PKI: A Comprehensive Hands-On Introduction

Frequently Asked Questions

What is this course about? This course provides a comprehensive introduction to PKI technologies that are increasingly being used to solve many system and network security problems. Organizations today increasingly rely on the Internet and networked systems to conduct business. At the same time, cyber crime and security violations pose an ever-growing threat to business-critical functions and data. Public key infrastructure (PKI) provides the overall security framework and tools, enabling organizations to reduce security threats, safeguard sensitive data and maintain business continuity. Once implemented, PKI can lower overall security costs and increase interoperability within and between various enterprise systems. Almost all applications are security conscious and most rely on using digital certificates, thus requiring an enterprise PKI solution. This course presents the best and the most practical solutions and skills for creating your own PKI. Who will benefit from this course? This course is valuable for those involved in enterprise security, including those responsible for developing overall security policies, as well as those evaluating enterprise security solutions for the Internet, intranets, or extranets. Technical managers such as corporate information security officers, security managers, and computer and network security managers learn the benefits associated with various approaches to PKI architectures. Those responsible for designing and implementing PKI within their organization learn the various tradeoffs associated with the PKI choices available in a rapidly changing security marketplace. What background do I need? Familiarity with security issues at the level of Course 468, System and Network Security: A Comprehensive Introduction, is recommended. Additionally, it is assumed you are well accustomed to using the Windows operating system. My organization wants to reduce network security costs and improve interoperability across various network applications. Can PKI help us? PKI offers a universal security framework that allows complete security interoperability while greatly increasing the opportunities for cost reduction through use of common, standardized security mechanisms. Through a series of hands-on exercises, you investigate how PKI is used in several applications, such as secure Web access with SSL/TLS, secure e-mail, network security through IPSec virtual private networks and universal logon using smart cards. Do I need to have a background in cryptography? Although some knowledge may be helpful, the first portion of this course sufficiently covers enough cryptography essentials to fully understand PKI. Can I secure my e-commerce applications with PKI? PKI has been one of the main technologies that enabled the explosive growth of the Internet and intranets for business-to-consumer (B2C) uses. This course provides a basis for allowing enterprises to extend these benefits into both business-to-business (B2B) and extranet applications. This encompasses e-mail, Web and VPN applications. Will I learn to how to install a PKI? During this course, you install and configure PKI products from two major vendors: Microsoft and Entrust on Windows platforms. By configuring these products, you learn key PKI concepts as well as how to design the most effective PKI architecture. Will I set up a Certification Authority (CA) hierarchy? Yes. You will set up a hierarchical PKI, which includes a Root CA and a Subordinate CA. Will I learn about integrating a Microsoft CA with an Entrust CA? Yes, the PKI hierarchy you build in the class will have Entrust as the root CA and Microsoft as the subordinate CA. Several compatibility settings will be configured to make this relationship work. Does this course cover connecting your PKI to a PKI of another organization? Yes. This concept is one of the focal points of this course. There is hardly ever complete trust between organizations as inter-organizational communication is usually controlled by a mix of basic constraints, name constraints, application constraints, policy constraints and policy mappings. In one of a series of hands-on exercises, you set up a cross-certificate, which examines and specifies these constraints. Does this course cover the CA Bridge? Yes. In this course, you examine benefits of linking multiple PKIs together using a CA bridge. These concepts are reinforced with an exercise in which you connect your PKI to the classroom Entrust bridge CA. This activity simulates the Federal PKI (FPKI) model that many U.S. government agencies use to connect to the Federal Bridge CA (FBCA). Will I learn the practical implementations of a CA? Yes. This course provides information for many aspects of creating a secure CA. This includes hardening the platform, CA key rollover scenarios, Hardware Security Modules (HSMs) and private key protection options. Additionally, we describe how Microsoft implements the Common Criteria role separation. How much time is devoted to each topic? Content Hours Trust in a digital world 3.0 Securing PKI 3.5 Authenticating with PKI credentials 5.0 Dissecting PKI components 5.0 Designing trust architectures 6.0 Interfacing with Microsoft PKI 0.5 Times, including the workshops, are estimates; exact times may vary according to the needs of each class. What kinds of hands-on exercises are included in the course? Approximately 50 percent of the course is spent doing hands-on exercises. You create your own hierarchical PKI of several CAs, which is independent from other students in the classroom. Then you set up trust with other participants using multiple techniques. This includes linking through an Entrust bridge and setting up Microsoft cross certificates. Be prepared for several lengthy exercises, particularly those where you install and configure your CAs. Exercises include: Setting up an RA to issue certificates to the Entrust Entelligence PKI client Creating custom certificate content Building an Entrust Root CA and connecting to an X.500 directory Cross-certifying with a Bridge CA Constraining trust among PKIs Establishing a Microsoft SCA under an Entrust Root CA What platform and software are used in this course? This course uses a Windows Server 2003 platform and a VMware workstation Windows Server 2003 image for the student workstations. Servers include a Domain Controller and an X.500 Directory. For e-mail, you will use the Microsoft Exchange 2003 Server. Class exercises run on Version 7.1 of the Entrust Authority software. Will this course help me prepare for the CISSP Certification examination? Yes. This course helps you prepare for multiple domains on the CISSP Certification exam, including those covering cryptography and PKI. How does this course relate to other Learning Tree courses? Course 468, System and Network Security: A Comprehensive Introduction, provides a detailed introduction to analyzing the security risks to your computer and network systems. This course is recommended as a lead-in to Course 586. Other Learning Tree courses that may be of interest to Course 586 participants include: 420, Securing Wireless Networks: Hands-On offers the experience to defend against attacks and maintain security within your wireless network. PKI is specifically required for the 802.1X distributed authentication implementation. 589, Vulnerability Assessment: Protecting Your Organization provides the skills to configure and use vulnerability scanners to detect weaknesses and prevent network exploitation. 536, Computer Forensics and Incident Response: Hands-On provides experience with the latest Windows-based computer forensic techniques to uncover illicit activity and recover lost data. 537, Ethical Hacking and Countermeasures: Hands-On provides the knowledge to discover weaknesses in your network using the same mindset and methods as hackers.