Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Lab A: Deploying and Configuring a CA Hierarchy
Exercise 1: Deploying a StandAlone Root CA
Task 1: Install and configure Active Directory Certificate Services on LONCA1
1. Sign in to LONCA1 as Administrator with the password Pa$$w0rd.
2. In the Server Manager, click Add roles and features.
3. On the Before You Begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services. When
the Add Roles and Features Wizard displays, click Add Features, and then click Next.
7. On the Select features page, click Next.
8. On the Active Directory Certificate Services page, click Next.
9. On the Select role services page, ensure that Certification Authority is selected, and
then click Next.
10. On the Confirm installation selections page, click Install.
11. On the Installation progress page, after installation completes successfully, click the
text Configure Active Directory Certificate Services on the destination server.
12. In the AD CS Configuration Wizard, on the Credentials page, click Next.
13. On the Role Services page, select Certification Authority, and then click Next.
14. On the Setup Type page, select Standalone CA, and then click Next.
15. On the CA Type page, ensure that Root CA is selected, and then click Next.
16. On the Private Key page, ensure that Create a new private key is selected, and then
click Next.
17. On the Cryptography for CA page, keep the default selections for Cryptographic
Service Provider (CSP) and Hash Algorithm, but set the Key length to 4096, and then
click Next.
18. On the CA Name page, in the Common name for this CA box, type AdatumRootCA,
and then click Next.
19. On the Validity Period page, click Next.
20. On the CA Database page, click Next.
21. On the Confirmation page, click Configure.
22. On the Results page, click Close.
23. On the Installation progress page, click Close.
24. On LONCA1, in Server Manager, click Tools, and then click Certification Authority.
25. In the certsrv – [Certification Authority (Local)] console, rightclick AdatumRootCA,
and then click Properties.
26. In the AdatumRootCA Properties dialog box, click the Extensions tab.
27. On the Extensions tab, in the Select extension dropdown list box, click CRL
Distribution Point (CDP), and then click Add.
28. In the Location box, type http://lonsvr1.adatum.com/CertData/, in the Variable
dropdown list box, click <CaName>, and then click Insert.
29. In the Variable dropdown list box, click <CRLNameSuffix>, and then click Insert.
30. In the Variable dropdown list box, click <DeltaCRLAllowed>, and then click Insert.
31. In the Location box, position the cursor at the end of the URL, type .crl, and then click
OK.
32. Select the following options, and then click Apply:
• Include in the CDP extension of issued certificates
• Include in CRLs. Clients use this to find Delta CRL locations
33. In the Certification Authority popup window, click No.
34. In the Select extension dropdown list box, click Authority Information Access (AIA),
and then click Add.
35. In the Location box, type http://lonsvr1.adatum.com/CertData/, in the Variable
dropdown list box, click <ServerDNSName>, and then click Insert.
36. In the Location box, type an underscore (_),in the Variable dropdown list box, click
<CaName>, and then click Insert. Position the cursor at the end of the URL.
37. In the Variable dropdown list box, click <CertificateName>, and then click Insert.
38. In the Location box, position the cursor at the end of the URL, type .crt, and then click
OK.
39. Select the Include in the AIA extension of issued certificates check box, and then
click OK.
40. Click Yes to restart the Certification Authority service.
41. In the Certification Authority console, expand AdatumRootCA, rightclick Revoked
Certificates, point to All Tasks, and then click Publish.
42. In the Publish CRL window, click OK.
43. Rightclick AdatumRootCA, and then click Properties.
44. In the AdatumRootCA Properties dialog box, click View Certificate.
45. In the Certificate dialog box, click the Details tab.
46. On the Details tab, click Copy to File.
47. In the Certificate Export Wizard, on the Welcome page, click Next.
48.
On the Export File Format page, select DER encoded binary X.509 (.CER), and then
click Next.
49. On the File to Export page, click Browse. In the File name box, type \\lonsvr1\C$,
and then press Enter.
50. In the File name box, type RootCA, click Save, and then click Next.
51. Click Finish, and then click OK three times.
52. Open a File Explorer window, and browse to
C:\Windows\System32\CertSrv\CertEnroll.
53. In the Cert Enroll folder, click both files, rightclick the highlighted files, and then click
Copy.
54. In the File Explorer address bar, type \\lonsvr1\C$, and then press Enter.
55. Rightclick the empty space, and then click Paste.
56. Close File Explorer.
Task 2: Creating a DNS host record for LONCA1 and configure sharing
1. ON LONDC1, in the Server Manager, click Tools, and then click DNS.
2. In the DNS Manager console, expand LONDC1, expand Forward Lookup Zones,
click Adatum.com, rightclick Adatum.com, and then click New Host (A or AAAA).
3. In the New Host window, in the Name box, type LONCA1.
4. In the IP address window, type 172.16.0.40, click Add Host, click OK, and then click
Done.
5. Close the DNS Manager.
6. Switch to LONCA1.
7. On the Start screen, click Control Panel.
8. In the Control Panel window, click View network status and tasks.
9. In the Network and Sharing Center window, click Change advanced sharing settings.
10. Under Guest or Public (current profile), select the Turn on file and printer sharing
option, and then click Save changes.
Results: After completing this exercise, you will have deployed a root standalone
certification authority (CA).
Exercise 2: Deploying an Enterprise Subordinate CA
Task 1: Install and configure AD CS on LONSVR1
1. Sign in to LONSVR1 as Adatum\Administrator with the password Pa$$w0rd.
2. In the Server Manager, click Add roles and features.
3. On the Before You Begin page, click Next.
4. On the Select installation type page, click Next.
5. On the Select destination server page, click Next.
6. On the Select server roles page, select Active Directory Certificate Services.
7. When the Add Roles and Features Wizard displays, click Add Features, and then click
Next.
8. On the Select features page, click Next.
9. On the Active Directory Certificate Services page, click Next.
10. On the Select role services page, ensure that Certification Authority is selected
already, and then select Certification Authority Web Enrollment.
11.
When the Add Roles and Features Wizard displays, click Add Features, and then click
Next.
12. On the Confirm installation selections page, click Install.
13. On the Installation progress page, after installation is successful, click the text
Configure Active Directory Certificate Services on the destination server.
14. In the AD CS Configuration Wizard, on the Credentials page, click Next.
15. On the Role Services page, select both Certification Authority and Certification
Authority Web Enrollment, and then click Next.
16. On the Setup Type page, select Enterprise CA, and then click Next.
17. On the CA Type page, click Subordinate CA, and then click Next.
18. On the Private Key page, ensure that Create a new private key is selected, and then
click Next.
19. On the Cryptography for CA page, keep the default selections, and then click Next.
20. On the CA Name page, in the Common name for this CA box, type Adatum
IssuingCA, and then click Next.
21. On the Certificate Request page, ensure that Save a certificate request to file on the
target machine is selected, and then click Next.
22. On the CA Database page, click Next.
23. On the Confirmation page, click Configure.
24. On the Results page, click Close.
25. On the Installation progress page, click Close.
Task 2: Install a subordinate CA certificate
1. On LONSVR1, open a File Explorer window, and then navigate to Local Disk (C:).
2. Rightclick RootCA.cer, and then click Install Certificate.
3. In the Certificate Import Wizard, click Local Machine, and then click Next.
4. On the Certificate Store page, click Place all certificates in the following store, and
then click Browse.
5. Select Trusted Root Certification Authorities, click OK, click Next, and then click
Finish.
6. When the Certificate Import Wizard window appears, click OK.
7. In the File Explorer window, select the AdatumRootCA.crl and LON
CA1_AdatumRootCA.crt files, rightclick the files, and then click Copy.
8. Doubleclick inetpub.
9. Doubleclick wwwroot.
10. Create a new folder, and then name it CertData.
11. Paste the two copied files into that folder.
12. Switch to Local Disk (C:).
13. Rightclick the file LONSVR1.Adatum.com_AdatumLONSVR1CA.req, and then
click Copy.
14. In the File Explorer address bar, type \\LONCA1\C$, and then press Enter.
15. In the File Explorer window, rightclick an empty space, and then click Paste. Make
sure that the request file is copied to LONCA1.
16. Switch to the LONCA1server.
17. In the Certificate Authority console, rightclick AdatumRootCA, point to All Tasks,
and then click Submit new request.
18. In the Open Request File window, navigate to Local Disk (C:), click file LON
SVR1.Adatum.com_AdatumLONSVR1CA.req, and then click Open.
19.
In the Certification Authority console, click the Pending Requests container. Right
click Pending Requests, and then click Refresh.
20. In the details pane, rightclick the request (with ID 2), point to All Tasks, and then click
Issue.
21. In the Certification Authority console, click the Issued Certificates container.
22. In the details pane, doubleclick the certificate, click the Details tab, and then click
Copy to File.
23. In the Certificate Export Wizard, on the Welcome page, click Next.
24. On the Export File Format page, click Cryptographic Message Syntax Standard –
PKCS #7 Certificates (.P7B), click Include all certificates in the certification path if
possible, and then click Next.
25. On the File to Export page, click Browse.
26. In the File name box, type \\lonsvr1\C$, and then press Enter.
27. In the File name box, type SubCA, click Save, click Next, click Finish, and then click
OK twice.
28. Switch to LONSVR1.
29. In the Server Manager, click Tools, and then click Certification Authority.
30. In the Certification Authority console, rightclick AdatumIssuingCA, point to All
Tasks, and then click Install CA Certificate.
31. Navigate to Local Disk (C:), click the SubCA.p7b file, and then click Open.
32. Wait for 15 to 20 seconds, and then on the toolbar, click the green icon to start the CA
service.
33. Ensure that the CA starts successfully.
Task 3: Publish the root CA certificate through Group Policy
1. On LONDC1, on the taskbar, click the Server Manager icon.
2. In the Server Manager, click Tools, and then click Group Policy Management.
3. In the Group Policy Management Console, expand Forest: Adatum.com, expand
Domains, expand Adatum.com, rightclick Default Domain Policy, and then click
Edit.
4. In the Computer Configuration node, expand Policies, expand Windows Settings,
expand Security Settings, expand Public Key Policies, rightclick Trusted Root
Certification Authorities, click Import, and then click Next.
5. On the File to Import page, click Browse.
6. In the file name box, type \\lonsvr1\C$, and then press Enter.
7. Click file RootCA.cer, and then click Open.
8. Click Next two times, and then click Finish.
9. When the Certificate Import Wizard window appears, click OK.
10. Close the Group Policy Management Editor and the Group Policy Management Console.
Task 4: Prepare for the next lab
Keep all virtual machines running for the next lab. Do not revert any virtual machines.
Results: After completing this exercise, you will have deployed and configured an
enterprise subordinate CA.
Lab B: Deploying and Managing Certificates
Exercise 1: Configuring Certificate Templates
Task 1: Create a new template based on the web server template
1. On LONSVR1, in the Certification Authority console, expand AdatumIssuingCA,
rightclick Certificate Templates, and then select Manage.
2. In the Certificate Templates console, locate the Web Server template in the list, right
click it, and then click Duplicate Template.
3. Click the General tab.
4. In the Template display name field, type Adatum WebSrv, and set the Validity period
to 3 years.
5. Click the Request Handling tab, select Allow private key to be exported, and then
click OK.
Task 2: Create a new template for users that includes smart card logon
1. In the Certificate Templates console, rightclick the User certificate template, and then
click Duplicate Template.
2. In the Properties of New Template dialog box, click the General tab, and then in the
Template display name text box, type Adatum User.
3. On the Subject Name tab, clear both the Include email name in subject name and the
Email name check boxes.
4. On the Extensions tab, click Application Policies, and then click Edit.
5. In the Edit Application Policies Extension dialog box, click Add.
6. In the Add Application Policy dialog box, select Smart Card Logon, and then click
OK twice.
7. Click the Superseded Templates tab, and then click Add.
8. Click the User template, and then click OK.
9. On the Security tab, click Authenticated Users. Under Permissions for Authenticated
Users, select the Allow check box for Read, Enroll, and Autoenroll, and then click
OK.
10. Close the Certificate Templates console.
Task 3: Configure the templates so that they can be issued
1. On LONSVR1, in the Certification Authority console, rightclick Certificate
Templates, point to New, and then click Certificate Template to Issue.
2. In the Enable Certificate Templates window, select Adatum User and Adatum
WebSrv, and then click OK.
Task 4: Update the web server certificate on the LONSVR2 web server
1. Sign in to LONSVR2 as Adatum\Administrator with the password Pa$$w0rd.
2. From the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell® prompt, type gpupdate /force, and then press Enter.
4. If prompted, restart the server, and sign in as Adatum\Administrator with the password
Pa$$w0rd.
5. On the taskbar, click the Server Manager icon.
6. From Server Manager, click Tools, and then click Internet Information Services (IIS)
Manager.
7. In the IIS console, click LONSVR2 (ADATUM\Administrator), at the Internet
Information Services (IIS) Manager prompt, click No, and then in the central pane,
doubleclick Server Certificates.
8. In the Actions pane, click Create Domain Certificate.
9.
On the Distinguished Name Properties page, complete the following fields, and then
click Next:
• Common name: lonsvr2.adatum.com
• Organization: Adatum
• Organizational Unit: IT
• City/locality: Seattle
• State/province: WA
• Country/region: US
10. On the Online Certification Authority page, click Select.
11. Click AdatumIssuingCA, and then click OK.
12. In the Friendly name text box, type lonsvr2, and then click Finish.
13. Ensure that the certificate displays in the Server Certificates console.
14. In the IIS console, expand LONSVR2, expand Sites, and then click Default Web Site.
15. In the Actions pane, click Bindings.
16. In the Site Bindings window, click Add.
17. In the Type dropdown list box, click https.
18. In the SSL certificate dropdown list box, click lonsvr2, click OK, and then click
Close.
19. Close the IIS console.
Results: After completing this exercise, you will have created and published new
certificate templates.
Exercise 2: Configuring Certificate Enrollment
Task 1: Configure autoenrollment for users
1. On LONDC1, in the Server Manager, click Tools, and then click Group Policy
Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, rightclick
Default Domain Policy, and then click Edit.
3. Expand User Configuration, expand Policies, expand Windows Settings, expand
Security Settings, and then click to highlight Public Key Policies.
4. In the right pane, doubleclick Certificate Services Client – AutoEnrollment.
5. In the Configuration Model dropdown list box, click Enabled.
6. Select the Renew expired certificates, update pending certificates, and remove
revoked certificates option.
7. Select the Update certificates that use certificate templates option.
8. Click OK to close the properties window.
9. In the right pane, doubleclick the Certificate Services Client – Certificate Enrollment
Policy object.
10. On the Enrollment Policy tab, set the Configuration Model to Enabled, and ensure
that the certificate enrollment policy list displays the Active Directory Enrollment
Policy (it should have a checkmark next to it, and display a status of Enabled).
11. Click OK to close the window.
12. Close both the Group Policy Management Editor and the Group Policy Management
console.
Task 2: Verify autoenrollment
1. On LONSVR1, from the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type gpupdate /force, and then press Enter.
3. After the policy refreshes, type mmc.exe, and then press Enter.
4. In Console1, click File, and then in the File menu, click Add/Remove Snapin.
5. Click Certificates, and then click Add.
6. Click Finish, and then click OK.
7. Expand Certificates – Current User, expand Personal, and then click Certificates.
8. Verify that a certificate based on Adatum User template is issued for Administrator.
9. Close Console1. Click No without saving the changes.
Task 3: Configure the Enrollment Agent for smart card certificates
1. On LONSVR1, in the Server Manager console, click Tools, and then open
Certification Authority.
2. In the certsrv console, expand AdatumIssuingCA, rightclick Certificate Templates,
and then click Manage.
3. In the Certificate Templates console, doubleclick Enrollment Agent.
4. Click the Security tab, and then click Add.
5. In the Select Users, Computers, Service Accounts, or Groups window, type Allie, click
Check Names, and then click OK.
6. On the Security tab, click Allie Bellew, select Allow for Read and Enroll permissions,
and then click OK.
7. Close the Certificate Templates console.
8. In the certsrv console, rightclick Certificate Templates, point to New, and then click
Certificate Template to Issue.
9. In the list of templates, click Enrollment Agent, and then click OK.
10. Switch to LONCL1, and sign in as Adatum\Allie with the password Pa$$w0rd.
11. Open a commandprompt window, at the command prompt, type mmc.exe, and then
press Enter.
12. In Console1, click File, and then click Add/Remove Snapin.
13. Click Certificates, click Add, and then click OK.
14. Expand Certificates – Current User, expand Personal, click Certificates, rightclick
Certificates, point to All Tasks, and then click Request New Certificate.
15. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
16. On the Select Certificate Enrollment Policy page, click Next.
17. On the Request Certificates page, select Enrollment Agent, and then click Enroll.
18. Click Finish.
19. Switch to LONSVR1.
20. In the Certification Authority console, rightclick AdatumIssuingCA, and then click
Properties.
21. Click the Enrollment Agents tab.
22. Click Restrict Enrollment agents.
23. On the popup window that displays, click OK.
24. In the Enrollment agents section, click Add.
25. In the Select User, Computer or Group field, type Allie, click Check Names, and then
click OK.
26. Click Everyone, and then click Remove.
27. In the certificate templates section, click Add.
28. In the list of templates, select Adatum User, and then click OK.
29. In the Certificate Templates section, click <All>, and then click Remove.
30. In the Permission section, click Add.
31. In the Select User, Computer or Group field, type Marketing, click Check Names,
and then click OK.
32. In the Permission section, click Everyone, and then click Remove.
33. Click OK.
Results: After completing this exercise, you will have configured and verified
autoenrollment for users, and configured an Enrollment Agent for smart cards.
Exercise 3: Configuring Certificate Revocation
Task 1: Configure certified revocation list (CRL) distribution
1. On LONSVR1, in the Certification Authority console, rightclick Revoked
Certificates, and then click Properties.
2. In the Revoked Certificates Properties dialog box, set the CRL publication interval
to 1 Days, and the Delta CRL publication interval to 1 Hours, and then click OK.
3. Rightclick AdatumIssuingCA, and then click Properties.
4. In the AdatumIssuingCA Properties dialog box, click the Extensions tab, and review
the values for CDP.
5. Click Cancel.
Task 2: Install and configure an Online Responder
1. On LONSVR1, on the taskbar, click the Server Manager icon.
2. In the Server Manager, click Add roles and features.
3. Click Next three times.
4. On the Select server roles page, expand Active Directory Certificate Services (2 of 6
Installed), and then click Online Responder.
5. Click Add Features.
6. Click Next two times, and then click Install.
7. When the message displays that installation succeeded, click Configure Active
Directory Certificate Services on the destination server.
8. In the Active Directory® Certificate Services (AD CS) Configuration Wizard, click
Next.
9. Click Online Responder, and then click Next.
10. Click Configure, and then click Close two times.
11. On LONSVR1, open the Certification Authority console.
12. In the Certification Authority console, rightclick AdatumIssuingCA, and then click
Properties.
13. In the AdatumIssuingCA Properties dialog box, on the Extensions tab, in the Select
extension list, click Authority Information Access (AIA), and then click Add.
14. In the Add Location dialog box, type http://LONSVR1/ocsp, and then click OK.
15. Select the Include in the AIA extension of issued certificates check box.
16. Select the Include in the online certificate status protocol (OCSP) extension check
box, and then click OK.
17. In the Certificate Authority dialog box, restart AD CS by clicking Yes.
18. In the certsrv console, expand AdatumIssuingCA, rightclick the Certificate
Templates folder, and then click Manage.
19. In the Certificate Templates console, doubleclick the OCSP Response Signing
template.
20. In the OCSP Response Signing Properties dialog box, click the Security tab, under
Permissions for Authenticated Users, select Allow for the Enroll check box, and then
click OK.
21. Close the Certificate Templates console.
22. In the Certification Authority console, rightclick the Certificate Templates folder,
point to New, and then click Certificate Template to Issue.
23. In the Enable Certificate Templates dialog box, select the OCSP Response Signing
template, and then click OK.
24. On LONSVR1, in the Server Manager, click Tools, and then click Online Responder
Management.
25. In the OCSP Management console, rightclick Revocation Configuration, and then
click Add Revocation Configuration.
26. In the Add Revocation Configuration Wizard, click Next.
27. On the Name the Revocation Configuration page, in the Name box, type AdatumCA
Online Responder, and then click Next.
28. On the Select CA Certificate Location page, click Next.
29. On the Choose CA Certificate page, click Browse, click the AdatumIssuingCA
certificate, click OK, and then click Next.
30. On the Select Signing Certificate page, verify that Automatically select a signing
certificate is selected and AutoEnroll for an OCSP signing certificate are both
selected, and then click Next.
31. On the Revocation Provider page, click Finish. The revocation configuration status
will appear as Working.
32. Close the Online Responder console.
Results: After completing this exercise, you will have configured certificate revocation
settings.
Exercise 4: Configuring Key Recovery
Task 1: Configure the CA to issue KRA certificates
1. On LONSVR1, open the Certification Authority console.
2. In the Certification Authority console, expand the AdatumIssuingCA node, rightclick
the Certificates Templates folder, and then click Manage.
3. In the Details pane, rightclick the Key Recovery Agent certificate, and then click
Properties.
4. In the Key Recovery Agent Properties dialog box, click the Issuance Requirements
tab.
5. Clear the CA certificate manager approval check box.
6. Click the Security tab. Notice that Domain Admins and Enterprise Admins are the only
groups that have the Enroll permission, and then click OK.
7. Close the Certificate Templates console.
8. In the Certification Authority console, rightclick Certificate Templates, point to New,
and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, click the Key Recovery Agent
template, and then click OK.
10. Close the Certification Authority console.
Task 2: Acquire the KRA certificate
1. On LONSVR1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type MMC.exe, and then press Enter.
3. In the Console1[Console Root] console, click File, and then click Add/Remove Snap
in.
4. In the Add or Remove Snapins dialog box, click Certificates, and then click Add.
5. In the Certificates snapin dialog box, select My user account, click Finish, and then
click OK.
6. Expand the Certificates Current User node, rightclick Personal, point to All Tasks,
and then click Request New Certificate.
7. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next.
8. On the Select Certificate Enrollment Policy page, click Next.
9. On the Request Certificates page, select the Key Recovery Agent check box, click
Enroll, and then click Finish.
10. Refresh the console, and view the Key Recovery Agent (KRA) in the personal store; that
is, scroll across the certificate properties and verify that the Certificate Template Key
Recovery Agent is present.
11. Close Console1 without saving changes.
Task 3: Configure the CA to allow key recovery
1. On LONSVR1, open the Certification Authority console.
2. On LONSVR1, in the Certification Authority console, rightclick AdatumIssuingCA,
and then click Properties.
3. In the AdatumIssuingCA Properties dialog box, click the Recovery Agents tab, and
then select Archive the key.
4. Under Key recovery agent certificates, click Add.
5. In the Key Recovery Agent Selection dialog box, click the certificate that is for the Key
Recovery Agent purpose (it will most likely be last on the list, or you can click the link
Click here to view the certificate properties for each certificate on the list to ensure
that you select the right certificate), and then click OK twice.
6. When prompted to restart the CA, click Yes.
Task 4: Configure a custom template for key archival
1. On LONSVR1, in the Certification Authority console, rightclick the Certificates
Templates folder, and then click Manage.
2. In the Certificate Templates console, rightclick the User certificate, and then click
Duplicate Template.
3. In the Properties of New Template dialog box, on the General tab, in the Template
display name box, type Archive User.
4. On the Request Handling tab, select the Archive subject's encryption private key
check box.
5. If a popup window displays, click OK.
6. Click the Subject Name tab, clear both the Email name and Include email name in
subject name check boxes, and then click OK.
7. Close the Certificate Templates console.
8. In the Certification Authority console, rightclick the Certificates Templates folder,
point to New, and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, click the Archive User template, and
then click OK.
10. Close the Certification Authority console.
Task 5: Verify key archival functionality
1. Sign in to LONCL1 as Adatum\Aidan, using the password Pa$$w0rd.
2. On the Start screen, type mmc.exe, and then press Enter. Click Yes in the User Account
Control dialog box.
3. In the Console1[Console Root] console, click File, and then click Add/Remove Snap
in.
4. In the Add or Remove Snapins dialog box, click Certificates, click Add, click Finish,
and then click OK.
5. Expand the Certificates Current User node, rightclick Personal, click All Tasks, and
then click Request New Certificate.
6. In the Certificate Enrollment Wizard, on the Before You Begin page, click Next twice.
7. On the Request Certificate page, select the Archive User check box, click Enroll, and
then click Finish.
8. Refresh the console, and notice that a certificate is issued to Aidan, based on the
Archive User certificate template.
9. Simulate the loss of a private key by deleting the certificate. In the central pane, right
click the certificate that you just enrolled, select Delete, and then click Yes to confirm.
10. Switch to LONSVR1.
11. Open the Certification Authority console, expand AdatumIssuingCA, and then click
the Issued Certificates store.
12. In the details pane, doubleclick a certificate with Requestor Name Adatum\Aidan, and
Certificate Template name Archive User.
13. Click the Details tab, copy the Serial Number, and then click OK. (You may either
copy the number to Notepad—select it and press CTRL+C— or write it down on paper.)
14. On the taskbar, click the Windows PowerShell icon.
15. At the Windows PowerShell prompt, type the following command (where <serial
number> is the serial number that you copied), and then press Enter:
16. Verify that the outputblob file now displays in the C:\Users\Administrator.Adatum
folder.
17. To convert the outputblob file into a .pfx file, at the Windows PowerShell prompt, type
the following command, and then press Enter:
18. When prompted for the new password, type Pa$$w0rd, and then confirm the password.
19. After the command executes, close Windows PowerShell.
20. Browse to C:\Users\Administrator.ADATUM, and then verify that aidan.pfx—the
recovered key—is created.
21. Switch to LONCL1 machine.
22. On the Start screen, type Control Panel and then click Control Panel.
23. In the Control Panel window, click View network status and tasks.
24. In the Network and Sharing Center window, click Change advanced sharing settings.
25. Under Guest or Public (current profile), select the option Turn on file and printer
sharing.
26. Click Save changes.
27. If asked for credentials, use Adatum\administrator as the user name, and Pa$$w0rd as
the password.
28. Switch back to the LONSVR1 machine.
29. Copy the aidan.pfx file to \\loncl1\C$.
30. Switch to LONCL1, and ensure that you are still signed in as Aidan.
31. Browse to drive C, and doubleclick the aidan.pfx file.
32. On the Welcome to the Certificate Import Wizard page, click Next.
33. On the File to Import page, click Next.
34. On the Password page, enter Pa$$w0rd as the password, and then click Next.
35. On the certificate store page, click Next, click Finish, and then click OK.
36. In the Console1[Console Root\Certificates Current User\Personal\Certificates],
expand the Certificates Current User node, expand Personal, and then click
Certificates.
37. Refresh the console, and verify that the certificate for Aidan is restored.
Task 6: Prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete
the following steps.
1. On the host computer, start HyperV® Manager.
2. On the Virtual Machines list, rightclick 20412DLONDC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps two and three for 20412DLONCL1, 20412DLONSVR1, 20412DLON
CA1, and 20412DLONSVR2.
Results: After completing this exercise, you will have implemented key archival and tested
private key recovery.