Upload: dangque, posted 30-Jul-2018

Page 1: CERTIFICATION AUTHORITY - Sevecek · Certification Authority Admin accounts and groups Create CA Servers group ... CERTUTIL -crl. RootCA #14 CRL/AIA upload script

CERTIFICATION AUTHORITY

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |

Outline

CA hierarchy planning

Domain security

CA server security

Installation

Post installation steps


PLANNING CA HIERARCHY

Enterprise PKI

CA hierarchy?

Trust maintenance: getting a root trusted everywhere is expensive

revoking (replacing) a compromised root is even more expensive

so do a risk analysis first

Revocation of subordinates

Distributed administration

Qualified subordination

CRL (Certificate Revocation List)

OCSP (Online Certificate Status Protocol)


CA hierarchy? (two-tier)

(Diagram: GOPAS Root CA issues to three subordinates, GOPASLondon CA, GOPASParis CA and GOPASPrague CA; each subordinate issues the leaf certificates.)

CA hierarchy? (single-tier)

(Diagram: three independent roots, GOPAS RootLondon CA, GOPAS RootParis CA and GOPAS RootPrague CA, each issuing its own leaf certificates directly.)


Trust maintenance

Risk assessment in Windows domain

Risk of AD Domain Controller

single DC compromised = whole forest compromised

an online, AD-integrated enterprise PKI cannot be allowed a higher risk than any DC

NTAuth CAs carry the same level of risk as any DC (a certificate issued by an NTAuth CA is accepted for domain logon)

PKI Administrator

(Diagram: DC and the Configuration partition; domain-admin has logon and full control, pki-admin is delegated the Certificate Templates and NTAuthCA objects.)


DOMAIN SECURITY

Certification Authority

Admin accounts and groups

Create CA Servers group

add EntCA and DC1 machines

Create PKI Admins group

members of Enterprise Admins only for the duration of the installation (remove afterwards)

Create two user accounts

pki-install

pki-admin

both members of PKI Admins


Connecting to domain

Connect EntCA to domain

Make PKI Admins members of local Administrators group

Remove Domain Admins from local Administrators

Disable builtin-admin
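The account, group and local-administrator steps above as one added PowerShell script. It is not part of the deck; the NetBIOS domain GPS, the UPN suffix gopas.cz and the computer names EntCA and DC1 are taken from later slides and are assumptions:

```powershell
# Added example, not the deck's own script. Run the AD part on a management
# workstation with the ActiveDirectory module as a domain admin; run the local
# part on EntCA after it has joined the domain. Assumed: NetBIOS domain GPS,
# UPN suffix gopas.cz, computers EntCA and DC1.
Import-Module ActiveDirectory

$domain = 'GPS'

# Groups: CA Servers for the CA machine accounts (DC1 is added so the same
# GPOs can be scoped to it), PKI Admins for the administrative accounts.
New-ADGroup -Name 'CA Servers' -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'PKI Admins' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'CA Servers' -Members (Get-ADComputer 'EntCA'), (Get-ADComputer 'DC1')

# Two separate accounts: pki-install is used once, for the installation;
# pki-admin is the day-to-day CA administrator. Passwords are prompted.
foreach ($name in 'pki-install', 'pki-admin') {
    New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@gopas.cz" `
        -AccountPassword (Read-Host -AsSecureString "Password for $name") -Enabled $true
    Add-ADGroupMember -Identity 'PKI Admins' -Members $name
}

# Enterprise Admins only while the enterprise CA is installed (setup writes to
# CN=Public Key Services in the Configuration partition). Take it away again
# immediately afterwards with the commented Remove-ADGroupMember line.
Add-ADGroupMember -Identity 'Enterprise Admins' -Members (Get-ADGroup 'PKI Admins')
# Remove-ADGroupMember -Identity 'Enterprise Admins' -Members (Get-ADGroup 'PKI Admins') -Confirm:$false

# --- on EntCA, as a local administrator, after the domain join ---
Add-LocalGroupMember    -Group 'Administrators' -Member "$domain\PKI Admins"
Remove-LocalGroupMember -Group 'Administrators' -Member "$domain\Domain Admins"
# The built-in Administrator is RID 500 whatever it has been renamed to.
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser

# Check: who can still log on as an administrator?
Get-LocalGroupMember -Group 'Administrators'
```

The local-account cmdlets (Add-LocalGroupMember, Disable-LocalUser) need Windows PowerShell 5.1 or newer; on older releases the same steps are done with net localgroup and net user.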


Basic domain security

"Add workstations to domain" user right: nobody

LDAP signing

SMB signing

NTLMv2 authentication

Passwords, Account Lockout

disable built-in Administrator


Basic domain security

Audit Account Logon Events

Windows Time

Disable EFS

in the Default Domain Policy

remove the default EFS Recovery Agent certificate


Offline root time synchronization

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxNegPhaseCorrection"=dword:ffffffff
"MaxPosPhaseCorrection"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="tik.cesnet.cz,0x9 tak.cesnet.cz,0x9"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000384

(0x384 = 900 seconds, i.e. a poll every 15 minutes; the 0xffffffff phase corrections let the clock be stepped by any amount, which an offline machine that was switched off for months needs.)


CA GPO SECURITY

Certification Authority

Limit GPO and script effects

Local profiles only

User GPO loopback processing: Replace

Scripts: no legacy scripts, no legacy Run list, no legacy RunOnce list

No autorun

Software Restriction Policies

Screensaver


RDP security

RDP device redirection only for smart cards (S/C)

disable disk redirection

disable clipboard redirection

smart card removal behaviour policy (lock or log off on removal)


Block remote access

Disabled services: Computer Browser, Alerter, Messenger, WLAN AutoConfig, Windows Remote Management, Windows Management Instrumentation (or block it with the firewall), Remote Registry

Disable C$ and Admin$: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters, AutoShareServer = DWORD = 0
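An added PowerShell version of the service and share hardening above (not the deck's script; the Windows service short names are my mapping of the display names on the slide):

```powershell
# Added example, not from the deck. Run locally on the CA as an administrator.
# Services are addressed by their short names; some of them (Alerter, Messenger,
# Browser) exist only on older Windows releases, so missing ones are skipped.
$services = @(
    'Browser',        # Computer Browser
    'Alerter',
    'Messenger',
    'WlanSvc',        # WLAN AutoConfig
    'WinRM',          # Windows Remote Management
    'Winmgmt',        # WMI; the slide's alternative is to keep it and block RPC in the firewall
    'RemoteRegistry'
)

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "$name not present, skipping"; continue }
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled
    Write-Host "$name stopped and disabled"
}

# Administrative shares: AutoShareServer = 0 stops the Server service from
# recreating C$ and ADMIN$ at start-up; the current instances are deleted now.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
foreach ($share in 'C$', 'ADMIN$') {
    net.exe share $share /delete 2>$null | Out-Null
}

# Verification: remaining shares (IPC$ stays) and what is still listening.
Get-SmbShare | Select-Object Name, Path
Get-NetTCPConnection -State Listen | Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Disabling Winmgmt also breaks local tools that rely on WMI (Server Manager, some certutil views), which is why the slide offers the firewall as the alternative.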


Auditing

Audit

Logon, Account Logon

Process Tracking

System Events

Account Management

Granular: Object access / Certification Services

Granular: Object access / File Share
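The audit settings above as an added PowerShell script (not from the deck). It uses the subcategory names of the Windows audit policy, and it also sets the CA's own audit filter, which is my addition: without it the Certification Services subcategory produces no events at all.

```powershell
# Added example, not from the deck. Run on the CA as an administrator.
# Subcategories (not the nine legacy categories) are used so that Process
# Tracking can be narrowed to Process Creation.
$subcategories = @(
    'Logon', 'Logoff', 'Special Logon',                         # Logon
    'Credential Validation',                                     # Account Logon
    'Process Creation',                                          # Process Tracking
    'Security State Change', 'Security System Extension', 'System Integrity',   # System Events
    'User Account Management', 'Security Group Management',      # Account Management
    'Certification Services', 'File Share'                       # Object Access, granular
)

# Subcategory settings only win over category settings from GPOs when this
# policy ("Audit: Force audit policy subcategory settings ...") is enabled.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# The CA writes Certification Services events only for the operations selected
# in its own audit filter. 127 = all seven: start/stop, backup/restore, issue
# and manage requests, change CA configuration, change security settings,
# store/retrieve archived keys, revoke certificates and publish CRLs.
certutil.exe -setreg CA\AuditFilter 127
Restart-Service -Name CertSvc

# Verification: effective audit policy and the CA audit filter.
auditpol.exe /get /subcategory:"Certification Services"
auditpol.exe /get /subcategory:"Process Creation"
certutil.exe -getreg CA\AuditFilter
```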


NETWORK INFRASTRUCTURE

Certification Authority


DNS server

gopas.cz is the namespace used in the CRL/AIA/OCSP references

Active Directory integrated zone? then no dynamic updates

either pki.gopas.cz as a CNAME, or a separate pki.gopas.cz zone holding an A record

Public A record with split DNS (the same name resolves inside and outside)


CA SERVER SECURITY

Certification Authority

Physical security

Either physically secure

no unauthorized access to the hardware at all

and/or use BitLocker

does not protect against hardware keyloggers

Virtual environment

supported

consider who administers the virtualization infrastructure (a hypervisor administrator can copy the CA's disk, and with it the private key)


Remote access

Either no remote access at all

Or use RDP with smart cards

don’t require smartcards for local logon to be able to troubleshoot

Can be used by Enrollment Agents to enroll client smart cards


Windows firewall

Enabled by default on Windows 2008+

Automatically configured when the CA role is installed

the automatic exceptions are any/any (any remote address)

being strict is always better


Windows firewall for RootCA

Block all incoming connections

no exceptions

Block all outgoing connections

except ping

except SMB upload to \\pki.gopas.cz\CRL-Publish

prepare an HTTP/S exception for occasional manual Windows Update (keep it disabled until needed)

Encrypt the SMB connection with IPsec

mutual authentication
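The root CA firewall policy above as an added PowerShell script. It is not the deck's configuration; the address 10.10.0.10 for pki.gopas.cz (firewall rules take addresses, not names) and the use of a pre-shared key for the IPsec authentication are assumptions. Certificate-based phase-1 authentication would be preferable wherever the publication server can validate it.

```powershell
# Added example, not from the deck. Run elevated on the root CA.
$publishHost = '10.10.0.10'                      # assumed address of pki.gopas.cz
$psk         = Read-Host 'IPsec pre-shared key'  # assumed: PSK shared with the publish server

# 1. Defaults on every profile: block both directions; inbound rules are
#    ignored entirely, so no inbound exception can sneak in.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -AllowInboundRules False

# 2. Outbound exceptions from the slide.
New-NetFirewallRule -DisplayName 'RootCA out: ICMPv4 echo' -Direction Outbound `
    -Protocol ICMPv4 -IcmpType 8 -Action Allow
New-NetFirewallRule -DisplayName 'RootCA out: SMB to CRL-Publish' -Direction Outbound `
    -Protocol TCP -RemotePort 445 -RemoteAddress $publishHost -Action Allow
# Prepared but disabled: enable only for a manual Windows Update session.
New-NetFirewallRule -DisplayName 'RootCA out: HTTP/S (manual update)' -Direction Outbound `
    -Protocol TCP -RemotePort 80, 443 -Action Allow -Enabled False

# 3. IPsec for the SMB upload: mutual machine authentication and ESP with
#    AES-256, so the CRL/AIA files cannot be read or altered on the wire.
#    The default quick-mode set is integrity-only, hence the custom one.
$auth  = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$p1    = New-NetIPsecPhase1AuthSet -DisplayName 'RootCA PSK' -Proposal $auth
$crypt = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qm    = New-NetIPsecQuickModeCryptoSet -DisplayName 'RootCA ESP AES256' -Proposal $crypt
New-NetIPsecRule -DisplayName 'RootCA IPsec: SMB to CRL-Publish' `
    -RemoteAddress $publishHost -Protocol TCP -RemotePort 445 `
    -InboundSecurity None -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $qm.Name

# 4. Verification: profile defaults, the RootCA rules, and a real connection
#    attempt to the publish server (fails if IPsec cannot be negotiated).
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowInboundRules
Get-NetFirewallRule -DisplayName 'RootCA *' | Select-Object DisplayName, Direction, Action, Enabled
Test-NetConnection -ComputerName $publishHost -Port 445
```

Because the outbound IPsec rule is set to Require, the upload fails closed: if the publication server does not answer the IKE negotiation with the right key, no SMB session is established at all.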


Networking

Disable NetBIOS

Disable IPv6


PREPARING INSTALLATION

Certification Authority


CAPOLICY.INF

To specify advanced options not available in the GUI setup wizard

Placed into the system folder before setup runs

%windir%\capolicy.inf

CAPOLICY.INF for RootCA

[Version]
Signature= "$Windows NT$"

[CRLDistributionPoint]

[AuthorityInformationAccess]

[BasicConstraintsExtension]
PathLength=1
Critical=Yes

The empty [CRLDistributionPoint] and [AuthorityInformationAccess] sections mean the root certificate carries no CDP/AIA extension (there is nothing to check a self-signed root against); PathLength=1 allows exactly one level of subordinate CAs below the root.


CAPOLICY.INF for subordinate

[Version]

Signature= "$Windows NT$"

[certsrv_server]

LoadDefaultTemplates = False

Example registry values in CAPOLICY.INF

[certsrv_server]
CRLPeriod=Days
CRLPeriodUnits=1
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=1
CRLOverlapPeriod=Hours
CRLOverlapUnits=12
CRLDeltaOverlapPeriod=Minutes
CRLDeltaOverlapUnits=30
ClockSkewMinutes=20
ValidityPeriodUnits=5


CAPOLICY.INF when renewing root CA certificate

[certsrv_server]

RenewalKeyLength=2048

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=30

; every value must be the same as, or longer than, the current certificate's key length/validity

Qualified subordination

Qualified = limited

Subordinate certificate contains restrictions on its use and contents of leaf certificates that it produces


CAPOLICY.INF and POLICY.INF extensions

Basic Constraints: path length = 0 … only leaf certificates; path length = 1 … one level of sub-authority

Issuance Policies (Certificate Policies): must be present in the CA certificate to be inserted into leaf certificates; supported by XP/2003 and newer

Name Constraints (subordinate only): limit the namespaces allowed in Subject and Subject Alternative Name

Application Policies (subordinate only): limit the EKU usage OIDs

Allowed Issuance Policies (Certificate Policies) in CA’s certificate

[PolicyStatementExtension]

Policies = ManualSubjectApproved, ManualSubjectUnapproved, AutomaticallyFromAD, PersonallyByAgent, PersonallyByAgentTwoIDs

CRITICAL = FALSE

[ManualSubjectApproved]

OID = 1.3.6.1.4.1.25005.17.1

[ManualSubjectUnapproved]

OID = 1.3.6.1.4.1.25005.17.2

[AutomaticallyFromAD]

OID = 1.3.6.1.4.1.25005.17.3

[PersonallyByAgent]

OID = 1.3.6.1.4.1.25005.17.4

[PersonallyByAgentTwoIDs]

OID = 1.3.6.1.4.1.25005.17.5

Notice = "Enrollment agent requires personal attendance and showing two IDs"

URL = https://www.sevecek.com/PKI/policies/PersonalByAgentTwoIDs.pdf


Explicitly allow all Issuance Policies (Certificate Policies) in CA’s certificate

[PolicyStatementExtension]

Policies = AllIssuancePolicy

Critical = FALSE

[AllIssuancePolicy]

OID = 2.5.29.32.0

Modifying requests with CERTREQ

Qualified subordination: the constraints are added to the subordinate's request before it is submitted to the parent CA

CERTREQ -policy -cert RootCaCN in.req policy.inf out.req


Name Constraints in CERTREQ POLICY.INF

[NameConstraintsExtension]

Include = NameConstraintsPermitted

Exclude = NameConstraintsExcluded

Critical = True

[NameConstraintsPermitted]

DirectoryName = "DC=gopas, DC=virtual"

email = ""

DNS = .gopas.cz

UPN = @gopas.cz

URI = ftp://.gopas.virtual

IPAddress = 10.10.0.0/255.255.255.0

OtherName = 1.3.6.1.4.1.25005.1,{utf8}gopas

OtherName = 1.3.6.1.4.1.25005.2,{octet}55AB10

[NameConstraintsExcluded]

Application policy constraints in CERTREQ POLICY.INF

[ApplicationPolicyStatementExtension]

Policies = AppEmailPolicy, AppClAuthPolicy

Critical = False

[AppEmailPolicy]

OID = 1.3.6.1.5.5.7.3.4 ; Secure Email

[AppClAuthPolicy]

OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[ApplicationPolicyConstraintsExtension]

RequireExplicitPolicy = 1

InhibitPolicyMapping = 1
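An added PowerShell example of the qualified-subordination procedure from the last three slides (the CERTREQ -policy step with the Name Constraints and Application Policy sections). It is not the deck's script; the file names C:\entca.req, C:\policy.inf and C:\entca-constrained.req and the signer name GOPAS Root CA are assumptions, and only a subset of the name constraints shown above is used.

```powershell
# Added example, not from the deck. Run on the root CA, where the signing
# certificate selected by -cert lives.
$requestIn  = 'C:\entca.req'               # assumed: request produced by the subordinate's setup
$policyInf  = 'C:\policy.inf'
$requestOut = 'C:\entca-constrained.req'
$signerCn   = 'GOPAS Root CA'              # assumed CA common name

# policy.inf as on the slides: critical Name Constraints, two Application
# Policies, and policy constraints that forbid mapping and require a policy.
@'
[Version]
Signature = "$Windows NT$"

[NameConstraintsExtension]
Include  = NameConstraintsPermitted
Exclude  = NameConstraintsExcluded
Critical = True

[NameConstraintsPermitted]
DirectoryName = "DC=gopas, DC=virtual"
DNS = .gopas.cz
UPN = @gopas.cz
IPAddress = 10.10.0.0/255.255.255.0

[NameConstraintsExcluded]

[ApplicationPolicyStatementExtension]
Policies = AppEmailPolicy, AppClAuthPolicy
Critical = False

[AppEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4 ; Secure Email

[AppClAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[ApplicationPolicyConstraintsExtension]
RequireExplicitPolicy = 1
InhibitPolicyMapping = 1
'@ | Set-Content -Path $policyInf -Encoding ASCII

# certreq -policy wraps the original request together with the extensions from
# policy.inf; the root CA then copies those extensions into the subordinate's
# certificate when it issues it.
certreq.exe -policy -cert $signerCn $requestIn $policyInf $requestOut
if ($LASTEXITCODE -ne 0) { throw "certreq -policy failed with exit code $LASTEXITCODE" }

# Inspect the result before submitting it: Name Constraints must be present and
# critical, the Application Policies and Policy Constraints must be listed.
certutil.exe -dump $requestOut |
    Select-String -Pattern 'Name Constraints|Application Policies|Policy Constraints|Critical'
```

The check at the end matters because a subordinate certificate without a critical Name Constraints extension lets a compromised subordinate issue for any name in the forest, which is exactly what qualified subordination is meant to prevent.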


GENERAL CA INSTALLATION NOTES

Certification Authority

CA installation

Server Manager

Install-ADCSCertificationAuthority

Install-ADCSWebEnrollment

ca-install.vbs


CA types

Standalone

workgroup member

only offline requests (request files)

Enterprise

AD integrated

DCOM interface for online requests

every request must carry Certificate Template information

Enterprise CA on Standard edition OS

OS version      | Features included                                                                 | Features missing
Windows 2000    | CSP keys; certificate templates v1; web enrollment                                | template modification
Windows 2003    | CSP keys; certificate templates v1; web enrollment                                | template modification; key recovery
Windows 2008    | CSP or CNG keys; certificate templates v1; web enrollment                         | template modification; restricted Enrollment Agent; restricted Certificate Manager; key recovery; OCSP responder; web service enrollment; NDES
Windows 2008 R2 | CSP or CNG keys; certificate templates v1, v2, v3; web enrollment; restricted Enrollment Agent; restricted Certificate Manager; key recovery; OCSP responder; web service enrollment; NDES | (none)
Windows 2012    | all SKUs with all features                                                        | (none)


Supported Scenarios

The CA computer cannot be renamed

The CA computer cannot change domain membership, not even by promoting or demoting a DC

Can be migrated from 2003 to 2008 and newer step by step, same architecture (x64/x86)

Can be migrated from 2008 to another machine with a different computer name, same architecture (x64/x86)

Not supported: renaming the OS computer name or changing domain membership in place


CA installation parameters

20+ years for RootCA; derive it from the planned SubCA validity

5+ years for SubCA; renew several years before expiration

2048-bit RSA + SHA-1: supported on most clients since Windows 2000

2048-bit RSA + SHA-2: supported partially on Windows XP SP3, completely on Vista and newer

(The compatibility picture above dates from the talk; SHA-1 certificate signatures are no longer accepted by current browsers, so a CA installed today should sign with SHA-256 or stronger.)
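An added example of installing the offline root with these parameters from PowerShell, in place of the deck's ca-install.vbs (whose contents are not in the transcript). The CA name GOPAS Root CA, the DN suffix, a 4096-bit key in the software KSP, SHA-256 and the [certsrv_server] lines added to the slide's CAPOLICY.INF are assumptions:

```powershell
# Added example, not the deck's installer. Run elevated on the workgroup
# machine that becomes the root CA.
$caName   = 'GOPAS Root CA'          # assumed
$dnSuffix = 'O=GOPAS a.s.,C=CZ'      # assumed

# 1. CAPOLICY.INF: the slide's root policy (no CDP/AIA in the root certificate,
#    path length 1) plus assumed CRL settings: yearly base CRL, no delta CRL.
@'
[Version]
Signature = "$Windows NT$"

[CRLDistributionPoint]

[AuthorityInformationAccess]

[BasicConstraintsExtension]
PathLength = 1
Critical = Yes

[certsrv_server]
CRLPeriod = Years
CRLPeriodUnits = 1
CRLDeltaPeriodUnits = 0
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# 2. Role and CA installation: standalone root, RSA 4096 in the software KSP,
#    SHA-256 self-signature, 20-year validity.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName $caName -CADistinguishedNameSuffix $dnSuffix `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -Force

# 3. What the slides set afterwards by hand: subordinate CA certificates issued
#    by this root live 5 years (the wizard default would be 1).
certutil.exe -setreg CA\ValidityPeriod Years
certutil.exe -setreg CA\ValidityPeriodUnits 5
Restart-Service -Name CertSvc
certutil.exe -crl

# 4. Check what was actually produced: validity cap and the root certificate's
#    signature algorithm, key length, expiry and path length constraint.
certutil.exe -getreg CA\ValidityPeriodUnits
certutil.exe -ca.cert "$env:TEMP\root.cer" | Out-Null
certutil.exe -dump "$env:TEMP\root.cer" |
    Select-String -Pattern 'Signature Algorithm|Public Key Length|NotAfter|Path Length'
```

For the subordinate the same cmdlet is used with -CAType EnterpriseSubordinateCA and -OutputCertRequestFile, which produces the .REQ file that is carried to the root and submitted there (SubCA steps below).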


Signatures example (simplified)

(Diagram: RootCA certificate SHA-1 RSA; below it SubCA certificate SHA-1 RSA; below that two issuing CAs, one with an SHA-256 ECDSA certificate and one with an SHA-1 RSA certificate. Both issue compatible leaf certificates (RSA); the ECDSA issuing CA additionally issues secure leaf certificates (ECDSA).)


Signatures example (does not make sense) (simplified)

(Diagram labels: RootCA; SubCA, SHA-384 RSA; IssuingCA, SHA-256 ECDSA; SHA-1 RSA. A chain is only as strong as its weakest signature, so strong algorithms high in the chain gain nothing while SHA-1 is still used below them.)

STEPS: ROOTCA INSTALLATION

Certification Authority


RootCA #0

CAPOLICY.INF

Windows time synchronization

# same settings as the .reg file in the Domain security section; run elevated on the root CA
# -1 as Int32 is 0xFFFFFFFF and avoids the DWORD conversion overflow of the literal
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name MaxPosPhaseCorrection -Value ([int32]-1) -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name MaxNegPhaseCorrection -Value ([int32]-1) -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' -Name SpecialPollInterval -Value 900 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -Name NtpServer -Value 'tik.cesnet.cz,0x9 tak.cesnet.cz,0x9' -Type String
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' -Name Type -Value NTP -Type String
# apply: restart the service and force a synchronization
Restart-Service -Name w32time
w32tm.exe /resync

RootCA #1


RootCA #2

RootCA #3


RootCA #4

RootCA #5


RootCA #6

RootCA #7


RootCA #8

RootCA #9

CERTUTIL -setreg CA\ValidityPeriodUnits 5


RootCA #10

RootCA #11


Revocation intervals

Too frequent publication decreases reliability (one missed publication and clients fail revocation checking); can be mitigated with the CRL validity extension GPO on the clients

Too infrequent publication decreases security (a revocation reaches clients late); can be mitigated with the HTTP max-age header so that clients re-fetch a republished CRL sooner

For RootCA consider the administrative overhead of every publication

cannot use a flash USB stick for the transfer

use write-once DVD

RootCA #12


RootCA #13

CA Failure Just Before CRL Publication

No matter how highly available the CA is, it can fail right before the next CRL is due

So CRL publications should overlap: the new CRL is published while the old one is still valid

CRLOverlapUnits

CERTUTIL -crl


RootCA #14

CRL/AIA upload script

source: D:\Sevecek\GOC173\crl-publish.bat, D:\Sevecek\GOC173\crl-publish.ps1

location: C:\Service\Jobs

schedule: CMD /C C:\Service\Jobs\crl-publish.bat; daily, start 0:00, repeat every 5 minutes for 24 hours

RootCA #15


RootCA #16

RootCA #17


SUBORDINATE CA NOTES

Certification Authority

CA signature algorithm

Root CA: the hash selected at installation is used for self-signing the root certificate; the hash used for issued certificates is set in the registry

Subordinate CA: the hash selected at installation is used only for signing the request; the hash used for issued certificates is set in the registry


CA signature algorithm

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<caName>\CSP\

CNGHashAlgorithm (KSP): SHA1, SHA256, …

HashAlgorithm (legacy CSP): 0x8004 = SHA-1, 0x8003 = MD5, 0x8002 = MD4, 0x8001 = MD2

Used for signing issued certificates regardless of the signature algorithm of the request


Signatures example

(Diagram: RootCA, certificate SHA-1 RSA, signs with SHA-1; SubCA, certificate SHA-1 RSA, signs with SHA-256; IssuingCA, certificate SHA-256 ECDSA, signs with SHA-384; IssuingCA, certificate SHA-1 RSA, signs with SHA-1. Key sizes shown: RSA 2048, RSA 4096, ECDSA 256. Leaves are compatible (RSA 2048) or secure (ECDSA 256). The signature on a certificate is chosen by the issuer's registry setting, not by the certificate's own key type.)

Request signature

Used only for signing the request coming from the client

The CA signs according to its registry settings

Request public key type (CNG/KSP templates only) is independent of the key type of the CA certificate

STEPS: SUBORDINATE CA INSTALLATION

Certification Authority

SubCA #0: log on as GPS\pki-install (member of local Administrators and, for the duration of the installation, of the forest Enterprise Admins)

SubCA #1


SubCA #2

SubCA #3


SubCA #4

SubCA #5


SubCA #6

SubCA #7


SubCA #8

SubCA #9


SubCA #10

SubCA #11


SubCA #12

SubCA #13

Take a look at the request

CERTUTIL C:\entca.REQ

it is self-signed; check the Subject and the signature (RSA 2048 / SHA-256)


SubCA #14

0x80090008: Signature does not match public key / Invalid algorithm specified: the Windows 2003 RootCA cannot validate the SHA-256 signature on the request

SubCA #15

Install the SHA-2 validation update on the 2003 RootCA

KB938397


SubCA #16


SubCA #16 - events on RootCA (id 790: received a certificate request)

SubCA #16 - events on RootCA (id 793: set status of a certificate request to pending)


SubCA #16 - events on RootCA (id 791: approved a certificate request and issued a cert)

SubCA #17


SubCA #18

SubCA #19


SubCA #20

SubCA #21

AUDITPOL /set /subcategory:"Certification Services" /success:enable /failure:enable

CRL and OCSP paths

LDAP must be authenticated

only domain member computers and users can read it

not available from the internet, nor before authentication (802.1X)

HTTP can have faster re-caching

on Windows Vista/2008+

should be published on a public URL only (one name, pki.gopas.cz, resolving inside and outside via split DNS)
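An added PowerShell example of configuring the CDP and AIA locations of an enterprise issuing CA along the lines of the slide: the public HTTP name goes into issued certificates and is listed first, the LDAP location is kept only as a publishing target for domain members, and the local CertEnroll folder is where the files land for the upload script. The script is not from the deck; the paths /crl, /aia and /ocsp under pki.gopas.cz are assumptions.

```powershell
# Added example, not from the deck. Run on the issuing CA as a CA administrator.
# Each entry is flag:URL. Flag bits (certsrv CSURL_* constants):
#   1  publish CRLs / CA certificate to this location
#   2  include in the CDP / AIA extension of issued certificates
#   4  include in CRLs as the Freshest CRL (delta) pointer
#   8  include in the IDP extension of issued CRLs
#  32  include in AIA as the OCSP responder URL
#  64  publish delta CRLs to this location
$crlUrls = @(
    '65:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl',     # write base and delta CRL locally
    '6:http://pki.gopas.cz/crl/%3%8%9.crl',                   # in certificates (2) and as delta pointer (4)
    '65:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'  # AD: publish only
)
$aiaUrls = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%4.crt',        # local copy for the upload script
    '2:http://pki.gopas.cz/aia/%3%4.crt',                     # in certificates
    '32:http://pki.gopas.cz/ocsp'                             # OCSP responder URL in AIA
)

# certutil takes multi-string values separated by a literal \n.
certutil.exe -setreg CA\CRLPublicationURLs ($crlUrls -join '\n')
certutil.exe -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n')
Restart-Service -Name CertSvc
certutil.exe -crl

# Verification 1: what the CA now holds.
certutil.exe -getreg CA\CRLPublicationURLs
certutil.exe -getreg CA\CACertPublicationURLs

# Verification 2: the CRL must be reachable anonymously over HTTP once the
# upload script has copied it, and its dates must look sane.
$crl = Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.crl" | Select-Object -First 1
$url = 'http://pki.gopas.cz/crl/' + [uri]::EscapeDataString($crl.Name)
Invoke-WebRequest -Uri $url -OutFile "$env:TEMP\check.crl" -UseBasicParsing
certutil.exe -dump "$env:TEMP\check.crl" |
    Select-String -Pattern 'Effective Date|Next Update|Next CRL Publish'
```

The HTTP entry deliberately has no publish bit: the CA cannot write to a web server, so the file gets there through the upload job described next, and the order of the entries decides which URL clients try first.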

SubCA #22


SubCA #23

SubCA #24


SubCA #25

CRL/AIA upload script

source: D:\Sevecek\GOC173\crl-publish.bat, D:\Sevecek\GOC173\crl-publish.ps1

location: C:\Service\Jobs

schedule: CMD /C C:\Service\Jobs\crl-publish.bat; triggered by events 776 and 784 (Windows 2003) or events 4872 and 4895 (Windows 2008+)
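An added PowerShell upload job in the spirit of the deck's crl-publish script for both the RootCA (time-based) and SubCA (event-based) slides. The deck's own script source is not in the transcript; this one is mine. Assumed: the share \\pki.gopas.cz\CRL-Publish from the firewall slide, the log file C:\Service\Jobs\crl-publish.log, and that the account running the task can write to the share (on the workgroup root CA that means a task account with credentials on the share rather than SYSTEM).

```powershell
# Added example, not the deck's script. Save as C:\Service\Jobs\crl-publish.ps1.
$source = "$env:windir\system32\CertSrv\CertEnroll"
$target = '\\pki.gopas.cz\CRL-Publish'          # assumed publication share
$log    = 'C:\Service\Jobs\crl-publish.log'     # assumed log path

function Publish-CrlFiles {
    param([string]$Source, [string]$Target)
    $published = @()
    foreach ($file in Get-ChildItem -Path "$Source\*" -Include '*.crl', '*.crt' -File) {
        $dest = Join-Path $Target $file.Name
        # Skip files that are already up to date, so the job is cheap to run often.
        if ((Test-Path $dest) -and
            ((Get-FileHash $file.FullName).Hash -eq (Get-FileHash $dest).Hash)) {
            continue
        }
        # Copy under a temporary name and rename, so a client never downloads a
        # half-written CRL.
        $tmp = "$dest.tmp"
        Copy-Item -Path $file.FullName -Destination $tmp -Force
        Move-Item -Path $tmp -Destination $dest -Force
        $published += $file.Name
    }
    return $published
}

$done  = Publish-CrlFiles -Source $source -Target $target
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
if ($done.Count -gt 0) {
    Add-Content -Path $log -Value "$stamp published: $($done -join ', ')"
} else {
    Add-Content -Path $log -Value "$stamp nothing to publish"
}

# --- registration, run once, elevated ---
# RootCA style: every 5 minutes, all day. SubCA style: additionally react to
# the Security-log events named on the slide (4872 = CRL published, 4895 =
# CA certificate published; Windows 2008+ IDs). The event trigger only works
# when the Certification Services audit subcategory and the CA audit filter
# are enabled, otherwise the events are never written.
$tr = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Service\Jobs\crl-publish.ps1'
schtasks.exe /Create /TN 'CRL-Publish-Periodic' /SC MINUTE /MO 5 /ST 00:00 /DU 24:00 /RU SYSTEM /TR $tr /F
schtasks.exe /Create /TN 'CRL-Publish-OnEvent' /SC ONEVENT /EC Security `
    /MO '*[System[(EventID=4872 or EventID=4895)]]' /RU SYSTEM /TR $tr /F
```

The hash comparison is what makes the 5-minute schedule harmless: only a freshly generated CRL or CA certificate actually crosses the wire, and the log shows when that happened.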

CrlOverlapUnits and CrlOverlapPeriod principle

(Diagram, shown once for the normal case and once for more frequent publication: a CRL has an Effective date; CrlPeriodUnits later is the next scheduled publication, which the CA writes into the Microsoft-specific Next CRL Publish extension; CrlOverlapPeriodUnits after that is the Next Update field. Clients treat the CRL as valid until Next Update, so the overlap is the time the CA may be down around a publication before clients start failing. Publishing more often keeps the same client-side validity but shortens the time a revocation needs to reach clients.)

SubCA #26


SubCA #27

CRL overlap periods increase availability and give the administrators more time to respond to a publication failure

CERTUTIL -setreg CA\CRLOverlapUnits 4

CERTUTIL -setreg CA\CRLOverlapPeriod Days

CERTUTIL -setreg CA\CRLDeltaOverlapUnits 120

CERTUTIL -setreg CA\CRLDeltaOverlapPeriod Minutes

SubCA #28

CERTUTIL -sign

if we have the CA's private key (for example restored from backup after a CA failure)

we can manually sign a copy of the existing CRL with a new validity period


SubCA #29

SubCA #30


SubCA #31

SubCA #32


SubCA #33

SubCA #34


POST INSTALLATION STEPS

Certification Authority

Configuration partition role separation

Delegate access to PKI Admins

CN=Public Key Services,CN=Services,CN=Configuration,DC=...

CN=Certificate Templates, CN=OID: manage templates and OIDs

CN=CDP: containers for each CA renewal version

SubCA renewal


SAN in offline requests

By default a SAN supplied in an offline request is ignored

web enrollment, .REQ file

accepted over DCOM by default

CERTUTIL -setreg Policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Caveat: with this flag set the CA honours a SAN passed as a request attribute on every template, including templates that otherwise build the subject from Active Directory; any enrollee can then obtain a certificate naming another principal, such as a domain admin UPN, and use it for smart card or PKINIT logon. Prefer a template that allows the subject to be supplied in the request, restricted to the requesters who need it, and leave the flag off.

Enable longer validity on enterprise CAs

By default limited to up to 2 years

The actual value is based on the certificate template setting, capped by this CA-wide limit (and by the remaining lifetime of the CA certificate)

CERTUTIL -setreg CA\ValidityPeriodUnits 5


IIS hardening

IIS hardening with Dynamic IP Restrictions, available since Windows 2012+ (IIS 8+)


HTTP max-age header

Keep expired certs on CRL

By default a revoked certificate is removed from the CRL once it would have expired anyway

after that the CRL no longer says anything about it (a problem for signatures that must stay verifiable, e.g. timestamped ones)

CERTUTIL -setreg CA\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS


Accept STREET in Subject

By default only the following RDNs are included in issued certificates

regardless of any others present in the request

Email, CommonName, OrganizationalUnit, Organization, Locality, State, DomainComponent, Country

CERTUTIL -setreg CA\SubjectTemplate +StreetAddress

or others such as: GivenName, SurName, Initials, Title

Remove/Add Some Extensions

To remove some extensions from issued certificates (here 1.3.6.1.4.1.311.20.2, the Certificate Template Name extension)

CERTUTIL -setreg Policy\DisableExtensionList +1.3.6.1.4.1.311.20.2

To enable inclusion of extensions supplied in the request

CERTUTIL -setreg Policy\EnableRequestExtensionList +1.3.6.1.4.1.25005.1.2


CA using static TCP port

Component Services (DCOM Config, CertSrv Request, Endpoints: a static endpoint instead of a dynamic RPC port)

CertSvc DCOM Access

CERTUTIL -setreg CA\InterfaceFlags +IF_NORPCICERTREQUEST (switches off the legacy RPC ICertRequest interface so that only DCOM remains)


Require encryption of DCOM request?

CERTUTIL -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST

Is not supported by Windows XP clients

Windows 2003 CA and clients support encryption

Do not require CRL checks on CA

CERTUTIL -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
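An added PowerShell audit of the CA registry settings from the post-installation slides in this section (SAN from request attributes, DCOM encryption, legacy RPC interface, offline revocation checking) and of the signing hash from the "CA signature algorithm" slides. It is not from the deck. CERTUTIL -getreg prints symbolic flag names, so the checks go by name rather than by bit value; the single-CA assumption (the Active configuration) is mine.

```powershell
# Added example, not from the deck. Run on the CA as a CA administrator.
function Get-CaFlags {
    param([string]$RegPath)   # e.g. 'policy\EditFlags' or 'CA\InterfaceFlags'
    $lines = certutil.exe -getreg $RegPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg $RegPath failed: $lines" }
    # certutil lists set flags as "    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)"
    $lines | Select-String -Pattern '^\s+([A-Z][A-Z0-9_]+) --' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Get-CaSigningHash {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $base -Name Active).Active   # assumed: one CA on this host
    $csp    = Get-ItemProperty -Path (Join-Path $base "$active\CSP")
    if ($csp.PSObject.Properties.Name -contains 'CNGHashAlgorithm') {
        return $csp.CNGHashAlgorithm            # KSP: SHA1, SHA256, SHA384, ...
    }
    switch ($csp.HashAlgorithm) {               # legacy CSP: CALG_* values from the slide
        0x8004  { 'SHA-1' }
        0x8003  { 'MD5' }
        0x8002  { 'MD4' }
        0x8001  { 'MD2' }
        default { 'unknown (0x{0:X})' -f $csp.HashAlgorithm }
    }
}

$edit  = Get-CaFlags 'policy\EditFlags'
$iface = Get-CaFlags 'CA\InterfaceFlags'
$crlf  = Get-CaFlags 'CA\CRLFlags'
$hash  = Get-CaSigningHash

$findings = @()
if ($edit -contains 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    $findings += 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: any enrollee can put an arbitrary SAN into a request attribute. Clear it: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2'
}
if ($iface -notcontains 'IF_ENFORCEENCRYPTICERTREQUEST') {
    $findings += 'DCOM requests need not be encrypted (IF_ENFORCEENCRYPTICERTREQUEST unset); acceptable only while XP clients must enroll'
}
if ($iface -notcontains 'IF_NORPCICERTREQUEST') {
    $findings += 'Legacy RPC ICertRequest interface still enabled (IF_NORPCICERTREQUEST unset)'
}
if ($crlf -contains 'CRLF_REVCHECK_IGNORE_OFFLINE') {
    $findings += 'CRLF_REVCHECK_IGNORE_OFFLINE is set: the CA ignores an unreachable CRL for its own chain; acceptable only where the parent CDP is deliberately offline'
}
if ($hash -notmatch 'SHA-?(256|384|512)') {
    $findings += "Issued certificates are signed with $hash; set a SHA-2 hash (KSP only): certutil -setreg CA\CSP\CNGHashAlgorithm SHA256, then restart CertSvc"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

Every -setreg change on these slides only takes effect after CertSvc is restarted, which is why the remediation hints in the findings say so.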


Produce alternate signature formats

CERTUTIL -setreg CA\CSP\AlternateSignatureAlgorithm 1

Supported by Windows 2008/Vista+ (the alternate format is RSASSA-PSS; older Windows and many non-Windows clients cannot validate it, so check the client population first)

Allow volatile certificates

The certificate template option for volatile certificates must first be enabled CA-wide

Do not store certificates and requests in the CA database

certutil -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS


Specify CA signing certificate in requests

CERTUTIL -setreg CA\UseDefinedCACertInRequest 1

Request

Authority Key Id (AKI): 2.5.29.35

must point to the Subject Key Id of the older CA certificate

Allow any Issuance Policy (Certificate Policies extension) to be issued into certificates

the CA normally refuses to issue from a certificate template that requires a specific Issuance Policy when that Certificate Policy OID is not also included in the CA’s own certificate

certutil -setreg CA\CRLFlags +CRLF_IGNORE_INVALID_POLICIES

or

use the AllIssuancePolicy in the CA's certificate


Solve last minute failure availability problem

Publish the CRL more frequently than its validity period

CERTUTIL -CRL

SCHTASKS /Create /TN Crl-Fast-Publish /SC Minute /MO 17 /ST 00:03 /RU SYSTEM /TR "certutil -crl"

POST INSTALLATION GPOS

Certification Authority


Post installation GPOs

Autoenrollment

for users and computers

CRL validation extension

cached CRLs and OCSPs will remain valid longer if they cannot be updated

Disable EFS

until strictly managed


Autoenrollment (Computers)


Autoenrollment (Users)

CRL validity extension


CrlOverlapUnits and CrlOverlapPeriod principle with GPO extension

(Diagram: as before, Effective date, CrlPeriodUnits to Next CRL Publish, CrlOverlapPeriodUnits to Next Update; the cached CRL validity extension from Group Policy lets clients keep using a cached CRL past Next Update when they cannot fetch a new one, so the general CRL validity as seen from the client is extended by that amount.)

Disable EFS


CA debug logging

HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

Debug = DWORD = 0xFFFFFFFF

certutil.exe -setreg ca\debug 0xffffffff

log file: %systemroot%\certsrv.log

Delayed autostart


PLANNING

Certification Authority

Certificate Clients

Site unaware: a client may pick any enterprise CA in the forest, not the nearest one

DCOM connection

sensitive to RTT (round-trip time) and PLR (packet loss rate)

Single CA with 512 MB RAM

up to 2 000 000 certificates a day


Space consumption

One CRL entry

~ 90 B

One OCSP request/response

130 B POST data

1450 B response data

One CER entry in DB

RSA 2048 or RSA 4096 = 17 KB

THANK YOU!

Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |