Setting up a PKI in a lab environment
Hi all,
I have a lab environment set up at home on Hyper-V. I have two forests and each forest has two domains; each domain has a couple of client machines.
In preparation for my exams I would like to better understand the workings of a PKI.
Can anyone suggest a way I can set up a lab to simulate a PKI? I would like to install and configure an enterprise CA and a standalone CA and other bits that are mentioned in the books.
From what I can see, PKI is not the easiest thing to simulate in a lab.
Any suggestions would be much appreciated.
Thanks
May 24th, 2012 6:47am
Hi,
I would recommend reading
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx and part two of the blog.
Create two more VMs and install. It can be as easy as next, next install.
Regards, Rmknight
May 24th, 2012 10:52am
You can always use OpenSSL to test stuff, very easy to configure and deploy. For basic understanding of a PKI this is the fastest way.
http://www.openssl.org/
To create a CA:
openssl genrsa -des3 -out CA.key 4096
openssl req -config openssl.conf -new -x509 -days 7305 -key CA.key -out certs/CA.cer
If you want to test a fully functional PKI infrastructure, AD CS is the way. Check out cross-certification and qualified subordination if you want to use a PKI in both forests.
Active Directory Certificate Services:
http://technet.microsoft.com/en-us/windowsserver/dd448615.aspx
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
http://technet.microsoft.com/en-us/library/cc772670(WS.10).aspx
AD CS Step-By-Step Guide:
http://www.microsoft.com/en-us/download/details.aspx?id=22838
Certificate Autoenrollment in Windows XP:
http://technet.microsoft.com/en-us/library/bb456981.aspx
Troubleshooting autoenrollment:
http://blogs.technet.com/b/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx
Troubleshooting Certificate Enrollment:
http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx
Certificate Path Validation:
http://technet.microsoft.com/en-us/library/cc770844.aspx
Manage Revocation Checking Policy:
http://technet.microsoft.com/en-us/library/cc753863.aspx
How to refresh the CRL cache on Windows Vista:
http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
CA Maintenance:
http://technet.microsoft.com/en-us/library/cc782041(WS.10).aspx
Troubleshooting Certificate Status and Revocation:
http://technet.microsoft.com/en-us/library/cc700843.aspx
Certificate Revocation Checking in Windows Vista and Windows Server 2008:
http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx
Qualified Subordination and Cross-Certification:
http://technet.microsoft.com/en-us/library/cc787237(WS.10).aspx
Walkthrough (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003):
http://technet.microsoft.com/en-us/library/cc787276(WS.10).aspx
May 24th, 2012 11:32am
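The root-CA commands from the last reply, extended into a small lab hierarchy that also issues one server certificate and checks the chain. This is an added example, not part of the thread; the config contents, the host name web01.lab.example and the passphrase are constructed, and the CA key is protected with -aes256 rather than the post's -des3.

```shell
#!/bin/sh
# Lab-only PKI: root CA -> one server certificate. All names and the
# passphrase are constructed for this example; never reuse them.
set -eu

make_root_ca() {   # $1 = working directory
    mkdir -p "$1/certs"
    cat > "$1/openssl.conf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Lab Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:web01.lab.example
EOF
    # Same two steps as the post, made non-interactive (-passout/-passin).
    # AES-256 protects the key here instead of the post's -des3.
    openssl genrsa -aes256 -passout pass:lab-only -out "$1/CA.key" 4096 2>/dev/null
    openssl req -config "$1/openssl.conf" -new -x509 -days 7305 -sha256 \
        -extensions v3_ca -key "$1/CA.key" -passin pass:lab-only \
        -out "$1/certs/CA.cer"
}

issue_leaf() {     # $1 = working directory; leaf cannot act as a CA
    openssl genrsa -out "$1/web01.key" 2048 2>/dev/null
    openssl req -config "$1/openssl.conf" -new -key "$1/web01.key" \
        -subj "/CN=web01.lab.example" -out "$1/web01.csr"
    openssl x509 -req -in "$1/web01.csr" -days 365 -sha256 \
        -CA "$1/certs/CA.cer" -CAkey "$1/CA.key" -passin pass:lab-only \
        -CAcreateserial -extfile "$1/openssl.conf" -extensions v3_leaf \
        -out "$1/certs/web01.cer" 2>/dev/null
}

chain_ok() {       # $1 = trusted CA cert, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

lab=$(mktemp -d)
make_root_ca "$lab"
issue_leaf "$lab"
chain_ok "$lab/certs/CA.cer" "$lab/certs/web01.cer" && echo "chain verifies"
```

Verifying the same certificate against a different CA file fails, which is the behaviour to observe before moving on to the revocation and cross-certification links above.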