Roger A. Grimes, Microsoft
Presenter Bio
• Roger A. Grimes CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
• PKI installer for over 10 years
• Taught Microsoft PKI to Verisign
• Principal Security Architect for Microsoft InfoSec ACE Team
• InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
• 23-year Windows security consultant, instructor, and author
• Author of seven books on computer security, including:
  Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
  Professional Windows Desktop and Server Hardening (Dec. 2005)
  Malicious Mobile Code: Virus Protection for Windows (O'Reilly, 2001)
  Honeypots for Windows (Apress, December 2004)
• Author of over 300 national magazine articles on computer security
Roger’s Books
Presentation Summary
• Quick PKI Terminology Overview
• W2K8\R2 New Features Summary
• Installing a W2K8 PKI CA
• New Features Review: New Ciphers, Version 3 Templates, Restricted KRA and Enrollment Agents, OCSP, NDES, Web Enrollment Service, Cross-Forest Enrollment, Clustering
Public Key Infrastructure
Quick Primer
Why PKI?
• Primarily, PKI exists to authenticate the identities and their cryptographic keys involved in cryptographic transactions
• PKI says to the consumer of PKI certs: If you trust me, then the certificate is who it says it is from and that is their encryption key
• Principal = subject = user, computer, device, or service
Public Key Infrastructure Primer
[Figure: a certificate signed by a trusted CA vs. a self-signed certificate]
Components of a PKI
• Certificate and CA Management Tools
• Certification Authority
• Certificate and CRL Distribution Points
• Certificate Template
• Digital Certificate
• Certificate Revocation List
• Public Key-Enabled Applications and Services
Certification Authority (CA) Duties:
• Main: Confirm identity of certificate requestor
• Configure Templates and Publish for subjects to enroll against (i.e. request)
• Issue Certificates
• Revoke Certificates
• Digital encryption keys are just a series of binary bits (1's and 0's) used (i.e. mathematically applied) to obscure plaintext content
• Computers often represent keys as ASCII or hexadecimal characters
• Today, a typical key size ranges from a few dozen bits to thousands; 128-bit to 4096-bit keys are very normal
• Why can't a hacker just guess the key? Because with good crypto, brute force guessing would take more than "atoms in the known universe"
[Figure: Example Digital Encryption Key]
Two major types of encryption keys:
• Symmetric – same key used to lock and unlock
• Asymmetric – different key used to lock and unlock; called Private\Public Key Cryptography
• Most programs using asymmetric ciphers also use symmetric ciphers as part of their encryption process
Popular Public Symmetric Encryption Ciphers
• Data Encryption Standard (DES): 56-bit strength (64-bit key). Improved versions: 3DES, DESX (DES Extended)
• Advanced Encryption Standard (AES): became U.S. gov't standard in 2002; Windows (and nearly every other OS) standard today; 128-bit keys or larger, 256-bit or larger is normal
• IDEA
• Blowfish
• RC4, RC5, CAST-128
Popular Public Symmetric Encryption Ciphers
• Most applications should strive to use AES for symmetric encryption
• Windows XP SP1 and later supports AES. If you have XP and don't have SP1 or later installed, you probably don't have AES
• If you can't use AES: use 3DES (168-bit key, 112 effective bit length, still FIPS certified) or DESX (184-bit key, 118 effective bits)
• Don't use DES (64-bit key, 56-bit effective) anymore
Symmetric key encryption has several benefits over asymmetric encryption:
• Faster
• More secure for a stated key size
• Better tested over time
Asymmetric Cryptography
• Solves the problem of how to securely transmit the secret key(s) between source and destination, plus adds non-repudiation (when used with hash/signature)
• Private/public key pair: one key is used to encrypt, another key is used to decrypt; keys are mathematically related and unique to each other
Asymmetric Cryptography
• Private/public key pair. Central point: what one key can encrypt, the other can decrypt
• Besides the key pair, no other key can decrypt what the other key encrypted
• All participating parties should have their own key pairs
Asymmetric Cryptography
• Private key: only a single owner/user should possess it; no one else should ever see it; needs to be protected against unauthorized use/viewing/change
• Public key: the "world" can possess and see it
Asymmetric crypto
• Whatever the public key encrypts, the private key can decrypt: Encryption
• Whatever the private key encrypts, the public key can decrypt: Signing/Authentication
Popular Public Asymmetric Encryption Ciphers
• RSA
• Diffie-Hellman
• ElGamal
• DSS/DSA
• Elliptic Curve Cryptography (ECC)
• RSA and Diffie-Hellman most popular, but ECC gaining
• All are supported in today's Windows OSs by default except ElGamal (which can be added by 3rd party)
[Figure: Asymmetric Encryption Example - TLS/SSL]
Mixed Cipher Usage
Supported IE Ciphers (XP and before)
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_DHE_DSS_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
• TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
• TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_CK_DES_64_CBC_WITH_MD5
• SSL_CK_RC4_128_EXPORT40_WITH_MD5
Mixed Cipher Usage
Supported IE Ciphers (Vista and later), in preference order
• TLS w/RSA w/128-bit AES, then 256-bit AES
• TLS w/RSA w/RC4, then 3DES
• TLS w/ECC w/128-bit AES, then 256-bit AES; SHA 256-bit to 521-bit
• TLS w/ECC/RSA w/AES and SHA
• TLS w/DSS w/128-bit AES, then 256-bit AES
• Mixture of (mostly) TLS intermingled with SSL
Crypto Providers
• Crypto Providers are software programs that provide cryptographic services and ciphers, and generate cryptographic keys
• Crypto providers which use the legacy Cryptographic API (CAPI) are called Cryptographic Service Providers (CSPs)
• Crypto providers that use the Cryptography Next Generation (CNG) API are called Key Storage Providers (KSPs); KSPs appear in Vista and later
Crypto Providers (CSP/KSP)
• CSPs/KSPs determine what cipher algorithms (e.g. AES, RSA, sizes, etc.) are available to use
• Windows comes with many default CSPs
• Prior to Vista, only CSPs by default
• With Vista and later, both CSPs and KSPs can be used; only Vista and later recognizes KSPs
• Can use the default ones in Windows, or 3rd party vendors can install their own; often you can choose between Windows defaults or vendor-supplied CSP\KSP
Crypto Provider Example
To use a smart card:
• You need a smart card
• PKI to issue certs to the smart card
• Smart card reader
• KSP/CSP that works with smart cards
• Smart card reader and KSP/CSP must be installed wherever you plan to use the smart card, plus on the CA where templates are created or published
Crypto in Microsoft Certificate Services
• Can use any cipher provided by a Crypto Provider (KSP\CSP) module installed
• Defaults are: Diffie-Hellman, RSA, ECC, DSS; MD5, SHA1; AES, DES, 3DES, DESX
Suite B
• Set of algorithms required by US gov't starting in 2007
• AES 128 and 256, SHA-2 (SHA-256, SHA-384, SHA-512), ECC
• Vista and later is Suite B compliant
Certificates in Windows
Ways to Request Certificates
• Autoenrollment (XP and above)
• Automatic Certificate Requests (Windows 2000 machine certs)
• Certificate Manager (certmgr.msc) GUI
• Web Enrollment
• Certreq.exe
• Programmatically
• Email (manual process, can be automated)
• Network Device Enrollment Service (NDES)
• Manually (sneaker net)
• Registration Authority (e.g. CLM/ILM/FIM)
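The Certreq.exe path from the list above, worked through end to end, as an added example (not from the deck): an .inf request definition, key generation and PKCS#10 creation, submission to an enterprise CA, and installation of the issued certificate. The CA config string, template common name, subject and working directory are assumptions; the certreq.exe switches and .inf keys are the standard ones.

```powershell
# Added example, not from the original deck. Requests a machine certificate with
# certreq.exe against an enterprise CA. The CA config string, template name and
# subject below are ASSUMED placeholders; replace them for your environment.
$caConfig = 'W2K8IssuingCA1.contoso.ad\Contoso Issuing CA 1'   # "<host>\<CA common name>"
$template = 'WebServer'                                         # template common name (not display name)
$subject  = 'CN=app01.contoso.ad'
$workDir  = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Request definition. MachineKeySet=TRUE puts the key in the computer store
#    (needs an elevated prompt); Exportable=FALSE keeps the private key from
#    being exported later. KeyUsage 0xA0 = digital signature + key encipherment.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template
"@
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'
$cerPath = Join-Path $workDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 2. Generate the key pair and the PKCS#10 request
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 3. Submit to the CA. An enterprise CA issues immediately when the template's
#    permissions allow it; if the template requires CA manager approval the
#    request stays pending and no .cer file is written.
certreq.exe -submit -config $caConfig $reqPath $cerPath

# 4. Bind the issued certificate to the private key generated in step 2
if (Test-Path $cerPath) {
    certreq.exe -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
    # Show what landed in the computer store (subject, issuer, expiry, thumbprint)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Format-List Subject, Issuer, NotAfter, Thumbprint
} else {
    Write-Warning "No certificate returned (certreq exit code $LASTEXITCODE); the request is probably pending CA manager approval."
}
```

The same three-step sequence (-new, -submit, -accept) is what the GUI wizard performs behind the scenes; splitting it out is what makes scripted enrollment and enrollment from non-domain machines possible.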
Certificates in Windows
PKI Security Statements
• (In most scenarios) You should have at least two CAs
• Offline Root and one or more online issuing CAs
• No other server roles on any CA
• If your root CA has been connected to your network, it should be considered compromised, and the entire PKI and every valid issued cert replaced
W2K8\R2 Certificate Services
New Feature Summary
Certificate Services 2008 vs. 2003
Main New "Feature": Now known as ADCS (Active Directory Certificate Services)
• Certificate Services is 90% the same between versions. An admin on one can easily do most of the basics on the other
• Certificate Services is now a W2K8 server "role"
• Uses the Cryptography Next Generation API; CryptoAPI is legacy (also present)
• Supports Suite B ciphers
• Supports version 3 certificate templates, with new KSPs and Suite B ciphers
More Secure
• W2K8 and Certificate Services is more secure
• W2K8 is significantly more secure: more secure defaults, Windows Firewall (enabled by default), improved ciphers
• Improved key protection, not that keys were ever compromised in the wild anyway
Online Certificate Status Protocol
• Improved revocation checking protocol
• W2K8 can be an OCSP Responder: new CA role service, deployed as an IIS ISAPI application
• W2K8 is an OCSP client, too, along with Vista and later
• New OCSP tools
Restricted KRAs and Enrollment Agents
• Restricted KRAs
• Restricted Enrollment Agents
• In W2K3, KRAs and Enrollment Agents were global
• In W2K8, they can be restricted by template or security group
• Not available on Standard CA
Template Changes
• 2 new default templates: Kerberos Authentication (supersedes DC certs) and OCSP Response Signing
• LoadDefaultTemplates=0: put in CApolicy.inf to prevent auto-publishing of default templates; in W2K3 SP1, too (Standalone CAs only)
Template Changes (con't)
• Version 3 Certificate Templates: for Vista and later (don't use with XP and W2K3)
• Uses new CSPs - Cryptography Next Generation (CNG)
• New Cryptography tab for detailing crypto; v2.0 templates have a CSP button with fewer choices
• Uses AES-256 to transport the private key to and from the enrollment client (instead of 3DES)
• New field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios
Network Device Enrollment Service (NDES)
• For issuing certs to SCEP-compatible devices
• Simple Certificate Enrollment Protocol, invented by Cisco
• Receives and processes SCEP enrollment requests on behalf of software running on network devices
• Retrieves pending requests from the CA
• Generates and provides one-time enrollment passwords to administrators
Network Device Enrollment Service (NDES) (con't)
• Now a built-in role; was a W2K3 add-on called MSCEP
• Runs as an IIS ISAPI app
• Can run on non-CA servers
• Enhanced security; for example, can require a password
• Wide range of template use
• Can now renew NDES certs
Web Enrollment Website Updated
• Some good and interesting changes
• Now easier to put on a non-CA server
• Uses Certenroll.dll instead of xenroll.dll; pre-Vista OS must use the older dll; can install both on the web enrollment server
• Unfortunately, does not support some new features (like KSP, v.3 templates, Suite B, etc.)
• The web enrollment web site included by Microsoft is probably being discontinued
• Supports Issuer Distribution Point (IDP) for partitioned CRLs
• Credential Roaming built-in (client-side); requires schema updates on older domains
• Supports clustering (W2K3 and earlier didn't)
• Replaceable random number generator
• Better auditing
• Client can enroll on behalf of someone else
• You can rename CA servers now
• New template field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios
• DiscreteSignatureAlgorithm: support for the newer PKCS#1 v2.1 signature format for the CA certificate (Vista and later)
• 3 new assurance levels besides low, medium, and high
• KRA-archived keys can be protected by AES instead of 3DES
• New Microsoft smart card KSP (in Vista, too)
• Supports date setting during revocation
Tools
• Supports PowerShell
• PKIView.msc built-in now; used to have to install separately; improved functionality and bug fixes
• Supports CAPI2 diagnostics
• More tools, more scripts available
• Bad: Key Recovery Tool GUI gone; use certutil.exe instead
Pushing Certs Using GPO
• Trusted root CA certificates (W2K3 too)
• Enterprise trust certificates (W2K3 too)
• Intermediate CA certificates
• Trusted publisher certificates
• Untrusted certificates
• Trusted people (peer trust certificates)
New W2K8 R2 Features
W2K8 R2 Certificate Enrollment Services (CES)
• Don't confuse with the web enrollment web site! Website enrollment is for browser interactive sessions
• Problem to solve: all legacy enrollment services required RPC and DCOM, and lots of open RPC ports; even the web enrollment web site uses DCOM to the back-end CA
• Firewall nightmare; didn't work well across the Internet, forests, non-domain joined machines, etc.
W2K8 R2 Certificate Enrollment Services (con't)
• New method is a web service, less interactive
• Uses TLS over 443
• New method works well in almost all scenarios (if the client enrollment process uses the new enrollment method): Windows 7\W2K8R2 and later
• Uses two new services: Certificate Enrollment Policy Web Service (the policy service) and Certificate Enrollment Web Service (the enrollment service)
W2K8 R2 Certificate Enrollment Services (con't)
• Certificate Enrollment Web Service: provides enrollment services, the main service
• Certificate Enrollment Policy Web Service: the client contacts it to get certificate policy information consisting of the types of certificates it can enroll for, which enrollment services to contact to enroll for them, and what type of authentication to use for each service. The client must first be configured with information about which policy server(s) to contact and how to authenticate to them
W2K8 R2 Enrollment Services (con't)
• Once configured, during interactive enrollments, you'll see this [screenshot]
• CES are server roles [screenshot]
• Service uses SSL\TLS [screenshots]
• Clients must be configured to connect to the web site [screenshot]
• CES must be linked to an issuing CA [screenshot]
• CES web site(s) [screenshot]
Common Web Service Scenario [diagram]
• ca.corp.contoso.com (corp.contoso.com): back-end CA
• get-certs.contoso.com (dmz.contoso.com): running the ADCS role, but not a CA; running the CES and CEP role services
• Certificate requests are 'proxied' through CES to the back-end CA
• Policy requests are 'proxied' through CEP to the back-end Domain Controller
• Users and computers, both domain joined and not, connect over HTTPS without a VPN
W2K8 R2 Enrollment Services (con't)
• Can configure client auth method [screenshot]
New R2 Stuff
• Supports cross-forest servicing
• Old CA versions required a separate PKI per forest, or limited service using cross-forest trusts and lots of pre-work; didn't work well off-intranet
• New version can support multiple forests with one PKI; works well off-net
• But requires cross-forest trusts, Kerberos auth, and Win7\W2K8R2 or later clients
Cross Forest Servicing [diagram]
• rootca.contoso.com; ca.corp.contoso.com
• A single CA in one forest is able to issue certificates to end entities in any trusting forest
• Forests: corp.contoso.com, dev.contoso.com, test.contoso.com
New R2 Stuff
• Supports "renewal-only" mode for Internet-facing CAs, using Certificate Enrollment Service
• Supports static port 80 CA interactions (enrollment/renewal/revocation)
• Supports internet clients for enrollment/renewal/revocation when off the corporate network (great for mobile users)
Is a Schema Update Needed for W2K8 CAs?
• Schema update not needed to use almost all functionality of a W2K8 CA
• Schema update needed for Credential Roaming support, or CLM/ILM/FIM
• ACL update (using adprep /forestprep) on the Domain Controller template to let RODCs get issued DC certs
Installing ADCS
Install W2K8 CA
• Unfortunately, still need to place a CAPolicy.inf file on the CA server before installing
Microsoft Certificate Services
CAPolicy.inf File Example - Bare Minimum for Issuing CA

    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=10

    [CRLDistributionPoint]
    URL="LDAP:///CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6,%10"
    URL=http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
    URL="http://www.contoso.com/PKI/IssuingCA1.crl"

    [AuthorityInformationAccess]
    URL="LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6,%11"
    URL="http://www.contoso.ad/PKI/ContosoCA.cer"
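The deck's file is the issuing-CA minimum; the companion file for the offline root that the "PKI Security Statements" slide calls for looks different, because a root publishes its CRL rarely and should carry no CDP/AIA pointers of its own. As an added example (not from the deck), the script below writes such a CAPolicy.inf into %windir% before the role is installed; the renewal, CRL-period and LoadDefaultTemplates values are assumptions chosen to match the deck's advice, and the key names are the documented CAPolicy.inf ones.

```powershell
# Added example, not from the original deck. Writes a CAPolicy.inf for an
# OFFLINE ROOT CA; run it before "Add Roles" so the installer picks it up.
# The period/length values are ASSUMED and should be set to your own policy.
# Single-quoted here-string, so "$Windows NT$" is written literally.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; An offline root re-signs its CRL only when it is powered on; a long CRL
; period (26 weeks here, assumed) keeps the CRL valid between those sessions.
CRLPeriod=Weeks
CRLPeriodUnits=26
; No delta CRLs on a root: it issues almost nothing after the issuing CAs exist.
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; The deck's tip: stop the default templates from being auto-published.
LoadDefaultTemplates=0

; Empty=True leaves the CDP and AIA extensions out of the self-signed root
; certificate, so clients never try to fetch revocation data for the root itself.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@

$path = Join-Path $env:windir 'CAPolicy.inf'
# Write plain ASCII: a UTF-8 byte-order mark at the top of the file keeps the
# installer from recognising the [Version] section.
Set-Content -Path $path -Value $caPolicy -Encoding ASCII
Get-Content $path
```

The CRL period chosen here is what the issuing CAs' chains depend on: once the root's CRL passes its NextUpdate, every chain that checks revocation up to the root starts failing, which is the "cripple your organization" case the revocation slides describe.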
Installing Microsoft Certificate Services
Install W2K8 CA
13. In the Configuration Tasks wizard, click on Add Roles
14. Click Next
15. Click on Active Directory Certificate Services and Next
16. Click on Next
17. Keep the default of Certification Authority and Next
18. Accept the default of Standalone and click on Next
19. Accept the default of Root CA and click on Next
20. Accept the default and click on Next
21. Use the options shown here and click on Next
22. Type in a better Common Name and then Next
23. Change the validity period to 20 years and then Next
24. Accept the default locations and click on Next
25. Select Install
    Wait while it installs...
27. Click Close to end the install
28. Confirm the new and only role is installed, then Close
29. Open the Certification Authority console under Administrative Tools to verify the install.
Version 3.0 Templates
Certificate Template Version 3
• A certificate based on a version 3 certificate template can only be issued by an enterprise CA running on Windows Server 2008 (or later), Enterprise Edition.
• Version 3 templates contain more options, and stronger crypto
• Version 3 templates can only be published on W2K8 CAs
• V3 templates do not work with Windows OSs prior to Windows Vista
Certificate Template Version 3
• Windows 2000, XP, and 2003 will not enroll against V3 templates
• Only Vista and later understands SHA-2 hashes and ECC ciphers
• XP SP3 can verify certificates containing SHA-256 hashes, but not all applications can, so be careful in using any hash above SHA-1
• V3 templates will not show up on the web enroll site
• **To be safe, only use V3 templates with Windows Vista and later
Creating Certificate Templates
• Choose what version template you want to create: Version 2 or Version 3 [screenshot]
New Certificate Template Attribute
• Add Read permissions to Network Service on the private key... (version 3.0 and later templates only) [screenshot]
New Certificate Template Attribute
• Cryptography tab (version 3.0 templates and later) [screenshot]
Certificate Revocation: CRLs and OCSP
Certificate Revocation
• Used to indicate a digital certificate is invalid
• Any revoked certificate is to be considered (very) untrusted
• App may "break" if it can't find the revocation point or revocation is negative
• Unfortunately, certificate revocation doesn't always work (not all applications or users check for revocation)
Certificate Revocation
Certificates are revoked when:
• CA or other CAs in path (e.g. issuing) have been compromised
• Entity issued certificate is discovered to be a fraud
• To prematurely end certificate's useful life
• For any other reason the CA wants (e.g. customer didn't pay their bill)
Checking Certificate Revocation
• In order for revocation to be checked, the certificate being verified must include valid revocation information (e.g. revocation list location, etc.) and the resulting information must be reachable by the client/application investigating
• Called certificate chaining
• Certificate information is usually checked back to just before the Root CA (root is offline)
Certificate Revocation
• Revocation checking not always done; depends on the PKI-participating application and/or its settings
• Sometimes even when it is done/required, the application only reports if the certificate is revoked (and not, unfortunately, if the revocation information can't be confirmed)
• But can also cripple your organization if revocation is not working!!!
• Some apps allow turning revocation checking on and off [screenshot]
• In IE (with revocation checking enabled), if the cert's revocation information isn't valid or reachable, IE won't report an error by default
• Although when using Secure Socket Tunneling Protocol (SSTP), IE will check and absolutely require correct revocation information in the VPN server's cert
Checking Certificate Revocation
Ways revocation can be checked:
• Certificate Revocation List (CRL): full and deltas
• Online Certificate Status Protocol (OCSP)
• Application checks (depends on app)
• Manually using Certutil.exe
• Programmatically
• Stored locally in revocation database
Certificate Revocation List (CRL)
• List of revoked certificates (revocation)
• CRL is placed at the CDP (CRL distribution point) so clients can check. The CDP is hard wired into the certificate
• CRLs can be published to Active Directory so they are available to everyone
• CRLs can be full base or delta
• HTTP references should not be HTTPS-enabled
OCSP (RFC 2560)
Online Certificate Status Protocol
• Replacement for the older CRL revocation checking method
• OCSP Responder collects CRL entries and stores them in a database; can be queried for a particular cert
• Allows OCSP clients (Vista and later) to quickly query/verify certificate status, instead of relying on and downloading the entire CDP/CRL
• OCSP Online Responder Service can be installed stand-alone or on a CA W2K8 server
• OCSP Responder available for Windows Server 2008, but can respond for W2K3 also
Basic OCSP Setup [diagram]
OCSP Process
1. Bob gets certificate/public key from Alice
2. Alice's digital certificate contains an OCSP extension
3. Bob sends fingerprint of Alice's public key to Alice's defined OCSP responder
4. OCSP responder confirms status (success or revoked) or sends back an unknown message
5. OCSP sends back a signed OCSP response
6. Bob reads the status and handles accordingly
More Complex OCSP Setup [diagram]
OCSP (RFC 2560) con't
• OCSP uses HTTP
• OCSP Responder location should be hardcoded into OCSP-enabled digital certificates in the AIA location
• The OCSP standard can connect directly to the CA database or use CRLs; Windows OCSP relies on CA CRLs
• Client must be OCSP-aware and be able to reach the OCSP responder
OCSP (RFC 2560) con't
• Vista/W2K8 and later has an OCSP client built in and will resolve using OCSP first vs. CRLs
• Legacy clients will need to use a 3rd party OCSP client
• W2K8 can serve as an OCSP Responder for W2K8/W2K3 servers
• OCSP Responder was a separate download in W2K3
Online Certificate Status Protocol
• Application must be coded to look for the OCSP extension in the certificate
• IE 7 and later, on Vista and later
• All versions of Firefox support OCSP; v.3.0 turns it on by default
• Safari and Opera support it
• Google's Chrome does not (as of 3/09)
Online Certificate Status Protocol
By default:
• OCSP will be checked first if an OCSP extension is found
• If no OCSP response, then CRL tried
• Default behavior can be reversed: Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings
Installing OCSP
• Configure OCSP Response Signing Certificate Template and publish
• Modify AIA on Issuing CA to point to the OCSP Responder virtual directory
• Install OCSP Responder and configure
• Test
Publish OCSP Response Signing Certificate
1. Logon to W2K8IssuingCA1 as local Administrator and start the Certification Authority console
2. Right-click Certificate Templates and choose Manage
3. Right-click the OCSP Response Signing template and choose Duplicate Template
4. Choose Windows Server 2008, Enterprise Edition and then select OK
5. Type in a new template name and then click on the Security tab
6. On the Security tab, add the W2K8IssuingCA1 computer account (as OCSP Responder)
7. Give Read and Enroll permissions to the W2K8IssuingCA1 computer account, OK, then Close
8. In the Certification Authority console, right-click Certificate Templates, New, Certificate Template to Issue
9. Select the new OCSP certificate template and then OK
10. Minimize or close the Certification Authority console
11. At the command prompt on the CA server, type:
    certutil -setreg CA\UseDefinedCACertInRequest 1
    then close the prompt
12. Restart the CA service
Installing OCSP
• You need to install the OCSP Responder service, and then configure a Revocation Provider Configuration entry for each Revocation Provider that you want the OCSP Responder to respond for
1. Logon to W2K8IssuingCA1 as local Administrator and start Server Manager. Choose Add Role Services
2. Select Online Responder and then Next
3. Choose Install
   If you install IIS 7 separately, the following IIS/Web Server components are required:
   • Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
   • Application Development: .NET Extensibility, ISAPI Extensions
   • Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
   • Security: Request Filtering
   • Performance: Static Content Compression
   • Management Tools: IIS Management Console, IIS 6 Management Compatibility, IIS Metabase Compatibility
4. Choose Close and close Server Manager
5. Choose Start, Administrative Tools and Online Responder Management
6. Right-click Revocation Configuration
7. And choose Add Revocation Configuration
8. Click on the Next button
9. Type in a name and then the Next button
10. Keep the default option and then choose Next
11. Keep the default option and then choose Browse
12. Select W2K8IssuingCA1 and then choose OK
13. Click on Next
14. Select the correct template and then click on Next
15. Click on Finish
16. Confirm Revocation Configuration Status by clicking on the revocation configuration object and choosing Edit Properties
17. Review Revocation Configuration, confirm Base CRLs and then click OK. (No need to define deltas)
    [Screenshot: Example Certificate with OCSP Extension]
18. Right-click the OCSP server name and choose Responder Properties
19. On the Audit tab, enable all auditing options, OK
20. Give Enterprise PKI Publishers Manage Online Responder and Read permissions, then OK
21. Close the OCSP Responder console
22. Confirm Windows Firewall has inbound rules for OCSP
Configure OCSP Extensions
1. Open up the Certification Authority console
2. Right-click on the CA name and choose Properties
3. Click on the Add button under the Extensions tab and choose the AIA extension option
4. Add http://W2K8IssuingCA1.contoso.ad/ocsp and enable both the AIA and OCSP options, then OK
5. Close or minimize the Certification Authority console
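The CA-side clicks from "Publish OCSP Response Signing Certificate" and "Configure OCSP Extensions" collapse into a handful of certutil calls. The script below is an added example (not the deck's own), run in an elevated prompt on the issuing CA; the host name and the common name of the duplicated signing template are assumptions, and the flag values are the documented ones for the CACertPublicationURLs registry value (2 = put in the AIA extension, 32 = put in the OCSP field of the AIA extension, so the deck's "both AIA and OCSP" checkbox state is 34).

```powershell
# Added example, not from the original deck. Command-line equivalent of the
# OCSP-related CA steps, run in an elevated prompt ON the issuing CA.
# The host name, template common name and URLs are ASSUMED placeholders.
$caHost       = 'W2K8IssuingCA1.contoso.ad'
$ocspTemplate = 'OCSPResponseSigningW2K8'   # common name of the duplicated template (assumed)

# 1. Publish the OCSP signing template on this CA ("Certificate Template to Issue")
certutil.exe -SetCATemplates "+$ocspTemplate"

# 2. Let the responder's signing-certificate request carry the CA certificate it
#    signs for (the deck's UseDefinedCACertInRequest step)
certutil.exe -setreg CA\UseDefinedCACertInRequest 1

# 3. AIA publication URLs. Each entry is "<flags>:<url>" and certutil takes a
#    literal "\n" between entries of this multi-string value:
#      1  = publish the CA certificate to this location (file/LDAP targets)
#      2  = include the URL in the AIA extension of issued certificates
#      32 = include the URL in the OCSP field of the AIA extension
#    The first three entries are the stock defaults; the last one is the
#    deck's http://<ca>/ocsp with the AIA and OCSP boxes ticked (2 + 32 = 34).
$aia = @(
    '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt',
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11',
    "2:http://$caHost/CertEnroll/%1_%3%4.crt",
    "34:http://$caHost/ocsp"
)
certutil.exe -setreg CA\CACertPublicationURLs ($aia -join '\n')

# 4. Restart the CA service so newly issued certificates carry the new AIA/OCSP URLs
Restart-Service certsvc

# 5. Echo the stored value so the flags can be checked by eye
certutil.exe -getreg CA\CACertPublicationURLs
```

Certificates issued before step 4 keep their old AIA extension, which is why the deck's "Testing OCSP" slide says to generate a new certificate rather than re-examine an existing one.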
Testing OCSP
• PKIView.msc (W2K8 or later)
• Generate a new cert and verify the correct http path in the OCSP extension of the AIA extension
• Force CRL checking in the application using the certificate
• Certutil -verify <certname>
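A scriptable form of the "Certutil -verify" test above, as an added example that is not part of the deck: -urlfetch makes certutil retrieve every AIA, CDP and OCSP URL embedded in the certificate, so the output shows which revocation source actually answered. The test-certificate path is an assumption, and the `Verified "OCSP"` / `Verified "Base CRL"` line patterns are an assumption about certutil's text output; if the regexes match nothing, read the Raw field.

```powershell
# Added example, not from the original deck. Wraps "certutil -verify -urlfetch"
# and summarises whether the OCSP responder or a CRL satisfied revocation
# checking. Output line patterns below are ASSUMPTIONS about certutil's text.
function Test-RevocationPath {
    param([Parameter(Mandatory=$true)][string]$CertPath)

    $raw = certutil.exe -verify -urlfetch $CertPath 2>&1 | Out-String
    $exit = $LASTEXITCODE

    New-Object PSObject -Property @{
        Certificate  = $CertPath
        ExitCode     = $exit                                     # non-zero = chain or revocation failure
        HasOcspUrl   = ($raw -match 'http://[^\s"]+/ocsp')       # AIA entry the deck configures (assumed path)
        OcspVerified = ($raw -match 'Verified\s+"OCSP')          # responder answered and signature checked
        CrlVerified  = ($raw -match 'Verified\s+"(Base|Delta) CRL')
        Revoked      = ($raw -match 'revoked')
        Raw          = $raw
    }
}

# Usage: run against a certificate issued AFTER the AIA/OCSP extension change
$r = Test-RevocationPath -CertPath 'C:\PKI\test\issued.cer'   # assumed path
$r | Format-List Certificate, ExitCode, HasOcspUrl, OcspVerified, CrlVerified, Revoked
if ($r.ExitCode -ne 0 -or $r.Revoked) {
    Write-Warning 'Chain or revocation check failed; inspect $r.Raw for the certutil output'
}
```

HasOcspUrl true with OcspVerified false and CrlVerified true is the state the deck's "By default" slide describes: the client tried OCSP, got no usable answer, and fell back to the CRL. That is worth alarming on, since it means the responder is not doing its job even though the application still works.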
OCSP Arrays
• It is easy to create a fault-tolerant array of OCSP Responders
• Enable the Network Load Balancing (NLB) service
• Define the OCSP extension with a name that will resolve to the NLB's cluster IP address
• Then define it in the Array Configuration option in the OCSP Responder GUI
Is a Schema Update Needed?
• W2K3 AD schema or later is needed for OCSP
• W2K8 schema update is not needed if the schema has been updated to W2K3
• A Windows 2000 domain is OK, as long as the AD schema has been upgraded to the Windows 2003 AD schema
• Need at least one W2K8 server joined to the domain, and to have a domain admin execute the template snap-in from the Windows 2008 server to get the new OCSP Responder Signing template(s) installed in AD
For More Reading: http://technet.microsoft.com/en-us/library/cc770413.aspx
Questions?
Fault Tolerance, Backup and Disaster Recovery
Fault Tolerance
When would end-users notice a problem?
• If Issuing CAs are down: when users request a new cert or try to renew an expiring cert
• If AIA or CDP publication points are down: when an application the end-user is using checks certificate revocation
Fault Tolerance: Required
• Always have a minimum of two issuing CAs with the same templates published
• CAs should have fault-tolerant disks
• CRLs should be redundant: internally redundant LDAP, and multiple http locations? Externally redundant, if certs are used externally
• OCSP Responders should be redundant
Fault Tolerance: Optional
• Clustering
• Redundant hardware?
• Cold standby?
• Virtual machine standby?
Fault Tolerance: CA Clustering [diagram]
• Available in Windows Server 2008 Enterprise edition
• Only supports a two-node Active/Passive cluster
• Must share the same database and log files
• Can't mix W2K8 and W2K3
• Many HSMs support clustering
• Must load balance (using NLB, etc.) other things: CDP, OCSP Responders, NDES, web enrollment, etc.
Why Clustering?
• If multiple issuing CA servers can issue the same types of certs, why cluster CA servers?
• Answer: they don't issue the same certs or share the same database
• Can't revoke a cert you can't "find"
• If one goes down, there can be problems when base or delta CRLs expire (can break the revocation chain and break applications that depend on revocation checking)
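Both the "CRLs should be redundant" requirement and the "problems when base or delta CRLs expire" failure mode above come down to one check a defender wants scheduled: is every HTTP CDP reachable, and is the CRL it serves still inside its NextUpdate? The function below is an added example (not from the deck) that does that for a list of CDP URLs; the URLs are the two HTTP locations from the deck's CAPolicy.inf example and are assumed reachable, and the `NextUpdate:` line format of `certutil -dump` is an assumption about its text output.

```powershell
# Added example, not from the original deck. For each HTTP CDP: download the
# CRL over plain HTTP (as the deck recommends), dump it with certutil, and
# flag CRLs whose NextUpdate has already passed. The "NextUpdate:" line
# format is an ASSUMPTION about certutil -dump output.
function Get-CrlPublicationStatus {
    param([Parameter(Mandatory=$true)][string[]]$Urls)

    $tmp = Join-Path $env:TEMP 'crlcheck.crl'
    $web = New-Object Net.WebClient
    foreach ($u in $Urls) {
        $status = New-Object PSObject -Property @{
            Url = $u; Reachable = $false; NextUpdate = $null; Expired = $null; Error = $null
        }
        try {
            $web.DownloadFile($u, $tmp)                 # HTTP 4xx/5xx or DNS failure lands in catch
            $status.Reachable = $true
            $dump = certutil.exe -dump $tmp | Out-String
            if ($dump -match 'NextUpdate:\s*(.+)') {
                $status.NextUpdate = [datetime]::Parse($Matches[1].Trim())
                $status.Expired    = ($status.NextUpdate -lt (Get-Date))
            } else {
                $status.Error = 'could not parse NextUpdate from certutil -dump'
            }
        } catch {
            $status.Error = $_.Exception.Message
        }
        $status
    }
}

# Usage: the HTTP CDP locations from the deck's CAPolicy.inf example (assumed)
$cdpUrls = @(
    'http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl',
    'http://www.contoso.com/PKI/IssuingCA1.crl'
)
Get-CrlPublicationStatus -Urls $cdpUrls |
    Format-Table Url, Reachable, NextUpdate, Expired, Error -AutoSize
```

Treat Expired = True on any location as an outage even while applications still work: clients that cached the CRL keep going until their copy lapses, so the symptom surfaces hours later and all at once. Run the check from a host that is not the CA, so that a stale mirror is caught rather than the CA's own fresh copy.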
Enrolling on Behalf of Another User
Certificate Request Wizard
• Useful for: smart card certificates, S/MIME certificates, enrolling for offline users and computers
• Must already have an Enrollment Agent cert
• Can also issue an Enrollment Workstation certificate and require that Enrollment Agents be logged on at approved Enrollment Workstations to enroll on behalf of others
[Screenshots: Certificate Request Wizard, enrolling on behalf of another user]
Certificate Services
New PKI Features
Questions