SIA316: Business Ready Security. Help securely enable business by managing risk and empowering people.

Speakers:
• Chris Macaulay, Program Manager, Microsoft
• Masakazu Asano, Technical Team Manager, GlobalSign K.K. (Japan)
• Steve Roylance, Business Development Director, GlobalSign Limited (UK)

Identity: a highly secure and interoperable platform. From: Block, Cost, Siloed. To: Enable, Value, Seamless.

Agenda
• Session goals
• Conceptual enrollment architecture
• Using enrollment web services with GlobalSign
• GlobalSign enrollment architecture
• Windows enrollment architecture
• Using enrollment web services in the enterprise
• Summary

Session Goals
• Provide an architecture overview of certificate enrollment
• Introduce the Certificate Enrollment Web Services
• Demonstrate scenarios where you can use Certificate Enrollment Web Services: automating the certificate lifecycle for web servers, and extending the reach of the enterprise PKI beyond the corporate network boundaries

Windows 7 Investments
• Strong authentication
• Public key infrastructure: server consolidation, improvement of existing scenarios, enrollment using web services

Conceptual Enrollment Architecture
The Enrollment Client obtains policy from a Policy Authority, which provides certificate enrollment policy to a requestor. Certificate enrollment policy consists of:
• A unique identifier
• A collection of certificate templates
• A collection of certificate issuers
Certificate enrollment policy is the central point of PKI management for administrators.

The full model has four authorities:
• Policy Authority: provides certificate enrollment policy to a requestor
• Certification Authority: receives, processes and responds to certificate requests
• Authentication Authority: provides or validates authentication information
• Identity Authority: provides identity information

Legacy Enrollment in Windows
• Authentication Authority: Kerberos
• Identity Authority: Active Directory
• Policy Authority: Active Directory
1. The client requests certificate enrollment policy from Active Directory over LDAP.
2. The client sends the enrollment request to the ADCS CA over DCOM.
3. The CA issues the certificate and returns it to the client.

Certificate Enrollment Web Services
• Two web services protocols: Certificate Enrollment Policy [MS-XCEP] and Certificate Enrollment [MS-WSTEP]
• HTTPS based, so firewall-friendly
• Practical to implement
• Integrate with non-enterprise issuers: public root integration for web SSL, and hosted PKI
• Make the enterprise better: extend existing PKI investments with little effort and no additional ongoing cost

A Leading Public Certification Authority (Steve Roylance, Business Development Director, GlobalSign Limited (UK); Masakazu Asano, Technical Team Manager, GlobalSign KK (Japan))

Who is GlobalSign?
• Global offices in the US, Europe, Japan and China, part of the GMO Internet group (ticker TSE:9449)
• Certification Authority credentials: second longest operational Certification Authority in Europe; owner of the highly ubiquitous 2048-bit GlobalSign Root CA; WebTrust compliant since 2002; WebTrust for Extended Validation compliant and CABForum member
• Provider of SSL certificates, Digital IDs for people and machines, code (kernel) signing, document security and compliance solutions
• Directly issued over 1.4 million digital certificates; issued over 150,000 SSL server certificates; over 20 million certificates worldwide rely on the public trust provided by the GlobalSign root

The SSL Certificate Business
• SSL certificate deployment continues to grow
[Chart: estimated SSL certificate deployment by validation type (Domain, Organization, Extended); data from Netcraft SSL Survey March 2009 (www.netcraft.com)]
• Legislation and compliance (PCI) and best practice to protect consumers and stakeholders
• Cryptographic technology shift from 1024-bit to 2048-bit in readiness to support NIST's December 31, 2010 guideline
• Ubiquity, while important, now ranks behind lifecycle management tools as the focus for both the SSL certificate provider and the platform vendor

"I need an SSL certificate for my public-facing web server"

Challenges with SSL Certificates
• Certificate Signing Request (CSR) generation (1024-bit versus 2048-bit): industry awareness; inconsistent CSR rules (OIDs, extensions, hashing etc.); lack of standard (or user-friendly) tools for CSR generation
• Limitations in IIS for renewals: limited flexibility to periodically renew (a new CSR is needed); limited flexibility to add subject alternative names during the certificate's lifetime
• General limitations: complicated multi-page web experiences; no yearly (or periodic) automation for renewals; complex terminology for non-tech-savvy buyers

Today's SSL Experience (flow): Register, Create CSR, Validate, Download certificate, Save as…, Install intermediates, Install certificate.

Validation tiers (shown on each enrollment slide):
• Domain Validation (DomainSSL™): challenge response and/or WHOIS verification of domain ownership.
• Organization Validation and authorization (OrganizationSSL™): verification of organizational existence and authorization of the SSL certificate request.
• Extended Validation checking (ExtendedSSL™): validation of business registration details, physical existence and a higher degree of verification of the contract signer's authority.

GlobalSign's New SSL Enrollment (flow): Register, Enroll and Install, Validate.

SSL Certificate Purchasing and Registration (demo, Steve Roylance)
The New SSL Registration Experience (flow): Search, Choose supplier, Choose product, Apply.

Validation and Approval (demo): the three validation tiers above are applied to the request.

Approval and Final Installation (demo, Steve Roylance)
The New SSL Enrollment Experience (flow): Login, Pickup and Install, Complete.

Benefits of Windows and Web Services with GlobalSign
• New Windows APIs oriented around "in session" issuance for a low-friction user experience
• No need for CSR generation!
• Simplifies the purchasing experience with lower requirements from the client
• Web services configuration and enrollment can happen in a single low-prompt interaction
• Renewals can happen automatically!

"It's been almost a year, do I need to renew my SSL certificate?"

Renewal Challenges
• Most SSL websites are long lived, but on average certificates are issued for 1 year
• 65-75% of customers renew (5-10% attrition, 20% stop)
• The process for a renewed certificate is the same as for a new certificate: same request generation and web experience; same validation; same PAIN!
• After renewal, the web server must be reconfigured

Certificate Renewal (demo): Renewal experience: automatic renewal! Automatic update!

SSL Scenario Summary
• SSL certificates are growing in usage
• Consider SSL and EV certificates to protect your intranet, extranet and internet web assets today
• Windows eases the enrollment pain: low-friction enrollment; no-touch and low-touch renewal and lifecycle management
• GlobalSign and Microsoft provide a better-together experience for your certificate needs

SSL Scenario Architecture Overview
• Two new certificate enrollment protocols: Certificate Enrollment Policy [MS-XCEP] and Certificate Enrollment [MS-WSTEP]
• Certificate enrollment policy is configured by GlobalSign using web APIs
• GlobalSign provides the enrollment web services
• Windows autoenrollment retrieves certificate enrollment policy and enrolls for certificates
• Windows autoenrollment renews the certificate
• IIS uses the renewed SSL certificate

GlobalSign Enrollment Architecture
Policy Authority: the GlobalSign Policy Store, configured by GlobalSign and exposed through the Enrollment Policy Web Service. Certification Authority: the GlobalSign CA, exposed through the Enrollment Web Service.
1. The client reads certificate enrollment policy from the Enrollment Policy Web Service over HTTPS.
2. The client sends the enrollment request to the Enrollment Web Service over HTTPS.
3. The GlobalSign CA issues the certificate and returns it to the client.

ADCS Web Services Architecture
• Two new ADCS role features: Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service
• The Certificate Enrollment Policy Web Service uses certificate templates stored in Active Directory
• The Certificate Enrollment Web Service provides the web services for access to a Windows CA
• New Group Policy controls for certificate enrollment policy management

Windows Architecture
Policy Authority: Active Directory, configured through Group Policy and exposed through the ADCS Enrollment Policy Web Service. Certification Authority: the ADCS CA, exposed through the ADCS Enrollment Web Service.
1. The client reads certificate enrollment policy from the ADCS Enrollment Policy Web Service over HTTPS.
2. The client sends the enrollment request to the ADCS Enrollment Web Service over HTTPS.
3. The CA issues the certificate and returns it to the client.
The same flow applies to an existing PKI infrastructure: Active Directory and the Windows ADCS CA stay in place, and the two web services are placed in front of them.

Available Enrollment Operations
• Functional parity with the LDAP/DCOM protocol
• Supports new and renewed certificates
• Supports key archival for encryption certificates
• Supported authentication types: Kerberos; username/password; X.509 certificate
• Windows autoenrollment and the CertEnroll APIs support web services enrollment: no application code change required!

Challenges in Enterprise PKI
• Complexity: the more complex the AD deployment, the more complex the PKI becomes
• Reaching external users: mobile and remote workers are not always on the corporate network
• Managing non-domain-joined machines: employee home machines; non-domain workstations and workload servers
• Engaging with partners: strong authentication is desirable
• Managing internal and external server workloads that use SSL
• In-house PKI expertise: when can I outsource my PKI?

"I need my users to be able to renew certificates automatically, even when disconnected from the corporate network"

Renewal Challenges
• A CA in the extranet seems risky
• How do you renew your VPN certificate (smart card, etc.) when you are on the road?
• Branch office and mobile workers are increasingly common in the "connected" workplace
• The lifecycle costs are too high today

"Renewal Only" for Windows Server
• Windows features a renewal-only mode for the Certificate Enrollment Web Service
• Requires the user to have the original certificate, which is used to sign the renewal request
• Significant attack footprint reduction: wire traffic is well defined and scoped to the renewal operation; the CA remains in the intranet; no Kerberos delegation required
• Windows requires authentication in addition to the existing certificate

Renewing Off the Corporate Network (demo, Chris Macaulay, Program Manager, Microsoft)

Windows AutoEnrollment
• Support for multiple certificate enrollment policies
• Full support of web services enrollment
• Manages several client tasks: the enrollment policy cache; server selection for enrollment operations
• Adds renewal-only request support with web services enrollment
• Runs on all Windows 7 and Windows Server 2008 R2 SKUs
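The policy-driven server selection that the Windows AutoEnrollment and "Renewal Only" slides describe, as an added example that is not part of the deck and not Microsoft's or GlobalSign's code: it parses a constructed [MS-XCEP] GetPoliciesResponse and picks the enrollment endpoint the way a client would. The namespace, element names and clientAuthentication values are this example's reading of [MS-XCEP] and are assumptions; the policy ID and URIs are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace, element names and clientAuthentication values (1 anonymous, 2 Kerberos,
# 4 username/password, 8 X.509) follow this example's reading of [MS-XCEP]: assumptions.
NS = {"ep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"}
AUTH = {1: "anonymous", 2: "kerberos", 4: "password", 8: "x509"}

# Constructed sample response: an intranet Kerberos endpoint plus an extranet
# X.509 endpoint that is renewal-only, as on the "Renewal Only" slide.
SAMPLE = """<GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
  <response>
    <policyID>POLICY-ID-PLACEHOLDER</policyID>
    <policyFriendlyName>Constructed extranet renewal policy</policyFriendlyName>
    <nextUpdateHours>8</nextUpdateHours>
    <policiesNotChanged>false</policiesNotChanged>
  </response>
  <cAs><cA><uris>
    <cAURI><clientAuthentication>2</clientAuthentication>
      <uri>https://ces.intranet.example/CES/kerberos</uri>
      <priority>1</priority><renewalOnly>false</renewalOnly></cAURI>
    <cAURI><clientAuthentication>8</clientAuthentication>
      <uri>https://ces.extranet.example/CES/x509</uri>
      <priority>2</priority><renewalOnly>true</renewalOnly></cAURI>
  </uris></cA></cAs>
</GetPoliciesResponse>"""

def parse_policy(xml_text):
    """Return the policy identifier, friendly name and issuer endpoints."""
    root = ET.fromstring(xml_text)
    resp = root.find("ep:response", NS)
    uris = []
    for u in root.findall("ep:cAs/ep:cA/ep:uris/ep:cAURI", NS):
        uris.append({
            "auth": AUTH.get(int(u.findtext("ep:clientAuthentication", "0", NS)), "unknown"),
            "uri": u.findtext("ep:uri", "", NS),
            "priority": int(u.findtext("ep:priority", "0", NS)),
            "renewal_only": u.findtext("ep:renewalOnly", "false", NS) == "true",
        })
    return {"id": resp.findtext("ep:policyID", "", NS),
            "name": resp.findtext("ep:policyFriendlyName", "", NS), "uris": uris}

def select_ca_uri(xml_text, renewal, client_auth):
    """Endpoint a client would use: only auth types it can perform, renewal-only
    endpoints only when renewing, lowest priority value wins; None if none fits."""
    candidates = [u for u in parse_policy(xml_text)["uris"]
                  if u["auth"] in client_auth and (renewal or not u["renewal_only"])]
    return min(candidates, key=lambda u: u["priority"])["uri"] if candidates else None
```

An off-network client that can only present its existing certificate is steered to the renewal-only extranet endpoint for renewals and gets no endpoint for a fresh enrollment, which is the scoping of exposed operations the slide relies on.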
Summary
• Extranet renewals
• SSL certificate enrollment
• Hosted PKI client opportunities

© 2009 Microsoft Corporation. All rights reserved.