certification authority - sevecek · certification authority admin accounts and groups create ca...
TRANSCRIPT
CERTIFICATION AUTHORITY
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
Outline
CA hierarchy planning
Domain security
CA server security
Installation
Post installation steps
2
PLANNING CA HIERARCHY
Enterprise PKI
CA hierarchy?
Trust maintenance may be expensive to be trusted
may be even more expensive to revoke root
risk analysis
Revocation of subordinates
Distributed administration Qualified subordination
CRL (Certificate Revocation List)
OSCP (Online Certificate Status Protocol)
4
CA hierarchy?
GOPAS Root CA
GOPASLondon CA
GOPASParis CA
GOPASPrague CA
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
CA hierarchy?
GOPAS RootLondon CA
GOPAS RootParis CA
GOPAS RootPrague CA
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Leaf certificateLeaf certificate
Leaf certificateLeaf certificate
Leaf certificate
Trust maintenance
Risk assessment in Windows domain
Risk of AD Domain Controller
single DC compromised = whole forest compromised
Online AD integrated enterprise PKI cannot have higher risks than any DC
NTAuth CAs have the same level of risk as any DC
9
PKI Administrator
10
DC
domain-admin
Configuration
Certificate Templates
NTAuthCA
pki-admin
Logon
11
DOMAIN SECURITY
Certification Authority
Admin accounts and groups
Create CA Servers group
add EntCA and DC1 machines
Create PKI Admins group
members of Enterprise Admins for duration of the installation
Create two user accounts
pki-install
pki-admin
both members of PKI Admins
12
Connecting to domain
Connect EntCA to domain
Make PKI Admins members of local Administrators group
Remove Domain Admins from local Administrators
Disable builtin-admin
13
Basic domain security
Add workstation to domain: nobody
LDAP signing
SMB signing
NTLMv2 authentication
Passwords, Account Lockout
disable built-in Administrator
14
Basic domain security
Audit Account Logon Events
Windows Time
Disable EFS
Default Domain Policy
remove the default EFS Recovery Agent
15
Offline root time synchronization
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Co
nfig]
"MaxNegPhaseCorrection"=dword:ffffffff
"MaxPosPhaseCorrection"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Pa
rameters]
"NtpServer"="tik.cesnet.cz,0x9 tak.cesnet.cz,0x9"
"Type"="NTP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Ti
meProviders\NtpClient]
"SpecialPollInterval"=dword:00000384
17
CA GPO SECURITY
Certification Authority
Limit GPO and script effects
Local Profiles only
User GPO Loopback Processing Replace
Scripts No legacy scripts
No legacy run list
No legacy run once list
No autorun
Software Restriction Policies
Screensaver
18
RDP security
RDP redirection only for S/C
disable disk redirection
disable clipboard redirection
S/C removal
19
Block remote access
Disabled services Computer Browser Alerter Messenger WLAN Autoconfig Windows Remote Management Windows Management Instrumentation (or use firewall) Remote Registry
Disable C$, Admin$ HKLM\System\CurrentControlSet\Services\LanManServe
r\Parameters AutoShareServer = DWORD = 0
20
Auditing
Audit
Logon, Account Logon
Process Tracking
System Events
Account Management
Granular: Object access / Certification Services
Granular: Object access / File Share
21
22
NETWORK INFRASTRUCTURE
Certification Authority
DNS server
• gopas.cz for CRL/AIA/OCSP reference
Active Directory Integrated zone?
No dynamic updates
pki.gopas.cz CNAME
pki.gopas.cz ZONE with A record
23
Public A record with split DNS
25
CA SERVER SECURITY
Certification Authority
Physical security
Either physically secure
no unauthorized access to the hardware at all
And/Or use BitLocker
does not provide protection against hardware keyloggers
Virtual environment
supported
consider who is administrator of the virtualizinginfrastructure
26
Remote access
Either no remote access at all
Or use RDP with smart cards
don’t require smartcards for local logon to be able to troubleshoot
Can be used by Enrollment Agents to enroll client smart cards
27
Windows firewall
Enabled by default on Windows 2008+
Automatically configured
Allows any/any exceptions
being strict is always better
Windows firewall for RootCA
Block all incoming connections
no exceptions
Block all outgoing connections
except Ping
except SMB upload to \\pki.gopas.cz\CRL-Publish
prepare HTTP/S exception for occasional manual Windows Update
Encrypt SMB connections with IPSec
mutual authentication
Windows firewall for RootCA
Networking
Disable NetBIOS
Disable IPv6
32
PREPARING INSTALLATION
Certification Authority
CAPOLICY.INF
To specify advanced options not available in GUI setup wizard
Placed into system folder
%windir%\capolicy.inf
CAPOLICY.INF for RootCA
[Version]
Signature= "$Windows NT$"
[CRLDistributionPoint]
[AuthorityInformationAccess]
[BasicConstraintsExtension]
PathLength=1
Critical=Yes
34
CAPOLICY.INF for subordinate
[Version]
Signature= "$Windows NT$"
[certsrv_server]
LoadDefaultTemplates = False
35
Example registry values in CAPOLICY.INF[certsrv_server]CRLPeriod=DaysCRLPeriodUnits=1
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=1 CRLOverlapPeriod=Hours
CRLOverlapUnits=12
CRLDeltaOverlapPeriod=MinutesCRLDeltaOverlapUnits=30
ClockSkewMinutes=20 ValidityPeriodUnits=5
CAPOLICY.INF when renewing root CA certificate
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=30
; every value must be the same or longer than current certificate key-length/validity
Qualified subordination
Qualified = limited
Subordinate certificate contains restrictions on its use and contents of leaf certificates that it produces
CAPOLICY.INF and POLICY.INF extensions
Basic Constraints path length = 0 … only leaf certificates path length = 1 … one sub authority
Issuance Policies (Certificate Policies) must be present in CA certificate to be inserted into
leaf certificates supported by XP/2003 and newer
Name Constraints (subordinate only) limit namespaces in subject
Application Policies (subordinate only) limit EKU usage OIDs
Allowed Issuance Policies (Certificate Policies) in CA’s certificate
[PolicyStatementExtension]
Policies = ManualSubjectApproved, ManualSubjectUnapproved, AutomaticallyFromAD, PersonallyByAgent, PersonallyByAgentTwoIDs
CRITICAL = FALSE
[ManualSubjectApproved]
OID = 1.3.6.1.4.1.25005.17.1
[ManualSubjectUnapproved]
OID = 1.3.6.1.4.1.25005.17.2
[AutomaticallyFromAD]
OID = 1.3.6.1.4.1.25005.17.3
[PersonallyByAgent]
OID = 1.3.6.1.4.1.25005.17.4
[PersonallyByAgentTwoIDs]
OID = 1.3.6.1.4.1.25005.17.5
Notice = "Enrollment agent requires personal attendance and showing two IDs"
URL = https://www.sevecek.com/PKI/policies/PersonalByAgentTwoIDs.pdf
Explicitly allow all Issuance Policies (Certificate Policies) in CA’s certificate
PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
Modifying requests with CERTREQ
Qualified subordination
CERTREQ -policy -cert RootCaCN in.reqpolicy.inf out.req
Name Constraints in CERTREQ POLICY.INF
[NameConstraintsExtension]
Include = NameConstraintsPermitted
Exclude = NameConstraintsExcluded
Critical = True
[NameConstraintsPermitted]
DirectoryName = "DC=gopas, DC=virtual"
email = ""
DNS = .gopas.cz
UPN = @gopas.cz
URI = ftp://.gopas.virtual
IPAddress = 10.10.0.0/255.255.255.0
OtherName = 1.3.6.1.4.1.25005.1,{utf8}gopas
OtherName = 1.3.6.1.4.1.25005.2,{octet}55AB10
[NameConstraintsExcluded]
Application policy constraints in CERTREQ POLICY.INF
[ApplicationPolicyStatementExtension]
Policies = AppEmailPolicy, AppClAuthPolicy
Critical = False
[AppEmailPolicy]
OID = 1.3.6.1.5.5.7.3.4 ; Secure Email
[AppClAuthPolicy]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
[ApplicationPolicyConstraintsExtension]
RequireExplicitPolicy = 1
InhibitPolicyMapping = 1
45
GENERAL CA INSTALLATION NOTES
Certification Authority
CA installation
Server Manager
Install-ADCSCertificationAuthority
Install-ADCSWebEnrollment
ca-install.vbs
46
CA types
Standalone
workgroup member
only offline requests
Enterprise
AD integrated
DCOM interface for online requests
every request must contain Certificate Template information
Enterprise CA on Standard edition OS
OS version Features included Features missing
Windows 2000 CSP keyscertificate templates v1web enrollment
template modification
Windows 2003 CSP keyscertificate templates v1web enrollment
template modificationkey recovery
Windows 2008 CSP or CNG keyscertificate templates v1web enrollment
template modificationrestricted Enrollment Agentrestricted Certific ate Managerkey recoveryOCSP responderweb service enrollment, NDES
Windows 2008 R2 CSP or CNG keyscertificate templates v1, v2, v3web enrollmentrestricted Enrollment Agentrestricted Certificate Manager
key recoveryOCSP responderwebservice enrollment, NDES
Windows 2012 all SKUs with all features
Supported Scenarios
Computer cannot be renamed
Computer cannot change domain membership not even un/install DC
Can be moved from 2003 to 2008 and newer step-by-step, same x64/x32
Can be moved from 2008 to other machines different name
same x64/x32
Cannot rename OS and change domain membership
CA installation parameters
20+ years for RootCA consider subCA validity
5+ years for SubCA renew several years before expiration
2048 RSA + SHA-1 supported on most clients since 2000
2048 RSA + SHA-2 supported partially on Windows XP SP3
completely on Vista and newer
51
Signatures example (simplified)
RootCA
SHA-1 RSA
SubCA
SHA-1 RSA
IssuingCA
SHA-256 ECDSA
IssuingCASHA-1 RSA
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Secureleaf
certificates
RSA
ECDSA
RSA
RSA
RSA
ECDSA
Signatures example (does not make sense) (simplified)
RootCA
SubCA
SHA-384 RSA
IssuingCA
SHA-256 ECDSA
SHA-1 RSA
54
STEPS: ROOTCA INSTALLATION
Certification Authority
RootCA #0
CAPOLICY.INF
Windows time synchronization
Set-ItemProperty'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' MaxPosPhaseCorrection 0xFFFFFFFF -Type Dword
Set-ItemProperty'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' MaxNegPhaseCorrection 0xFFFFFFFF -Type Dword
Set-ItemProperty'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient' SpecialPollInterval 900 -Type Dword
Set-ItemProperty'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' NtpServer 'tik.cesnet.cz,0x9 tak.cesnet.cz,0x9' -Type String
Set-ItemProperty'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' Type NTP -Type String
RootCA #1
RootCA #2
RootCA #3
RootCA #4
RootCA #5
RootCA #6
RootCA #7
RootCA #8
RootCA #9
CERTUTIL -setreg CA\ValidityPeriodUnits 5
RootCA #10
RootCA #11
Revocation intervals
Too frequent decreases reliability
can improve with CRL validity extension
Too infrequent decreases security
can improve with HTTP max-age header
For RootCA consider administrative overhead
cannot use flash USB
use write/once DVD
RootCA #12
RootCA #13
CA Failure Just Before CRL Publication
No matter how high-available
Should overlap CRL publications
CRLOverlapUnits
CERTUTIL -crl
RootCA #14
CRL/AIA upload script
source:D:\Sevecek\GOC173\crl-publish.batD:\Sevecek\GOC173\crl-publish.ps1
location: C:\Service\Jobs
schedule:CMD /C C:\Service\Jobs\crl-publish.batdaily, start 0:00, every 5 minutes, for 24 hours
RootCA #15
RootCA #16
RootCA #17
75
SUBORDINATE CA NOTES
Certification Authority
CA signature algorithm
Root CA
used for self-signing root certificate
set in the registry for issued certificates
Subordinate CA
used only for signing the request
set in the registry for issued certificates
CA signature algorithm
HKLM\System\CCS\Services\CertSvc Configuration\<caName>\CSP\
CNGHashAlgorithm SHA1, SHA256, …
HashAlgorithm 0x8004 = SHA-1
0x8003 = MD5
0x8002 = MD4
0x8001 = MD2
Used for signing issued certificates regardless of the signature of the request
CA signature algorithm
Signatures example
RootCA
Certificate SHA-1 RSA
Signs with SHA-1
SubCA
Certificate SHA-1 RSA
Signs with SHA-256
IssuingCA
Certificate SHA-256 ECDSA
Signs with SHA-384
IssuingCA
Certificate
SHA-1 RSA
Signs with
SHA-1
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Compatible leaf
certificates
Secureleaf
certificatesRSA 2048
RSA 4096
ECDSA 256
ECDSA 256
RSA 2048
RSA 2048
Request signature
Used only for signingthe request comingfrom client
CA signs according toits registry settings
Request public key type (CNG/KSP templates only) regardless ofCA certificate
82
STEPS: SUBORDINATE CA INSTALLATION
Certification Authority
SubCA #0
GPS\pki-install
local Administrators
forest Enterprise Admins
SubCA #1
SubCA #2
SubCA #3
SubCA #4
SubCA #5
SubCA #6
SubCA #7
SubCA #8
SubCA #9
SubCA #10
SubCA #11
SubCA #12
SubCA #13
Take a look at the request
self-signed
CERTUTIL C:\entca.REQ
Subject
Signature RSA 2048/SHA256
SubCA #14
0x80090008: Signarute does not match public key
Invalid algorithm specified
SubCA #15
Install SHA-2 validation update on the 2003 RootCA
KB938397
SubCA #16
SubCA #16
SubCA #16 - events on RootCA (id 790: received a certificate request)
SubCA #16 - events on RootCA (id 793: set status of a certificate request to pending)
SubCA #16 - events on RootCA (id 791: approved a certificate request and issued a cert)
SubCA #17
SubCA #18
SubCA #19
SubCA #20
SubCA #21
AUDITPOL /set /subcategory:”Certification Services” /success:enable /failure:enable
CRL and OCSP paths
LDAP must be authenticated
only domain member computers and users
not available from internet and before authentication (802.1x)
HTTP can have faster re-caching
on Windows Vista/2008+
should be published on public URL only
109
SubCA #22
SubCA #23
SubCA #24
SubCA #25
CRL/AIA upload script
source:D:\Sevecek\GOC173\crl-publish.batD:\Sevecek\GOC173\crl-publish.ps1
location: C:\Service\Jobs
schedule:CMD /C C:\Service\Jobs\crl-publish.batreact to events 776 and 784 (Windows 2003)react to events 4872 and 4895 (Windows 2008+)
CrlOverlapUnits and CrlOverlapPeriod principle
CrlPeriodUnits
Effective date
Nextupdate
Microsoft specific extension
Next CRL Publish
CrlOverlapPeriodUnits
General CRL validity as seen from client perspective
CrlOverlapUnits and CrlOverlapPeriod principle (more often)
CrlPeriodUnits
Effective date
Nextupdate
Microsoft specific extension
Next CRL Publish
CrlOverlapPeriodUnits
General CRL validity as seen from client perspective
SubCA #26
SubCA #27
CRL overlap periods increase availability and decrease incident response times
CERTUTIL -setreg CA\CRLOverlapUnits 4
CERTUTIL -setreg CA\CRLOverlapPeriod Days
CERTUTIL -setreg CA\CRLDeltaOverlapUnits 120
CERTUTIL -setreg CA\CRLDeltaOverlapPeriod Minutes
SubCA #28
CERTUTIL -sign
in case we have CA’s private key
manually sign a newly timed CRL
SubCA #29
SubCA #30
SubCA #31
SubCA #32
SubCA #33
SubCA #34
125
POST INSTALLATION STEPS
Certification Authority
Configuration partition role separation
Delegate access to PKI Admins
CN=Public Key Services,CN=Services,CN=Configuration,DC=...
CN=Certificate Templates, CN=OID
manage templates and OIDs
CN=CDP
containers for each CA renewal version
SubCA renewa
126
SAN in offline requests
By default SAN is ignored in offline request uploads
web enrollment, .REQ file
accepted over DCOM by default
CERTUTIL -setreg Policy\EditFlags+EDITF_ATTRIBUTESUBJECTALTNAME2
Enable longer validity on enterprise CAs
By default limited to up to 2 years
Actual value based on certificate template setting
CERTUTIL -setreg CA\ValidityPeriodUnits 5
IIS hardening
IIS hardening with Dynamic IP Restrctionssince Windows 2012+ (IIS 8+)
HTTP max-age header
Keep expired certs on CRL
Default is to remove after certificate would expire normally
does not keep track later
CERTUTIL -setreg CA\CRLFlags+CRLF_PUBLISH_EXPIRED_CERT_CRLS
Accept STREET in Subject
By default only the following is included into certs
regardless of any other present in request
Email, CommonName, OrganizationalUnit, Organization, Locality, State, DomainComponent, Country
CERTUTIL -setreg CA\SubjectTemplate+StreetAddress
or others such as: GivenName, SurName, Initials, Title
Remove/Add Some Extensions
To remove some extensions from issued certificates
CERTUTIL -setreg policy\DisableExtensionList+1.3.6.1.4.1.311.20.2
To enable inclusion of extensions
CERTUTIL -setregPolicy\EnableRequestExtensionList+1.3.6.1.4.1.25005.1.2
134
CA using static TCP port
Component Services
CertSvc DCOM Access
CERTUTIL -setreg CA\InterfaceFlags+IF_NORPCICERTREQUEST
CA using static TCP port
Require encryption of DCOM request?
CERTUTIL -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
Is not supported by Windows XP clients
Windows 2003 CA and clients support encryption
Do not require CRL checks on CA
CERTUTIL -setreg CA\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
Produce alternate signature formats
CERTUTIL -setregCA\CSP\AlternateSignatureAlgorithm 1
Supported by Windows 2008/Vista+
Allow volatile certificates
Certificate template option for volatilecertificates must be enabled CA wide first
Do not store certificates and requests in the CA database
certutil -setreg DBFlags+DBFLAGS_ENABLEVOLATILEREQUESTS
Specify CA signing certificate in requests
CERTUTIL -setregca\UseDefinedCACertInRequest
Request
Authority Key Id (AKI): 2.5.29.35
must point to Subject Key Id of the older CA certificate
Allow any Issuance Policy (Certificate Policies extension) to be issued into certificates
the CA normally does not issue any certificate template which requires a specific Issuance Policy while the Certificate Policy OID is not included in the CA’s own certificate as well
certutil -setreg CA\CRLFlags+CRLF_IGNORE_INVALID_POLICIES
or
use the AllIssuancePolicy in CA's cert
Solve last minute failure availability problem
Publish CRL more frequently than its validity period
CERTUTIL -CRL
SCHTASKS /Create /TN Crl-Fast-Publish /SC Minute/MO 17 /ST 00:03 /RU SYSTEM /TR "certutil -crl"
144
POST INSTALLATION GPOS
Certification Authority
Post installation GPOs
Autoenrollment
for users and computers
CRL validation extension
cached CRLs and OCSPs will remain valid longer if they cannot be updated
Disable EFS
until strictly managed
145
Autoenrollment (Computers)
Autoenrollment (Users)
CRL validity extension
CrlOverlapUnits and CrlOverlapPeriod principle with GPO extension
CrlPeriodUnits
Effective date
Nextupdate
Microsoft specific extension
Next CRL Publish
CrlOverlapPeriodUnits Cached CRL validity extension from Group Policy
General CRL validity as seen from client perspective
Disable EFS
CA debug logging
HKLM\System\CCS\Services\certsrv\Configuration
Debug = DWORD = 0xFFFFFFFF
certutil.exe -setreg ca\debug 0xffffffff
%systemroot%\certsrv.log
Delayed autostart
153
PLANNING
Certification Authority
Certificate Clients
Site unaware
DCOM connection
sensitive to RTT and PLR
Single CA with 512 MB RAM
up to 2 000 000 certificates a day
Space consumptions
One CRL entry
~ 90 B
One OCSP request/response
130 B POST data
1450 B response data
One CER entry in DB
RSA 2048 or RSA 4096 = 17 KB
THANK YOU!
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |