Saturday, March 14, 2015

PKI (Public Key Infrastructure), special post: training course with Mark Cooper

I'm going to interrupt the sequence of my blog posts on PKI to share an excellent experience I had learning more about the subject and that may help me avoid some signficant mistakes in future projects.

I attended a training session by Mark Cooper called "In-Depth Training for Windows Server 2012 R2 ADCS". If you've been following this blog, you know (or may have already known) that ADCS means "Active Directory Certificate Services".

And who is Mark Cooper?

Mark Cooper is a "former Microsoft Senior Engineer and subject matter expert" for ADCS. You can read more about him on the website of his company "PKI Solutions":

Otherwise, if you have heard of Brian Komar and read his "PKI and Certificate Security" (Windows Server 2008), you might be interested in knowing that Mark Cooper is working on the latest version of this book, updated for Windows 2012 R2.

The PKI training course costs $5000 for five days of both presentations and "hands-on" labs. Questions are welcome so prepare a list. In fact, and although anyone can take the course, my opinion is that you will benefit from it most if you already have some knowledge of PKI and come with questions about your future projects. If you prepare yourself well, the training may replace the need to hire a consultant, at least for less complex PKI implementations, and the cost may be compensated in that way.

Class size may vary. I was in a group of six so each participant was able to ask any questions they had and also receive personal one-on-one attention for the labs.

I learned much from the class and notably about high availability which is somewhat particular with ADCS.

With Active Directory, for example, we can achieve high availability by adding more domain controllers.

Not so with ADCS.

Before taking the class, I thought that my practice network (see previous posts) would have a root CA and then two subordinate issuing CAs (CA1 and CA2). If CA1 was unavailable, clients could simply interact with CA2. Well, this would function if it was simply a matter of requesting new certificates. But the validity of a certificate must be verifiable at any time after it is issued and that is achieved by consulting the CRL (certification revocation list).

Here is the problem: only the CRL published (and signed) by the specific issuing CA can be used to validate the certificate. Unlike the Active Directory database (for example), CRLs are not replicated among CAs. Therefore, if CA1 is not available, and the current CRL expires, clients will be unable to use their certificates because no updated CRL can be consulted. Clients cannot simply query another CA as they might query another domain controller.

As for the course, one (possible) challenge to keep in mind is that participants were expected to have a laptop powerful enough to run three to four virtual machines at a time (and thus have either VMware workstation or Windows 8 Hyper-V or a similar product). This may change in the future if participants are be able to access virtual machines in the Cloud. Such a transition was being examined when I took the course.

In general, ADCS is one of the more complex Microsoft technologies to implement and while the initial setup can be challenging enough, the real test is how well it continues to function for the duration of its existence. With that in mind, I would definitely recommend the course to anyone intending to use PKI in their environment or to offer services in PKI consulting.  

1 comment: