Bill Gonzalez December 11, 2019 at 9:34 am Thank you for your article.
Selecting a Cryptographic Key Provider in Windows Server 2012 AD CS

Added by Mike Danseglio, August 26, 2013

This is part 2 of selecting a Public Key Infrastructure (PKI) for your Windows Server 2012 environment. In part 1, Selecting a Key Size for Your Root Certificate Server in Windows Server 2012 AD CS, we looked at creating a strong key for the Root Certification Authority.

Deploying the Root Certification Authority

The Root CA certificate is easily generated during the creation of the CA. The Active Directory Certificate Services (AD CS) installation task within the Add Roles and Features Wizard prompts you for virtually everything. It even gives you an important warning right off the bat: "The name and domain settings of this computer cannot be changed after a certification authority (CA) has been installed." That's because a root CA always generates a self-signed certificate.

The data you must supply include the CA name, the Certificate Revocation List Distribution Point (CDP), and the parameters for the root CA's key pair. Your first option is to select whether the server should use an existing key pair or create a new one.

Figure 1. AD CS Configuration: Specify a new or existing private key.

Assuming you're creating a new key pair, you're presented with the aptly-named Cryptographic Options page.

Figure 2. AD CS Configuration: Specify the cryptographic options for the root CA key pair.

I call this an aptly-named page because it is, itself, cryptic. How do you make sense of this? It is really a confusing dialog, one that gives super-nerds a lot of flexibility but means little to most of us.

Selecting a Cryptographic Provider for the Root Key Pair

The cryptographic provider is the software component that actually generates the key pair. It generally supports the standard Windows APIs and identifies which algorithms, key strengths, etc. The AD CS Configuration page queries CryptoAPI to determine which providers it should display in this list for you to choose.

Figure 3. AD CS Configuration: The list of cryptographic providers for generating the key pair.

In Windows Server 2012 the built-in cryptographic providers are:

- Microsoft Base Smart Card Crypto Provider
- Microsoft Enhanced Cryptographic Provider v1.0
- ECDSA_P256#Microsoft Smart Card Key Storage Provider
- ECDSA_P521#Microsoft Smart Card Key Storage Provider
- RSA#Microsoft Software Key Storage Provider
- Microsoft Base Cryptographic Provider v1.0
- ECDSA_P256#Microsoft Software Key Storage Provider
- ECDSA_P521#Microsoft Software Key Storage Provider
- Microsoft Strong Cryptographic Provider
- ECDSA_P384#Microsoft Software Key Storage Provider
- Microsoft Base DSS Cryptographic Provider
- RSA#Microsoft Smart Card Key Storage Provider
- DSA#Microsoft Software Key Storage Provider
- ECDSA_P384#Microsoft Smart Card Key Storage Provider

Some of these have obvious uses. For example, there are smart card providers that are used if you plan to store the private key on a smart card. If you deploy a cryptographic hardware device and have loaded the appropriate software, it will appear on this list as well. Some use the RSA algorithm, while others use elliptic curve cryptographic algorithms.

My advice: Unless you have a specific compliance requirement, use a hardware cryptographic appliance, or use a specific smart card vendor with their own provider, there's no benefit and the complexity of managing those keys may not be worth it.

If you want more Windows PKI articles please be sure to drop me a comment.
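
To make the provider list above easier to read, here is a PowerShell example added for this page (not code from the original article) that splits each entry into its algorithm and provider, labels it as a CNG key storage provider or a legacy CryptoAPI provider, and checks it against what `certutil -csplist` reports on the local host. The function name `ConvertFrom-AdcsProviderString` and the classification by provider name are assumptions made for illustration.

```powershell
# Provider strings exactly as the Cryptographic Options page lists them (from the article).
$wizardList = @(
    'Microsoft Base Smart Card Crypto Provider'
    'Microsoft Enhanced Cryptographic Provider v1.0'
    'ECDSA_P256#Microsoft Smart Card Key Storage Provider'
    'ECDSA_P521#Microsoft Smart Card Key Storage Provider'
    'RSA#Microsoft Software Key Storage Provider'
    'Microsoft Base Cryptographic Provider v1.0'
    'ECDSA_P256#Microsoft Software Key Storage Provider'
    'ECDSA_P521#Microsoft Software Key Storage Provider'
    'Microsoft Strong Cryptographic Provider'
    'ECDSA_P384#Microsoft Software Key Storage Provider'
    'Microsoft Base DSS Cryptographic Provider'
    'RSA#Microsoft Smart Card Key Storage Provider'
    'DSA#Microsoft Software Key Storage Provider'
    'ECDSA_P384#Microsoft Smart Card Key Storage Provider'
)

# Hypothetical helper: split "<algorithm>#<provider>" and classify the provider by its name.
function ConvertFrom-AdcsProviderString {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        if ($Name -like '*#*') { $algorithm, $provider = $Name -split '#', 2 }
        else { $algorithm = '(implied by provider)'; $provider = $Name }
        [pscustomobject]@{
            Api       = if ($provider -like '*Key Storage Provider') { 'CNG KSP' } else { 'CryptoAPI CSP' }
            KeyStore  = if ($provider -like '*Smart Card*') { 'Smart card' } else { 'Software' }
            Algorithm = $algorithm
            Provider  = $provider
        }
    }
}

$parsed = $wizardList | ConvertFrom-AdcsProviderString
$parsed | Sort-Object Api, KeyStore, Algorithm | Format-Table -AutoSize

# On a Windows host, confirm each provider is actually registered before choosing it.
# certutil -csplist prints one "Provider Name: ..." line per registered CSP/KSP.
if (Get-Command certutil.exe -ErrorAction SilentlyContinue) {
    $installed = certutil.exe -csplist |
        Select-String '^\s*Provider Name:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    $parsed | Where-Object { $_.Provider -notin $installed } |
        ForEach-Object { Write-Warning "Not registered on this host: $($_.Provider)" }
}
```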

Take care,
Mike Danseglio - CISSP CEH
Interface Technical Training Technical Director and Instructor