This lab is about deploying and using certificates. Here is the scenario for this lab.

You are working as an administrator at A. Datum Corporation. As it expands, its security requirements are also increasing. The security department in particular is interested in enabling secure access to critical websites and in providing additional security for features such as IPsec, digital signatures, smart cards and the DirectAccess feature in Windows 8.1 and Windows 10. The security department especially wants to evaluate digital signatures in Microsoft Office documents. To address these and other security requirements, Adatum has decided to use certificates issued by the AD CS role in Windows Server 2016.

As a senior network administrator at Adatum, you are responsible for implementing certificate enrollment. You also will be developing the procedures and process for managing certificate templates and for deploying and revoking certificates.

After you complete this lab, you will have configured certificate templates, configured certificate enrollment and usage, and configured and implemented key recovery.

There are three exercises for this lab. Let's start with exercise one.

The scenario: after deploying the CA infrastructure,
the next step is to deploy the certificate templates that the organization requires. First, Adatum wants to implement a new web server certificate and certificates for users. The main tasks for this exercise are as follows. First, you have to create a new template based on the Web Server template. Second, create a new template for users that includes smart cards. Third, configure the templates so that they can be issued. And lastly, enroll the web server certificate on LON-SVR2.

Let's review the steps for Task One, in which you have to create a new template based on the Web Server template. On LON-DC1, in Server Manager, you will have to click Tools and then click Certification Authority. In the Certification Authority console, you have to open the Certificate Templates console, duplicate the Web Server template to create a new template, and then name it Production Web Server. Configure validity for three years, configure the private key as exportable, and publish the CRL on LON-DC1.

Now, Task Two. There are eight steps to complete this task, in which you have to create a new template for users that includes Smart Card Logon.
Step one: on LON-DC1, open the Certification Authority console from Server Manager, then open the Certificate Templates console and duplicate the User certificate template. Name the new template Adatum User, and on the Subject Name tab clear both the Include e-mail name in subject name and the E-mail name check boxes. Then add Smart Card Logon to the application policies of the new certificate template and configure this new template to supersede the User template. The second step is to allow Authenticated Users to read and enroll for the certificate. And finally, close the Certificate Templates console.

Task Three, in which you have to configure the templates so that they can be issued: issue the certificates based on the Adatum User and Production Web Server templates.

Task Four, in which you have to enroll the web server certificate on LON-SVR2. Here are the steps for this task. First, switch to LON-SVR2 in your lab environment. Open Windows PowerShell and then refresh Group Policy. In Server Manager, you have to open Internet Information Services (IIS) Manager and enroll for a domain certificate by using the following settings: Common name: lon-svr2.adatum.com; Organization: Adatum; Organizational unit: IT; City: Seattle; State: WA; Country: US; Friendly name: lon-svr2.
The fifth step for this task is to create an HTTPS binding for the Default Web Site and then associate it with the lon-svr2 certificate. And finally, open Internet Explorer on LON-CL1, navigate to https://lon-svr2.adatum.com, and ensure that the Internet Information Services page opens and that no certificate error displays.

So after completing this exercise, you should have configured certificate templates.

Once you are done with exercise one, let's switch to exercise two, which is enrolling and using certificates. The scenario for this exercise: the next step in implementing a PKI at Adatum is to configure certificate enrollment. Adatum wants to enable different options for distributing the certificates. Users should be able to enroll automatically, and smart card users should get their smart cards from an enrollment agent. Adatum has delegated enrollment agent rights for the Marketing department group to user Annie Connor.

The main tasks for this exercise are as follows. You have to configure auto-enrollment for users, then verify auto-enrollment. The third task is to configure the enrollment agent for smart card certificates, and finally, use user certificates for digitally signing a Microsoft Office document.
So let's switch over to Task One and its steps, in which you have to configure auto-enrollment for users. Step one: for this task, you have to log on to LON-DC1, open Group Policy Management and edit the Default Domain Policy. Then go to User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies. Then enable the Certificate Services Client - Auto-Enrollment option, and enable Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates. The fifth step is to enable the Certificate Services Client policy. And finally, close the Group Policy Management Editor and the Group Policy Management console.

Task Two for this exercise is to verify auto-enrollment. First, you have to open Windows PowerShell on LON-CL1 and then use gpupdate /force to refresh Group Policy. Then open the Microsoft Management Console and add the Certificates snap-in focused on the user account. Then verify that you have been issued a certificate based on the Adatum User template, and sign out of LON-CL1.

After completing this task, switch to Task Three, which is configuring the enrollment agent for a smart card certificate. First, on LON-DC1, from the Certification Authority console,
open the Certificate Templates console. Then allow Annie Connor to enroll for the Enrollment Agent certificate, and publish the Enrollment Agent certificate template. Step four: you have to sign in to LON-CL1 as Adatum\Annie with the password for this user, and then enroll for an Enrollment Agent certificate. Sign out of LON-CL1. Then, on LON-DC1, open the properties of AdatumCA and configure the restricted enrollment agent so that Annie can only issue certificates based on Adatum User for the security group Marketing.

And finally, Task Four, in which you have to use certificates for digitally signing a Microsoft Office document. First, sign in to LON-CL1 as Adatum\Administrator. Open Word 2016, type some text in the new blank document and save the document. Then click Insert in the ribbon and insert a signature line. Fill the signature field with your data, right-click the signature line and then choose to sign the document. Then choose a certificate that you enrolled through auto-enrollment, and after signing the document, make sure that you can alter the document further. Finally, sign out of LON-CL1.
When you're done with exercise two, switch to Exercise Three, which is configuring and implementing key recovery. The scenario for this exercise: as another part of establishing a PKI, you want to configure the test procedures for private key recovery. You want to assign a key recovery agent (KRA) certificate to an administrator and configure a CA and specific certificate templates to allow key archival. In addition, you want to test a procedure for key recovery.

The main tasks for this exercise are as follows. First, configure the certification authority to issue KRA certificates. Second, acquire the KRA certificate. Third, configure the CA to allow key recovery. Fourth, configure a custom template for key archival. Fifth, verify key archival functionality.

So let's start with Task One, in which you have to configure the certification authority to issue KRA certificates. On LON-DC1, in the Certification Authority console, right-click the Certificate Templates folder and then click Manage. In the Certificate Templates console, open the Key Recovery Agent certificate properties dialog box, and on the Issuance Requirements tab clear the CA certificate manager approval check box. Then, on the Security tab, notice that only the Domain Admins and Enterprise Admins groups have the Enroll permission.
And finally, right-click the Certificate Templates folder and then issue the Key Recovery Agent template.

Task Two, in which you have to acquire the KRA certificate. First, open the Microsoft Management Console and add the Certificates snap-in for the current user. Then use the Certificate Enrollment wizard to request a new certificate and enroll for the KRA certificate, and finally refresh the console and verify that the KRA certificate is in the Personal store.

Task Three, in which you have to configure the CA to allow key recovery. On LON-DC1, open the Certification Authority console and then open the AdatumCA properties dialog box. On the Recovery Agents tab, click Archive the key and then add the certificate by using the Key Recovery Agent Selection dialog box, then restart Certificate Services when prompted.

After that, switch to Task Four, in which you have to configure a custom template for key archival. On LON-DC1, open the Certificate Templates console. Step two: duplicate the User template and name it Archive User. Then, on the Request Handling tab, select the Archive subject's encryption private key option. By using the archive key option, the KRA can obtain the private key from the certificate store.
Then click the Subject Name tab and clear the E-mail name and Include e-mail name in subject name check boxes. And finally, issue the Archive User template.

The last task for this exercise is to verify key archival functionality. For this, you have to sign in to LON-CL1 as the Adatum\Aidan user, open the Microsoft Management Console and add the Certificates snap-in for the current user. Then, in step three, you have to request and enroll for a new certificate based on the Archive User template. After that, from the Personal store, locate the Archive User certificate. Step five is to delete the certificate for Aidan to simulate a lost key. Then switch to LON-DC1 and open the Certification Authority console. You have to expand AdatumCA and then click the Issued Certificates store. In the Certification Authority console, note the serial number of the certificate that has been issued for Aidan Delaney. Then, on LON-DC1, open a command prompt and run the following command: certutil -getkey <serial number> outputblob. You have to replace the serial number option with the serial number that you wrote down. If you copy and paste the serial number, remove the spaces between the numbers.
The next step is to verify that the outputblob file now displays in the C:\Users\Administrator folder.

Step 11 is to convert the outputblob file into an importable .pfx file. At the command prompt, type the following command: certutil -recoverkey outputblob aidan.pfx. Then enter and confirm the password for the certificate, and verify the creation of the recovered key in the C:\Users\Administrator folder.

Then switch to LON-CL1, open File Explorer and connect to \\lon-dc1.adatum.com\c$. When prompted for credentials, use Adatum\Administrator with the password for this account. Copy the Aidan.pfx file from this share to C:\Users\Aidan on LON-CL1. Then, on LON-CL1, import the Aidan.pfx certificate and verify that the certificate displays in the Personal store.

This wraps up the lab for this course. If you have some questions and cannot perform some task, please consider reviewing the next lecture, in which I'll show all the steps for this lab.