Objectives:
Upon completing the lab, the student will be able to:
Implement a stand-alone root CA
Implement an enterprise-level subordinate CA
Configure certificate templates
Configure certificate enrollment
Configure certificate revocation
Configure and perform private key archival and recovery
Safety:
Place briefcases and/or backpacks in the cabinet at the back of the lab classroom or in the lockers
assigned to the student.
Do not bring liquids or food into the lab classroom.
At the end of the lab session, shut down the computer and the monitor properly, and tidy up
the chairs that were used.
Equipment and Materials:
Virtual machines:
DVD:
Windows Server 2012
Procedure:
Scenario A
Because A. Datum has expanded, its security requirements have also increased. The security
department wants to enable secure access to critical websites and to provide additional security
for network services. To meet these and other security requirements, the company has decided to
deploy a PKI using the AD CS role in Windows Server 2012.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1,
LON-SVR2 and LON-CA1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.
Scenario
24. On LON-CA1, in Server Manager, click Tools, and then click Certification Authority.
25. In the certsrv - [Certification Authority (Local)] console, right-click AdatumRootCA, and then
click Properties.
26. In the AdatumRootCA Properties dialog box, click the Extensions tab.
27. On the Extensions tab, in the Select extension drop-down list box, click CRL Distribution
Point (CDP), and then click Add.
28. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down list
box, click <CaName>, and then click Insert.
29. In the Variable drop-down list box, click <CRLNameSuffix>, and then click Insert.
30. In the Variable drop-down list box, click <DeltaCRLAllowed>, and then click Insert.
31. In the Location box, position the cursor at the end of the URL, type .crl, and then click OK.
32. Select the following options, and then click Apply:
Include in CRLs. Clients use this to find Delta CRL locations
Include in the CDP extension of issued certificates
1. In the Certification Authority pop-up window, click No.
2. In the Select extension drop-down list box, click Authority Information Access (AIA), and then
click Add.
3. In the Location box, type http://lon-svr1.adatum.com/CertData/, in the Variable drop-down
list box, click <ServerDNSName>, and then click Insert.
4. In the Location box, type an underscore (_), in the Variable drop-down list box, click <CaName>,
and then click Insert. Position the cursor at the end of the URL.
5. In the Variable drop-down list box, click <CertificateName>, and then click Insert.
6. In the Location box, position the cursor at the end of the URL, type .crt, and then click OK.
7. Select the Include in the AIA extension of issued certificates check box, and then click OK.
8. Click Yes to restart the Certification Authority service.
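The CDP and AIA entries built in the dialog boxes above map directly onto the CA's publication URL registry values, which is how the same setting is reviewed or scripted across several CAs. The following PowerShell is an added example, not part of the lab guide or of the Microsoft course it is based on. It assumes it runs elevated on LON-CA1, that the CA is named AdatumRootCA, and it uses the certutil variable tokens (%3 = CaName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed, %1 = ServerDNSName, %4 = CertificateName) in place of the `<CaName>`-style placeholders the console shows; the numeric prefix on each URL carries the same check boxes as the dialog (2 = include in the CDP/AIA extension of issued certificates, 4 = include in CRLs for delta CRL location).

```powershell
# Added example, not from the lab guide. Assumes LON-CA1, CA name AdatumRootCA, elevated session.
$caName  = 'AdatumRootCA'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"

# Same URLs as steps 28-31 and 3-6, with certutil tokens instead of the console placeholders.
# Prefix bits: 2 = add to the CDP/AIA extension of issued certs, 4 = add to CRLs (delta CRL location).
$cdpEntry = '6:http://lon-svr1.adatum.com/CertData/%3%8%9.crl'    # 2 + 4, as selected in step 32
$aiaEntry = '2:http://lon-svr1.adatum.com/CertData/%1_%3%4.crt'   # as selected in step 7

function Add-CaPublicationUrl {
    param(
        [Parameter(Mandatory)][ValidateSet('CRLPublicationURLs', 'CACertPublicationURLs')][string]$ValueName,
        [Parameter(Mandatory)][string]$Entry
    )
    # Both values are REG_MULTI_SZ; keep the default file entry and append only if the URL is new.
    $current = @((Get-ItemProperty -Path $regPath -Name $ValueName).$ValueName)
    if ($current -contains $Entry) {
        Write-Host "$ValueName already contains $Entry"
        return
    }
    Set-ItemProperty -Path $regPath -Name $ValueName -Value ([string[]]($current + $Entry)) -Type MultiString
}

Add-CaPublicationUrl -ValueName CRLPublicationURLs    -Entry $cdpEntry
Add-CaPublicationUrl -ValueName CACertPublicationURLs -Entry $aiaEntry

# The CA reads these values only at start-up, which is why step 8 restarts the service.
Restart-Service -Name CertSvc

# Review what the CA will now put into certificates and CRLs.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Publish a CRL so the file that the new CDP URL points to actually exists in CertEnroll.
certutil -CRL
```

The point of the prefix bits: a URL that is only "published" (bit 1, the file entry) never reaches clients; only entries carrying bit 2 end up in issued certificates, so a CA where the http entry lacks that bit will issue certificates whose CDP and AIA still point nowhere reachable from the domain.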
Next.
17. On the File to Export page, click Browse. In the File name box, type \\lon-svr1\C$, and then
press Enter.
18. In the File name box, type RootCA, click Save, and then click Next.
19. Click Finish, and then click OK three times.
20. Open a File Explorer window, and browse to C:\Windows\System32\CertSrv\CertEnroll.
21. In the CertEnroll folder, select both files, right-click the highlighted files, and then click Copy.
22. In the File Explorer address bar, type \\lon-svr1\C$, and then press Enter.
23. Right-click the empty space, and then click Paste.
24. Close File Explorer.
Task 2: Create a DNS host record for LON-CA1 and configure sharing
1. On LON-DC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager console, expand LON-DC1, expand Forward Lookup Zones, click
Adatum.com, right-click Adatum.com, and then click New Host (A or AAAA).
3. In the New Host window, in the Name box, type LON-CA1.
4. In the IP address window, type 172.16.0.40, click Add Host, click OK, and then click Done.
5. Close the DNS Manager.
1. Switch to LON-CA1.
2. On the Start screen, click Control Panel.
3. In the Control Panel window, click View network status and tasks.
4. In the Network and Sharing Center window, click Change advanced sharing settings.
5. Under Guest or Public (current profile), select the Turn on file and printer sharing option,
and then click Save changes.
Results: After completing this exercise, you will have deployed a root stand-alone certification
authority (CA).
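Task 2 can be checked or repeated without the consoles. The PowerShell below is an added example, not part of the lab guide; the first part assumes it runs on LON-DC1 (DnsServer module, zone Adatum.com, host LON-CA1 at 172.16.0.40, all from the task), the second part assumes it runs on LON-CA1, which is a workgroup machine and therefore sits in the Public firewall profile that step 5 changes.

```powershell
# Added example, not from the lab guide.
$zone     = 'Adatum.com'
$hostName = 'LON-CA1'
$ip       = '172.16.0.40'

# --- Part 1, on LON-DC1: create the A record only if it does not exist yet ---
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $hostName -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $hostName -IPv4Address $ip
}

# Confirm the name resolves to the expected address; the subordinate CA later fetches
# the root CRL through this name, so a wrong address breaks revocation checking.
$answer = Resolve-DnsName -Name "$hostName.$zone" -Type A
if (-not ($answer.IPAddress -contains $ip)) {
    throw "Unexpected answer for $hostName.$zone: $($answer.IPAddress -join ', ')"
}

# --- Part 2, on LON-CA1 (workgroup, active profile is Public) ---
# Equivalent of 'Turn on file and printer sharing' in step 5: enable the predefined rule group.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Set-NetFirewallRule -Enabled True

# The copy steps use the administrative share \\LON-CA1\C$; confirm it is present.
Get-SmbShare -Name 'C$'
```

Enabling the whole "File and Printer Sharing" group on an offline root CA is what the lab needs for the copy steps; on a production root CA the share would be used once and the rule group disabled again, since an offline root should not stay reachable over SMB.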
Scenario
7. In the File Explorer window, press F5, select the AdatumRootCA.crl and LON-
CA1_AdatumRootCA.crt files, right-click the files, and then click Copy.
8. Double-click inetpub.
9. Double-click wwwroot.
10. Create a new folder, and then name it CertData.
11. Paste the two copied files into that folder.
12. Switch to Local Disk (C:\).
13. Right-click the file LON-SVR1.Adatum.com_Adatum-LON-SVR1-CA.req, and then click
Copy.
14. In the File Explorer address bar, type \\LON-CA1\C$, and then press Enter.
15. In the File Explorer window, right-click an empty space, and then click Paste. Make sure that the
request file is copied to LON-CA1.
24. On the Export File Format page, click Cryptographic Message Syntax Standard - PKCS #7
Certificates (.P7B), click Include all certificates in the certification path if possible, and
then click Next.
25. On the File to Export page, click Browse.
26. In the File name box, type \\lon-svr1\C$, and then press Enter.
27. In the File name box, type SubCA, click Save, click Next, click Finish, and then click OK twice.
Keep all virtual machines running for the next lab. Do not revert any virtual machines.
Results: After completing this exercise, you will have deployed and configured an enterprise
subordinate CA.
Lab Guide, p. 8
Advanced Operating Systems Administration
Scenario B
Because A. Datum has expanded, its security requirements have also increased. The security
department wants to enable secure access to critical websites and to provide additional security
for features such as disk encryption, smart cards and DirectAccess. To meet these and other
security requirements, the company has decided to deploy a PKI using the AD CS role in
Windows Server 2012.
Lab Setup
1. Open VMware Workstation and create a snapshot of the virtual machines LON-DC1, LON-SVR1,
LON-SVR2, LON-CA1 and LON-CL1.
2. Start the virtual machines and sign in with the Administrator account and the password
Pa$$w0rd.
Scenario
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates console, right-click the User certificate template, and then click
Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and then in the Template
display name text box, type Adatum User.
3. On the Subject Name tab, clear both the Include e-mail name in subject name and the E-
mail name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
5. In the Edit Application Policies Extension dialog box, click Add.
6. In the Add Application Policy dialog box, select Smart Card Logon, and then click OK twice.
7. Click the Superseded Templates tab, and then click Add.
8. Click the User template, and then click OK.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated
Users, select the Allow check box for Read, Enroll, and Autoenroll, and then click OK.
10. Close the Certificate Templates console.
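A template is an Active Directory object, so what Task 2 configured can be read back and verified rather than re-opened in the console. The following PowerShell is an added example, not part of the lab guide. It assumes the ActiveDirectory module (run on LON-DC1 or a machine with RSAT), the Adatum.com forest, the template display name Adatum User from step 2, the Smart Card Logon EKU OID 1.3.6.1.4.1.311.20.2.2, and the well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights.

```powershell
# Added example, not from the lab guide. Assumes the ActiveDirectory module and the Adatum.com forest.
Import-Module ActiveDirectory

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'                       # Smart Card Logon EKU
$enrollRight       = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollRight   = [guid]'a05b8cc2-17bc-11d2-a95e-0000f80e6f2a'   # Certificate-AutoEnrollment

function Test-AdatumUserTemplate {
    param([string]$DisplayName = 'Adatum User')

    $t = Get-ADObject -SearchBase $templatesDn `
            -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$DisplayName))" `
            -Properties pKIExtendedKeyUsage, msPKI-Supersede-Templates
    if (-not $t) { throw "Template '$DisplayName' not found under $templatesDn" }

    # Step 6 added Smart Card Logon; step 8 made the new template supersede User (stored by template cn).
    $result = [ordered]@{
        Template          = $t.DistinguishedName
        HasSmartCardLogon = ($t.pKIExtendedKeyUsage -contains $smartCardLogonOid)
        SupersedesUser    = ($t.'msPKI-Supersede-Templates' -contains 'User')
    }

    # Step 9: Authenticated Users must have Read, Enroll and Autoenroll (Allow entries on the object).
    $acl  = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $auth = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow'
    }
    $result.AuthUsersRead       = [bool]($auth | Where-Object { $_.ActiveDirectoryRights.ToString() -match 'GenericRead|ReadProperty' })
    $result.AuthUsersEnroll     = [bool]($auth | Where-Object { $_.ObjectType -eq $enrollRight })
    $result.AuthUsersAutoenroll = [bool]($auth | Where-Object { $_.ObjectType -eq $autoenrollRight })

    [pscustomobject]$result
}

# Usage: every property should read True once Task 2 is complete.
Test-AdatumUserTemplate
```

Checking the ACL this way matters because Autoenroll without Enroll (or the reverse) is a common reason autoenrollment silently does nothing in the later exercise; the rights are separate extended rights, and the console's three check boxes write three different ACEs.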
Task 4: Update the web server certificate on the LON-SVR2 web server
1. Sign in to LON-SVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. From the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell prompt, type gpupdate /force, and then press Enter.
4. If prompted, restart the server, and sign in as Adatum\Administrator with the password
Pa$$w0rd.
5. On the taskbar, click the Server Manager icon.
6. From Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
7. In the IIS console, click LON-SVR2 (ADATUM\Administrator), at the Internet
Information Services (IIS) Manager prompt, click No, and then in the central pane, double-click
Server Certificates.
8. In the Actions pane, click Create Domain Certificate.
9. On the Distinguished Name Properties page, complete the following fields, and then
click Next:
Common name: lon-svr2.adatum.com
Organization: Adatum
Organizational Unit: IT
City/locality: Seattle
State/province: WA
Country/region: US
1. On the Online Certification Authority page, click Select.
2. Click Adatum-IssuingCA, and then click OK.
3. In the Friendly name text box, type lon-svr2, and then click Finish.
4. Ensure that the certificate displays in the Server Certificates console.
1. In the IIS console, expand LON-SVR2, expand Sites, and then click Default Web Site.
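The "Create Domain Certificate" wizard in Task 4 generates a key, submits a request to Adatum-IssuingCA and installs the result; the same request can be made with certreq, which leaves a reviewable .inf file describing exactly what was asked for. The PowerShell below is an added example, not part of the lab guide. It assumes it runs elevated on LON-SVR2, that the issuing CA's config string is LON-SVR1.Adatum.com\Adatum-IssuingCA, and that the certificate should come from the built-in WebServer template (the wizard does not show which template it uses, so this is an assumption); the subject fields are the ones typed in step 9. The final binding step is what the next task does in the IIS console for Default Web Site.

```powershell
# Added example, not from the lab guide. Assumes LON-SVR2, elevated, CA config string and WebServer template as noted.
$caConfig = 'LON-SVR1.Adatum.com\Adatum-IssuingCA'
$work     = 'C:\CertReq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request definition: same subject as step 9, key kept in the machine store and not exportable.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=lon-svr2.adatum.com, O=Adatum, OU=IT, L=Seattle, S=WA, C=US"
FriendlyName = "lon-svr2"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path "$work\lon-svr2.inf" -Encoding ASCII

function Invoke-CertReq {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}

Invoke-CertReq -Arguments @('-new',    "$work\lon-svr2.inf", "$work\lon-svr2.req")                 # generate key + CSR
Invoke-CertReq -Arguments @('-submit', '-config', $caConfig, "$work\lon-svr2.req", "$work\lon-svr2.cer")  # send to the enterprise CA
Invoke-CertReq -Arguments @('-accept', "$work\lon-svr2.cer")                                      # pair the cert with its key

# Step 4 of the task: the certificate must now be in the machine store with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=lon-svr2.adatum.com*' -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate for lon-svr2.adatum.com not found in LocalMachine\My' }

# Bind it to Default Web Site on 443 (what the following console steps do under Sites).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue | Remove-Item
New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
```

Keeping Exportable = FALSE is the reason to prefer the .inf route over clicking through: the wizard's defaults are not visible, whereas here the key-protection choice for a web server key is recorded and can be reviewed.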
Results: After completing this exercise, you will have created and published new certificate templates.
Scenario
10. Switch to LON-CL1, and sign in as Adatum\Allie with the password Pa$$w0rd.
11. Open a command-prompt window, at the command prompt, type mmc.exe, and then press Enter.
12. In Console1, click File, and then click Add/Remove Snap-in.
13. Click Certificates, click Add, and then click OK.
14. Expand Certificates - Current User, expand Personal, click Certificates, right-click
Certificates, point to All Tasks, and then click Request New Certificate.
15. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, click Next.
17. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
18. Click Finish.
25. In the Select User, Computer or Group field, type Allie, click Check Names, and then click OK.
26. Click Everyone, and then click Remove.
27. In the certificate templates section, click Add.
28. In the list of templates, select Adatum User, and then click OK.
29. In the Certificate Templates section, click <All>, and then click Remove.
30. In the Permission section, click Add.
31. In the Select User, Computer or Group field, type Marketing, click Check Names,
and then click OK.
32. In the Permission section, click Everyone, and then click Remove.
33. Click OK.
Results: After completing this exercise, you will have configured and verified autoenrollment for users,
and configured an Enrollment Agent for smart cards.
Scenario
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check
box, and then click OK.
17. In the Certificate Authority dialog box, restart AD CS by clicking Yes.
18. In the certsrv console, expand Adatum-IssuingCA, right-click the Certificate Templates
folder, and then click Manage.
19. In the Certificate Templates console, double-click the OCSP Response Signing
template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under
Permissions for Authenticated Users, select Allow for the Enroll check box, and then click
OK.
21. Close the Certificate Templates console.
22. In the Certification Authority console, right-click the Certificate Templates folder, point to
New, and then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing
template, and then click OK.
24. On LON-SVR1, in the Server Manager, click Tools, and then click Online Responder
Management.
25. In the OCSP Management console, right-click Revocation Configuration, and then click
Add Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA
Online Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the Adatum-IssuingCA
certificate, click OK, and then click Next.
30. On the Select Signing Certificate page, verify that both Automatically select a signing
certificate and Auto-Enroll for an OCSP signing certificate are selected, and then click
Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status will
appear as Working.
32. Close the Online Responder console.
Results: After completing this exercise, you will have configured certificate revocation settings.
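Whether the revocation configuration really works is only visible from a client's point of view: the template must be enabled on the CA, the responder must be running, and the URLs in an issued certificate must be fetchable. The PowerShell below is an added example, not part of the lab guide. It assumes it runs on LON-SVR1 (where the Online Responder role is installed in this lab), the CA config string LON-SVR1.Adatum.com\Adatum-IssuingCA, and that the caller passes the path of a certificate issued by that CA after the configuration above was applied.

```powershell
# Added example, not from the lab guide. Assumes LON-SVR1 and the CA config string shown.
$caConfig = 'LON-SVR1.Adatum.com\Adatum-IssuingCA'

function Test-IssuingCaRevocationSetup {
    param([Parameter(Mandatory)][string]$CertPath)   # a .cer issued by Adatum-IssuingCA

    # Steps 22-23 enabled the template on the CA; -CATemplates lists what the CA will issue.
    $templates = certutil -config $caConfig -CATemplates
    $ocspTemplateEnabled = [bool]($templates | Select-String -SimpleMatch 'OCSP Response Signing')

    # Steps 24-31 configured the Online Responder; its service name is OCSPSvc.
    $ocspService = Get-Service -Name OCSPSvc -ErrorAction SilentlyContinue

    # -urlfetch downloads every CDP, AIA and OCSP URL in the chain and reports each one.
    $verify    = certutil -verify -urlfetch $CertPath
    $urlErrors = @($verify | Select-String -Pattern 'Error retrieving URL|Failed "AIA"|Failed "CDP"|Failed "OCSP"')
    $ocspSeen  = [bool]($verify | Select-String -Pattern 'Verified "OCSP"')
    $revokeOk  = [bool]($verify | Select-String -Pattern 'Leaf certificate revocation check passed')

    [pscustomobject]@{
        OcspTemplateEnabledOnCa = $ocspTemplateEnabled
        OnlineResponderRunning  = ($ocspService -and $ocspService.Status -eq 'Running')
        OcspUrlVerified         = $ocspSeen
        RevocationCheckPassed   = $revokeOk
        UrlFetchErrors          = $urlErrors | ForEach-Object { $_.Line.Trim() }
    }
}

# Usage: export any certificate issued after the change and point the check at it.
# Test-IssuingCaRevocationSetup -CertPath 'C:\Temp\issued-test.cer'
```

The common failure this catches is a certificate issued before the AIA/OCSP extension was changed: such a certificate carries no OCSP URL, so `OcspUrlVerified` stays False even though the responder itself is healthy, and the fix is to reissue rather than to touch the responder.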
Scenario
As part of the PKI deployment, you want to configure and test the procedures for private key
recovery. You want to assign a KRA certificate to an administrator and configure the CA with
specific certificate templates that allow key archival. You also want to test the key recovery
procedure.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
8. On the Select Certificate Enrollment Policy page, click Next.
9. On the Request Certificates page, select the Key Recovery Agent check box, click
Enroll, and then click Finish.
10. Refresh the console, and view the Key Recovery Agent (KRA) in the personal store; that
is, scroll across the certificate properties and verify that the Certificate Template Key Recovery
Agent is present.
11. Close Console1 without saving changes.
Note: If you paste the serial number from Notepad, remove spaces between numbers.
16. Verify that the outputblob file now displays in the C:\Users\Administrator.Adatum folder.
17. To convert the outputblob file into a .pfx file, at the Windows PowerShell prompt, type the
following command, and then press Enter:
Certutil -recoverkey outputblob aidan.pfx
18. When prompted for the new password, type Pa$$w0rd, and then confirm the password.
19. After the command executes, close Windows PowerShell.
20. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfx (the recovered key)
is created.
30. Switch to LON-CL1, and ensure that you are still signed in as Aidan.
31. Browse to drive C, and double-click the aidan.pfx file.
32. On the Welcome to the Certificate Import Wizard page, click Next.
33. On the File to Import page, click Next.
34. On the Password page, enter Pa$$w0rd as the password, and then click Next.
35. On the certificate store page, click Next, click Finish, and then click OK.
36. In the Console1-[Console Root\Certificates - Current User\Personal\Certificates], expand
the Certificates - Current User node, expand Personal, and then click Certificates.
37. Refresh the console, and verify that the certificate for Aidan is restored.
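Steps 16 to 20 above are the two halves of key recovery: certutil -getkey pulls the archived key from the CA database as a blob encrypted to the KRA certificate, and certutil -recoverkey decrypts it with the KRA private key and re-protects it as a PFX. The PowerShell below is an added example, not part of the lab guide, that wraps the two commands and applies the note about serial numbers pasted from Notepad. It assumes the CA config string LON-SVR1.Adatum.com\Adatum-IssuingCA and that it runs as the administrator who enrolled for the Key Recovery Agent certificate in steps 7 to 10; the serial number in the usage line is a placeholder for the value read from the Issued Certificates view.

```powershell
# Added example, not from the lab guide. Assumes the CA config string shown and a session holding the KRA certificate.
function Restore-ArchivedPrivateKey {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,   # serial of the user's certificate, as shown by the CA console
        [Parameter(Mandatory)][string]$PfxPath,        # e.g. C:\Users\Administrator.ADATUM\aidan.pfx
        [string]$CaConfig = 'LON-SVR1.Adatum.com\Adatum-IssuingCA',
        [string]$BlobPath = (Join-Path $env:USERPROFILE 'outputblob')
    )

    # The note above: a serial copied from the console or Notepad contains spaces; certutil wants plain hex.
    $serial = $SerialNumber -replace '\s', ''
    if ($serial -notmatch '^[0-9A-Fa-f]+$') {
        throw "Serial number is not hexadecimal after removing whitespace: '$SerialNumber'"
    }

    # Step 16: export the archived key. The blob is encrypted to the KRA certificate(s) registered on the CA.
    certutil -config $CaConfig -getkey $serial $BlobPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getkey failed ($LASTEXITCODE): check that key archival is enabled and that this key was archived"
    }
    if (-not (Test-Path $BlobPath)) { throw "Recovery blob was not written to $BlobPath" }

    # Step 17: decrypt with the KRA private key in this user's store and write a PFX (prompts for its password).
    certutil -recoverkey $BlobPath $PfxPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -recoverkey failed ($LASTEXITCODE): check that the KRA certificate is in this user's Personal store"
    }

    # Once the PFX exists the blob is just a second copy of a private key; do not leave it behind.
    Remove-Item -Path $BlobPath -Force

    # Step 20: hand back the recovered file so the caller can confirm it was created.
    Get-Item -Path $PfxPath
}

# Usage (serial number is a placeholder for the value read from the Issued Certificates view):
# Restore-ArchivedPrivateKey -SerialNumber '<serial number from the CA console>' -PfxPath "$env:USERPROFILE\aidan.pfx"
```

Because -getkey is answered by the CA for anyone holding the Manage CA or Issue and Manage Certificates permission, while only a KRA key holder can complete -recoverkey, the two steps are normally performed by two different people; keeping the blob and the PFX in the KRA holder's profile, and deleting the blob afterwards, keeps that separation visible in practice.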
1. Revert the virtual machines to the snapshot created before starting the lab.
Conclusions:
State the conclusions you reached from the topics covered in practice in this lab.
Rubric
Outcome 1. Students implement and maintain computer networks and data telecommunications
systems, providing security for the media involved and applying modern techniques and tools.

Criteria to evaluate                                    Excellent  Good  Needs improvement  Not acceptable  Score achieved
Implementation of an enterprise-level subordinate CA    4          3     2                  1-0

Additional:
Bonus (+)
Penalty (-)
Final score

Comments to the student or students:

Description
Excellent: Demonstrates a complete understanding of the problem or performs the activity
meeting all the specified requirements.
Good: Demonstrates a considerable understanding of the problem or performs the activity
meeting most of the specified requirements.
Needs improvement: Demonstrates a low understanding of the problem or performs the activity
meeting few of the specified requirements.
Not acceptable: Does not demonstrate understanding of the problem or of the activity.