ADCS: notes, certificate / database locations, pkiview, logs, best practice

  1. Basics
  2. Communications
  3. Logs
  4. Best practice
  5. Useful locations (registry keys, files, configuration files...)
  6. Event log IDs and details
  7. Useful links


AIA (Authority Information Access)

Screenshot (CA properties > Extensions > Select extension: Authority Information Access (AIA)): "Specify locations from which users can obtain the certificate for this CA". Location types: file system, ldap://, http://, smb://. The object published there is the CA certificate (*.crt). Per-location options: "Include in the AIA extension of issued certificates" and "Include in the online certificate status protocol (OCSP) extension".

CRL via the CDP (CRL Distribution Point), not in AD

Screenshot (CA properties > Extensions > Select extension: CRL Distribution Point (CDP); other tabs: Enrollment Agents, Auditing, Recovery Agents, Security, Storage, Certificate Managers): "Specify locations from which users can obtain a certificate revocation list". Location types: file system (smb://, file://), ldap://, http://. Locations listed: C:\Windows\...\<...><CRLNameSuffix>... (local CertEnroll folder), ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,..., http://pki.../...nroll/<CaName><CRLNameSuffix>... Per-location options: [ ] Publish CRLs to this location; [ ] Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually; [ ] Include in CRLs. Clients use this to find Delta CRL locations; [ ] Include in the CDP extension of issued certificates; [ ] Publish Delta CRLs to this location; [ ] Include in the IDP extension of issued CRLs.
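Added example (not part of the original notes): the two Extensions-tab screenshots above (AIA and CDP) map one-to-one onto two REG_MULTI_SZ values under the CA's CertSvc registry key, and each checkbox is a bit in the numeric prefix of an entry. The script below reads and rewrites both lists with certutil, which is what the MMC does behind the scenes. The host name pki.example.com, the OCSP path and the file name issued.cer are assumptions; the token meanings (%1, %3, ...) and the flag values are the documented certutil ones.

```powershell
# Added example, not from the original notes. Run on the CA server with CA
# administrator rights. pki.example.com and /ocsp are assumed values.

# 1. Read the current lists. They live under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. CDP list. Each entry is "<flags>:<URL>", entries separated by a literal \n.
#    Flags are the CDP tab checkboxes added together:
#      1   Publish CRLs to this location
#      2   Include in the CDP extension of issued certificates
#      4   Include in CRLs. Clients use this to find Delta CRL locations
#      8   Include in all CRLs (where to publish in AD when publishing manually)
#      64  Publish Delta CRLs to this location
#      128 Include in the IDP extension of issued CRLs
#    Tokens: %2 ServerShortName, %3 CaName, %6 ConfigurationContainer,
#            %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed,
#            %10 CDPObjectClass.
#    Only the http entry (2+4 = 6) is written into issued certificates, so
#    non-domain clients never have to resolve an ldap:// path. The Windows
#    default for the ldap entry is 79 (adds bit 2, ldap in every cert's CDP).
certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n77:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.example.com/CertEnroll/%3%8%9.crl"

# 3. AIA list. Flags for CACertPublicationURLs:
#      1  Publish to this location (file or ldap)
#      2  Include in the AIA extension of issued certificates
#      32 Include in the online certificate status protocol (OCSP) extension
#    Extra tokens: %1 ServerDNSName, %4 CertificateName, %11 CAObjectClass.
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt\n32:http://pki.example.com/ocsp"

# 4. The CA reads these values only at start-up. Restart it and publish a
#    new base CRL so the file/ldap targets are written immediately.
Restart-Service certsvc
certutil -crl

# 5. Verify from a client's point of view: fetch every AIA/CDP/OCSP URL found
#    in a certificate issued after the change (issued.cer is an assumed file).
#    Any "Failed" line here means chain building will report
#    "The revocation function was unable to check revocation" for clients.
certutil -verify -urlfetch .\issued.cer
```

On Windows Server 2012 and later the ADCSAdministration module exposes the same lists as objects (Get-CACrlDistributionPoint, Get-CAAuthorityInformationAccess, and the matching Add-/Remove- cmdlets with one switch per checkbox), which is easier to diff in a config audit than the raw flag integers; certutil is used above because it is present on every CA version.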

Diagram (chain: Root CA -> External Policy CA -> Customer CA). Consider the following scenario:
  0. Get the AIA information periodically (URL, download the Root CA public key).
  1. The customer CA presents us its certificate (and the related chain of trust). Should I trust the customer CA certificate, knowing I obtained the Root CA cert from the AIA?
  2. Do I trust the Root CA certificate? (Is it in "Trusted Root Certification Authorities"?)
  3. Is the Root CA cert revoked or expired? (CRL, OCSP)
  4. Check the External Policy CA certificate signature.
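Added example (not from the original notes) that runs the four checks of the diagram on a certificate a customer CA handed us: chain construction and signature verification (steps 1 and 4), "is the root in our Trusted Root store" (step 2, the point the diagram makes: a root we merely downloaded from an AIA URL is not trusted by virtue of being downloaded), and online CRL/OCSP revocation for the entire chain (step 3). The file name customer-ca.cer is an assumption; any DER or PEM certificate works.

```powershell
# Added example, not from the original notes. customer-ca.cer is an assumed
# input file: the certificate (or CA certificate) the customer presented.
param([string]$CertPath = ".\customer-ca.cer")

$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

# Step 3: revocation-check every certificate in the chain, fetching CRL/OCSP
# from the CDP/AIA URLs embedded in the certificates, and do NOT ignore an
# unreachable revocation server (NoFlag = no "ignore ..." shortcuts).
$chain.ChainPolicy.RevocationMode     = 'Online'
$chain.ChainPolicy.RevocationFlag     = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$chain.ChainPolicy.VerificationFlags  = 'NoFlag'

# Steps 1 and 4: build the chain up to a root and verify each signature.
$built = $chain.Build($cert)

# Step 2: the top of the chain must already be in LocalMachine\Root. Build()
# reports UntrustedRoot on its own, but the explicit lookup tells an analyst
# *which* root was expected, which is what you need when onboarding a partner.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }

"Chain built and revocation-checked: $built"
foreach ($el in $chain.ChainElements) {
    # An empty ChainElementStatus means this element passed every check.
    $status = if ($el.ChainElementStatus.Count -gt 0) {
        ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    } else { 'OK' }
    "  {0}  -> {1}" -f $el.Certificate.Subject, $status
}
foreach ($s in $chain.ChainStatus) { "  chain: $($s.Status): $($s.StatusInformation.Trim())" }
"Root '$($root.Subject)' (thumbprint $($root.Thumbprint)) in LocalMachine\Root: $([bool]$trustedRoot)"

# Verdict: every check must pass. RevocationStatusUnknown / OfflineRevocation
# are failures here, not warnings: an unreachable CDP hides a revoked CA.
$verdict = $built -and [bool]$trustedRoot
"VERDICT: " + $(if ($verdict) { 'trust' } else { 'do NOT trust' })
```

The CLI equivalent is certutil -verify -urlfetch .\customer-ca.cer, which additionally prints each AIA, CDP and OCSP URL it tried and whether the fetch succeeded; it is the quickest way to see which side (our network egress, or the partner's publication points) is responsible when step 3 fails.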

ADCS role overview


Diagram (ADCS role services and their communications):
  - Certification Authority (CA): issue, renew, revoke certs.
  - Online Responder: certificate revocation info, web proxy cache; clients perform revocation checks via OCSP against it.
  - Active Directory: enrollment objects, certificate templates, users, computers.
  - Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP): enrollment over HTTP.
  - Legacy certificate enrollment: DCOM directly to the CA.
  - Client: enroll, autoenroll; revocation check via CRL (downloaded from the CDP).