Post on 30-Jul-2018

CERTIFICATES

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com

INTRODUCTION TO CERTIFICATES

Certificates

Certificate

Data structure (file) which holds public key

subject, validity, issuer, key usage

Digitally signed

by a CA's private key

by its own private key (self-signed)

Private key is separate from certificate

certificate in registry

private key in a file on disk or key container in a smart card

Sample certificate

Certificate (key) types

Signature keys

documents

files, executables, scripts

Online transaction keys

TLS, IPSec

client authentication

Encrypted data

files, BitLocker, S/MIME

key recovery

Private key "backup"?

Signature keys

no

Transport keys

no

Encryption keys

backup

key recovery

data recovery

Validity and crypto operations

Valid certificate

Can sign new data with private key

Can encrypt new data with public key

After certificate expires, the Subject is not responsible for its private key anymore

Expired/revoked certificate

Can verify signature with its public key

Can decrypt data with its private key

Certificate authentication: Different subject name

Certificate authentication: Expired or not yet valid

Certificate authentication: Root/Issuer/Self-Signed not trusted

Certificate authentication: Revoked yet before expiration

RDP client also prevents connecting to explicitly revoked certificates (even if Kerberos authentication of server identity is possible)

RDP client warns if revocation check cannot be performed

X.509V1 CERTIFICATE CONTENT

Certificates

X.509 v1 certificate

Subject: E = [email protected]

Public key: 37A1B883C19...

Validity: 2010

Verified by: Verisign CA

Thumbprint SHA-1: 155D1A89

Serial #: 388

Signature RSA: 6E33FD12

Key Usage: Signature

Key Usage

Signature

signature (RSA + ECDH)

non-repudiation

certificate signing

Encryption

key encipherment (RSA-KE)

key agreement (ECDSA + ECDH)

data encipherment

Valid combinations for TLS server

DSS + signature + DH

you cannot do any kind of encryption with DSS

RSA + key encipherment + RSA-KE

you cannot do key agreement with RSA

RSA + signature + ECDH

EC + key agreement + ECDH

you cannot do key encipherment with EC

Certification Authority

Self-signed certificate

Trusted third party organization

manually installed into trust store

distributed with OS/application

mobile devices, browsers

Automatically updated

Microsoft Root CA Program

Windows 2003- with Windows Update

Windows Vista+ dynamically

Self-signed certificates

Root CA certificate is always self-signed

Subject = Issuer

Never use the same Subject and Issuer on non-self-signed certificates

CA hierarchy example

CA hierarchy/chain/path

Root CA

Policy / Subordinate / Intermediate CA

Policy / Subordinate / Intermediate CA

Policy / Subordinate / Intermediate / Issuing CA

Leaf / End entity / Endpoint certificate

Qualified Subordination

???

name constraints

EKU constraints

path length constraints

Policy / Subordinate / Intermediate / Issuing CA

Trusted CAs (physical computer stores)

Trusted CAs (physical user stores)

Trusted CAs on DC1

Untrusted certificates (Windows 2003/XP)

Untrusted certificates (CTL – certificate trust list - since Windows 2012/8)

Automatic CA update

Windows XP/2003/2000

hard import from Windows Update or WSUS

Windows Vista+

dynamic import from Windows Update online/cached CTL

cannot use WSUS

Disable automatic update

Automatic Updating on XP/2003

IIS can generate self-signed web server certificates

In principle a CA certificate

Must be trusted individually

IIS AND SELF-SIGNED CERTIFICATES

Certificates

Generate IIS self-signed certificate

Bind the self-signed certificate to https://portal

Test HTTPS connection from Client7: https://portal

Install the self-signed certificate into Trusted Root Certificate Authorities

Test HTTPS connection from Client7: https://wfe1.gopas.virtual

Chrome requires SAN since 2017: NET::ERR_CERT_COMMON_NAME_INVALID

X.509V3 CERTIFICATE CONTENT

Certificates

Subject

CA guarantees that the information in the Subject is related to the real owner of the certificate

CA implements certification policies under which it verifies the Subject

called Certificate Template in Windows

Subject

CN = Common Name

E = Email

G = Given Name, SN = Surname

OU = Organizational Unit

O = Organization

L = Locality (city), STREET = Street

S = State (either Washington or Czech Republic)

C = Country (CZ, US, UK, only two letters) ISO-3166-1, X520CountryName

Subject validation by CAs

Domain control validation

domain registry + administrative contact email

DNS TXT record

Higher validation not supported by all browsers

identity, address, etc.

Extended validation (EV) standard by W3C consortium

green bar

DNS name + company registration

Domain control validated certificates

Higher validation without IE support

Extended validation (EV) supported by browsers

More DNS names in Subject

Later IE is able to parse more CN components in subject, but not supported on all clients

Not all clients support wildcard CNs such as *.sevecek.com

Wildcard CN does not apply to domain CN

*.sevecek.com

sevecek.com

More names can be present in SAN (Subject Alternative Name)

Wildcard subject and SAN

More names in SAN

Subject Alternative Name (SAN)

SAN:[email protected] (Principal Name)

SAN:[email protected] (RFC822 Name)

SAN:dns=www.idtt.com (DNS Name)

SAN:dn="CN=Ondra,OU=Company,DC=iddt,DC=local"

SAN:url=http://www.idtt.com/smartcards

SAN:ipaddress=10.10.0.16

SAN:guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39

SAN:[email protected]&email=ondrej@idtt.com

Subject in EV certificates

1.3.6.1.4.1.311.60.2.1.3 = jurisdictionOfIncorporationCountryName

CZ, UK, US, ...

SERIALNUMBER = Legal ID

IČO

Subject Alternative Name (SAN)

Can contain more than a single CN in Subject

Should contain also the Subject CN again

If SAN present, Subject is not processed at all

AD CS

must be enabled for offline requests which supply custom subject alternative names

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
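
The name-matching rules from the wildcard and SAN slides above, modelled for three kinds of client (an added example, not part of the original deck). The profile names and the two sample certificates are constructed for illustration; real clients read these fields from the parsed certificate.

```python
# Added example: name matching as described on the slides. Profile names and
# sample certificates are constructed for illustration.
PROFILES = {
    # reads_san: client parses SAN; cn_fallback: uses Subject CN when no SAN
    "cn-only":       {"reads_san": False, "cn_fallback": True,  "wildcard": False},
    "san-preferred": {"reads_san": True,  "cn_fallback": True,  "wildcard": True},
    "san-required":  {"reads_san": True,  "cn_fallback": False, "wildcard": True},
}

def candidate_names(cert, profile):
    """Names the client will compare the requested host against."""
    san = cert.get("san_dns")          # None = SAN extension absent
    if profile["reads_san"] and san is not None:
        return list(san)               # SAN present: Subject is not processed
    if profile["cn_fallback"] and cert.get("subject_cn"):
        return [cert["subject_cn"]]
    return []

def name_matches(pattern, host, allow_wildcard):
    p, h = pattern.lower().split("."), host.lower().split(".")
    if p[0] == "*":
        # "*" stands for exactly one label, so *.sevecek.com
        # covers neither sevecek.com nor a.b.sevecek.com
        return (allow_wildcard and len(p) > 1
                and len(p) == len(h) and p[1:] == h[1:])
    return p == h

def accepts(cert, host, profile_name):
    prof = PROFILES[profile_name]
    return any(name_matches(n, host, prof["wildcard"])
               for n in candidate_names(cert, prof))

def cn_missing_from_san(cert):
    """True when a SAN exists but does not repeat the Subject CN."""
    san = cert.get("san_dns")
    return san is not None and cert.get("subject_cn") not in san

# Constructed sample certificates
WILDCARD_CN = {"subject_cn": "*.sevecek.com", "san_dns": None}
PORTAL = {"subject_cn": "portal", "san_dns": ["*.sevecek.com", "sevecek.com"]}

if __name__ == "__main__":
    for label, cert in (("WILDCARD_CN", WILDCARD_CN), ("PORTAL", PORTAL)):
        for host in ("www.sevecek.com", "sevecek.com", "portal"):
            print(label, host, {p: accepts(cert, host, p) for p in PROFILES})
        print(label, "CN missing from SAN:", cn_missing_from_san(cert))
```

The PORTAL certificate shows why the Subject CN should be repeated in the SAN: a client that reads SAN no longer accepts the name "portal", while a CN-only client accepts nothing else.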

X.509 v3 certificate

Subject: CN = Ondrej Sevecek

Public key: 37A1B883C19...

Validity: 2010

Verified by: Verisign CA

Thumbprint SHA-1: 155D1A89

Serial #: 388

Signature RSA: 6E33FD12

SAN: [email protected]

EKU: Secure Email

Certificate Policies: 1.3.6.1.4.1.25005.30.1, 1.3.6.1.4.125005.30.2

Enhanced Key Usage (EKU) extension

Secure Email

Server Authentication

Client Authentication

Smart Card Logon

Encrypting File System

Document Signing

Code Signing

Remote Desktop Authentication

Enrollment Agent

Key Recovery Agent

IPSec IKE Intermediate

EKU in CA certificates - the root

EKU in CA certificates - subordinate

Special EKUs

EKU not present

leaf certificate - use for all purposes

Any purpose (anyExtendedKeyUsage) 2.5.29.37.0

leaf certificate - use for all purposes

All application policies = All purpose (XCN_OID_ANY_APPLICATION_POLICY) 1.3.6.1.4.1.311.10.12.1

CA certificate - qualified subordination

example: not allowed in MS Root CA program

http://technet.microsoft.com/en-us/library/cc751157.aspx

CLIENT SUPPORT

Enterprise PKI

Support for SAN and wildcards

| Application | Supports * | Supports SAN |
|---|---|---|
| Internet Explorer 4.0 and older | no | no |
| Internet Explorer 5.0 and newer | yes | yes |
| Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored |
| Windows Pocket PC 3.0 and 4.0 | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 and newer | yes | yes |
| Outlook 2003 and newer | yes | yes |
| RDP/TS proxy | yes | yes, if SAN present Subject is ignored |
| ISA Server firewall certificate | yes | yes |
| ISA Server 2000 and 2004 published server certificate | no | no |
| ISA Server 2006 published server certificate | yes | yes, only the first SAN name |

OCSP and Delta CRL

| System | Checks OCSP | Delta CRL |
|---|---|---|
| Windows 2000 and older | no | no |
| Windows XP and older | no | yes |
| Windows Vista and newer | yes, preferred | yes |
| Windows Pocket PC 4.0 and older | no | no |
| Windows Mobile 5.0 | no | yes |
| Windows Mobile 6.0 | no | yes |
| Windows Mobile 6.1 and newer | yes, preferred | yes |
| ISA Server 2006 and older | no | yes |
| TMG 2010 and newer | yes, preferred | yes |

CRL checks in Internet Explorer

| Version | CRL and OCSP checking |
|---|---|
| 4.0 and older | no checks |
| 5.0 and newer | can check CRL, disabled by default |
| 7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default |

Windows Mobile 2003 and 5.0 trusted CAs

| Company | Certificate Name | Windows Mobile |
|---|---|---|
| Cybertrust | GlobalSign Root CA | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0 |
| Cybertrust | GTE CyberTrust Root | 2003 and 5.0 |
| Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0 |
| Verisign | Thawte Premium Server CA | 2003 and 5.0 |
| Verisign | Thawte Server CA | 2003 and 5.0 |
| Verisign | Secure Server Certification Authority | 2003 and 5.0 |
| Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0 |
| Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0 |
| Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0 |
| Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0 |
| Godaddy | http://www.valicert.com/ | 5.0 |

Windows Mobile 6.0 trusted CAs

| Company | Certificate Name |
|---|---|
| Comodo | AAA Certificate Services |
| Comodo | AddTrust External CA Root |
| Cybertrust | Baltimore CyberTrust Root |
| Cybertrust | GlobalSign Root CA |
| Cybertrust | GTE CyberTrust Global Root |
| Verisign | Class 2 Public Primary Certification Authority |
| Verisign | Thawte Premium Server CA |
| Verisign | Thawte Server CA |
| Verisign | Secure Server Certification Authority |
| Verisign | Class 3 Public Primary Certification Authority |
| Entrust | Entrust.net Certification Authority (2048) |
| Entrust | Entrust.net Secure Server Certification Authority |
| Geotrust | Equifax Secure Certificate Authority |
| Geotrust | GeoTrust Global CA |
| Godaddy | Go Daddy Class 2 Certification Authority |
| Godaddy | http://www.valicert.com/ |
| Godaddy | Starfield Class 2 Certification Authority |

RSA 2048 browser support

| Browser | First Version |
|---|---|
| Internet Explorer | 5.01 |
| Mozilla Firefox | 1.0 |
| Opera | 6.1 |
| Apple Safari | 1.0 |
| Google Chrome | |
| AOL | 5 |
| Netscape Communicator | 4.51 |
| Red Hat Linux Konqueror | |
| Apple iPhone | |
| Windows Mobile | 2003 |
| Windows CE | 4.0 |
| RIM Blackberry | 4.3.0 |
| PalmOS | 5 |
| Sony Playstation Portable | |
| Sony Playstation 3 | |
| Nintendo Wii | |

Extended Validation browsers

| Browser | First Version |
|---|---|
| Internet Explorer | 7.0 |
| Opera | 9.5 |
| Firefox | 3 |
| Google Chrome | - |
| Apple Safari | 3.2 |
| Apple iPhone | 3.0 |

S/MIME RSA 2048 client support

| Browser | First Version |
|---|---|
| Microsoft Outlook | 99 |
| Mozilla Thunderbird | 1.0 |
| Qualcomm Eudora | 6.2 |
| Lotus Notes | 6 |
| Netscape Communicator | 4.51 |
| Mulberry Mail | |
| Apple Mail | |
| Windows Mail | |
| The Bat | |

CERTIFICATE STORES

Enterprise PKI

Registry keys

HKLM\Software\Microsoft\

EnterpriseCertificates

the same stores as local stores but populated from Group Policy

NTAuth store

SystemCertificates

local stores

Trusted Root Certification Authorities "Trust store"

what is here is trusted by definition

HKLM\Software\Microsoft\ …\SystemCertificates\ROOT

Also projects the following stores

Third party root certification authorities

…\SystemCertificates\AuthRoot

Smart Card trusted root certification authorities

…\SystemCertificates\SmartCard

Group Policy based certificates

…\EnterpriseCertificates\Root

AD Configuration container Certification Authorities

…\EnterpriseCertificates\Root

Intermediate Certification Authorities

All certificates from CA chains that cannot be downloaded during chain buildup when validating leaf certificates

…\SystemCertificates\CA

…\EnterpriseCertificates\CA

Personal and Remote Desktop

These may have private keys associated and stored on disk or in a smart card

…\SystemCertificates\MY

…\SystemCertificates\Remote Desktop

PowerShell

dir Cert:\LocalMachine\...

dir Cert:\CurrentUser\...

$myStore = Get-Item cert:\CurrentUser\My

$myStore.Open('IncludeArchived, ReadWrite')

$myStore.Certificates

CERTIFICATE FILES

Enterprise PKI

Certificate Files

PKCS #12 – .PFX, .P12

certificate + private key encrypted with a password

PKCS #7 – .P7B

more/all certificates in a chain

DER X.509 – .CER, .CRT

binary encoded certificate

RSA 2048 ~ 1500 B

RSA 4096 ~ 1750 B

Base64 X.509 – .CER, .CRT

Base64 encoded

Group protected PFX

Windows 8/2012

requires at least one DC on Windows 2012

Add-KdsRootKey -EffectiveTime ([DateTime]::Now.AddDays(-10))

Protected with DPAPI to an AD group

replicated among DCs as SAM secret

Group protected PFX

CERTUTIL -STORE

My – Personal

Root – Trusted Root Certification Authorities

CA – Intermediate Certification Authorities

TrustedPublisher – Trusted Publishers

CERTUTIL -User -ExportPFX

CERTUTIL -User -Store My outFile.cer

CERTUTIL -ImportPFX

CERTUTIL -AddStore My

CERTIFICATE REVOCATION AND AIA

Enterprise PKI

CRL and Authority URLs

Subject: Ondrej Sevecek

SAN: [email protected]

Public key: 37A1B883C19...

Validity: 2010

Verified by: Verisign CA

Thumbprint SHA-1: 155D1A89

Serial #: 388

Signature RSA: 6E33FD12

CDP: http://ca.idtt.com/ca.crl

AIA: http://ca.idtt.com/ca.cer

AIA: http://ca.idtt.com/ocsp

CRL (Certificate Revocation List)

List of revoked certificates' serial numbers

Issued by CA

directly the issuing CA

Signed by the CA's private key

Validity

cached since the download

CERTUTIL -urlcache CRL

Revoke certificate in CA

Revocation Reasons

GUI does not check revocation

CERTUTIL -user -verify -urlfetch

Certificate Hold

can be unrevoked

no information later about invalid use during period when revoked

Certificates not available for revocation after CA DB loss

CERTUTIL -importcert

CRL Distribution Point (CDP) extension

CRL Paths

LDAP

client must be authenticated

automatically replicated among DCs

usually accessible only from inside

HTTP

may be anonymous

can be balanced on a single name (NLB, DNS round robin)

should be published on a public DNS name

CRL and CA chain

RootCA -> Sub1CA -> Sub2CA -> IssuingCA -> Leaf cert

CRL URLs: http://root/ca1.crl, http://sub1/ca2.crl, http://sub2/ca3.crl, http://issuing/ca4.crl

CRL validity and CA chain

RootCA -> Sub1CA -> Sub2CA -> IssuingCA -> Leaf cert

CRL URLs: http://root/ca1.crl, http://sub1/ca2.crl, http://sub2/ca3.crl, http://issuing/ca4.crl

CRL validity: 6 months (http://root/ca1.crl), 1 month, 1 week, 1 day

Root CA certificate and CRL

No CRL validation for root CA certificate

cannot revoke root CA

root CA always trusted unconditionally

Revoked CA cannot sign CRL

CRL signed with revoked CA is invalid

AIA chain

RootCA -> Sub1CA -> Sub2CA -> IssuingCA -> Leaf cert

AIA URLs: http://sub1/ca2.crt, http://sub2/ca3.crt, http://issuing/ca4.crt

CRL and AIA support

Windows Vista/2008 and older

any number of HTTP, SMB/CIFS, FTP, LDAP paths

Windows Sever/2008 R2 and newer

only first entry for each protocol

Manual CRL re-signing

CERTUTIL -sign existing.crl newly-signed.crl

SerialNumberList

now+10:00

never

Authority Key ID

Subject: Ondrej Sevecek

Public key: 37A1B883C19...

Subject Key ID: 155D2B77

Verified by: Verisign CA

Authority Key ID: 311A86B5

AIA: http://ca.idtt.com/ca.cer

Subject: Verisign CA

Public key: 37A1B883C19...

Subject Key ID: 311A86B5
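
How the Authority Key ID on the slide above picks the issuer when two CA certificates share one Subject, for instance after a CA key renewal (an added example, not part of the original deck). Only the key IDs 155D2B77 and 311A86B5 come from the slide; the second "Verisign CA" record and the trust set are constructed, and signature verification is left out.

```python
# Added example: issuer selection by key identifier. Records are constructed;
# a real chain engine also verifies each signature, which this model skips.
def is_self_signed(cert):
    # Subject = Issuer, and the AKI (when present) points at the cert's own key
    return (cert["subject"] == cert["issuer"]
            and cert.get("aki") in (None, cert["ski"]))

def find_issuer(cert, pool):
    """Issuer's Subject must equal our Issuer; an AKI narrows it to one key."""
    by_name = [c for c in pool
               if c["subject"] == cert["issuer"] and c is not cert]
    if cert.get("aki") is not None:
        by_name = [c for c in by_name if c["ski"] == cert["aki"]]
    return by_name[0] if by_name else None

def build_chain(leaf, pool, trusted_skis, max_len=8):
    chain = [leaf]
    while not is_self_signed(chain[-1]):
        issuer = find_issuer(chain[-1], pool)
        if issuer is None:
            raise ValueError("issuer certificate not found")
        if len(chain) >= max_len or any(issuer is c for c in chain):
            raise ValueError("chain too long or looping")
        chain.append(issuer)
    if chain[-1]["ski"] not in trusted_skis:
        raise ValueError("chain ends in an untrusted root")
    return chain

# Constructed: a certificate with the same Subject but a different key
OLD_CA = {"subject": "Verisign CA", "issuer": "Verisign CA",
          "ski": "0A0B0C0D", "aki": None}
CA = {"subject": "Verisign CA", "issuer": "Verisign CA",
      "ski": "311A86B5", "aki": None}
LEAF = {"subject": "Ondrej Sevecek", "issuer": "Verisign CA",
        "ski": "155D2B77", "aki": "311A86B5"}
POOL = [OLD_CA, CA, LEAF]
TRUSTED = {"311A86B5"}          # constructed trust store, keyed by SKI

if __name__ == "__main__":
    print([c["ski"] for c in build_chain(LEAF, POOL, TRUSTED)])
    try:
        build_chain(dict(LEAF, aki=None), POOL, TRUSTED)  # name-only matching
    except ValueError as err:
        print("without AKI:", err)
```

Without the AKI the leaf is matched by name alone, lands on the first certificate with that Subject and the chain fails.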

Online Certificate Status Protocol

OCSP may decrease overall CDP traffic and smooth its profile

Preferred method for Windows Vista+

OCSP Example - Public CA

CRL: 200 kB CRL, 7 days validity, 500 000 000 clients per week = 1,3 GBps

OCSP: 1500 B OCSP response, 7 days validity, 500 000 000 clients per week, 5 OCSP responses per client = 48 MBps

OCSP Example - Private CA

CRL: 20 000 user certificates, 50 DC certificates, 5 000 CRL entries, 1 day validity

5 000 x 90 B = 450 kB CRL

20 050 x 450 kB = 835 kBps

OCSP: 20 000 user certificates, 50 DC certificates, 1 day validity

20 000 x 50 + 50 x 20 000 = 2 000 000

2 000 000 x 1500 B = 280 kBps

CERTIFICATE TEMPLATES

Certificates

Versions

Version 1

cannot be modified from GUI

msPKI-Private-Key-Flag Attribute

0x00000001 (1) CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL

0x00000010 (16) CT_FLAG_EXPORTABLE_KEY

Version 2, 3, 4

Certificate Template Versions

| Version | Provider | First CA OS | Supported by Standard Edition CA | Modify | Cannot be Enrolled or Used |
|---|---|---|---|---|---|
| 1 | CSP | Windows 2000 | yes | no | |
| 2 | CSP | Windows 2003 | Windows 2008 R2 | yes | Windows 2000 |
| 3 | CNG | Windows 2008 | Windows 2008 R2 | yes | Windows 2000, Windows 2003, Windows XP, Web Enrollment, EFS, EAP, TMG 2010, ... |
| 4 | CNG/CSP | Windows 2012 | Windows 2012 | yes | |

CERTIFICATE REQUESTS

Certificates

Certificate request

CertificateRequest

CA

Public Key

Client

Private Key

Manual request (online)

DCOM/RPC

CERTUTIL -ping

Certsvc DCOM Access group

Manual request (online)

AD CS Enrollment Policy Web Service

AD CS Enrollment Web Service

Windows 7/2008 R2 and newer clients

limited autoenrollment

Manual request (offline)

CERTREQ and .REQ file

CERTREQ -submit -attrib "CertificateTemplate:User" kamil.req

HTTP web enrollment pages

same as submitting .REQ file

can enroll only for v1 and v2 templates

Direct import into AD CS console

Request completion

Import .CER manually into console

Pulse autoenrollment

AUTOENROLLMENT

Enterprise PKI

Autoenrollment

Must be enabled in GPO

Enrolls v2 templates for Windows XP and newer

Enrolls v3 templates for Windows Vista and newer

Template must be of a correct type

user/computer

Enroll new certificates

Manage existing certificates

Troubleshooting

GPUPDATE

updates trusted enterprise CA from AD

enables autoenrollment from GPO

CERTUTIL -pulse

CERTUTIL -user -pulse

HKLM / HKCU / HKU

Software\Microsoft\Cryptography\CertificateTemplateCache

Custom Request Attributes

Application/Policy/Exit Module Specific

CERTUTIL -view -restrict requestID=xx -out attrib:all

or CERTUTIL -view -restrict Disposition=9

CERTUTIL -view -v -out RawRequest

process name

machine name

user name

THANK YOU!

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | [email protected] | www.sevecek.com