
A.18. Chapter 15: Issuing Certificates

Q: Assume that a custom version 2 certificate template is created for code signing that requires CA certificate manager approval. What enrollment method should you use for deploying the custom code-signing certificates to the three members of the Quality Assurance team if you perform the request from a Windows XP client computer?
A: The Certificate Services Web Enrollment site method is recommended because the Web site implements cookies to allow the Windows XP user to return and complete a pending certificate request.

Q: If the user had a Windows Vista client, are other options available for enrollment?
A: Yes, the Windows Vista Certificates console allows the initiation and completion of pending certificate requests. In fact, the enrollment can be initiated using the Web Enrollment pages and completed using the Certificate Enrollment wizard.

Q: Assume that a custom version 2 certificate template is created for EFS certificates. What options must be enabled in the certificate template to permit autoenrollment for all users in the Lucerne Publishing forest?
A: The certificate template must assign all users Read, Enroll, and Autoenroll permissions.

Q: Where must you configure Group Policy to enable autoenrollment of the custom EFS certificate to all users in the LucernePublish.msft domain?
A: You must configure a GPO linked to the LucernePublish.msft domain that selects all Autoenrollment Settings check boxes in User Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings.

Q: Does autoenrollment deploy custom EFS certificates to all users of laptops running Windows 2000, Windows XP, and Windows Vista? Why or why not?
A: No. Autoenrollment Settings deploy custom EFS certificates only to users with Windows XP or Windows Vista laptops.

Q: What method of enrollment allows EFS certificates to be deployed to users of laptops running Windows 2000 without user intervention?
A: Lucerne Publishing can develop a Microsoft Visual Basic script that utilizes the Certificate Enrollment Control to submit a request for the custom EFS certificate. To provide automation, this script can be executed at logon to automate the distribution of the custom EFS certificate.

Q: Assume that the default EFS Recovery Agent certificate template is modified so that only the two EFS recovery agents are assigned Read and Enroll permissions for the certificate template. What enrollment method(s) can they use to acquire their EFS Recovery Agent certificates?
A: The agents can use any manual enrollment method, such as the Certificates MMC console focused on the current user or the Certificate Services Web Enrollment pages, to request their EFS Recovery Agent certificates.

Q: Assuming that the default IPsec certificate is used for the IPsec tunnel mode project, do you use ACRS or Autoenrollment Settings to automate the deployment of IPsec certificates to computers running Windows Server 2008 at the corporate office?
A: You must use ACRS to deploy the IPsec certificates. The IPsec certificate is a version 1 certificate that can be deployed only by using ACRS.

Q: What must be done to the IPsec certificate template and the Automatic Certificate Request Settings Group Policy setting to enable automatic enrollment of the IPsec certificates by computers running Windows Server 2008?
A: The permissions on the IPsec certificate template must enable Read and Enroll permissions for a group that contains the Windows Server 2003 computer accounts. A Group Policy that enables the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings GPO with the IPsec certificate template must be linked to the OU containing the Windows Server 2008 computer accounts.

Q: What must be done to the IPsec certificate template and the Autoenrollment Settings Group Policy setting to enable automatic enrollment of the IPsec certificates by computers running Windows Server 2008?
A: The IPsec certificate must be duplicated to create a custom version 2 certificate template. The permissions on the custom IPsec certificate template must enable Read, Enroll, and Autoenroll permissions for a group that contains the Windows Server 2003 computer accounts. Finally, the Autoenrollment Settings Group Policy must be linked to an OU containing the computer accounts and enable all options in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings.

Q: How do you deploy IPsec certificates to the third-party VPN devices at the remote offices?
A: A PKCS #10 request file can be created at each third-party VPN device and submitted to an enterprise CA by using the Certificate Services Web Enrollment pages.


  
