CERTIFICATES
Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | www.sevecek.com
INTRODUCTION TO CERTIFICATES
Certificates
Certificate
Data structure (file) which holds public key
subject, validity, issuer, key usage
Digitally signed
by a CA's private key
by its own private key (self-signed)
Private key is separate from certificate
certificate in registry
private key in a file on disk or key container in a smart card
Sample certificate
Certificate (key) types
Signature keys
documents
files, executables, scripts
Online transaction keys
TLS, IPSec
client authentication
Encrypted data
files, BitLocker, S/MIME
key recovery
Private key "backup"?
Signature keys
no
Transport keys
no
Encryption keys
backup
key recovery
data recovery
Validity and crypto operations
Valid certificate
Can sign new data with private key
Can encrypt new data with public key
After certificate expires, the Subject is not responsible for its private key anymore
Expired/revoked certificate
Can verify signature with its public key
Can decrypt data with its private key
Certificate authentication: Different subject name
Certificate authentication: Expired or not yet valid
Certificate authentication: Root/Issuer/Self-Signed not trusted
Certificate authentication: Revoked yet before expiration
RDP client also prevents connecting to explicitly revoked certificates (even if Kerberos authentication of server identity is possible)
X.509 v1 certificate
Subject: E = [email protected]
Public key: 37A1B883C19...
Validity: 2010
Verified by: Verisign CA
Thumbprint SHA-1: 155D1A89
Serial #: 388
Signature RSA: 6E33FD12
Key Usage: Signature
Key Usage
Signature
signature (RSA + ECDH)
non-repudiation
certificate signing
Encryption
key encipherment (RSA-KE)
key agreement (ECDSA + ECDH)
data encipherment
Valid combinations for TLS server
DSS + signature + DH
you cannot do any kind of encryption with DSS
RSA + key encipherment + RSA-KE
you cannot do key agreement with RSA
RSA + signature + ECDH
EC + key agreement + ECDH
you cannot do key encipherment with EC
Certification Authority
Self-signed certificate
Trusted third party organization
manually installed into trust store
distributed with OS/application
mobile devices, browsers
Automatically updated
Microsoft Root CA Program
Windows 2003- with Windows Update
Windows Vista+ dynamically
Self-signed certificates
Root CA certificate is always self-signed
Subject = Issuer
Never use the same Subject and Issuer on non-self-signed certificates
CA hierarchy example
CA hierarchy/chain/path
Root CA
Policy / Subordinate / Intermediate CA
Policy / Subordinate / Intermediate CA
Policy / Subordinate / Intermediate / Issuing CA
Leaf / End entity / Endpoint certificate
Qualified Subordination
???
name constraints
EKU constraints
path length constraints
Policy / Subordinate / Intermediate / Issuing CA
Trusted CAs (physical computer stores)
Untrusted certificates (Windows 2003/XP)
Untrusted certificates (CTL – certificate trust list - since Windows 2012/8)
Automatic CA update
Windows XP/2003/2000
hard import from Windows Update or WSUS
Windows Vista+
dynamic import from Windows Update online/cached CTL
cannot use WSUS
Disable automatic update
Automatic Updating on XP/2003
IIS can generate self-signed web server certificates
In principle a CA certificate
Must be trusted individually
Install the self-signed certificate into Trusted Root Certificate Authorities
Test HTTPS connection from Client7: https://wfe1.gopas.virtual
Chrome requires SAN since 2017: NET::ERR_CERT_COMMON_NAME_INVALID
X.509V3 CERTIFICATE CONTENT
Certificates
Subject
CA guarantees that the information in the Subject is related to the real owner of the certificate
CA implements certification policies under which it verifies the Subject
called Certificate Template in Windows
Subject
CN = Common Name
E = Email
G = Given Name, SN = Surname
OU = Organizational Unit
O = Organization
L = Locality (city), STREET = Street
S = State (either Washington or Czech Republic)
C = Country (CZ, US, UK, only two letters) ISO-3166-1, X520CountryName
Subject validation by CAs
Domain control validation
domain registry + administrative contact email
DNS TXT record
Higher validation not supported by all browsers
identity, address, etc.
Extended validation (EV) standard by W3C consortium
green bar
DNS name + company registration
Extended validation (EV) supported by browsers
More DNS names in Subject
Later IE is able to parse more CN components in subject, but not supported on all clients
Not all clients support wildcard CNs such as *.sevecek.com
Wildcard CN does not apply to domain CN
*.sevecek.com
sevecek.com
More names can be present in SAN (Subject Alternative Name)
Subject Alternative Name (SAN)
SAN:[email protected] (Principal Name)
SAN:[email protected] (RFC822 Name)
SAN:dns=www.idtt.com (DNS Name)
SAN:dn=“CN=Ondra,OU=Company,DC=iddt,DC=local”
SAN:url=http://www.idtt.com/smartcards
SAN:ipaddress=10.10.0.16
SAN:guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39
SAN:[email protected]&email=ondrej@idtt.com
Subject in EV certificates
1.3.6.1.4.1.311.60.2.1.3 = jurisdictionOfIncorporationCountryName
CZ, UK, US, ...
SERIALNUMBER = Legal ID
IČO
Subject Alternative Name (SAN)
Can contain more than a single CN in Subject
Should contain also the Subject CN again
If SAN present, Subject is not processed at all
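AD CS
must be enabled for offline requests which supply custom subject alternative names
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
CA-wide flag: the CA then accepts requester-supplied SAN attributes, so limit enrollment rights and review requests before issuing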
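The name-matching rules from the wildcard and SAN slides above, as an added example that is not part of the original deck. Certificates are constructed dicts (the keys subject_cn and san_dns and all function names are assumptions), and cn_fallback=False models a client that requires SAN, as Chrome does since 2017.

```python
# Added example: host name matching as described on the slides.
# Certificates are constructed dicts, not parsed X.509 structures.

WILDCARD_CN_ONLY = {"subject_cn": "*.sevecek.com", "san_dns": []}   # constructed
SAN_WITHOUT_CN = {"subject_cn": "www.sevecek.com",                  # constructed
                  "san_dns": ["mail.sevecek.com"]}
SAN_COMPLETE = {"subject_cn": "www.sevecek.com",                    # constructed
                "san_dns": ["www.sevecek.com", "sevecek.com", "*.sevecek.com"]}


def name_matches(pattern, host):
    """Compare one certificate DNS name (possibly a wildcard) with a host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        # "*.sevecek.com" has three labels and "sevecek.com" two, so the
        # wildcard never covers the domain itself or deeper subdomains.
        return False
    if p[0] == "*":
        # Accept the wildcard only as the complete left-most label.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def candidate_names(cert, cn_fallback=True):
    """SAN present: Subject is not processed. SAN absent: CN only if allowed."""
    if cert.get("san_dns"):
        return list(cert["san_dns"])
    if cn_fallback and cert.get("subject_cn"):
        return [cert["subject_cn"]]
    return []


def host_matches(cert, host, cn_fallback=True):
    return any(name_matches(n, host) for n in candidate_names(cert, cn_fallback))


if __name__ == "__main__":
    for cert, host, fallback in [
        (WILDCARD_CN_ONLY, "www.sevecek.com", True),
        (WILDCARD_CN_ONLY, "sevecek.com", True),
        (WILDCARD_CN_ONLY, "www.sevecek.com", False),  # SAN-only client
        (SAN_WITHOUT_CN, "www.sevecek.com", True),     # CN ignored
        (SAN_COMPLETE, "sevecek.com", True),
    ]:
        print(host, fallback, host_matches(cert, host, fallback))
```

The SAN_WITHOUT_CN case shows why the SAN should repeat the Subject CN: once a SAN exists, a name found only in the Subject no longer matches.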
X.509 v3 certificate
Subject: CN = Ondrej Sevecek
Public key: 37A1B883C19...
Validity: 2010
Verified by: Verisign CA
Thumbprint SHA-1: 155D1A89
Serial #: 388
Signature RSA: 6E33FD12
SAN: [email protected]
EKU: Secure Email
Certificate Policies: 1.3.6.1.4.1.25005.30.1, 1.3.6.1.4.125005.30.2
Enhanced Key Usage (EKU) extension
Secure Email
Server Authentication
Client Authentication
Smart Card Logon
Encrypting File System
Document Signing
Code Signing
Remote Desktop Authentication
Enrollment Agent
Key Recovery Agent
IPSec IKE Intermediate
EKU in CA certificates - the root
EKU in CA certificates - subordinate
Special EKUs
EKU not present: leaf certificate - use for all purposes
Any purpose (anyExtendedKeyUsage), 2.5.29.37.0: leaf certificate - use for all purposes
All application policies = All purpose (XCN_OID_ANY_APPLICATION_POLICY), 1.3.6.1.4.1.311.10.12.1: CA certificate - qualified subordination
example: not allowed in MS Root CA program
http://technet.microsoft.com/en-us/library/cc751157.aspx
CLIENT SUPPORT
Enterprise PKI
Support for SAN and wildcards
Application | Supports * (wildcard) | Supports SAN
Internet Explorer 4.0 and older | no | no
Internet Explorer 5.0 and newer | yes | yes
Internet Explorer 7.0 | yes | yes, if SAN present Subject is ignored
Windows Pocket PC 3.0 and 4.0 | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 and newer | yes | yes
Outlook 2003 and newer | yes | yes
RDP/TS proxy | yes | yes, if SAN present Subject is ignored
ISA Server firewall certificate | yes | yes
ISA Server 2000 and 2004 published server certificate | no | no
ISA Server 2006 published server certificate | yes | yes, only the first SAN name
OCSP and Delta CRL
System | Checks OCSP | Delta CRL
Windows 2000 and older | no | no
Windows XP and older | no | yes
Windows Vista and newer | yes, preferred | yes
Windows Pocket PC 4.0 and older | no | no
Windows Mobile 5.0 | no | yes
Windows Mobile 6.0 | no | yes
Windows Mobile 6.1 and newer | yes, preferred | yes
ISA Server 2006 and older | no | yes
TMG 2010 and newer | yes, preferred | yes
CRL checks in Internet Explorer
Version | CRL and OCSP checking
4.0 and older | no checks
5.0 and newer | can check CRL, disabled by default
7.0 and newer | can check OCSP (if supported by OS) and CRL, enabled by default
Windows Mobile 2003 and 5.0 trusted CAs
Company | Certificate Name | Windows Mobile
Cybertrust | GlobalSign Root CA | 2003 and 5.0
Cybertrust | GTE CyberTrust Global Root | 2003 and 5.0
Cybertrust | GTE CyberTrust Root | 2003 and 5.0
Verisign | Class 2 Public Primary Certification Authority | 2003 and 5.0
Verisign | Thawte Premium Server CA | 2003 and 5.0
Verisign | Thawte Server CA | 2003 and 5.0
Verisign | Secure Server Certification Authority | 2003 and 5.0
Verisign | Class 3 Public Primary Certification Authority | 2003 and 5.0
Entrust | Entrust.net Certification Authority (2048) | 2003 and 5.0
Entrust | Entrust.net Secure Server Certification Authority | 2003 and 5.0
Geotrust | Equifax Secure Certificate Authority | 2003 and 5.0
Godaddy | http://www.valicert.com/ | 5.0
Windows Mobile 6.0 trusted CAs
Comodo | AAA Certificate Services
Comodo | AddTrust External CA Root
Cybertrust | Baltimore CyberTrust Root
Cybertrust | GlobalSign Root CA
Cybertrust | GTE CyberTrust Global Root
Verisign | Class 2 Public Primary Certification Authority
Verisign | Thawte Premium Server CA
Verisign | Thawte Server CA
Verisign | Secure Server Certification Authority
Verisign | Class 3 Public Primary Certification Authority
Entrust | Entrust.net Certification Authority (2048)
Entrust | Entrust.net Secure Server Certification Authority
Geotrust | Equifax Secure Certificate Authority
Geotrust | GeoTrust Global CA
Godaddy | Go Daddy Class 2 Certification Authority
Godaddy | http://www.valicert.com/
Godaddy | Starfield Class 2 Certification Authority
RSA 2048 browser support
Browser | First Version
Internet Explorer | 5.01
Mozilla Firefox | 1.0
Opera | 6.1
Apple Safari | 1.0
Google Chrome
AOL | 5
Netscape Communicator | 4.51
Red Hat Linux Konqueror
Apple iPhone
Windows Mobile | 2003
Windows CE | 4.0
RIM Blackberry | 4.3.0
PalmOS | 5
Sony Playstation Portable
Sony Playstation 3
Nintendo Wii
Extended Validation browsers
Browser | First Version
Internet Explorer | 7.0
Opera | 9.5
Firefox | 3
Google Chrome | -
Apple Safari | 3.2
Apple iPhone | 3.0
S/MIME RSA 2048 client support
Browser | First Version
Microsoft Outlook | 99
Mozilla Thunderbird | 1.0
Qualcomm Eudora | 6.2
Lotus Notes | 6
Netscape Communicator | 4.51
Mulberry Mail
Apple Mail
Windows Mail
The Bat
CERTIFICATE STORES
Enterprise PKI
Registry keys
HKLM\Software\Microsoft\
EnterpriseCertificates
the same stores as local stores but populated from Group Policy
NTAuth store
SystemCertificates
local stores
Trusted Root Certification Authorities "Trust store"
what is here is trusted by definition
HKLM\Software\Microsoft\ …\SystemCertificates\ROOT
Also projects the following stores
Third party root certification authorities: …\SystemCertificates\AuthRoot
Smart Card trusted root certification authorities: …\SystemCertificates\SmartCard
Group Policy based certificates: …\EnterpriseCertificates\Root
AD Configuration container Certification Authorities: …\EnterpriseCertificates\Root
Intermediate Certification Authorities
All certificates from CA chains that cannot be downloaded during chain buildup when validating leaf certificates
…\SystemCertificates\CA
…\EnterpriseCertificates\CA
Personal and Remote Desktop
These may have private keys associated and stored on disk or in a smart card
…\SystemCertificates\MY
…\SystemCertificates\Remote Desktop
PowerShell
dir Cert:\LocalMachine\...
dir Cert:\CurrentUser\...
$myStore = Get-Item cert:\CurrentUser\My
$myStore.Open('IncludeArchived, ReadWrite')
$myStore.Certificates
CERTIFICATE FILES
Enterprise PKI
Certificate Files
PKCS #12 – .PFX, .P12: certificate + private key encrypted with a password
PKCS #7 – .P7B: more/all certificates in a chain
DER X.509 – .CER, .CRT: binary encoded certificate (RSA 2048 ~ 1500 B, RSA 4096 ~ 1750 B)
Base64 X.509 – .CER, .CRT: Base64 encoded
Group protected PFX
Windows 8/2012
requires at least one DC on Windows 2012
Add-KdsRootKey -EffectiveTime ([DateTime]::Now.AddDays(-10))
Protected with DPAPI to an AD group
replicated among DCs as SAM secret
CERTUTIL -STORE
My – Personal
Root – Trusted Root Certification Authorities
CA – Intermediate Certification Authorities
TrustedPublisher – Trusted Publishers
CERTUTIL -User -ExportPFX
CERTUTIL -User -Store My outFile.cer
CERTUTIL -ImportPFX
CERTUTIL -AddStore My
CERTIFICATE REVOCATION AND AIA
Enterprise PKI
CRL and Authority URLs
Subject: Ondrej Sevecek
SAN: [email protected]
Public key: 37A1B883C19...
Validity: 2010
Verified by: Verisign CA
Thumbprint SHA-1: 155D1A89
Serial #: 388
Signature RSA: 6E33FD12
CDP: http://ca.idtt.com/ca.crl
AIA: http://ca.idtt.com/ca.cer
AIA: http://ca.idtt.com/ocsp
CRL (Certificate Revocation List)
List of revoked certificates' serial numbers
Issued by CA
directly the issuing CA
Signed by the CA's private key
Validity
cached since the download
CERTUTIL -urlcache CRL
Revoke certificate in CA
Revocation Reasons
GUI does not check revocation
CERTUTIL -user -verify -urlfetch
Certificate Hold
can be unrevoked
no information later about invalid use during period when revoked
Certificates not available for revocation after CA DB loss
CERTUTIL -importcert
CRL Distribution Point (CDP) extension
CRL Paths
LDAP
client must be authenticated
automatically replicated among DCs
usually accessible only from inside
HTTP
may be anonymous
can be balanced on a single name (NLB, DNS round robin)
should be published on a public DNS name
CRL and CA chain
RootCA → Sub1CA → Sub2CA → IssuingCA → Leaf cert
CRLs: http://root/ca1.crl, http://sub1/ca2.crl, http://sub2/ca3.crl, http://issuing/ca4.crl
CRL validity and CA chain
RootCA → Sub1CA → Sub2CA → IssuingCA → Leaf cert
CRLs: http://root/ca1.crl (6 months), http://sub1/ca2.crl, http://sub2/ca3.crl, http://issuing/ca4.crl
Other CRL validity periods shown: 1 month, 1 week, 1 day
Root CA certificate and CRL
No CRL validation for root CA certificate
cannot revoke root CA
root CA always trusted unconditionally
Revoked CA cannot sign CRL
CRL signed with revoked CA is invalid
AIA chain
RootCA → Sub1CA → Sub2CA → IssuingCA → Leaf cert
AIA: http://sub1/ca2.crt, http://sub2/ca3.crt, http://issuing/ca4.crt
CRL and AIA support
Windows Vista/2008 and older
any number of HTTP, SMB/CIFS, FTP, LDAP paths
Windows 7/2008 R2 and newer
only first entry for each protocol
Manual CRL re-signing
CERTUTIL -sign existing.crl newly-signed.crl
SerialNumberList
now+10:00
never
Authority Key ID
Subject: Ondrej Sevecek
Public key: 37A1B883C19...
Subject Key ID: 155D2B77
Verified by: Verisign CA
Authority Key ID: 311A86B5
AIA: http://ca.idtt.com/ca.cer
Subject: Verisign CA
Public key: 37A1B883C19...
Subject Key ID: 311A86B5
Online Certificate Status Protocol
OCSP may decrease overall CDP traffic and smooth its profile
Preferred method for Windows Vista+
OCSP Example - Public CA
CRL: 200 kB CRL, 7 days validity, 500 000 000 clients per week = 1,3 GBps
OCSP: 1500 B OCSP response, 7 days validity, 500 000 000 clients per week, 5 OCSP responses per client = 48 MBps
OCSP Example - Private CA
CRL: 20 000 user certificates, 50 DC certificates, 5 000 CRL entries, 1 day validity
5 000 x 90 B = 450 kB CRL
20 050 x 450 kB = 835 kBps
OCSP: 20 000 user certificates, 50 DC certificates, 1 day validity
20 000 x 50 + 50 x 20 000 = 2 000 000
2 000 000 x 1500 B = 280 kBps
CERTIFICATE TEMPLATES
Certificates
Versions
Version 1
cannot be modified from GUI
msPKI-Private-Key-Flag Attribute
0x00000001 (1) CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL
0x00000010 (16) CT_FLAG_EXPORTABLE_KEY
Version 2, 3, 4
Certificate Template Versions
Version | Provider | First CA OS | Supported by Standard Edition CA | Modify | Cannot be Enrolled or Used
1 | CSP | Windows 2000 | yes | no |
2 | CSP | Windows 2003 | Windows 2008 R2 | yes | Windows 2000
3 | CNG | Windows 2008 | Windows 2008 R2 | yes | Windows 2000, Windows 2003, Windows XP, Web Enrollment, EFS, EAP, TMG 2010, ...
4 | CNG/CSP | Windows 2012 | Windows 2012 | yes |
CERTIFICATE REQUESTS
Certificates
Certificate request
Diagram labels: Certificate Request, CA, Public Key, Client, Private Key
Manual request (online)
DCOM/RPC
CERTUTIL -ping
Certsvc DCOM Access group
Manual request (online)
AD CS Enrollment Policy Web Service
AD CS Enrollment Web Service
Windows 7/2008 R2 and newer clients
limited autoenrollment
Manual request (offline)
CERTREQ and .REQ file
CERTREQ -submit -attrib "CertificateTemplate:User" kamil.req
HTTP web enrollment pages
same as submitting .REQ file
can enroll only for v1 and v2 templates
Direct import into AD CS console
Request completion
Import .CER manually into console
Pulse autoenrollment
AUTOENROLLMENT
Enterprise PKI
Autoenrollment
Must be enabled in GPO
Enrolls v2 templates for Windows XP and newer
Enrolls v3 templates for Windows Vista and newer
Template must be of a correct type
user/computer
Troubleshooting
GPUPDATE
updates trusted enterprise CA from AD
enables autoenrollment from GPO
CERTUTIL -pulse
CERTUTIL -user -pulse
HKLM / HKCU / HKU
Software\Microsoft\Cryptography\CertificateTemplateCache
Custom Request Attributes
Application/Policy/Exit Module Specific
CERTUTIL -view -restrict requestID=xx -out attrib:all
or CERTUTIL -view -restrict Disposition=9
CERTUTIL -view -v -out RawRequest
process name
machine name
user name
THANK YOU!