Writing /var/www/html/john.de-graaff.net/webroot/wiki/data/cache/b/bf111e76e59a388c9525e3ec822a9d12.xhtml failed

Differences

This shows you the differences between two versions of the page.

--- links:pki [2015/09/21 10:17]
jdg
+++ links:pki [2019/03/06 07:33]
@@ Line 1: / Line 1: @@
-====== PKI ======
-  * tags: PKI, RSA, X509, SSL, HTTPS, Encryption, Digital Signatures, CA
-  * [[:links:tls]]
-  * [[:links:ipv6]]
-===== Definitions =====
-  * PKI = [[wp>Public_key_infrastructure|Public Key Infrastructure]]
-  * [[wp>Public-key_cryptography|Public Key Cryptography]]
-  * [[wp>Digital_signature|Digital Signature]]
-  * [[wp>Public_key_certificate|Public Key Certificate]]
-  * [[wp>X.509]]
-  * TLS = [[wp>Transport_Layer_Security|Transport Layer Security]]
-  * Certificate Revocation, published by either of these methods:
-    * CRL = [[wp>Revocation_list|Certificate Revocation List]]
-    * delta CRL
-    * OCSP ([[wp>Online_Certificate_Status_Protocol|Online Certificate Status Protocol]])
-      * OCSP is [[https://tools.ietf.org/html/rfc5019|RFC-5019]] \\ "The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments"
-      * [[https://tools.ietf.org/html/rfc6960|RFC-6960]] \\ "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP" \\ <code>
-.1.  Request Syntax
-... The actual formatting of the message could vary, depending
-on the transport mechanism used (HTTP, SMTP, LDAP, etc.).
-Appendix A.  OCSP over HTTP
-A.1.  Request
-GET {url}/{url-encoding of base-64 encoding of the DER encoding of
-   the OCSPRequest}
-An OCSP request using the POST method is constructed as follows: The
-   Content-Type header has the value "application/ocsp-request", ...
-</code>
-      * //Most OCSP responders get their data from published CRLs and are therefore reliant on the publishing frequency of the CA.//
-      * About [[https://www.grc.com/revocation/ocsp-must-staple.htm|OCSP Stapling]]
-  * AIA = [[wp>PKI_Resource_Query_Protocol#Certificate_Extensions|Authority Information Access]] (defined in [[https://www.ietf.org/rfc/rfc3280.txt|RFC-3280]])
-  * PRQP = [[wp>PKI_Resource_Query_Protocol|PKI Resource Query Protocol]] is similar (in concept) to a 'DNS for PKI resources'
-===== PEN =====
-  * [[http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/|Kazmierczak]] recommends: \\ //If implementing in organizations, DO use templates OID to differentiate company’s policy objects from default Microsoft policy objects tree. You should request PEN (Private Enterprise Number) from IANA organization (Internet Assigned Numbers Authority). Templates OID should be created with PREFIX (got from IANA) and individually created numbers for template structure.//
-  * PEN = [[wp>Private_Enterprise_Number|Private Enterprise Numbers]]
-  * application (free) -> http://pen.iana.org/pen/PenApplication.page
-  * list -> http://www.iana.org/assignments/enterprise-numbers
-  * for example: JDG has these 2: \\ <code>
-SMI Network Management Private Enterprise Codes:
-Prefix: iso.org.dod.internet.private.enterprise (1.3.6.1.4.1)
-This file is http://www.iana.org/assignments/enterprise-numbers
-Decimal
-| Organization
-| | Contact
-| | | Email
-| | | |
-  SmallBizConcepts BV
-    John de Graaff
-      iana_registration_j&smallbizconcepts.nl
-  Networkconcepts BV
-    John de Graaff
-      iana.j&networkconcepts.nl
-# so that is:
-.3.6.1.4.1.23044 = SmallBizConcepts BV
-.3.6.1.4.1.29914 = Networkconcepts BV
-</code>
-===== Public Trusted Root =====
-  * CA/B = [[wp>CA/Browser_Forum|CA/Browser Forum]]
-  * https://cabforum.org
-  * https://www.sslcertificaten.nl/support/Terminologie/CAB_Forum
-  * [[
-http://social.technet.microsoft.com/wiki/contents/articles/5973.certification-authority-root-signing.aspx
-|Certification Authority Root Signing]]
-    * subordinate your __Private PKI__ to one of the commercial __Public PKI root certificates__ that are trusted by Microsoft Windows installations
-    * Root Signing is implemented in a Qualified Subordination or Cross-Certification This link is external to TechNet Wiki. It will open in a new window. form. This means that your PKI (under an external root) will be eligible to issue certificates only for a set of specified purposes, such as Server/Client Authentication, Code/Document/Email signing and so on. In addition, your CA will be restricted to issue certificates for the domains owned by the trusted organization.
-  * [[
-https://technet.microsoft.com/en-us/library/cc787237(WS.10).aspx
-|Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003]]
-===== Microsoft Security =====
-  * [[http://www.cisecurity.org|CIS]] = [[wp>Center_for_Internet_Security|Center for Internet Security]]
-  * GPO = [[wp>Group_Policy|Group Policy Object]]
-  * ISATAP = [[wp>ISATAP|Intra-Site Automatic Tunnel Addressing Protocol]]
-==== Microsoft IP-HTTPS ====
-| {{:links:ic254820.gif|}} | {{:links:ic254781.gif}} |
-  * MS-IPHTTPS = [[
-https://msdn.microsoft.com/en-us/library/dd358571.aspx
-|IP over HTTPS (IP-HTTPS) Tunneling Protocol]]
-  * MS-DA is **IPv6** in **IPsec** (Transport mode) in **IP-HTTPS**
-  * http://tools.ietf.org/html/rfc1945 Hypertext Transfer Protocol -- HTTP/1.0
-  * http://tools.ietf.org/html/rfc2616 Hypertext Transfer Protocol -- HTTP/1.1
-  * http://tools.ietf.org/html/rfc2818 HTTP Over TLS
-  * SSTP = [[wp>Secure_Socket_Tunneling_Protocol|Secure Socket Tunneling Protocol]]
-  * DirectAccess IP-HTTPS in Server 2012 uses [[wp>Null_encryption]] to avoid double load \\ (the encapsulated IPsec does use encryption)
-  * [[wp>AuthIP]] is a Microsoft auth extension for IPsec, similar to [[wp>IKEv2]]
-  * [[
-https://technet.microsoft.com/en-us/library/ee649207(v=ws.10).aspx
-|NRPT]] = Name Resolution Policy Table
-  * [[
-https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx
-|Cross Certification]]
-  * MS [[wp>Microsoft_Jet_Database_Engine|Jet Database Engine]]
-  * if the local LAN only talks IPv4 (and the DA clients talk IPv6) the DA server translates using: [[wp>DNS64]] en [[wp>NAT64]]
-===== MS PKI =====
-  * MS supports 2 kinds of PKI:
-    * Stand-Alone CA
-    * Enterprise CA \\ uses: Active Directory Certificate Services (AD CS)
-  * [[
-http://social.technet.microsoft.com/wiki/contents/articles/9256.active-directory-certificate-services-ad-cs-clustering.aspx
-|Active Directory Certificate Services (AD CS) Clustering]]
-  * [[
-http://social.technet.microsoft.com/wiki/contents/articles/7421.ad-cs-pki-design.aspx
-|Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Design Guide]]
-  * HSM = [[
-http://social.technet.microsoft.com/wiki/contents/articles/10576.hardware-security-module-hsm.aspx
-|Hardware Security Module]]
-  * [[
-https://itworldjd.wordpress.com/2015/03/19/ad-cs-pki-migration-to-2012-r2/
-|AD CS (PKI) Resources and Migration to 2012 R2]] \\ //Is it possible to cohabit with an old PKI hierarchy and a new PKI in a same Forest?// \\ “Yes you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects are representing those CAs are named and stored, you couldn’t possibly experience a conflict unless you tried to give more than one CA the same CA name."
-  * [[https://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx|Win2012R2 AD CS Migrating the Certification Authority]]
-  * [[
-https://esihere.wordpress.com/2012/01/17/a-complete-guide-on-active-directory-certificate-services-in-windows-server-2008-r2/
-|A Complete Guide on Active Directory Certificate Services in Windows Server 2008 R2]]
-  * [[
-https://technet.microsoft.com/en-us/library/hh831574.aspx
-|Certification Authority Guidance]]
-  * microsoftvirtualacademy.com [[
-http://channel9.msdn.com/Series/Windows-Server-2012-Implementing-a-Basic-PKI
-|Windows Server 2012 R2: Implementing a Basic PKI]]
-  * [[https://technet.microsoft.com/library/cc728279.aspx|CAPolicy.inf Syntax]] \\ <code>
-[Version]
-Signature= "$Windows NT$"
-[Certsrv_Server]
-RenewalKeyLength=4096
-RenewalValidityPeriod=Years
-RenewalValidityPeriodUnits=20
-[CRLDistributionPoint]
-[AuthorityInformationAccess]
-</code>
-  * [[http://kazmierczak.eu/itblog/2012/08/22/the-dos-and-donts-of-pki-microsoft-adcs/|The DOs and DON’Ts of PKI – Microsoft ADCS]]
-  * [[http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx|Windows Server 2008 R2 CAPolicy.inf Syntax]]
-  * [[https://technet.microsoft.com/en-us/library/cc738069(v=ws.10).aspx|Administer a Certification Authority]]
-  * [[http://serverfault.com/questions/606305/can-a-single-adcs-instance-hold-more-than-one-pki-namespace|Can a single ADCS instance “hold” more than one PKI namespace?]]
-  * https://www.manageengine.com/products/active-directory-audit/
-  * [[https://technet.microsoft.com/en-us/library/cc732590.aspx|Implement Role-Based Administration]] (Applies To: Windows Server 2008 R2)
-  * [[https://technet.microsoft.com/en-us/library/hh831822.aspx|Certificate Enrollment Web Service Guidance]] (Applies To: Windows Server 2012 R2, Windows Server 2012)
-  * [[http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx|Certificate Enrollment Web Services in Active Directory Certificate Services] (Applies to Windows Server 2008 R2 and Windows Server 2012)
-  * OCSP
-  * [[
-https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx
-|Online Responder Installation, Configuration, and Troubleshooting Guide]]
-  * OCSP -> [[https://technet.microsoft.com/en-us/library/cc731099.aspx|Creating a Revocation Configuration]] (Applies To: Windows Server 2008 R2)
-  * https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
-===== Microsoft DA =====
-  * Microsoft [[wp>DirectAccess]], also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. \\ DA-Client connects using one of these IPv6 tunneling protocols:
-    *  [[wp>6to4]] (IP protocol 41)
-    * [[wp>Teredo_tunneling|Teredo]] (UDP/3544)
-    * IP-HTTPS (TCP/443)
-  * [[
-https://technet.microsoft.com/library/hh801901.aspx
-|Windows Server 2012 R2 and Windows Server 2012]]
-  * [[
-https://technet.microsoft.com/nl-nl/library/cc772393(v=ws.10).aspx
-|Stapsgewijze handleiding bij Active Directory Certificate Services voor Windows Server]]
-  * [[
-http://careexchange.in/how-to-install-certificate-authority-on-windows-server-2012/
-|how to install certificate authority on windows server 2012]]
-  * [[
-https://technet.microsoft.com/en-us/library/dd637827(v=ws.10).aspx
-|DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2]]
-  * [[
-https://technet.microsoft.com/library/dn753677
-|What's new in DirectAccess in Windows Server 2012 R2 and Windows Server 2012]]
-  * [[
-https://technet.microsoft.com/en-us/library/ee382297(v=ws.10).aspx
-|DirectAccess Design Guide]]
-  * [[
-http://blogs.technet.com/b/meamcs/archive/2010/12/01/auto-enrollment-avoid-the-challenges-of-making-end-users-manage-their-certificates.aspx
-|Auto-Enrollment - Avoid the challenges of making end users manage their certificates]]
-  * [[http://www.primemsp.com/content/msc_Shortcuts.aspx|System Administrator command line shortcuts to popular MMCs]] \\ <code>
-adsiedit.msc = AD SI edit
-certsrv.msc  = Certification Authority Management
-certmgr.msc  = Local Certificates Current User
-certlm.msc   = Local Certificates Local Computer
-certtmpl.msc = Certificate Templates
-dsa.msc      = AD Users and Computers
-gpedit.msc   = Local Group Policy Editor
-ocsp.msc     = Online Responder Configuration
-mstsc.exe    = Remote Desktop Client
-cluadmin.exe = Cluster Administrator
-dnsmgmt.msc  = DNS Management
-eventvwr.msc = Event Viewer
-nlbmgr.exe   = Network Load balancing
-pkiview.msc  = PKI Viewer
-pkmgmt.msc   = Public Key Management
-</code> <code>
-C:\Windows\System32>dir *.msc
--06-2013  17:02            63.081 certlm.msc
--06-2013  17:02            63.070 certmgr.msc
--06-2015  13:44            92.853 certsrv.msc
--06-2015  13:44           145.293 certtmpl.msc
--06-2013  16:51           147.439 gpedit.msc
--06-2015  13:44            92.554 ocsp.msc
--06-2013  17:01           145.519 perfmon.msc
--06-2015  13:44           144.354 pkiview.msc
--06-2013  16:47            92.746 services.msc
--06-2013  17:30            64.923 wbadmin.msc
-</code>
-  * MMC = [[wp>Microsoft_Management_Console|Microsoft Management Console]]
-  * PowerShell.exe = [[wp>Windows_PowerShell|Windows PowerShell]]
-  * CSP = [[wp>Cryptographic_Service_Provider|Cryptographic Service Provider]] \\ is a software library that implements the CAPI ([[wp>Microsoft_CryptoAPI|Microsoft CryptoAPI]]) \\ CNG = Cryptography API Next Generation
-  * [[
-http://blogs.technet.com/b/mspfe/archive/2013/01/24/how-to-configure-directaccess-in-windows-server-2012-to-work-with-an-external-hardware-load-balancer.aspx
-|How to Configure DirectAccess in Windows Server 2012 to Work with an External Hardware Load Balancer]]
-  * [[
-http://burgerhout.org/directaccess-troubleshooting-tool/
-|DirectAccess Troubleshooting Tool]]
-===== Microsoft Bitlocker =====
-  * [[
-https://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx
-|MBAM]] = Microsoft BitLocker Administration and Monitoring
-  * [[wp>BitLocker]]
-  * TPM = [[wp>Trusted_Platform_Module|Trusted Platform Module]]
-  * [[
-https://technet.microsoft.com/en-us/library/hh826072.aspx
-|technet]] Microsoft BitLocker Administration and Monitoring
-  * [[
-https://technet.microsoft.com/en-us/library/dn186170.aspx
-|Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide]]
-  * [[
-https://technet.microsoft.com/library/cc732774.aspx
-|BitLocker Drive Encryption Overview]]
-  * [[
-https://technet.microsoft.com/en-us/library/cc732774(WS.10).aspx
-|BitLocker Drive Encryption Technical Overview]]
-  * [[
-https://support.microsoft.com/en-us/kb/2754259
-|MBAM and Secure Network Communication]]
-  * [[
-https://deploymentramblings.wordpress.com/2014/12/03/bitlocker-mbam-and-data-recovery-agents-dra/
-|BitLocker, MBAM and Data Recovery Agents (DRA)]]
-  * http://www.pcworld.com/article/2013621/what-you-should-know-about-microsoft-bitlocker-administration-and-management-mbam-2-0.html
-  * http://www.css-security.com/blog/mbam-real-world-information/
-===== Microsoft SCCM =====
-  * SCCM = [[wp>System_Center_Configuration_Manager|System Center Configuration Manager]]
-===== Microsoft Failover Clustering & NLB =====
-  * [[
-https://technet.microsoft.com/en-us/library/hh831698.aspx
-|Network Load Balancing Overview]]
-  * [[
-https://technet.microsoft.com/en-us/library/hh831579.aspx
-|Failover Clustering Overview]]
-  * NLB = [[wp>Network_Load_Balancing#Microsoft_NLB|(Microsoft) Network Load Balancing]] \\ [[wp>Network_Load_Balancing_Services|NLB Services]]
-    * VMware [[
-http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006580
-|KB article]]
-    * Cisco [[
-http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/107995-configure-nlb-00.html
-|config example]]
-  * http://www.vmware.com/files/pdf/implmenting_ms_network_load_balancing.pdf
-  * [[
-https://technet.microsoft.com/en-us/library/cc731386(v=ws.10).aspx
-|Export a Server Certificate (IIS 7)]]
-===== S/MIME in Office365 =====
-  * [[wp>S/MIME]] = Secure / Multipurpose Internet Mail Extensions
-  * Microsoft Premum Partner - Advisory Case - Response:
-    * [[http://blogs.technet.com/b/exchange/archive/2014/12/15/how-to-configure-s-mime-in-office-365.aspx|How to Configure S/MIME in Office 365]]
-    * [[http://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/|S/MIME encryption now in Office 365]]
-    * [[https://technet.microsoft.com/en-us/library/dn626158(v=exchg.150).aspx|S/MIME for message signing and encryption]]
-  * SST = Serialized Store (keeps properties of MS Cert Store)
-  * [[http://blogs.msdn.com/b/kaushal/archive/2010/11/05/ssl-certificates.aspx|Various SSL/TLS Certificate File Types/Extensions]]
-  * [[https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-whatis/|What is Azure Active Directory?]]
-  * https://azure.microsoft.com/
-  * [[wp>Microsoft_Azure|Microsoft Azure]]
-  * [[https://support.microsoft.com/en-us/kb/2840546|How to prevent Outlook 2010 from publishing certificates to userSMIMEcertificate]]

Website van John de Graaff

User Tools

Site Tools

Differences

Page Tools