Note: Please note that you can use Browse… button to find the
AdminKRA.cer certificate file.
Figure 3.17 Screenshot of PLABDM01: The File to Export page is displayed.
Step 13
In the Certificate Store page, click Next to accept the default location for certificate
in the Personal store.
Step 14
When the Completing the Certificate Import Wizard page appears, click Finish.
54 of 128 24-01-2020, 15:47

Figure 3.18 Screenshot of PLABDM01: The Completing the Certificate

Import Wizard page is displayed.
Step 15
Click OK when prompted that the import was successful.
Step 16
Back in the Console1 window, expand Certificates - Current User > Personal
and click Certificates folder.
Notice the certificate issued to Administrator with the Intended Purpose -Key
Recovery Agent is now available.
Minimize Console1 window as you will need this for later.
55 of 128 24-01-2020, 15:47

Task 4 - Configure CA for Key Archival
In this task, you will configure the Certification Authority to keep a copy of all issued
certificates by enabling key archival.
To setup key archival on the CA, perform the following steps:
Step 1
On PLABDM01 server, restore Certification Authority window from taskbar if not
yet open.
Right-click on PRACTICELABS-PLABDM01-CA and select Properties.
56 of 128 24-01-2020, 15:47


displayed.
Step 2
In the PRACTICELABS-PLABDM01-CA Properties window, select Recovery
Agents tab.
Step 3
Under the Recovery Agents tab, click Archive the key option.
Click Add…
57 of 128 24-01-2020, 15:47

Figure 3.21 Screenshot of PLABDM01: The PRACTICELABS-PLABDM01-CA

Properties dialog box is displayed.
Step 4
The Key Recovery Agent Selection message box displays the certificate that was
issued earlier to the Administrator.
Click OK.
58 of 128 24-01-2020, 15:47

Figure 3.22 Screenshot of PLABDM01: The Windows Security - Key Recovery

Agent Selection message box is displayed.
Step 5
Back in the PRACTITCELABS-PLABDM01-CA Properties dialog, click OK when
the certificate is added.
59 of 128 24-01-2020, 15:47

Figure 3.23 Screenshot of PLABDM01: The Windows Security - Key Recovery

Agent Selection message box is displayed.
Step 6
In the Certification Authority message box, select Yes to restart Active Directory
Certificate Services.
Step 7
Please wait while the Active Directory Certificate Services is stopped and started.
Keep Certification Authority window open for the next activity.
60 of 128 24-01-2020, 15:47


Task 5 - Create a new certificate template enabled for archiving
In this task, you will create a duplicate of an existing certificate template, then
customize the properties of the new template and enable it for certificate archiving.
To enable a custom certificate template for archiving, perform the following steps:
Step 1
On PLABDM01, ensure that the Certification Authority window is open.
Click on Certificate Templates folder and then right-click on it.
Select Manage.
61 of 128 24-01-2020, 15:47

Figure 3.25 Screenshot of PLABDM01: The Certification Authority console is

displayed.
Step 2
In the Certificate Templates Console window, scroll down and right-click on User
then select Duplicate Template.
62 of 128 24-01-2020, 15:47

Figure 3.26 Screenshot of PLABDM01: The Certificate Templates console is

displayed.
Step 3
In the Properties of New Template window, click General tab.
Step 4
In the General tab, in the Template display name box, type-over the existing text
with the following:
EFSUser
63 of 128 24-01-2020, 15:47

Click Apply.
Then click Request Handling tab.
Figure 3.27 Screenshot of PLABDM01: The Properties of New Template

Step 5
Under the Request Handling tab, click on Archive Subject's encryption
private key check box.
64 of 128 24-01-2020, 15:47


Step 6
The Changing Key Archival Property message box appears saying "Key archive
is only enabled for future certificates" just click OK.
65 of 128 24-01-2020, 15:47

Figure 3.29 Screenshot of PLABDM01: The Changing Key Archival

Properties message box is displayed.
Step 7
Back in the Properties of New Template dialog box, click Apply.
Then click Subject name tab.
66 of 128 24-01-2020, 15:47


Step 8
In the Subject Name tab, clear the following check boxes:
Include e-mail name in subject name

E-mail name
Note: The check boxes indicated above were cleared as the user accounts in the
domain lab do not have those attributes or properties.
Click Apply.
Go to Security tab.
67 of 128 24-01-2020, 15:47


Step 9
In the Security tab, select Authenticated Users, click Enroll check box.
Click OK to save the changes.
68 of 128 24-01-2020, 15:47


Step 10
Close the Certificate Templates Console window.
Step 11
Ensure that you are back to Certification Authority console window.
Right-click Certificate Templates and point to New and select Certificate

Template to Issue.
69 of 128 24-01-2020, 15:47


Step 12
In the Enable Certificate Templates dialog box, select EFSUser and click OK.
Keep Certification Authority console window open.
70 of 128 24-01-2020, 15:47


Keep all devices powered on in their current state and proceed to the next
exercise.
Exercise 4 - Enrolling for User Certificate

In the previous exercise, you have performed the essential tasks to set up key archival
in a CA server. These tasks include the following: creating a custom certificate for key
recovery agent, configured the administrator account to request for a key recovery
agent certificate, enabled the CA server to archive issued certificate and created a
custom certificate template enabled for archiving.
71 of 128 24-01-2020, 15:47

In this task, you will test a new user to enroll for a custom certificate that was enabled
for certificate archiving.
To learn more about enrolling for a user certificate, please refer to your course material
or use your preferred search engine to research this topic in more detail.
Task 1 - Request for new certificate
In this task, you sign-in as a regular user and request for a certificate based on the
EFSUser custom template.
To request for a new certificate, perform the following steps:
Step 1
Connect to PLABWIN10 device.
On the sign on screen, click Other User.
Step 2
In the User name text box, type:
paul.westin
In the Password box, type:
Passw0rd
Press Enter.
72 of 128 24-01-2020, 15:47

Figure 4.1 Screenshot of PLABWIN10: The Windows 10 sign-on page is

displayed.
Step 3
As before, click Agree when presented with the BGInfo License Agreement
window.
If the Application Install - Security Warning message box appears, click Close
[X].
Right-click Start and select Run.
Step 4
In the Run dialog box, type:
73 of 128 24-01-2020, 15:47

mmc
Press Enter.
Figure 4.2 Screenshot of PLABWIN10: The Run dialog box is displayed.
Step 5
In the blank MMC console, click File menu and choose Add Remove Snap-in.
Step 6
In the Add or Remove Snap-ins dialog box, select Certificates and click Add.
74 of 128 24-01-2020, 15:47

Figure 4.3 Screenshot of PLABWIN10: The Add or Remove Snap-ins dialog

box is displayed.
Step 7
Click OK to close Add or Remove Snap-ins dialog box.
Step 8
In the Console1 window, expand Certificates-Current User node.
Then right-click on Personal and choose Request New Certificate.
75 of 128 24-01-2020, 15:47

Figure 4.4 Screenshot of PLABWIN10: The Console1 window is displayed.
Step 9
In the Before you begin page, click Next.
Step 10
In the Select Certificate Enrollment Policy page, choose Next.
Step 11
In the Request Certificates page, select EFSUser check box and click Enroll.
76 of 128 24-01-2020, 15:47

Figure 4.5 Screenshot of PLABWIN10: The Request Certificates page is

displayed.
Step 12
In the Certificate Installation Results page, click Finish.
Important: If you get a certification root not trusted error, click Close. This
error usually manifests itself when the PLABWIN10 computer is unable to detect
the newly-added custom certificate template called EFSUser. You can resolve
this error by first saving Console1 on desktop for easy access. Then restart
PLABWIN10. Start over with Task 1 - Request for new certificate.
77 of 128 24-01-2020, 15:47

Figure 4.6 Screenshot of PLABWIN10: The Certificate Installation Results

page is displayed.
Task 2 - Encrypt user folder using EFS
The user has been successfully enrolled for a certificate that can be used for a number
of applications like encrypting file system (EFS).
In this task, you will encrypt a folder using the certificate that was issue to the domain
user.
Step 1
On PLABWIN10, user Paul Westin is signed in.
Click File Explorer on taskbar.
78 of 128 24-01-2020, 15:47

Step 2
In the File Explorer window, expand This PC node then click Local Disk C drive.
Create a folder called EFSUser.
Figure 4.7 Screenshot of PLABWIN10: The File Explorer window is displayed

with a new folder.
Step 3
Click EFSUser folder and create a text document.
Rename the text document as Confidential memo.
79 of 128 24-01-2020, 15:47

Figure 4.8 Screenshot of PLABWIN10: The File Explorer window is

displayed with a new folder and file.
Step 4
Open Confidential memo text file and type a one liner text, such as:
This is a test file for EFS.
Save Confidential memo text file and close Notepad.
80 of 128 24-01-2020, 15:47

Figure 4.9 Screenshot of PLABWIN10: The Notepad application window is

displayed with sample statement typed in.
Step 5
Right-click on Confidential memo text document and select Properties.
81 of 128 24-01-2020, 15:47


displayed and file is selected.
Step 6
In the Confidential memo Properties dialog box, from the General tab, click
Advanced.
Step 7
In the Advanced Attributes window, select Encrypt contents to secure data.
Click OK.
82 of 128 24-01-2020, 15:47

Figure 4.11 Screenshot of PLABWIN10: The Advanced Attributes dialog box

is displayed.
Step 8
Similarly, click OK on the Confidential memo Properties dialog box to save
changes.
83 of 128 24-01-2020, 15:47

Figure 4.12 Screenshot of PLABWIN10: The Confidential name Properties

Step 9
In the Encryption Warning message box, verify that Encrypt the file and parent
folder (recommended) option is selected.
Click OK.
84 of 128 24-01-2020, 15:47

Figure 4.13 Screenshot of PLABWIN10: The Encryption Warning message

box is displayed.
Step 10
You will notice a mini lock icon is added to the Confidential memo text document.
This indicates that the text document and the folder are now encrypted.
Right-click Start charm and mouse-over Shut down or sign out and click Sign
out.
85 of 128 24-01-2020, 15:47

Figure 4.14 Screenshot of PLABWIN10: The Start button is right-clicked and

context menu is displayed.
Task 3 - Delete and re-create user account
In this task, you will test the functionality of the Key Recovery Agent user account by
deleting a user object, re-create it and then recover its lost keys.
Step 1
Connect to PLABDC01.
Ensure that Server Manager > Dashboard window is open.
Click Tools menu and select Active Directory Users and Computers.
Step 2
86 of 128 24-01-2020, 15:47

Expand PRACTICELABS.COM > NAmerica and click Operations organizational

unit.
Right-click Paul Westin and select Delete.
Figure 4.15 Screenshot of PLABDC01: In Active Directory Users and

Computers, a user account is right-clicked and Delete is selected.
Step 3
Click Yes to proceed with the deletion of the user account.
87 of 128 24-01-2020, 15:47


Computers message box is displayed.
Step 4
To test recovery agent functionality, you will re-create a user named Paul Westin in
NAmerica/Operations OU using the same properties of the mentioned user.
While Operations OU is selected, right-click on the details pane and select New >
User.
88 of 128 24-01-2020, 15:47


Computers, an organizational unit is right-clicked and a new user account is
about to be created.
Step 5
In the New Object - User dialog box, in the First name text box, type:
Paul
In the Last name text box, type:
89 of 128 24-01-2020, 15:47

Westin
In the User logon name text box, type:
paul.westin
Click Next.

Computers, an organizational unit is right-clicked and a new user account is
about to be created.
90 of 128 24-01-2020, 15:47

Step 6
In the Password and Confirm password text boxes, type:
Passw0rd
Clear User must change password at next logon check box.
Then select Password never expires check box.
Click Next.
Figure 4.19 Screenshot of PLABDC01: The New Object - User dialog box is
displayed.
Step 7
Click Finish when you reach the summary page.
91 of 128 24-01-2020, 15:47

Minimize Active Directory Users and Computers window.
Figure 4.20 Screenshot of PLABDC01: The New Object - User dialog box is
displayed with a summary about the new user.
Task 4 - Test access to encrypted folder as re-created user

account
To see the effects accessing the encrypted folder using a re-created the user account,
perform the following steps:
Step 1
Connect PLABWIN10 computer.
Click Other user.
92 of 128 24-01-2020, 15:47

Step 2
As before, sign-in as:
paul.westin
In the Password text box, type:
Passw0rd
Press Enter.
Step 3
Click Agree if presented with BGInfo License Agreement window.
Click Close [X] if the Application Install - Security Warning message box
appears.
Step 4
Launch File Explorer from taskbar.
Then expand This PC > Local Disk (C:) drive and click EFSUser folder.
Right-click on Confidential memo text file and select Open.
93 of 128 24-01-2020, 15:47


displayed and a file is selected.
Step 5
You get an access denied message, because Paul Westin doesn't have the certificate to
unlock this file.
This is the result of deleting the user account that was performed in an earlier task.
Click OK.
Then close the Notepad window.
In the next exercise, you will recover Paul Westin’s certificate that was used to encrypt
the EFSUser folder and the file contained within it.
Minimize File Explorer window.
94 of 128 24-01-2020, 15:47

Figure 4.22 Screenshot of PLABWIN10: The Notepad message box indicates

that the user is denied access.
Keep all devices powered on in their current state and proceed to the next
exercise.
Exercise 5 - Managing Key Recovery

The previous exercise illustrated that if a user account having access to the encrypted
file is deleted, it will be denied access to the folder/file it had encrypted even if the
account is re-created with the exact same properties as the old user account. This
exercise will demonstrate how to recover an archived certificate/key that was issued to
the user and show how to link the certificate to its rightful owner. After which you will
perform an export of the key to a file and finally test if the recovered key can be used
95 of 128 24-01-2020, 15:47

for decrypting a protected document.
To learn more about managing and recovering archived keys, please consult your
reference material or use your preferred search engine to research this topic in greater
detail.
Task 1 - Import Key Recovery Agent certificate
In this task, you will import keys that are archived on the PLABDM01.
Recall that you have imported the file called AdminKRA.cer into PLABDM01 in an
earlier exercise.
Step 1
Connect to PLABDM01.
Reopen the Console1 window that you minimized earlier.
Under Certificates- Current User node, expand Personal then click Certificates
folder.
Notice on the details pane at the right, the Key Recovery Agent certificate.
Important: The file you imported in this MMC is just .cer file which is not
capable of decrypting the encrypted file as this is only a certificate. You will need
to export this file into .pfx format that includes a certificate and key that will
unlock an encrypted file.
96 of 128 24-01-2020, 15:47

Step 2
Right-click Administrator certificate and point to All Tasks and select Export.
97 of 128 24-01-2020, 15:47

Step 3
Click Next in the Welcome to the Certificate Export Wizard page.
Step 4
In the Export Private Key page, select Yes, export the private key option button.
Click Next.
98 of 128 24-01-2020, 15:47

Figure 5.3 Screenshot of PLABDM01: The Export Private Key page is

displayed.
Step 5
In the Export file format page, verify that Personal Information Exchange -
PKCS #12 (.PFX) option button is selected.
Verify that Include all certificates in the certification path if possible check
box is selected as well.
Click Next.
99 of 128 24-01-2020, 15:47

Figure 5.4 Screenshot of PLABDM01: The Export File Format page is

displayed.
Step 6
In the Security page, select Password check box.
Click in the Password and Confirm password text boxes, type:
Passw0rd
Click Next.
100 of 128 24-01-2020, 15:47

Figure 5.5 Screenshot of PLABDM01: The Security page is displayed and the
password is entered.
Step 7
In the File to Export page, click File name box and type:
c:\adminKRA
Please note that the extension name .pfx will be added automatically.
Click Next.
101 of 128 24-01-2020, 15:47

Figure 5.6 Screenshot of PLABDM01: The File to Export page is displayed

and the file name is entered.
Step 8
Click Finish when Completing the Certificate Export Wizard page is displayed.
102 of 128 24-01-2020, 15:47

Figure 5.7 Screenshot of PLABDM01: The Completing the Certificate Export

Wizard page is displayed with the summary of settings.
Step 9
Click OK when Windows notifies you that the certificate export was successful.
Step 10
After exporting the .cer to .pfx in the previous example, you will import the .pfx file
back into Console1.
The Administrator needs the .pfx file to be able to recover archived keys from the CA
server.
From Console1, select Personal folder right-click Certificates point to All Tasks
then select Import
103 of 128 24-01-2020, 15:47

Step 11
In the Welcome to the Certificate Import Wizard, click Next.
Step 12
In the File to Import page, click in the File name text box and type:
c:\adminKRA.pfx
Click Next.
104 of 128 24-01-2020, 15:47

Figure 5.9 Screenshot of PLABDM01: The File to Import page is displayed.
Step 13
In the Private key protection page, in the Password text box, type:
Passw0rd
Click Next.
105 of 128 24-01-2020, 15:47

Figure 5.10 Screenshot of PLABDM01: The Private key protection page is

displayed and a password is entered.
Step 14
In the Certificate Store page, verify that Place all certificates in the following
store is selected.
Click Next.
106 of 128 24-01-2020, 15:47

Figure 5.11 Screenshot of PLABDM01: The Certificate store page is displayed.
Step 15
In the Completing the Certificate Import Wizard page, click Finish.
107 of 128 24-01-2020, 15:47

Figure 5.12 Screenshot of PLABDM01: The Completing the Certificate

Step 16
Click OK when the system tells you that the import was successful.
Step 17
Notice that a second certificate has been added to the list.
108 of 128 24-01-2020, 15:47

Step 18
Restore the Certification Authority console window from taskbar if not yet open.
Click Issued Certificates folder.
Locate the column Requester name by expanding the column header and find
PRACTICELABS\paul.westin.
Please note the requester name indicated above as you will recover the archived
certificate of this user account.
109 of 128 24-01-2020, 15:47

Figure 5.13 Screenshot of PLABDM01: The Console1 window is displayed and

user certificate is selected.
Task 2 - Using CERTUTIL to recover archived keys
To run the certutil.exe to recover archived keys in the PLABDM01 server, perform the
following steps:
Step 1
On PLABDM01 computer, right-click Start and select Command Prompt
(Admin) from the shortcut menu.
Step 2
In the command prompt type the following:
110 of 128 24-01-2020, 15:47

certutil -getkey PRACTICELABS\paul.westin outputblob
Press Enter.

command prompt window.
Step 3
On the command prompt window, click the Command prompt icon on the top left
corner.
Click Edit and select Paste.
111 of 128 24-01-2020, 15:47

Figure 5.15 Screenshot of PLABDM01: The command prompt window

indicates a successful operation.
Step 4
To create a certificate that can unlock the encrypted file, you need to create a .PFX file
from the retrieved key file.
Type the following
certutil -recoverkey outputblob paul.pfx
Press Enter.
In the Enter new password prompt, type:
112 of 128 24-01-2020, 15:47

Passw0rd
Press Enter.
In the Confirm new password prompt, type:
Passw0rd
Press Enter.

command prompt window to recover an archived key.
Step 5
The .PFX file called paul.pfx is successfully created.
113 of 128 24-01-2020, 15:47

Figure 5.17 Screenshot of PLABDM01: The command prompt window

indicates a successful operation.
Step 6
Open File Explorer, navigate to Local Disk C > Windows > system32 folder.
Scroll down the list and locate paul - Personal Information file type.
Note that the file will look like a certificate with a key appended to it.
Right-click on paul and select Copy.
114 of 128 24-01-2020, 15:47

Figure 5.18 Screenshot of PLABDM01: The File Explorer window is displayed

and a file is copied.
Step 7
Create a folder on Local Disk C: called paulwestin and paste the .pfx certificate file
there.
115 of 128 24-01-2020, 15:47


and a file is copied.
Step 8
You will share paulwestin folder to allow the user to access the .pfx file over the
network.
Right-click on paulwestin folder and choose Properties.
116 of 128 24-01-2020, 15:47

Figure 5.20 Screenshot of PLABDM01: The File Explorer window is

displayed and a folder is selected.
Step 9
On the paulwestin Properties window, select Sharing tab.
Step 10
Under the Sharing tab and click on Advanced Sharing.
117 of 128 24-01-2020, 15:47


and a folder is selected.
Step 11
In the Advanced Sharing window, click Share this folder box and then click OK.
Similarly, click Close on the paulwestin folder.
118 of 128 24-01-2020, 15:47

Figure 5.22 Screenshot of PLABDM01: The Advanced Sharing dialog box is

displayed with its corresponding settings.
Task 3 - Test user access to encrypted file
To verify that user Paul Westin can access the file that was encrypted earlier, perform
the following steps:
Step 1
Connect to PLABWIN10 where paul.westin is signed in.
File Explorer is open.
Right-click on This PC, choose Map network drive.
119 of 128 24-01-2020, 15:47

Figure 5.23 Screenshot of PLABWIN10: In the File Explorer window, the

map network drive command is invoked.
Step 2
In the Map network drive window, in the Folder text box, type:
\\plabdm01\paulwestin
Click Finish.
120 of 128 24-01-2020, 15:47

Figure 5.24 Screenshot of PLABWIN10: In the Map Network Drive dialog

box, the network path is entered.
Step 3
A new File Explorer window opens indicating a successful connection.
Once connected right-click on paul.pfx file and choose InstallPFX.
121 of 128 24-01-2020, 15:47

Figure 5.25 Screenshot of PLABWIN10: In the File Explorer window, a file is

selected.
Step 4
In the Welcome to the Certificate Import Wizard page, click Next.
Step 5
The File to Import page, displays the path of the .pfx file.
In this case it is in z:\paul.pfx path.
Click Next.
122 of 128 24-01-2020, 15:47

Figure 5.26 Screenshot of PLABWIN10: The File to Import page is displayed.
Step 6
In the Private key protection page, type:
Passw0rd
Click Next.
123 of 128 24-01-2020, 15:47

Figure 5.27 Screenshot of PLABWIN10: The Private key protection page is

displayed.
Step 7
In the Certificate Store page, the Automatically select the certificate store
based on the type of certificate option is selected.
Click Next.
Step 8
When Completing the Certificate Import Wizard page shows up, click Finish.
124 of 128 24-01-2020, 15:47

Figure 5.28 Screenshot of PLABWIN10: The Completing the Certificate

Step 9
Click OK when import is successful.
Step 10
Back on File Explorer window, navigate to Local Disk C then click EFSUser
folder.
Right-click on Confidential memo then select Open.
125 of 128 24-01-2020, 15:47

Figure 5.29 Screenshot of PLABWIN10: In the File Explorer window, a file is

selected.
Step 11
Paul should be able to read the contents of the confidential file.
Paul Westin’s key was recovered successfully.
126 of 128 24-01-2020, 15:47

Figure 5.30 Screenshot of PLABWIN10: The Confidential memo-Notepad

Task 4 - Enable server auto login
By default, when you connect to a device in Practice Labs you are automatically logged
in - usually as the administrator. For this task, you will need to re-enable this feature
and so you will be logged in automatically in the next exercise.
Step 1
On the Practice Labs web page, click the Access your settings tab.
Under the Device heading there is an option named Server auto login, click the
Enable button.
Result - You have completed the necessary tasks for managing certificate archiving
127 of 128 24-01-2020, 15:47

and recovery.
Shutdown all virtual machines used in this lab, by using the power functions
located in the Tools bar before proceeding to the next module. Alternatively, you
can log out of the lab platform.
Summary
In this module you covered the following topics:
Managing Certificate Templates

Configuring Certificate Auto Enrollment
Implementing Key Archival
Enrolling for User Certificate
Managing Key Recovery
128 of 128 24-01-2020, 15:47

3.manage Certificates Part 1 PDF

Uploaded by

Copyright:

Available Formats

3.manage Certificates Part 1 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3.manage Certificates Part 1 PDF

Uploaded by

Copyright:

Available Formats

Print content https://www.practice-labs.com/authenticated/vNext/vn-print-content.

Identity with Windows Server 2016

Manage Certificates Part 1

Managing Certificate Templates

Install Active Directory Enterprise Certificate Authority

1 of 128 24-01-2020, 15:47

Connecting to your Lab

Important: When you start a module, PLABDC01 must be powered on first.

PLABDC01 (Windows Server 2016 - Domain Controller)

2 of 128 24-01-2020, 15:47

PLABWIN10 (Windows 10 - Domain Workstation)

Exercise 1 - Managing Certificate Templates

Task 1 - Add AD Certificate Services and Certificate Web

3 of 128 24-01-2020, 15:47

Typically, in a corporate network a dedicated server is set aside to handle certificate

To add AD CS and Certificate Web Enrollment, perform the following steps:

Connect to the PLABDM01.

In the Windows PowerShell window, to add Active Directory Certificate Services

Add-WindowsFeature -Name ADCS-Cert-Authority,ADCS-

4 of 128 24-01-2020, 15:47

Figure 1.1 Screenshot of PLABDM01: A command is entered in Windows

5 of 128 24-01-2020, 15:47

Keep Windows PowerShell window open.

Figure 1.2 Screenshot of PLABDM01: Windows PowerShell window indicates

Task 2 - Install AD Certificate Enterprise CA and CA Web

6 of 128 24-01-2020, 15:47

To install AD Certification Authority as an Enterprise Root CA using default settings,

On the next prompt, to accept the default settings, type:

7 of 128 24-01-2020, 15:47

Figure 1.3 Screenshot of PLABDM01: Windows PowerShell displays the

On the next prompt, to install AD Certification Authority Web Enrollment, type:

8 of 128 24-01-2020, 15:47

Figure 1.4 Screenshot of PLABDM01: Windows PowerShell displays a screen

Minimize Windows PowerShell window.

9 of 128 24-01-2020, 15:47

Figure 1.5 Screenshot of PLABDM01: Windows PowerShell displays a

Expand PRACTICELABS-PLABDM01-CA node.

Then click Certificate Templates folder.

10 of 128 24-01-2020, 15:47

Keep Certification Authority open.

Figure 1.5 Screenshot of PLABDM01: The Certification Authority console

Exercise 2 - Configuring Certificate Auto

11 of 128 24-01-2020, 15:47

Task 1 - Configure a customized certificate template

A customized certificate template gives the certificate administrator the flexibility to

To set up a customized certificate template, perform the following steps:

Then right-click on Certificate Templates folder and select Manage.

12 of 128 24-01-2020, 15:47

Figure 2.1 Screenshot of PLABDM01: The Certification Authority console

13 of 128 24-01-2020, 15:47

Figure 2.2 Screenshot of PLABDM01: The Certification Templates console

14 of 128 24-01-2020, 15:47

Then click Request Handling tab.

Figure 2.3 Screenshot of PLABDM01: The Properties of New Template dialog

15 of 128 24-01-2020, 15:47

Then click Security tab.

Under the Permissions for Authenticated Users section, select AutoEnroll

Then select Superseded Templates tab.

16 of 128 24-01-2020, 15:47