1
00:00:01,910 --> 00:00:06,410
What are the benefits of having our own certification authority?

2
00:00:06,550 --> 00:00:12,610
The first benefit is security. We'll be able to specify that we only trust certificates issued by our

3
00:00:12,670 --> 00:00:16,920
own certification authority.

4
00:00:17,090 --> 00:00:21,650
We would avoid risks associated with the fact that someone else has already invested in a certificate

5
00:00:22,010 --> 00:00:25,560
and we now indirectly trust him.

6
00:00:25,570 --> 00:00:30,820
Secondly, we have greater control over the certificates themselves.

7
00:00:30,880 --> 00:00:36,400
We can, for example, immediately revoke them. An attempt to revoke a certificate that for some reason

8
00:00:36,400 --> 00:00:38,230
has been compromised,

9
00:00:38,230 --> 00:00:44,280
for example someone stole a smart card, takes a very long time.

10
00:00:44,460 --> 00:00:47,940
Maybe some of you have learned that this is not such an easy procedure.

11
00:00:49,520 --> 00:00:51,790
Thirdly, we'll probably benefit from it.

12
00:00:53,000 --> 00:01:00,200
If we issue 50, 100 or 200 certificates, at this point the cost to purchase these certificates will exceed

13
00:01:00,200 --> 00:01:05,980
the cost of starting a public key infrastructure.

14
00:01:06,180 --> 00:01:12,440
Since we decided to have our own infrastructure, we just need to plan it first.

15
00:01:12,440 --> 00:01:17,970
Remember that one certification authority may not issue all the certificates for the company.

16
00:01:17,990 --> 00:01:24,300
This is a single point of trust. If something happens, if someone discredits the certification authority,

17
00:01:25,140 --> 00:01:27,310
then we lose trust on a global scale.

18
00:01:29,490 --> 00:01:35,440
The entire computer system stops working, no one sends mail and computers don't connect with each other

19
00:01:35,440 --> 00:01:37,460
because it doesn't work.

20
00:01:37,810 --> 00:01:39,390
It's one big disaster.

21
00:01:40,750 --> 00:01:47,090
The cost of rectifying such a situation will be enormous. Having a hierarchy of certificates,

22
00:01:47,100 --> 00:01:50,820
we obtain two things.

23
00:01:50,850 --> 00:01:55,980
First of all, the root certification authority will be better protected because it's turned off and

24
00:01:55,980 --> 00:01:58,550
locked in a safe.

25
00:01:58,720 --> 00:02:03,910
This will be a computer that we pull out of the safe once a year and only turn on for a moment, not connecting

26
00:02:03,910 --> 00:02:05,500
it to a local network.

27
00:02:05,560 --> 00:02:07,910
It will be harder to break into.

28
00:02:08,150 --> 00:02:13,070
Secondly, the subordinate certification authority will be, for example, functional.

29
00:02:13,070 --> 00:02:18,190
We could have only a certification authority responsible for IPsec.

30
00:02:18,290 --> 00:02:23,660
If something bad happened to that authority, then all certificates connected with IPsec must be revoked

31
00:02:23,990 --> 00:02:26,530
and most likely will be reissued later.

32
00:02:26,870 --> 00:02:28,780
But everything else works.

33
00:02:28,820 --> 00:02:30,470
It has not been compromised.

34
00:02:32,920 --> 00:02:38,860
If we want to be in accordance with certain classifications classification documents of our computer

35
00:02:38,860 --> 00:02:42,760
system, we need to plan a two- or three-level hierarchy.

36
00:02:45,350 --> 00:02:50,450
Moreover, certificates of root certification authorities will have to be issued by a device that generates

37
00:02:50,480 --> 00:02:58,910
external hardware certificates.

38
00:02:58,970 --> 00:03:02,450
The hierarchy of our certification authority may look as follows.

39
00:03:04,020 --> 00:03:07,550
We'll have a root certification authority and two subordinate authorities.

40
00:03:09,840 --> 00:03:15,330
One of them will support the internal network and the second the external network, such as business partners.

41
00:03:16,760 --> 00:03:21,440
Under those authorities will be the functional authorities responsible for various types of certificates.

42
00:03:29,620 --> 00:03:30,160
In Windows,

43
00:03:30,160 --> 00:03:34,150
we have two types of available certification authorities.

44
00:03:34,170 --> 00:03:37,170
The first is called the standalone.

45
00:03:37,190 --> 00:03:42,050
This is a certification authority that we can install ourselves on the computer which is not a member

46
00:03:42,050 --> 00:03:46,210
of the Active Directory domain.

47
00:03:46,220 --> 00:03:49,140
The second is the Enterprise certification authority.

48
00:03:49,400 --> 00:03:57,630
As you might have guessed, this authority requires Active Directory. Standalone is much less functional.

49
00:03:57,630 --> 00:04:03,050
There is no automatic processing of certificate requests.

50
00:04:03,060 --> 00:04:10,130
It is also more limited when it comes to the types of certificates it may issue. At the enterprise certification

51
00:04:10,130 --> 00:04:11,140
authority,

52
00:04:11,240 --> 00:04:17,910
requests can be processed automatically and we can create our own templates for certificates.

53
00:04:17,920 --> 00:04:22,080
It follows that the root certification authority should be a standalone.

54
00:04:22,230 --> 00:04:24,880
It's disconnected all the time from networks anyway.

55
00:04:26,350 --> 00:04:30,370
However, all the subordinate authorities should be enterprise certification authorities.

56
00:04:36,970 --> 00:04:42,460
Since the root certification authority is a standalone and operates offline, or it's most often turned

57
00:04:42,460 --> 00:04:48,410
off, we need to change a few things during installation.

58
00:04:48,420 --> 00:04:54,180
This is one of the few places in the Microsoft environment where, before you run the installer, we have

59
00:04:54,180 --> 00:04:59,070
to manually change the configuration file. Later it's impossible to change it.

60
00:05:01,650 --> 00:05:07,980
The file named CAPolicy.inf must be prepared according to the template presented below and saved

61
00:05:07,980 --> 00:05:10,800
in the Windows folder.

62
00:05:10,910 --> 00:05:14,210
The installer will find it there and use it.

63
00:05:14,240 --> 00:05:16,810
What do we need to change?

64
00:05:16,860 --> 00:05:23,280
It would be good to enter a security policy. This policy is recorded in the certificate and everyone

65
00:05:23,280 --> 00:05:27,300
who has it knows how it should be used. In this file

66
00:05:27,320 --> 00:05:33,910
it will be abbreviated, but there will also be the address of the full policy.

67
00:05:33,930 --> 00:05:39,920
We should also configure certain things related to the length of the key and the validity of the certificate.

68
00:05:39,920 --> 00:05:42,910
This is the most important certificate that we have.

69
00:05:42,950 --> 00:05:47,300
Therefore it should be the best protected.

70
00:05:47,340 --> 00:05:52,790
This should be a long key but also valid for a long time.

71
00:05:52,860 --> 00:05:58,520
The certification authority may not issue certificates valid for longer than its own certificate.

72
00:05:58,530 --> 00:06:06,100
This would be meaningless. If the validity date in this file is not long enough, then automatically we

73
00:06:06,100 --> 00:06:15,030
shorten the lifetime of all certificates in the company. Such a certificate is unlikely to be revoked.

74
00:06:15,090 --> 00:06:21,520
Therefore we should extend the period of publishing the certificate revocation list. If we don't do

75
00:06:21,520 --> 00:06:25,530
this, we'll have to turn on the computer that's stored in the safe or closet

76
00:06:25,540 --> 00:06:31,240
more frequently just to generate a new CRL list, in which case we indicated that we have not revoked

77
00:06:31,240 --> 00:06:34,500
certificates. At the end,

78
00:06:34,500 --> 00:06:41,720
we need to change two pieces of information: where is the data of the certification authority and certificate

79
00:06:41,720 --> 00:06:44,530
revocation lists available. By default,

80
00:06:44,530 --> 00:06:47,910
they are available locally.

81
00:06:48,010 --> 00:06:52,240
We would want for them to be published by one of the subordinate certification authorities which are

82
00:06:52,240 --> 00:06:57,060
currently online. After preparation of such a file,

83
00:06:58,120 --> 00:07:00,690
we run the wizard and return to the Windows environment.

84
00:07:01,550 --> 00:07:06,530
We accept the next screen and from that moment the certification authority operates.

85
00:07:13,680 --> 00:07:19,110
We've already mentioned that later we will configure two attributes indicating where the actual information

86
00:07:19,110 --> 00:07:22,950
will be available about the authority and the lists on the company's network.

87
00:07:25,570 --> 00:07:26,920
Using the command line,

88
00:07:26,980 --> 00:07:30,960
we need to extend the validity period of the certificate.

89
00:07:31,050 --> 00:07:32,650
For this we have a tool called

90
00:07:32,670 --> 00:07:33,340
certutil.

91
00:07:37,960 --> 00:07:41,890
Later we publish the certificate from the root certification authority.

92
00:07:41,950 --> 00:07:49,860
We do this in two places: on the web site server and on the domain controller. We would also like for

93
00:07:49,860 --> 00:07:53,990
our clients to be able to verify our identity both over the web and automatically.

94
00:07:57,230 --> 00:08:04,030
This entire procedure is much easier for subordinate certification authorities. They're online and by default

95
00:08:04,040 --> 00:08:06,180
the settings are correct.

96
00:08:06,260 --> 00:08:10,030
Nothing needs to be changed or extended.

97
00:08:10,080 --> 00:08:14,820
The thing that's interesting is that the subordinate certification authority does not run until it's

98
00:08:14,820 --> 00:08:17,450
on the trusted list.

99
00:08:17,670 --> 00:08:22,440
The subordinate certification authority must submit a certificate request to the root certification

100
00:08:22,440 --> 00:08:27,760
authority. The certification authority is blocked until the request is processed.