... on a pentesting platform. that became my main 'social network'!
It feels like the natural progression from my walking down the stack: In the last year I re-lived my history of a physicist in IT or an IT security specialist trained as a physicist. I investigated the security of embedded systems and sniffed network traffic - mostly related to monitoring and control of physical devices for 'generating' or storing energy.
I wanted to fill in gaps of knowledge, I turned to classic introductions to computer science, and I caught up on C/C++ and Python. But trying to hack systems is still another kind of skill: I had been a 'defender' for many years, explaining to others how to secure their systems, but I lacked the skills of an attacker.
After I had dabbled in forensics of unknown files and in using automated testing tools with modest success, I decided I want to learn this craft thoroughly. Or was it? Maybe I just want to play and see how far I can get. It was a surprise that I was actually able to hack the entry challenge for that pentesting platform. Fast-forward: I had hacked more than 80% of the active boxes.
My experiences there are both very humbling and very gratifying. Sometimes I struggle with even getting an exploit tool to run as I lack some basic knowledge of compile switches. But sometimes I discover I can leverage some things I didn't even realize consciously or ancient things buried deep in my memory. Who knew that ASP and VBScript would ever be useful again? And my preferences of Python and C++ (for non-destructive purposes) feels eerie now - I could not have picked the languages for my exploit tools better! My adventures with learning SQL Server a few years ago also come in handy, and what I considered my most unprofessional hacks turned out to be most useful: Stringing together 'applications' from scripts and compiles code in different languages, burying one into the other, not being afraid of loads of different quotes embracing each other. As a side effect, I am also more daring when it comes to my non-malicious code now: I have no problems any more to state publicly that I write an application in C# that adds VBA macros to Excel and executes them!
My immersion in this addictive platform also told me something about my learning preferences ... again. I had known it but it was not that explicit: I want to learn from solving problems. That was my intuitive answer once, when colleague had asked how I make myself familiar with new technologies, a freshly released operating system at that time. I replied that I try to solve one specific problem on that new system (involving X.509 certificates then) - and then expand my knowledge from there. I have pontificated about my love of reading textbooks and immersing myself in abstract theory, and this is not a contradiction: Hadn't I ploughed through the later chapters of Structure and Interpretation of Computer Programs - the ingenious explanation how compilers and assembly works - I might not enjoy my attempts to create buffer overflows that much. Which is a topic I need much much more reading and playing with, by the way.
I know am saying the same things again and again and again - here, on my blog, and on social media. It seems my websites have run their course for the time being - I am not actively trying to search for new content to create, and I feel like writing articles that flow naturally, rather than writing semi-scholarly papers with code and data. So I am leaving this article here, on the site that nobody reads, as a hidden away note maybe.
Recently I've changed my story at some social profiles again - to this:
Specializing in: Control systems, software development for measurement data analysis, IT security, troubleshooting and reverse engineering systems with physical (hydraulic) and software (control) components.
I am running a small engineering consultancy together with my husband. We are both physicists, and we focus on designing, programming, and troubleshooting control systems for heating / solar systems, especially heat pump systems with a combination of uncommon heat sources and custom control. For more than 10 years I have implemented, reviewed, and troubleshooted public key infrastructures, and I still do this for some long-term clients.
I am blogging about this and about related science and engineering topics at https://elkement.blog.
In contrast to this blog, this site here is more of an extended profile / About Me page. It is my hand-crafted whoami machine.
I think about my exploration of layers of software. tl;dr: I am gradually moving down / back to the lower levels of software, the ones closer to hardware, electronics, control, field bus systems etc.
I've started out learning about micro-controllers in electronics class as a physics student. Then I programmed sensors and actuators for measuring the low-temperature electrical properties of superconductors as a staff scientist at the university (in Turbo Pascal). Yet I jumped up to the top of the software stack and switched to Microsoft scripting languages: VBA, VBScript, ASP when I went 'from research to IT'. Even the first version of my numerical simulation for our heat pump system was an Excel spreadsheet, then a VBA application using spreadsheets.
It seems I needed to trade 'IT' again officially for 'renewable energies' to be motivated to move down the stack again. When I was a non-traditional 'post-graduate' student in in energy engineering I was always been the 'Excel programmer' in group projects. Buth then I went down rabbit holes: Learning SQL Server and Transact-SQL for analyzing our measurement data. Re-writing the simulation software, now based on Visual Basic .NET, for the first time using a true object-oriented design. To get ready for this, I had re-written this website from scratch in .NET before. My so-called Data Kraken uses a combination of Powershell and SQL scripts today.
I finally learned to utilize all my processors in my simulation, and I fixed lots of performance issues. I read Joel on Software cover to cover to re-live the period I 'was in IT' and to catch up on fundamentals. He pointed me to Structure and Interpretation of Computer Programs which I consider the single best ever lecture / course I've ever 'attended'. It is both so deep and philosophical, and at the same time so useful: My simulations became faster by a large factor.
And all the time, I did reverse engineering and debugging. I think I have done this ever since, but always at the level I understood software at the time. Of all the tasks I had as an IT Security / Public Key Infrastructure consultant, troubleshooting weird issues with X.509 certificates was maybe the best one: Digging deep into network traces, reading up on RFCs. Every time I was theoretically only a user of software and services, I ended up debugging in detail - like using Wireshark to track down a weird compatibility issue between my e-mail client and a mail server, when just trying to sign my invocies via a digital signature solution using SMTP.
Then I finally learned C and C++, and I read about Assembly and the art of reverse engineering and malware analysis - to really appreciate the final chapters of SICP, about the self-referential wonders of compilers and interpreters.
Trying to visualize the stack and what happens to the registers, I picked up a very old book - the one I used decades ago in my electronics class - and I jumped into the chapter about micro-controllers. And then it hit me: Those fundamentals, they have not changed much. Yes, different processors have different instruction sets and you might have 8bit, 16bit, or 32bit. But the explanation about the stack, and how to return from a function - this has always been an eternal truth since that electronics book and SICP had been released.
All falls into place: Understanding C is really the pre-requisite for understanding field bus communications, and that is what control units use. Debugging skills are essential when dealing with abandoned engineering software from the stone age.
So I finally found the most logical connection between physics and IT, the place to be as a physicist in IT or in engineering or whatever.
Onword to Python!
I will try to explore my relationship with IT / software / computers / computer science / software engineering or whatever the best term is to describe it. I am in a mode of looking back with content, and making small changes, learning a bit more.
As often, thinking in 'opposites' comes most natural to me:
Self-study versus formal education. The IT and software industry is young and - I believe - had originally been populated by people without a formal training in computer science as this did not yet exist as an academic discipline. The community was open to outsiders with no formal training or unrelated experience. As a former colleague with a psychology background put it: In the old times, anybody who knew how to hold a computer mouse correctly, was suddenly considered an expert.
I absorbed the hacker ethics of demonstrating your skills rather than showing off papers, and I am grateful about the surprisingly easy start I had in the late 1990s. I just put up a sign in a sense, saying Will Do Computers, and people put trust in me.
I am not 'against' formal education though. Today I enjoy catching up on computer science basics by reading classics like Structure and Interpretation of Computer Programs.
Breaking versus building things. I have been accountable for 'systems' for a long time, and I have built stuff that lasted for longer than I expected. Sometimes I feel like a COBOL programmer in the year of 2000.
But I believe what interested me most is always to find out how stuff works - which also involves breaking things. Debugging. Reverse Engineering. Troubleshooting. All this had always been useful when building things, especially when building on top of or interfacing with existing things - often semi-abandoned blackboxes. This reverse engineering mentality is what provided the connection between physics and IT for me in the first place.
It was neither the mathematical underpinnings of physics and computer science, or my alleged training in programming - I had one class Programming for physicists, using FORTRAN. It was the way an experimental physicist watches and debugs a system 'of nature', like: the growth of thin films in a vacuum chamber, from a plasma cloud generated by evaporating a ceramic target bombarded with laser pulses. Which parameter to change to find out what is the root cause or what triggers a system to change its state? How to minimize the steps to trace out the parameter space most efficiently?
Good-enough approach versus perfectionism. 80/20 or maybe 99/1. You never know or need to know anything. I remember the first time I troubleshooted a client's computer problem. I solved it. Despite knowing any details of what was going on. I am sort of embarrassed by my ignorance and proud at the same time when I look back.
In moment like this I felt the contrast between the hands-on / good-enough approach and the perfectionism I applied in my pervious (academic) life. I remember the endless cycles of refinement of academic papers. Prefixing a sentence with Tentatively, we assume,... just to be sure and not too pretentious though I was working in a narrow niche as a specialist.
But then - as a computer consultant - I simply focused on solving a client's problem in a pragmatic way. I had to think on my feet, and find the most efficient way to rule out potential root causes - using whatever approach worked best: Digging deep into a system, clever googling, or asking a colleague in the community (The latter is only an option if you are able to give back someday).
Top-down, bottom-up, or starting somewhere in the middle. I was not a typical computer nerd as a student. I had no computer in high school except a programmable calculator - where you could see one line of a BASIC program at a time. I remember I had fun with implementating of the Simplex algorithm on that device.
However, I was rather a user of systems, until I inherited (parts of) an experimental setup for measuring electrical properties of samples cooled down by liquid nitrogen and helium. I had to append the existing patchwork of software by learning Turbo Pascal on the job.
Later, I moved to the top level of the ladder of abstraction by using *shock, horror* Visual Basic for Applications, ASP, and VBScript. In am only moving down to lower levels now, finally learning C++, getting closer to assembler and thus touching the interface between hardware and software. Which is perhaps where a one should be, as a physicist.
Green-field or renovation (refactoring). I hardly ever had the chance to or wanted to develop something really from scratch. Constraints and tough limiting requirements come with an allure of their own. This applies to anything - from software to building and construction.
So I enjoy systems' archaeology, including things I have originally created myself, but not touched in a while. Again the love for debugging complements the desire to build something.
From a professionals' point of view, this is a great and useful urge to have: Usually not many people enjoy fiddling with the old stuff, painstakingly researching and migrating it. It's the opposite of having a chance to implement the last shiny tool you learned about in school or in your inhouse presentation (if you work for a software vendor).
In awe of the philosophy of fundamentals versus mundane implementation. I blogged about it recently: Joel Spolsky recommended, tongue-in-cheek, to mention that Structure and Interpretation of Computer Programs brought you to tears - when applying for a job as a software developer.
But indeed: I have hardly attended a class or read a textbook that was at the same time so profoundly and philosophically compelling but also so useful for any programming job I was involved in right now.
Perhaps half of older internet writing reflects my craving for theses philosophical depths versus the hard truth of pragmatism that is required in a real job. At the university I had been offered to work on a project for optimizing something about fluid dynamics related to the manufacturing of plastic window frames. The Horror, after I had read Gödel, Escher, Bach and wanted to decode the universe and solve the most critical problems of humanity via science and technology.
I smile at that now, with hindsight. I found, in a very unspectacular way, that you get passionate about what you are good at and what you know in depth, not the other way round. I was able to possibly reconnect with some of my loftier aspirations, like I could say I Work In Renewable Energy. However, truth is that I simply enjoy the engineering and debugging challenge, and every mundane piece of code refverberates fundamental truths as the ones described in Gödel, Escher, Bach or Structure and Interpretation.
Since 2012 I have published PKI status updates here, trying to answer the question 'Do you still do PKI?' (or IT). I have re-edited them often, and my responses were erratic - I was in a Schrödinger-cat-like superposition state of different professional identities.
Now and then I still get these questions. Can I answer it finally? I am still in a superposition state - I don't expect the wave-function to break down any time soon. I enjoy this state! But my answer to IT-related requests is most often no.
So yes, I am still 'working with IT' and 'with IT security' professionally. Not necessarily 'in IT'.
I am supporting a few long-term clients with their Windows PKI deployments and related X.509 certificate issues (after having done that for more than 10 years exclusively). Those clients that aren't scared off by my other activities, and clients I had always worked with informally and cordially. But I don't have any strong ties with specific PKI software vendors anymore, and I don't know about latest bugs and issues. So I don't present myself as a Windows PKI consultant to prospects, and I decline especially requests by IT security partner companies who are looking for a consultant to pitch or staff their projects. I am also not interested in replying to Request for Proposals for PKI or identity management and 'offering a solution', competing with other consultants and especially with other companies that have full time stuff doing business development (I hardly did this in my PKI-only time). I am not developing software anymore that might turn into an 'enterprise solution'.
Today I am working 'with IT' more than 'in IT' in the sense that I returned where I came from, as an applied physicist who was initially drawn into IT, armed only with experience in programming software for controlling experimental setups and analyzing my data: I call myself the 'theoretical department' of our small engineering consultancy - I am developing software for handling Big Monitoring Data. I am also tinkering with measurement technology, like connecting a Raspberry Pi to a heat pump's internal CAN bus.
Security is important of course: I have fun with awkward certificates on embedded devices, I sniff and reverse engineer protocols, and I could say I am working with the things in the Internet of Things. But I am not doing large-scale device PKIs or advising the IT departments of major engineering companies: My clients are geeky home owners, and we (the two of us) are planning and implementing our special heat pump system for them. An important part of such projects is monitoring and control.
So every time I feel that somebody is searching for 'a PKI consultant' I am the wrong person. But if somebody stumbles upon my CV or hears my story at full length - and absolutely wants to hire me just because of the combination of this - I might say yes.
But it is no good rationalizing too much: Finally it is a matter of gut feeling; I am spoilt or damaged by our engineering business. Our heat pump clients typically find our blog first - which has been mistaken for a private fun blog by friends. Prospects are either 'deflected' by the blog (and we never hear from them), or they contact us because of the blog's weird style. Having the same sense of humor is the single best pre-requisite for a great collaboration. So whenever I get any other project request, not mediated by a weird website, I try to apply the same reasoning. Years ago I a colleague I had not met before greeted me in the formal kick-off meeting, in front of all others, with: You are the Subversive Element, aren't you? (Alluding to my Alter Ego on subversiv.at). That's about the spirit I am looking for.
I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing their PKIs run inhouse. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.
As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.
Here is the often requested one A4 page summary, and here you can see that those PKI services are part of an ... uhm... odd combination of IT services.
- I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
- I started logging PKI issues here. The idea is to described them most concisely, in TXT format.
- Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.
I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I have completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkeIn profile). Now I am consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weirder to combine that with PKI.
The security of the smart grid and internet of things [add more buzz words here] provide options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.
For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.
This is an image I called PKIs in the real world in this post.
This is a compilation of threads in Technet forums, organized by topic.
Chain validation and revocation checking issues
Chaining and hierarchies
- 3 Tier CA Hierachy - Configuring the 2nd Tier. I recommend Microsoft's own PKI showcase and reading Technet forums discussions about policy OID 'inheritance' and avoiding the Invalid Issuance Policies error.
- How to force clients to trust a Windows Enterprise CA? GP Update, check pkiview.msc, publish the CA certificate to AD if it had not been published.
- Population of the Root CA certificate store with CAs certified in the MS Root Program. Done on demand since Vista; it can happen that not all EKUs are finally checked.
- Maintaining Root Certs on Server Without Internet - like subscribing to a list of required CAs in the MS Root Program (and being informed about their 'revocation'). Not an option, unfortunately.
- How to configure and offline policy CA: Standalone CA, not a domain member, better not use LDAP URLs pointing to a location in AD.
- Cross-Certification for Non-Windows Clients - discussions of things to consider when trying to cross-certify a new CA (in this case a SHA256 signed Root CA) by an existing CA (SHA1 signed Root). It seems my conclusions from bifurcated certitficate chains can't generalized to all scenarios.
- What happens to issued certificates when a CA is renewed? The stay valid unless something wird was done in configuring CDP / AIA.
- CRL validation for CACert certificate fails despite accessible CRL. The CRL is large but I believe the main issue is using an HTTPS URL for one of the CDP. Even if it is redirected to HTTP the certutil client might refuse to follow the recursions which is OK as per RFC 5280.
- Processing of policy OIDs in capolicy.inf. It seems in this case the file has not been processed.
- Can an Enterprise Root CA be converted to an intermediate CA? It cannot but a new intermediate CA can be setup with a new certificate and the same key as the former Root CA.
- Authoritative list of public CAs. There is not a single list but different certification programs
- Which names used for / with a CA can be changed on renewal.
- What is 'verification' of a Root CA certificate?
- Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation. (Side-track of OCSP-related 'case')
- Allegedly corrupt signature: Due to certificate chain built just on name matching as the wrong issuer CA certificate (wrong key but same name) had been imported.
Time validity
Revocation lists
(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)
- Configuration of UNC paths as CRL publication URLs.
- White papers on how to make OCSP servers and CRL web servers high-available?
- pkiview errors as the Root CAs CRL has not been published manually to the web server. A PKI left as a legacy to the next admin.
- 802.1x authentication error after CA had been migrated to another machine. Reason was: The new instance of the CA haven't published CRLs to the old locations. Note the pkiview.msc keeps seeing the old locations even though all issued certificates (including CAExchange) already show the new ones.
- Disadvantages of LDAP CDP and AIA URLs, and how to populate HTTP URLs via publishing to UNC paths.
- How to configure delta CRLs - properties of extensions, publication options
- How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service.
- Sorting out different ways of caching validation info: CRL caching, OCSP response caching, OCSP web proxy..
- CRL validity period and overlap - basics.
- CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. [ref]
Windows PKI design, implementation, and maintenance
PKI AD integration and clean-up
- CA migration from Windows 2003 to 2012 R2. Brief summary, link to migration guide.
- Move a CA from a DC to another machine. Mind tweaking the CDP URLs accordingly!
- Backup and recovery and high-availability options - for a CA issuing VPN client certificates.
- Migrating a CA to a machine with a different host name. Discussion of the detailed migration procedures, especially about how to tweak AIA and CDP URLs.
- Cleaning up DC certificates, changing 'preferred CA'. There is not really a preferred CA, it depends on the CA templates are published to.
- Removal of unwanted Root CA certificates - by cleaning up AD stores.
- How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service.
- References to the CA's machine name in the Enrollment Services Object in AD versus the once used in certdat.inc.
- What happens when a CA is retired.
- What happens to Active Directory if you install an Enterprise CA
- Impact of Enterprise CA removal on AD replication.
- Clean-up after removing CAs - for an extinct CA and another one that has been restored but is not used.
CA migration, backup and restore and high-availability
- How to migrate the CA's configuration to another machine. Either re-do it (Scripts, certsrv.msc) or export the CertSvc registry key and edit it: Leave only the relevant settings (validity periods, typically).
- Make a PKI high-available that is currently running on a DC. Migration is an option (but CDPs will get messy); starting all over is preferred.
- CA cannot start after 2003 to 2008 upgrade to an issue with incompatible log file format. I guessed wrong - it was not the case-sensitive entry for the hash algorithm in the registry this time.
- Windows CA redundancy - not really possible. Options: Windows clustering (shared database), just make the certificate issuance service high-available with a second CA, proper CRL periods and overlaps, long-lived emergency CRLs.
- How to migrate to a new CA: In this case because the existing CA used DSA instead of RSA.
- CA migration and required actions for EFS Recovery Agents.
- CA in another AD forest.
- Certificate Services backup and restore - short overview.
- Migration to a CA with a different host name.
- Does a second CA help? Only to make certificate issuance HA. Recommendation: Tweak CRL life times. [ref]
- Migration from non-clustered CA into cluster - same issues as with other migrations when the host name has been part of CDP and AIA URLs. [ref]
Scripts and automation
Certificate generation and deletion (in personal stores)
- How to delete certificates from local machines' stores. The problem had been caused by accidental issuance of machine certificates. Command to delete certificates: certutil -delstore my [OID of the template]
- How to delete a bunch of certificates from the Windows CA's database, based on their status (disposition) and start or expiry date.
- Computer certificates for non-domain machines - an outline of how to create those, including links to more detailed articles.
- Automated generation of certificates for non-Windows clients.
Searching the CA's databased and expiration notifications.
- Monitoring expiring certificates - I am aware of two companies who offer Windows PKI add-ons doing that
- Question of mine: How to query large Windows CA databases efficiently.
PKI configuration
- Sanitize AIA URLs from machines' host names - discussion of sample CMD scripts.
- Troubleshooting access to CRLs and configuration of the CA using variables. An old thread - I just responded to a comment on allegedly new syntax used for these variables.
- How to use replacement tokens in CMD scripts.
Third-party CAs, compatibility
- Import of the data of a non-Microsoft CA to a Windows CA. It might be doable but there is no simple wizard.
- Import of an existing wild card web server certificate for an Exchange server - from non-Windows machine.
- Definitions: certificates, key stores, requests, protocols. [ref]
Windows PKI components and features - and related troubleshooting
Web Enrollment (ASP pages)
- Issued certificates not showing in client's browser 'View the status of a pending certificate request'. This list is created from cookies at the client. Requests would not show up if the cookie had expired or the cookie don't work, e.g. because a non-standard directory (other than certsrv) had been used.
- Inherited CA with certsrv enrollment issues - create certificate for exchange though. I'd recommend submitting the CSR manually locally at the CA using certreq.
- Issued certificates not showing in client's browser 'View the status of a pending certificate request'. This list is created from cookies at the client. Requests would not show up if the cookie had expired or the cookie don't work, e.g. because a non-standard directory (other than certsrv) had been used.
- certsrv application cannot be accessed on CA machine with unknown history. I recommend using certreq instead for urgent submissions, then fix / rebuild the PKI.
- Missing certsrv application directory. Idea: Role service not configured yet.
- Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaorund Kerberos could be disabled by giving NTLM a higher priority.
- Web enrollment pages do not work. Solved by re-installation of the OS.
- Issues with key size mismatch when using the certsrv web application.
- Certsrv web application not configured for the correct physical directory by default. Seems like a bug to be - the config. did not point to the directory en-US but to a directory one level up instead.
Simple Device Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)
- NDES (SCEP) authentication problems: Turned out as an UAC issue.
- NDES (SCEP) cannot distinguish certificate requests based on certificate templates but only based on key usage.
- Troubleshooting of the Microsoft implementation of SCEP / NDES (Simple Certificate Enrollment Protocol, Network Device Enrollment Service). NDES fails to start with a message that indicates it is not happy with its certificates - an issue with the missing revocation list signed by the Root CA as the service does revocation checking.
- SCEP/NDES: Unexpected passphrase asked for HSM software.
- Certificates to be used with NDES
Windows OCSP: Errors and Pitfalls
- White papers on how to make OCSP servers and CRL web servers high-available? There is an article for OCSP, for CRLs it is just a plain simple web server.
- /ocsp/ application directory is not created before the role service had been configured. However, revocation configurations can be created before using the MMC - this causes and HTTP error 404 despite the Online Responder Management reports 'all green'. [ref]
- Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
- OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
- OCSP design: Use a dedicated OCSP server?
HTTPS-based enrollment via CEP/CES
- How / when to use CEP and CES for supporting users in different ADs, but with an account in a hosted forest. I think this is the perfect scenario CEP/CES had been designed for.
(Auto-)enrollment troubleshooting
- RPC enrollment error after removal of a machine from AD. Perhaps an issue related to a remaining Enrollment Services object?
- Testing auto-enrollment with very short validity periods. Which is not supported by MS as I learned from this thread. Plus: Adding all usual things to test and troubleshoot. Use case: Smart auto-renewal with valid existing certificate.
- MMC Enrollment fails with an error message about a missing trusted CA or missing permissions:
- ASN encoding issues with request submitted to a Windows CA in certsrv. There can't be done much more than analyzing the request and asking for a new one - which solved the issue. ASN encoding issues with request submitted to a Windows CA in certsrv. There can't be done much more than analyzing the request and asking for a new one - which solved the issue.
- Kerberos troubleshooting triggered by an issue with enrolling for certificates at a CA migrated to Windows 2012 R2. After checking for common Kerberos issues with Service Principal Names and computer passwords it finally turned out that it was an issue with incompatible encryption algorithms (etype) that can be fixed by un-joining and re-joining machines to the domain.
- Summary on autoenrollment troubleshooting. There are many potential root causes, such as GPO or DCOM issues.
- Enrol on behalf fails: Application Policy configured in Issuance Requirements of the user's certificate template is set to Smart Card Logon, but not to Certificate Request Agent.
- DCOM permissions, more detailed DCOM permissions troubleshooting.
- Why an Issuing CA certificate shows up in the local CA store.
- RPC Server offline because the CA service could not start. [ref]
- Check if Do not re-enroll if a duplicate certificate exists in AD has been set. [ref]
Kerberos troubleshooting
- ADCS Web Page returns "The RPC server is unavailable" - when accessing the certsrv application from the CA machine.
- Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaorund Kerberos could be disabled by giving NTLM a higher priority.
- Troubleshooting Kerberos delegation for the web enrollment role service installed on a different machine than the CA. Cross-checking delegation settings.
Certificate templates
- Duplicate certificate templates - most likely and AD replication issue.
- When are certificate templates not available on the certsrv website? Permissions, v3 templates, machine templates configured for retrieval of the name from AD.
- Certificate templates for machines that do require the subject name to be retrieved from AD (such as Workstation Authentication or Computer) are not shown by the Web Enrollment pages. So the template needs to be copied an configured for the name to be supplied in the request - then an admin can enroll it, and later import the PFX file to the machine's store.
- Powershell shows templates to be added but certtmpl.msc does not. New question in an older thread - weird as any tool has to check AD's configuration container for the list of templates.
- CA cannot issue certificates as the templates in AD don't have the OID attribute set. The solution was to delete the failed default templates and re-install them with certutil -installdefaulttemplates.
- Certificate templates on Windows Server 2012 R2 CAs - a whole lot of new options and combinations.
- Subordinate Certification Authority template not found in certstrv.
- Web Server template not available for issuing certificates via the MMC
Pre-requisites
- Windows CA and AD schema: W2K3 CAs can operate in a 2012 forest.
Certificate and request attributes and extensions, and how to create requests
Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.
- Blank Friendly Name. Should not be an issue as the Friendly Name is a store property, not an attribute or extension.
- Adding a custom OID to a certificate. Not sure what the requirement is exactly as OIDs are used for 'any' PKI-related object. I learned something about the EDITF_ATTRIBUTESUBJECTALTNAME2 flag - it is not required if a SAN is added to a CSR but only if a SAN is added to an existing request (e.g. using the /certsrv app.)
- MMC Enrollment: Missing additional information The MMC asks for (another) certificate because the template had been configured for an authorized signature / an Enrollment Agent.
- How subject names in machine certificates are built from AD attributes. Special logic applied by the Windows CA policy module.
- Putting a custom serial number user certificates: 1) Name in the request was too long - set the EnforceX500NameLengths flag to 0, 2) add the DeviceSerialNumber value to the SubjectTemplate registry key 3) but use SERIALNUMBER when referring to the subject name in the INF file used with certreq.
- Limitations of using different strings and AD attributes when building subject names.
- How to request a certificate with a custom name
- How to create certificate requests (with various tools) and send them to enterprise or standalone CAs (using various tools).
- Behavior of the Windows CA's policy module - no elaborate parsing of Subject Alternative Names.
- Wildcard certificates in ISA server - possible, but I am wary. [ref]
OIDs
Hash algorithms
- Can the SHA algorithm to be used to sign a certificate defined in the CSR? No, this has to be configured at the CA.
- Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2.
- Picking key sizes and hash algorithms for a new CA. There are always issues with (a few) older applications but I'd rather use the more secure settings in a green-field project.
- Changing the hash algorithm of a Windows CA from SHA1 to SHA256. It can be done by editing a registry and restarting the CA. Then it will sign anything - including its own renewed CA certificate - using the new algorithm. But since CRLs will also be affected the applications' compatibility has to be checked for - and thus it would be better to follow the best practive of setting up a whole new PKI hierarchy using the new algorithm in parallel.
- Checking and changing the hash alrgorithm used by a Windows CA as only Windows 2008 clients are able to see templates to be enrolled for while Windows 2003 and XP clients don't.
- How to switch to SHA256.
Cross-forest certificate enrollment and multiple domains.
- Use an OCSP responder cross AD forests. I proposed manual enrollment, perhaps with extended validity periods. I was in error about using CEP/CES enrollment as this will not work with the OCSP responder's specific type of auto-enrollment. But I learned that the Windows implementation of OCSP allows for using a signing certificate that is not signed by the respective CA - the simples solution in this case.
- Obtaining certificates for RADIUS servers - via cross-forest enrollment.
- Requirements for cross-forest enrollment.
- In the old times: Automate submission (fetch CSRs from target forest) or use a user living in the target forest [ref].
- Limit PKI usage to one domain - how to set permissions
PKI Applications
SCEP is listed unter Windows PKI components.
Logon against AD
- Adding a custom DN to a certificate, and certificate mapping.
- How to use certificates with Kerberos.
- Overview on how to implement smart card authentication.
SSL web servers
See also the section on Certificate and request attributes and extensions above.
- SSL certificate error: 'mismatched address'. Unresolved - this error could be due to putting the full URL in the common name but this was not the issue here.
- SSL handshake fails if clients proposes RSA, while DH is fine. No solution yet - the CSP does not seem to be the culprit.
- Troubleshooting IIS error 403.13 that is most likely related to an inaccessible OCSP URL.
- Overcoming certificate validation issues by adding SSL client authentication certificates to the web server's Trusted People store... should not be required. I spotted two issues with CDP / AIA URL: Unsupported file URLs and an uncommon LDAP issue - perhaps to AD MaxPageSize.
- Options to use certificates to restrict access to IIS websites - requiring certificates versus (different flavors of) certificate mapping.
- The simplest way to create a single SSL certificate - is buying one. But I'd also dare to consider a self-signed SSL certificate here (Internal RADIUS server certificate).
- Issuing certificates for Linux servers from a Windows CA - not an issue, can also be done using an AD-integrated Enterprise CA (which is actually more secure than the standalone CA option).
- Certificates for load-balanced web servers.
LDAPs, DC certificates
- Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
- Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
- Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.
RADIUS / NPS and 802.1x
- NPS cannot do 'two-factor-style' check of a computer account logon and a domain user logon belonging to the same 'connection'. You can only OR connect the conditions of requiring memberships in users versus machine groups (otherwise, by trying to AND connect the group every machine and every user would need to be member of both user and machine groups). Thus a client that does not attempt to logon as a machine is only checked for the user's membership in the permitted user group.
- NPS 'two-factor' authentication and sending clients to VLANs. The former is not possble, the VLAN issue turned to be due to hex used instead of string in the tag attribute.
- What are computer certificates used for? Question related to avoiding administrative efforts in case they are not needed for AD operations / Kerberos authentication.
- NPS network policies: How to combine user and machine groups. They can only be OR combined which means this is not a two-factor-style check.
- How do I setup redundant Radius Servers without the end user having to accept another certificate? Unfortunately wild card certificates will not work.
- Does NPS recognize a CN in a certificate in a policy? The idea is to craft a CN from a device's MAC address.
- Troubleshooting WLAN 802.1x EAP issues. Not sure what the issue is as PEAP is used (?) but the client has a certificate - I just suggested creating a test policy target to a specific client and only allow either PEAP-MS-CHAPv2 or EAP-TLS.
- NPS authentication and logging on with a local user. It seems the machine is logged on (again) or stays logged on after a failed logon with a local user.
- Authenticate external users at NPS server, using username and password. Idea: Create AD shadow accounts for them and provide them with credentials.
- 802.1x design for branch offices without local radius servers: Concerns: CRLs not accessible for certificates; computers cannot access the local LAN if the WAN does not work.
- NPS authentication can fail due a really weird issue: The shared secret need to be all case letters.
- WLAN authentication issues after the DC's certificate has been renewed. Potential issues: Switch to a new template without a subject CN, or the new certificate is not yet used in the NPS' config.
- NPS: Issues with using MS-EAP MS-Chapv2 used by a CISCO 2960 supplicant. Interesting result posted by the OP, based on a support case: NPS does not support EAP-MSCHAP with 802.1x (as PEAP should be used), so supposedly deprecated EAP-MD5 had been configured.
- How to authenticate machines instead of users by NPS
- Troubleshooting certificate validation in relation to NPS and PEAP authentication. Standard troubleshooting using certutil -verify -urlfetch cert.cer and PEAP-MS-CHAP-v2 versus PEAP-TLS.
- Usability of Windows PEAP client in BYOD scenario - too much to configure on behalf of the user?
- Feasibility: NPS offering PEAP-MSCHAPv2 for domain joined and non-domain-joined machines.
- Can NPS do two-factor authentication of 1) machines and 2) users. Unfortunately it cannot.
- Intermittent problems with computer re-authentication: Finally resolved by disabling re-authentication.
- Selection of WLAN certificate by a Windows machine when talking to radius servers on different networks? TThe client should be able to use an external via an internal certificate. No solution.
- Which certificate to use for RADIUS (NPS) servers.
- How PEAP works and why the Radius server needs a certificate
- Overview: WLAN 802.1x authentication with certificates.
- That annoying popup: Public CA's certificate for RADIUS server, Certificate for iPhones - popup asking for confirmation of the radius server's certificate
Exchange Server
- Exchange server does not use CA-signed certificate for secure SMTP although those should take precedence over self-signed ones
Outlook and SMIME
- E-Mail Encryption certificate not found by Outlook - again due to not yet upated offline address book.
- Revocation error in Outlook - seems to be an issue with the client not being able to access CRLs or CRLs having expired.
- Mail recipient's encryption certificate in AD not found by Outlook. The Offline Addressbook had not yet been downloaded.
- Erratic problems with encrypting e-mail with Outlook - Sync or caching issue?
EFS - Encrypting File System
- Encrypting shared folder (using EFS). Implications: Users need to have keys stored on the server, only feasible with Roaming Profiles. In this case the workaround was to have all users use the same local user accounts to access files on a workgroup server.
- Revocation checking and Encrypting File System. A CRL signed by th Root CA in a two-tier PKI hierarchy was expired.
- Configuration of color of names of EFS encrypted files in Windows Explorer - can be configured in the GUI or via GPO.
- Data Recovery Agents versus Key Recovery Agents. Both can be used with EFS - you either recover the files directly or the users' asymmetric keys.
- EFS certificate creation cannot be triggered by GPO with the error Element not found. With Windows 2008 templates a ECDH algorithm needs to be selected and the hash of the EFS certificate needs to be edited manually in the registry.
- EFS decryption problem: due to lack of trust in the user's own certificate - solution: import the user's certificate to the Trusted People store.
BitLocker
- Usage of different keys and passwords with Bitlocker - passwords, recovery key, key on the TPM chip.
SAP
- Creating user certificates for SAP - where to put in which name?
Third-party LDAP clients
- LDAPs does not work when accessing a DC from a third-party client (WatchGuard). Ideas: Wrong or missing subject name (third party clients often don't like only the SAN being populated though this is in line with standards), and WatchGuard seems to use its own certificate store to which the chain needs to be imported to.
RDP / RDS
- RDP server certificate is re-created automatically after accidental deletion. I did some tests to be sure - a reboot may be required.
- Fixing issues with validation of RDS certificates. Resolved by using the FQDN specified in the self-signed certificate.
- Inquiry for built-in method to logon via RDP using a certificate but no (expensive) hardware. Unfortunately certificate logon via RDP requires smartcards or a TMP chip.
CISCO VPN
- How to use certificate authentication with CISCO ASA and Microsoft NPS?
- Certificate requirements for CISCO ASA VPN server. Best practices for CRLs, purge the cache in ASA more often. Certificate types used by ASA (VPN versus SSL).
Windows VPN client
- The Windows 7 VPN client is not able to use a particular user certificate for logging on using IKEv2. The error message says the the certificate cannot loaded.
IPsec
- Intermittent issue with Kerberos authentication used with IPSec resolved by restarting the Windows Firewall
Office Macro and document signing
- Use CRTs not PFX files to populate public stores - in this case Trusted Publishers.
- Office 2007 cannot use SHA256 certificates for macro signing. Fixed in Office 2010.
- General question on signing and encrypting office documents.
- Time-stamping recommended. [ref]
Key stores and cryptographic providers
Crypto general
Software stores
- CA cannot start because of issues with access to the private key (or missing key). There is often no other way than restoring the key from the hopefully existing backup.
- Error This CSP cannot be opened in silent mode on doing EAP-TLS authentication, addition to an older thread. I am just guessing: An issue with having Strong Key Protection turned on?
- Change of the crypto provider used with the CA's key. This is doable (using certutil -csp [CSP Name] -importpfx keyfile.pfx) - however from the question I cannot say if it is really an issued with the CA's key store or rather with the CSP used to generate a key on behalf of CISCO's ASA.
- Decryption error for NPS server. Not resolved - problem an issue with the CSP or lack of access (permissions) to the server's private key.
- Certificate cannot be exported. It seems the key is available as a file (PKCS#1) but not in a Windows personal certificate store.
- SSL certificate does not work because of missing private key. CRT files do not contain a private key, and the certificate obtained from the certificate provider needs to be imported at the machine where the request had been generated.
- Logon to WLAN via PEAP fails due to issues with the NPS' certificate. Root cause: The CA certificate had been used in the NPS policy and this had most likely a crypto provider not suitable for SSL (SChannel errors.)
- Access to remote machine's certificate store via MMC does not work as expected.
- Certificate enrollment of certificates configured for private key archival fails specifically for Windows 8.1 - probably due to the new options reusage of TPM chips as key stores?
- Issues with 802.1x WLAN user certificatet likely a SChannel provider problem.
Using an HSM as key store
- Importing software key to HSM and re-associating certificate with the new instance of the key. Walking through commands: Backup software key, delete certificate, import certificate again using the -csp option.
- An offline CA can still use a network HSM - provided it uses a private network.
- nCipher HSM - issues with migrating the key to a new CA: The new HSM client cannot use the key as the counter had been enabled at the old machine.
In 2014 I had resumed posting to security forums in the Microsoft Technet community. I have been using these threads as my personal knowledge base.
Here is a feed on recent activity. Seems my mission has come to an end by the end of 2014!
A list of all my threads is also generated automatically but I am hand-curating them here again.
I am not using the original thread title but another one that makes me remember the discussion more easily; and I add a short summary. The date is the date of my first reply in this thread.
(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)
- [2014-12-23] NDES (SCEP) authentication problems: Turned out as an UAC issue.
- [2014-12-23] Duplicate certificate templates - most likely and AD replication issue.
- [2014-12-02] Error 'No mapping between account names and security ID' when requesting a certificate for IIS. Not reproducible.
- [2014-12-02] Configuration of UNC paths as CRL publication URLs.
- [2014-11-28] When are certificate templates not available on the certsrv website? Permissions, v3 templates, machine templates configured for retrieval of the name from AD.
- [2014-11-26] Maintaining Root Certs on Server Without Internet - like subscribing to a list of required CAs in the MS Root Program (and being informed about their 'revocation'). Not an option, unfortunately.
- [2014-11-22] Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
- [2014-11-22] Importing software key to HSM and re-associating certificate with the new instance of the key. Walking through commands: Backup software key, delete certificate, import certificate again using the -csp option.
- [2014-11-17] Issued certificates not showing in client's browser 'View the status of a pending certificate request'. This list is created from cookies at the client. Requests would not show up if the cookie had expired or the cookie don't work, e.g. because a non-standard directory (other than certsrv) had been used.
- [2014-11-12] How to force clients to trust a Windows Enterprise CA? GP Update, check pkiview.msc, publish the CA certificate to AD if it had not been published.
- [2014-11-11] SSL certificate error: 'mismatched address'. Unresolved - this error could be due to putting the full URL in the common name but this was not the issue here.
- [2014-11-07] Population of the Root CA certificate store with CAs certified in the MS Root Program. Done on demand since Vista; it can happen that not all EKUs are finally checked.
- [2014-11-07] 3 Tier CA Hierachy - Configuring the 2nd Tier. I recommend Microsoft's own PKI showcase and reading Technet forums discussions about policy OID 'inheritance' and avoiding the Invalid Issuance Policies error.
- [2014-11-07] RPC enrollment error after removal of a machine from AD. Perhaps an issue related to a remaining Enrollment Services object?
- [2014-11-07] Blank Friendly Name. Should not be an issue as the Friendly Name is a store property, not an attribute or extension.
- [2014-11-06] Inherited CA with certsrv enrollment issues - create certificate for exchange though. I'd recommend submitting the CSR manually locally at the CA using certreq.
- [2014-11-03] RDP server certificate is re-created automatically after accidental deletion. I did some tests to be sure - a reboot may be required.
- [2014-10-31] certsrv application cannot be accessed on CA machine with unknown history. I recommend using certreq instead for urgent submissions, then fix / rebuild the PKI.
- [2014-10-31] Testing auto-enrollment with very short validity periods. Which is not supported by MS as I learned from this thread. Plus: Adding all usual things to test and troubleshoot. Use case: Smart auto-renewal with valid existing certificate.
- [2014-10-31] NPS 'two-factor' authentication and sending clients to VLANs. The former is not possble, the VLAN issue turned to be due to hex used instead of string in the tag attribute.
- [2014-10-31] What are computer certificates used for? Question related to avoiding administrative efforts in case they are not needed for AD operations / Kerberos authentication.
- [2014-10-28] Revocation error in Outlook - seems to be an issue with the client not being able to access CRLs or CRLs having expired.
- [2014-10-28] Use CRTs not PFX files to populate public stores - in this case Trusted Publishers.
- [2014-10-27] Change of the crypto provider used with the CA's key. This is doable (using certutil -csp [CSP Name] -importpfx keyfile.pfx) - however from the question I cannot say if it is really an issued with the CA's key store or rather with the CSP used to generate a key on behalf of CISCO's ASA.
- [2014-10-24] 802.1x authentication error after CA had been migrated to another machine. Reason was: The new instance of the CA haven't published CRLs to the old locations. Note the pkiview.msc keeps seeing the old locations even though all issued certificates (including CAExchange) already show the new ones.
- [2014-10-22] CA cannot start after 2003 to 2008 upgrade to an issue with incompatible log file format. I guessed wrong - it was not the case-sensitive entry for the hash algorithm in the registry this time.
- [2014-10-22] CA cannot start because of issues with access to the private key (or missing key). There is often no other way than restoring the key from the hopefully existing backup.
- [2014-11-22] An offline CA can still use a network HSM - provided it uses a private network.
- [2014-10-20] How / when to use CEP and CES for supporting users in different ADs, but with an account in a hosted forest. I think this is the perfect scenario CEP/CES had been designed for.
- [2014-10-20] Overcoming certificate validation issues by adding SSL client authentication certificates to the web server's Trusted People store... should not be required. I spotted two issues with CDP / AIA URL: Unsupported file URLs and an uncommon LDAP issue - perhaps to AD MaxPageSize.
- [2014-10-20] Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
- [2014-10-17] E-Mail Encryption certificate not found by Outlook - again due to not yet upated offline address book.
- [2014-10-15] SSL handshake fails if clients proposes RSA, while DH is fine. No solution yet - the CSP does not seem to be the culprit.
- [2014-10-15] pkiview errors as the Root CAs CRL has not been published manually to the web server. A PKI left as a legacy to the next admin.
- [2014-10-15] White papers on how to make OCSP servers and CRL web servers high-available? There is an article for OCSP, for CRLs it is just a plain simple web server.
- [2014-10-09] NPS cannot do 'two-factor-style' check of a computer account logon and a domain user logon belonging to the same 'connection'. You can only OR connect the conditions of requiring memberships in users versus machine groups (otherwise, by trying to AND connect the group every machine and every user would need to be member of both user and machine groups). Thus a client that does not attempt to logon as a machine is only checked for the user's membership in the permitted user group.
- [2014-10-09] How to configure and offline policy CA: Standalone CA, not a domain member, better not use LDAP URLs pointing to a location in AD.
- [2014-10-08] How to migrate the CA's configuration to another machine. Either re-do it (Scripts, certsrv.msc) or export the CertSvc registry key and edit it: Leave only the relevant settings (validity periods, typically).
- [2014-10-07] Certificate templates for machines that do require the subject name to be retrieved from AD (such as Workstation Authentication or Computer) are not shown by the Web Enrollment pages. So the template needs to be copied an configured for the name to be supplied in the request - then an admin can enroll it, and later import the PFX file to the machine's store.
- [2014-10-04] Encrypting shared folder (using EFS). Implications: Users need to have keys stored on the server, only feasible with Roaming Profiles. In this case the workaround was to have all users use the same local user account (the one associated with a scanner) to access files on a workgroup server.
- [2104-10-03] Life-time testing for renewed CA certificates. If you want to issue server certificates with a life time of 4 years your CA's life time could e.g. be 8 years, to be renewed every 4 years, or 6 years, to be renewed every 2 years
- [2014-10-03] Cross-Certification for Non-Windows Clients - discussions of things to consider when trying to cross-certify a new CA (in this case a SHA256 signed Root CA) by an existing CA (SHA1 signed Root). It seems my conclusions from bifurcated certitficate chains can't generalized to all scenarios.
- [2014-10-03] What happens to issued certificates when a CA is renewed? The stay valid unless something wird was done in configuring CDP / AIA.
- [2014-10-01] Can the SHA algorithm to be used to sign a certificate defined in the CSR? No, this has to be configured at the CA.
- [2014-10-01] CA migration from Windows 2003 to 2012 R2. Brief summary, link to migration guide.
- [2014-10-01] Revocation checking and Encrypting File System. A CRL signed by th Root CA in a two-tier PKI hierarchy was expired as the validity period had been equal to the default value of 1 week; so users were not able to add other users' certificate. Remaining puzzle: Why did it work for some months? The Sub CA had been fixed by turning off revocation checking.
- [2014-09-30] CRL validation for CACert certificate fails despite accessible CRL. The CRL is large but I believe the main issue is using an HTTPS URL for one of the CDP. Even if it is redirected to HTTP the certutil client might refuse to follow the recursions which is OK as per RFC 5280.
- [2014-09-28] Fixing issues with validation of RDS certificates, and some general questions about certificate stores (when to use PFX files, where is the private key...). The issues was resolved by using the FQDN specified in the self-signed certificate.
- [2014-09-27] EXE can't be run from remote share using PSEXEC. Try to recommend a registry key I found useful in a related scenario - to no avail.
- [2014-09-26] Processing of policy OIDs in capolicy.inf. It seems in this case the file has not been processed so the OID does not show up in the CA certificate.
- [2014-09-26] Missing certsrv application directory. Idea: Role service not configured yet - but then it turned out this is 2008. The issue is weird but in any case the web application could be hand-crafted by making all the settings manually, including ASP configuraton for parent paths.
- [2014-09-23] NPS network policies: How to combine user and machine groups. They can only be OR combined which means this is not a two-factor-style check.
- [2014-09-22] Disadvantages of LDAP CDP and AIA URLs, and how to populate HTTP URLs via publishing to UNC paths.
- [2014-09-19] Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2
- [2014-09-19] Sanitize AIA URLs from machines' host names - discussion of sample CMD scripts.
- [2014-09-19] How do I setup redundant Radius Servers without the end user having to accept another certificate? Unfortunately wild card certificates will not work.
- [2014-09-18] Can an Enterprise Root CA be converted to an intermediate CA? It cannot but a new intermediate CA can be setup with a new certificate and the same key as the former Root CA. This keeps chains and CRL publication intact.
- [2014-09-18] Configuration of color of names of EFS encrypted files in Windows Explorer - can be configured in the GUI or via GPO.
- [2014-09-17] ADCS Web Page returns "The RPC server is unavailable" - when accessing the certsrv application from the CA machine.
- [2014-09-17] OCSP fails with HTTP error 404 as the application directory has not been created yet. Reason: Revocation configurations had been configured before the role service as such had been configured ('activated').
- [2014-09-14] Usage of different keys and passwords with Bitlocker - passwords, recovery key, key on the TPM chip. Different credentials can be used to encrypt the same key that is used to encrypt the volume finally.
- [2014-09-12] Troubleshooting IIS error 403.13 that is most likely related to an inaccessible OCSP URL.
- [2014-09-12] Options to use certificates to restrict access to IIS websites - requiring certificates versus (different flavors of) certificate mapping.
- [2014-09-10] Adding a custom DN to a certificate, and certificate mapping. The CA is an Entrust CA and the respective enrollment client adds a custom DN that is not equal to the AD DN. Plus: Interesting discussion about mapping of certificates to users when logging on to AD. AFAIK that mapping is always done based on a string, not on a comparison of the binary certificate presented with a certificate file published to AD. But you can map on strings such as SKI or hash value which should provide the same level of security.
- [2014-09-10] The simplest way to create a single SSL certificate - is buying one. But I'd also dare to consider a self-signed SSL certificate here (Internal RADIUS server certificate).
- [2014-09-09] Mail recipient's encryption certificate in AD not found by Outlook. It turned out it was one of the common caching / replication issues: The Offline Addressbook had not yet been downloaded.
- [2014-09-08] Adding a custom OID to a certificate. Not sure what the requirement is exactly as OIDs are used for 'any' PKI-related object. I learned something about the EDITF_ATTRIBUTESUBJECTALTNAME2 flag - it is not required if a SAN is added to a CSR but only if a SAN is added to an existing request (e.g. using the /certsrv app.)
- [2014-09-08] Make a PKI high-available that is currently running on a DC. Migration is an option (but CDPs will get messy); starting all over is preferred.
- [2014-09-08] Does NPS recognize a CN in a certificate in a policy? The idea is to craft a CN from a device's MAC address. I would go for AD shadow accounts for such devices.
- [2014-09-05] Move a CA from a DC to another machine. Mind tweaking the CDP URLs accordingly! If the old HTTP URLs should still work the CA would need to publish to a re-created /CertEnroll directory that is still on the DC. However, certificates issued from the migrated CA should not contain such CDPs.
- [2014-09-02] How to use certificate authentication with CISCO ASA and Microsoft NPS? A question appended to an older thread. CISCO clients can use either machine or user certificates and NPS can authorize clients based on memberships in user or machine groups. Note that this is not really 'two-factor authentication'.
- [2014-08-29] Data Recovery Agents versus Key Recovery Agents. Both can be used with EFS - you either recover the files directly or the users' asymmetric keys.
- [2014-08-27] Backup and recovery and high-availability options - for a CA issuing VPN client certificates. Discussion of the backup and restore process and various related configurations. There is not hot-standby option, but you make DR easier by planning for longer CRL validity periods and overlap - and use CISCO's CRL purging feature in addition.
- [2014-08-26] Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaorund Kerberos could be disabled by giving NTLM a higher priority.
- [2014-08-24] Issuing certificates for Linux servers from a Windows CA - not an issue, can also be done using an AD-integrated Enterprise CA (which is actually more secure than the standalone CA option).
- [2014-08-24] Troubleshooting WLAN 802.1x EAP issues. Not sure what the issue is as PEAP is used (?) but the client has a certificate - I just suggested creating a test policy target to a specific client and only allow either PEAP-MS-CHAPv2 or EAP-TLS.
- [2014-08-24] Windows CA redundancy - not really possible. Options: Windows clustering (shared database), just make the certificate issuance service high-available with a second CA, proper CRL periods and overlaps, long-lived emergency CRLs.
- [2014-08-24] Error This CSP cannot be opened in silent mode on doing EAP-TLS authentication, addition to an older thread. I am just guessing: An issue with having Strong Key Protection turned on?
- [2014-08-22] Why are Symmetric keys shorter than Asemmetric keys and provide the same level of security? With symmetric keys you basically would have to try any potential key, with asymmetric keys only a subset of keys would work because the requirement of being a product of two primes has to be met.
- [2014-08-20] Use an OCSP responder cross AD forests. I proposed manual enrollment, perhaps with extended validity periods. I was in error about using CEP/CES enrollment as this will not work with the OCSP responder's specific type of auto-enrollment. But I learned that the Windows implementation of OCSP allows for using a signing certificate that is not signed by the respective CA - the simples solution in this case.
- [2014-08-19] Picking key sizes and hash algorithms for a new CA. There are always issues with (a few) older applications but I'd rather use the more secure settings in a green-field project.
- [2014-08-19] NPS authentication and logging on with a local user. It seems the machine is logged on (again) or stays logged on after a failed logon with a local user.
- [2014-08-17] Web enrollment pages do not work. Often this is lack of HTTPS or some browser security issue. In this case an re-installation of the OS resolved it.
- [2014-08-14] Migrating a CA to a machine with a different host name. Discussion of the detailed migration procedures, especially about how to tweak AIA and CDP URLs. I recommend having the new CA publish to the old locations but not adding those to new certificates.
- [2014-08-11] Cleaning up DC certificates, changing 'preferred CA'. There is not really a preferred CA, it depends on the CA templates are published to. DC certificates could be cleaned up by deletion and re-issuance or by using an new template superseding the old ones. I recommend using a template that has the Subject Name populated as third-party apps. might not like the empty Subject Name as configured when Domain Controller Authentication is used. Learned about an unrelated SHA512 bug wuth TLS1.2.
- [2014-08-11] Changing the hash algorithm of a Windows CA from SHA1 to SHA256. It can be done by editing a registry and restarting the CA. Then it will sign anything - including its own renewed CA certificate - using the new algorithm. But since CRLs will also be affected the applications' compatibility has to be checked for - and thus it would be better to follow the best practive of setting up a whole new PKI hierarchy using the new algorithm in parallel.
- [2014-08-09] Decryption error for NPS server. Not resolved - problem an issue with the CSP or lack of access (permissions) to the server's private key.
- [2014-08-09] Authoritative list of public CAs. There is not a single list but different certification programs - added links for MS and Mozilla.
- [2014-08-09] Authenticate external users at NPS server, using username and password. Idea: Create AD shadow accounts for them and provide them with credentials.
- [2014-08-09] How to configure delta CRLs - properties of extensions, publication options (variables, 'checkboxes').
- [2014-08-08] Monitoring expiring certificates - I am aware of two companies who offer Windows PKI add-ons doing that, adding some links.
- [2014-08-07] Certificate cannot be exported. It seems the key is available as a file (PKCS#1) but not in a Windows personal certificate store. So it cannot be exported from there.
- [2014-08-04] Windows CA and AD schema: W2K3 CAs can operate in a 2012 forest.
- [2014-08-04] MMC Enrollment: Missing additional information The MMC asks for (another) certificate because the template had been configured for an authorized signature / an Enrollment Agent.
- [2014-07-31] Powershell shows templates to be added but certtmpl.msc does not. New question in an older thread - weird as any tool has to check AD's configuration container for the list of templates.
- [2014-07-31] Removal of unwanted Root CA certificates - by cleaning up AD stores.
- [2014-07-29] Checking and changing the hash alrgorithm used by a Windows CA as only Windows 2008 clients are able to see templates to be enrolled for while Windows 2003 and XP clients don't.
- [2014-07-29] Intermittent issue with Kerberos authentication used with IPSec resolved by restarting the Windows Firewall (I didn't know this effect.)
- [2014-07-28] 802.1x design for branch offices without local radius servers: Concerns: CRLs not accessible for certificates; computers cannot access the local LAN if the WAN does not work. PEAP instead of EAP-TLS mitigates the first risk, but I would not rely too much on configuration items (session timout etc.) that should allow for keeping a machine connected even if the WAN line breaks.<7li>
- [2014-07-27] How to delete certificates from local machines' stores. The problem had been caused by accidental issuance of machine certificates. Command to delete certificates: certutil -delstore my [OID of the template]
- [2014-07-25] How to delete a bunch of certificates from the Windows CA's database, based on their status (disposition) and start or expiry date.
- [2014-07-25] NPS authentication can fail due a really weird issue: The shared secret need to be all case letters.
- [2014-07-25] NDES (SCEP) cannot distinguish certificate requests based on certificate templates but only based on key usage. I would rather recommend using different 'instances' of the SCEP application.
- [2014-07-24] How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service. If the LDAP object has got deleted, but it could be re-created using certutil -dspublish -f [CA].crl
- [2014-07-24] Issues with key size mismatch when using the certsrv web application. Not sure if I understood the issue correctly. One workaround in case the web app. does really not allow for selecting a higher key size is use the Certificates MMC or the IIS Wizard in order to create a CSR and then submit it using the web application. Plus: Some discussion on how the app. is used with Firefox versus IE (FF uses the keygen tag)
- [2014-07-24] Troubleshooting of the Microsoft implementation of SCEP / NDES (Simple Certificate Enrollment Protocol, Network Device Enrollment Service). NDES fails to start with a message that indicates it is not happy with its certificates - an issue with the missing revocation list signed by the Root CA as the service does revocation checking.
- [2014-07-23] How to migrate to a new CA: In this case because the existing CA used DSA instead of RSA.
- [2014-07-23] SSL certificate does not work because of missing private key. CRT files do not contain a private key, and the certificate obtained from the certificate provider needs to be imported at the machine where the request had been generated. Check with certutil -store my if the key is present, if yes repair with certutil -repairstore my "<Serial Number>"
- [2014-07-23] nCipher HSM - issues with migrating the key to a new CA: The new HSM client cannot use the key as the counter had been enabled at the old machine.
- [2014-07-23] MMC Enrollment fails with an error message about a missing trusted CA or missing permissions: Either really due to missing CA or missing permissions, but it can be a timing issue as well.
- [2014-07-23] Certsrv web application not configured for the correct physical directory by default. Seems like a bug to be - the config. did not point to the directory en-US but to a directory one level up instead.
- [2014-07-22] The Windows 7 VPN client is not able to use a particular user certificate for logging on using IKEv2. The error message says the the certificate cannot loaded. The certificate chain looks find. Potential issue maybe: Configuration of the client for smart card instead of certificate.
- [2014-07-21] CA cannot issue certificates as the templates in AD don't have the OID attribute set. The solution was to delete the failed default templates and re-install them with certutil -installdefaulttemplates
- [2014-07-18] WLAN authentication issues after the DC's certificate has been renewed. Potential issues: Switch to a new template without a subject CN, or the new certificate is not yet used in the NPS' config.
- [2014-07-17] Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.
- [2014-07-16] NPS: Issues with using MS-EAP MS-Chapv2 used by a CISCO 2960 supplicant. Interesting result posted by the OP, based on a support case: NPS does not support EAP-MSCHAP with 802.1x (as PEAP should be used), so supposedly deprecated EAP-MD5 had been configured.
- [2014-07-16] Troubleshooting access to CRLs and configuration of the CA using variables. An old thread - I just responded to a comment on allegedly new syntax used for these variables. The syntax has not changed but the GUI just shows variables in a nicer way.
- [2014-07-15] Troubleshooting Kerberos delegation for the web enrollment role service installed on a different machine than the CA. I could not nail down the root cause but I try to give very detailed advice on what to check for: SPNs for NetBIOS and FQDN machine names, check for duplicate SPNs, check for details of the Kerberos errors.
- [2014-07-15] Computer certificates for non-domain machines - an outline of how to create those, including links to more detailed articles. For creation of key and request the Certificates MMC could be used, then the request can be sent to the CA via the certsrv application in the context of a user with enrollment permission on the intended certificate template (e.g. Web Server).
- [2014-07-15] Certificate templates on Windows Server 2012 R2 CAs - a whole lot of new options and combinations. I still recommend using good old "XP / 2003" templates using RSA for maximum compatibility.
- [2014-07-14] Certificates for load-balanced web servers. My suggestion is to use the cluster in the subject CN and the subject alternative and put all other names (node name IP address) into the SAN.
- [2014-07-09] Certificate requirements for CISCO ASA VPN server. Best practices for CRLs (I recommend using longer validity periods but purge the cache in ASA more often) and certificate types used by ASA (VPN versus SSL). Plus general advice on why not to co-locate a CA on a DC.
- [2014-07-09] How to authenticate machines instead of users by NPS - configure a Group Policy for WLAN or wired 802.1x.
- [2014-07-08] EFS certificate creation cannot be triggered by GPO with the error Element not found. With Windows 2008 templates a ECDH algorithm needs to be selected and the hash of the EFS certificate needs to be edited manually in the registry.
- [2014-07-08] ASN encoding issues with request submitted to a Windows CA in certsrv. There can't be done much more than analyzing the request and asking for a new one - which solved the issue.
- [2014-07-07] Kerberos troubleshooting triggered by an issue with enrolling for certificates at a CA migrated to Windows 2012 R2. After checking for common Kerberos issues with Service Principal Names and computer passwords it finally turned out that it was an issue with incompatible encryption algorithms (etype) that can be fixed by un-joining and re-joining machines to the domain.
- [2014-07-07] Inquiry for built-in method to logon via RDP using a certificate but no (expensive) hardware. Unfortunately certificate logon via RDP requires smartcards or a TMP chip.
- [2014-07-07] Autoenrollment troubleshooting. There are many potential root causes, such as GPO or DCOM issues.
- [2014-07-04] Which names used for / with a CA can be changed on renewal. It was not entirely clear to me to which name the question referred to: Subject names cannot be changed on renewal, but FQDNs in AIA or CDP URLs can.
- [2014-07-03] Logon to WLAN via PEAP fails due to issues with the NPS' certificate. Root cause: The CA certificate had been used in the NPS policy and this had most likely a crypto provider not suitable for SSL (SChannel errors.)
- [2014-07-03] Subordinate Certification Authority template not found in certstrv: An old thread re-surrected with a new question - I guess the issue is related to template not having been published or missing permissions.
- [2014-07-03] LDAPs does not work when accessing a DC from a third-party client (WatchGuard). Ideas: Wrong or missing subject name (third party clients often don't like only the SAN being populated though this is in line with standards), and WatchGuard seems to use its own certificate store to which the chain needs to be imported to.
- [2014-07-02] Troubleshooting certificate validation in relation to NPS and PEAP authentication. Standard troubleshooting using certutil -verify -urlfetch cert.cer but also trying to clarify some misunderstanding about which certificates are needed (no client certificates for PEAP (most often = PEAP-MS-CHAP-v2), but only for PEAP-TLS and how network policies are configured.
- [2014-07-02] Office 2007 cannot use SHA256 certificates for macro signing. Fixed in Office 2010, but for 2007 you need to re-configure the CA for SHA1, issue the certificate, and then change the algorithm (registry key) back.
- [2014-07-01] Usability of Windows PEAP client in BYOD scenario - too much to configure on behalf of the user? Philosophical discussion, my take is that PEAP has rather been designed with a domain environment in mind.
- [2014-07-01] Feasibility: NPS offering PEAP-MSCHAPv2 for domain joined and non-domain-joined machines: Yes, possible - in the Network Policy only Domain Users are configured to be entitled for logon. Also on non-domain-joined machines (iPhones etc.) users will be asked to enter their domain credentials.
- [2014-07-01] General question on how to use certificates with Kerberos, and on Directory E-Mail Replication certificates. The latter are only needed for (uncommon) replication over SMTP. As for Kerberos and logon, this is my favorite white paper.
- [2014-07-01] CA migration and required actions for EFS Recovery Agents. User certificates and keys should be exported from profiles at the CA server (they are not tied to this machine anyway), and the Key Recovery Agents' configuration is migrated as part of the CA migration.
- [2014-06-30] Enrol on behalf fails because of two distinct issues: 1) The Application Policy configured in Issuance Requirements of the user's certificate template is set to Smart Card Logon, but not to Certificate Request Agent. 2) A third-party validator (Axway) is used that causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator.
- [2014-06-30] Overview on how to implement smart card authentication: An outline based on the assumption that native Kerberos logon with smart cards should be used.
- [2014-06-28] Best practices for life time nesting of CAs in a hierarchy. Typically, each CA would be renewed after have of the validity of its certificate had been expired and the maximum life time of a CA or end-entity is half the period of its superior. Reason: To allow for adding new CAs or issuing end-entity certificates at any time with the maximum life time.
- [2014-06-28] CA in another AD forest. Not sure if the question was related to enrolling against a CA in another forest (only possible with an additional component in place) of if the CA can be migrated (yes it can but populating old LDAP URLs in the other AD would get messy.
- [2014-06-27] SCEP/NDES: Unexpected passphrase asked for HSM software. Not clear where exactly the popup is encountered. If it is at the NDES machine perhaps the HSM's crypto provider has been used with the RA certificates.
- [2014-06-26] How subject names in machine certificates are built from AD attributes. Special logic applied by the Windows CA policy module: You don't get the NetBIOS name of the FQDN form the dNSHostName attribute. Using the Full DN from the directory did not meet the actual which was to RDP to a server using its NetBIOS name. Manual initial creation of a certificate with the NetBIOS name included in the list of DNS names in the SAN solved the issue Follow-up issue: Autoenrollment triggered within 1 hour renewal time - solution: Trigger AE manually as GPOs would not be updated often enough.
- [2014-06-26] Can NPS do two-factor authentication of 1) machines and 2) users. Unfortunately it cannot. If you entitle user and machine groups it does not watch out for these two pieces being provided by a specific machine. It just says that either machines and/or users are allowed to authenticate. If a user manages to configure his or her private machine for just user authentication entering domain user credentials would be sufficient.
- [2014-06-26] General question on signing and encrypting office documents. Office is generous in accepting different types of user certificates for signing but you can filter by EKU or issuer name.
- [2014-06-24] What is 'verification' of a Root CA certificate? The Root CA certificate is the only certificate in a chain that has to be trusted explicitly (e.g. by comparing hash values) - or you trust the vendor of browsers or operating systems.
- [2014-06-24] Access to remote machine's certificate store via MMC does not work as expected. A key has been created when connected to the other machine but it seems the other machine actually lacks the key. Copying over the key file (as identified via the key container name) results in an Access Denied messages, so most likely the key is encrypted with the wrong machine's DPAPI master key.
- [2014-06-24] References to the CA's machine name in the Enrollment Services Object in AD versus the once used in certdat.inc. It seems a new CA has been installed that has the same subject name as an extinct one but the new instance was not able to get access to the pkiEnrollment object. Suggestion: Since certutil -ping is successful if the actual host name of the new CA is used I would recommend editing the dnsHostName attribute of the enrollment object.
- [2014-06-24] Import of the data of a non-Microsoft CA to a Windows CA. It might be doable but there is no simple wizard: Import CA keys and certificates, import all certificates one by one, re-configure CDP and AIA URLs.
- [2014-06-24] Access another Windows computer in a Workgroup environment: It still works with pass-through authentication - just create a user with same user name and same password on source and target machines.
- [2014-05-23] Intermittent problems with computer re-authentication: Finally resolved by disabling re-authentication. I just added some thought on why re-authentication is used (under the false impression that it would add something like two-factor authentication) so why not disable it!
- [2014-06-23] Import of an existing wild card web server certificate for an Exchange server. The wild card certificate is available on another non-Windows machine but as long as key and certificate could be exported (e.g. using openSSL) as a PKCS#12 / PFX file this should not be an issue.
- [2014-06-20]
OCSP Responder issues:
Extensive troubleshooting and walking through the OCSP configuration. One
main issue was a misunderstanding about how to use one Responder for
different CAs, and how an array should work. The same configuration would be
replicated to the other member in the array, and the same two confguration
items (revocation configuration) would then be visible at both Responders.
Additional interesting issue: Adding the Intermediate CA certificate to
Trusted Root store can cause an error 403.16 in IIS and thus break
certificate validation!
Update on 2014-08-14 - 'case opened again' as this PKI had to be rebuilt. I tried to explain how to use CAPI2 logging. - [2014-06-23] OCSP design: Use a dedicated OCSP server? This could make sense from performance perspective. The OCSP machine just needs access to the CDP URLs where the CRLs are published. An intermittent error was resolved by re-issuing the CAExchange certificate (so pkiview.msc might have had outdated information due to the old URLs in the previous CAExchange certificate).
- [2014-06-20] Can a bogus proxy set with proxycfg block users from accessing the internet? So as a proxy set with proxycfg or netsh is just available when access to the internet is made in the context of a machine, not in the context of a user.
- [2014-06-18] Selection of WLAN certificate by a Windows machine when talking to radius servers on different networks? The idea was that the client should be able to use an external via an internal certificate. No solution - I am afraid the clients just picks any or the first one whatever that means. It seems from the test results that the choice of client certificates is not limited by the CAs the NPS server trusts as it would be suggested by the TLS standard.
- [2014-06-17] Web Server template not available for issuing certificates via the MMC (old thread resurrected) Not sure that the issue finally way but most likely a combination of: Template not yet published, no permissions for the machine (as this is MMC enrollment), or delay by AD replication, missing GPO update.
- [2014-06-16] EFS decryption problem: These can also be due to lack of trust in the user's own certificate -the solution was to import the user's certificate to the Trusted People store. EFS checks this store if validation of the certificate chain fails so in addition to this quick fix any issues with the chain should be investigated.
- [2014-06-16] Putting a custom serial number user certificates: Interesting question re to creating certificates compliant with local legislation (Paraguay). Actions needed: 1) Name in the request was too long - set the EnforceX500NameLengths flag to 0, 2) add the DeviceSerialNumber value to the SubjectTemplate registry key 3) but use SERIALNUMBER when referring to the subject name in the INF file used with certreq.
- [2014-06-13] Weird PEAP authentication issue with certificates though no certificates should be required - if I understood the question correctly and assuming that PEAP-MS-CHAP-v2 should be used. No solution - I suggested to check NPS log files.
- [2014-06-13] Certificate Services backup and restore - short overview and backing up the three required components: CA database, CA key and certificate, and the configuration (registry key).
- [2014-06-13] Windows NTLM pass-through authentication: Re-discovered and considered a security issue but this is as it works by design: With a standard local admin password you can access all those machines remotely.
- [2014-06-13] Allegedly corrupt signature: Due to certificate chain built just on name matching as the wrong issuer CA certificate (wrong key but same name) had been imported.
- [2014-06-12] (Info only:) Release of an interesting white paper by Microsoft - quite comprehensive, this should supersede many of the existing resources.
- [2014-06-05] Revoking the old CA certificate immediately after renewal causes an error. Just to be sure certificates can still be validated (as renewal was done with a new key, so there is a chance new certificates might chain to the old CA certificate) several checks have been done. Certificates are fine - actually NPS does not seem to recognoze revoked client certificates. Reason most likely: The server side (web proxy) cache of OCSP - CRLs and OCSP responses can be cached in different places.
- [2014-06-03] Certificate enrollment of certificates configured for private key archival fails specifically for Windows 8.1 clients while Windows 7 is fine. After checking enrollment and the validation of the CAExchange certificate extensively my finaly suggestion (unanswered) was to check if probably the TPM (new feature in 8.1.) is used to store the certificate. The cypto provider will not allow export of the key from the chip for archival purposes.
- [2014-06-03] Creating user certificates for SAP - and where to put in which name? I cross-checked and translated documentation by SAP and it seems they need the UPN in the subject alternative name. Unclear: Do they map based on binary certificate (as the certificate is sort of imported to a table) or does the mapping wizard just read a name string from the certificate and enter that into the actual mapping table.
- [2014-06-12] Limitations of using different strings and AD attributes when building subject names. The Windows CA can either take DN components from a request or the whole DN can be built from the DN of the object in AD. Not possible: Add custom strings in addition to AD attributes or add other AD attributes not in the AD DN, such as O= or OU= unless OU is a container.
- [2014-06-10] Obtaining certificates for RADIUS servers - via cross-forest enrollment actually which requires the deployment of an additional solution - either CEP/CES HTTP-based enrollment services or the older cross-forest solution that is based on syncing PKI objects cross-forest. Both require a two-way forest trust. If a radius proxy would be used in authentication no trust would be required.
- [2014-06-10] What happens when a CA is retired and when certificates finally expire. I recommend creating a long-lived CRL and keep it at the CDP embedded in the end-entities' certificates. When the CA will have been expired all client certificates must have been expired, too, and all objects could be removed.
- [2014-06-10] Which certificate to use for RADIUS (NPS) servers, description of the details of the enrollment process for a web server SSL certificate, e.g. using the Certificates MMC. This thread is related to the other one on cross-forest enrollment of radius certificates, dated also 2014-06-10.
- [2014-06-09] SChannel errors - an old thread. Just added a wild guess that these may be related to using a crypto provider that cannot be used with SSL (so use RSA SChannel... instead).
- [2014-06-06] Issues with 802.1x WLAN user certificate, most likely a SChannel / provider problem as the chosen provider was not SSL-capable: Switching from a Windows 2008 to a Windows 2003 template resolved the issue
- [2014-06-05] How to request a certificate with a custom name for a web server - summary of all options (Certificates MMC, certreq) and link to this article.
- [2014-06-05] Certificates to be used with NDES (SCEP). The templates CEP Encryption and Exchange Enrollment Agent are used by the NDES services itself, the template IPSec(Offline request) or a copy of it is for devices. Clients cannot request certificates from different templates as the request from the device is anonymous from SCEP's perspective. Follow-up question: Version 3 certificate templates are not available in the certsrv tool as this does not support the new algorithms.
- [2014-06-03] When dragging and dropping images into a Word document the original locations show later up in tool tips in a PDF created from that doc. I re-discovered this bug and just added my comment to an old thread. You have to edit the ALT Text attribute of every image.
- [2014-05-31] How to create certificate requests (with various tools) and send them to enterprise or standalone CAs (using various tools). I tried to give a comprehensive summary of all the options, the question was about SAP certificates for Mac clients: Creation by the user versus by an enrollment agent, creating the CSR on a Mac or using a Windows PC as an enrollment station. Names could be added to the request (all tools) or retrieved from AD if a Windows client is used.
- [2014-05-30] Exotic issues with private key or CSP - unfortunately the answer was not clear. I had seen issues with third-party software for hardware dongles posing as a fake CSP but in this case the OP reported back that also a support case with MS did not solve the issue the key / certificate in question could not be repaired.
- [2014-05-30] Troubleshooting DCOM permissions related issues after CA migration. Detailed investigation - mainly cross-checking default DCOM permissions: CertSrv Request object, COM Security, DCOM group policy, Certificate Service DCOM Access group. Finally the issue was related to missing permission on a DCOM-related registry key which had been indicated by the Edit Limits... button in COM Security being greyed out.
- [2014-05-23] Autoenrollment troubleshooting. First there was some confusion about where private key should be generated (Autoenrollment triggers the client to create keys locally), and the issue as such boiled down to a DCOM issue: The Certificate Service DCOM Access group did not contain Authenticated Users.
- [2014-06-02] Why an Issuing CA certificate shows up in the local CA store after installing a new certificate: Checking the Certificate Enrollment Protocol: in the section in the section about the CA's response they refer to RFC 3852 that states the CA's response MAY include the full chain...
- [2014-05-30] Question of mine: How to query large Windows CA databases efficiently: I have been given terrific advice on how to optimize code. Some weeks later I followed up with my test results, based on a CA DB with a million certificates: My main issue was that I sorted that DB by Request ID, under the false assumption that - when applying a filter in addition - results would first be filtered and then sorted.
- [2014-05-28] Behavior of the Windows CA's policy module - no elaborate parsing of Subject Alternative Names for e-mail addresses. If the CA is configured for accepting SANs (Mind the security implications for UPNs!) the policy module just passes on the submitted SAN. If more checks need to be done a custom policy module is needed or parsing capabilities could be added to a web frontend (modified version of certsrv pages).
- [2014-05-28] How to test an ODBC connection. The simplest thing I can think of is creating an ASP pages, creating an ADODB connection and opening it using that ODBC connection string
- [2014-05-27] What happens to Active Directory if you install an Enterprise CA. Several objects are created in configuration container (usually harmless), and default templates would be published unless this is prevented by setting the LoadDefaultTemplates key.
- [2014-05-26] Erratic problems with encrypting e-mail with Outlook. Added my anecdotes to an old thread: I also have seen this and attribute it to the various sources outlook could retrieve the recipient's certificate from - AD LDAP user object, cached offline addressbook, an Outlook contact based on the GAL entry, those older attributes used to hold certificates (userCertificate populated by an enterprise PKI versus userSMIMECertificate populated by users themselves versus the even older userCert).
- [2014-05-23] Exchange server does not use CA-signed certificate for secure SMTP although those should take precedence over self-signed ones. No resolution.
- [2014-05-22] WLAN 802.1x authentication with certificates: Summary of how this is done: NPS as radius server with a SSL certificate to protect the authentication. Clients can authenticate using certificates (EAP-TLS) or user / machine names and passwords (PEAP-MS-CHAPv2). Link to this more detailed article.
- [2014-05-21] Certificate for iPhones and that annoying popup asking for confirmation of the radius server's certificate - even if that one has been issued by a public CA. This is by design and I consider this similar to the requirement valid for Code Signing certificates - they also need to be trusted individually.
- [2014-05-20] Issues with certificate renewal and 802.1x authentication. The first one - RPC server offline - was resolved by having the CA restored and taking it online again. Remaining issue in using the certificates that had to be renewed: NPS throws an error 18 when clients try to authenticate, probably an issue with the message digest. Escalated to CISCO.
- [2014-05-20] How PEAP works and why the Radius server needs a certificate. Brief summary focusing on the fact that the server needs a certificate to protect the authentication channel.
- [2014-05-19] How to switch to SHA256 in a Windows PKI hierarchy. As the hash algorithm is a CA-wide setting I would always recommend setting up a parallel new hierarchy.
- [2014-05-16] Requirements for cross-forest enrollment. Two options: CES/CEP role services of the CA (HTTP enrollment) or the older solution based on Powershell scripts syncing AD objects.
- [2014-05-15] Automated generation of certificates for non-Windows clients, using a Windows client as an 'enrollment station'. Some code snippets for looping through an input file of computer or user names. This input would be used to create an INF file, use certreq to create key and CSR and submit it to the CA, retrieve the certificate, install it, and export key and certificate as a PFX file.
- [2014-05-15] The OID shows up instead of the template's name in the CA's database. That simply could be a timing issue as the mapping is done via objects in AD.
- [2014-05-14] Clean-up after removing CAs - for an extinct CA and another one that has been restored but is not used. I suggest to play it safe and keep CRLs as long as the CAs certificates are valid, and I would not revoke all end-entity certificates as recommend in an MS KB article.
- [2014-05-14] Public CA's certificate for RADIUS server, validation by iPads. 1) Detailed installation instruction of the cert. chain at the radius server 2) Investigating that popup asking for a confirmation of the NPS certificate although it chains to a trusted public CA. The latter is by design as the OP found out.
- [2014-05-14] Migration to a CA with a different host name. I would recommend sanitizing the CDP and AIA URLs (removing references to the host name) as the configuration has to be touched anyway.
- [2014-05-12] Impact of Enterprise CA removal on AD replication. There should be none unless certificate are really used for AD SMTP replication (uncommon). Otherwise I would recommend to setup a replacement PKI.
Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!
- [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
- [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a scripts versus running the commands interactively. In a script the % needs to be masked by another %.
- [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
- [2008-11-09]
Planning fail-over clustering for a CA, in particular how to migrate an
existing non-clustered CA into the cluster. Clustering is only supported
with HSMs(*). As for the names it can be done but the legacy of LDAP objects
and HTTP URLs that contain the old machine name makes that rather messy.
Suggestion: Use a new clustered CA setup from scratch with proper names and
create a long-lived CRL for the existing CA before retiring it.
(*) Learned in 2014 that this is not true (anymore?) - [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
- [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
- [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource but permission for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain
- [2008-09-18] Time zones and clock skew. Date formats in certificates are in Universal Time format including time zone information. There is only a clock skew of 10 minutes applied by default to avoid false not-yet-valid messages.
- [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
- [2008-07-28] Requirements for macro signing certificates. I suggest to time-stamp macros as otherwise (even if signed) signature would be considered invalid when the signer's certificate has been expired.
- [2008-07-26] Certificate services simply fails to start after setup. Not clarified but another user indicated that in his certocm.log a permissions error was logged when he saw the same error - using the domain admin resolved it.
- [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
- [2008-07-12] Autoenrollment issues - an XP client does not autoenroll through manual enrollment works and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificte of that type in the store and the setting Do not re-enroll if a duplicate certificate exists in AD has been set 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
- [2008-07-01] Wild-card certificates - feasible but not recommended as there is a slight chance clients may not recognized the wild-card character.
I had created radices.net as a German-only site in 2003, with the intention to dump my pseudo-philosophical musings on science, philosophy, and culture somewhere. radices should remind me of my roots - in physics. Since I am already maintaining too many websites and blogs, in German or in English or in both languages, it took more than 10 years since I finally started an English version of this site.
About radices.net
radices is roots in Latin. And accidentally there is a pun, perhaps as hackneyed as roots of all evil. As a security consultant I built lots of Root CAs, the top anchor in the hierarchies that are called Public Key Infrastructures.
radices.net shall now be dedicated to what online gurus and internet philosophers call curating today. Which means I just dump links to stuff I am interested in to add some basic structure of headers. radices was a German science pseudo-blog but it also was an experiment in organizing content - so I have come full circle.
About my PKI activities
I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing their PKIs run inhouse. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.
As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.
Here is the often requested one A4 page summary, and here you can see that those PKI services are part of an ... uhm... odd combination of IT services.
- I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
- I started logging PKI issues here. The idea is to described them most concisely, in TXT format.
- Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.
I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I have completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkeIn profile). Now I am consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weirder to combine that with PKI.
The security of the smart grid and internet of things [add more buzz words here] provide options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.
For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.
My lecture slides on PKI and security are a bit dated already, I add them for completeness though.
Articles on my blog are targeted to a broader audience - perhaps they are too 'philosophical' for security experts. See the complete list of postings below, after the image.
- Between 2007 and 2010 I gave a lecture called Authentication, Authorization and PKIs in a master's degree programme at University of Applied Sciences FH Joanneum, then called Advanced Security Engineering (ASE).
- Public Key Infrastructures - Vision, Trends and Real-World Implementation - talk I gave in April 2007 at the opening event of that degree program.
- German lecture Verschlüsselungs- und Signaturtechnologien - von den theoretischen Grundlagen bis zur praktischen Umsetzung, given 2006 at ditact, on IT summer school for female students.
- German talk at .NET Conference in Vienna 2002 - PKI Implementierung. Effectively introducing new features of the Windows 2003 PKI.
Last link changed: Migration of classical CSP to CNG / KSP, and old but good MS overview on certificates for network authentication of devices.
This is my list of Links to white papers and the like that I have found useful (restarted 2014). It is not an attempt to create a balanced or educational list. I am adding what I need right now!
Comprehensive reviews of PKI issues
Analysis by Peter Gutmann who likes to throw rocks at PKI according to his bio:
- Everything you Never Wanted to Know about PKI but were Forced to Find Out
- Book Draft, see chapter on PKI: Engineering Security
- X.509 Certificates - part of the crypto tutorial.
- The legendary X.509 Style Guide
- PKI: Lemon Markets and Lemonade: Incl. many examples of certificates invalid in different respects but yet recognized by PKI applications.
Certificate validation
Request for Comments:
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Including an algorithm for X.509 certification path validation.
- RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building. In an alternate universe in which Richard Feynman had become a computer scientist, he would have written such RFCs instead of inventing his Feynman diagrams.
- Strict RFC compliance re validation of Certificate Policies OIDs enforced in Windows 2008 R2.
In Windows systems:
- Certificate Revocation Checking in Windows Vista and Windows Server 2008 - interesting: pre-fetching or CRLs and support for OCSP signing certificates signed by another CA.
- Troubleshooting Certificate Status and Revocation: explaining in detail how Windows clients build certificate chains, such as matching names based on a binary comparison or doing a name match only when AKI is not populated - which does not match my experience for Windows 2008 - I seen it agressively doing name matching despite non-matching AKI/SKI and this resulting in a alleged 'corrupt signatures'. But don't take my word on this - I might habe messed something up on testing. Anyway, this paper also demonstrates how awfully complicated it is to check certificate paths. Windows 2000 and XP did it differently (see at the middle of the document) - so this has probably changed again.
- Troubleshooting PKI Problems on Windows Vista
- How Certificate Revocation Works
- Windows XP: Certificate Status and Revocation Checking
Cross-certification and hierachies
- Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003: On cross-certificates and constraints.
- Microsoft's own showcase. They went from a 3-tier internal PKI to a simple 2-tier infrastructure.
-
Cross-certification of inhouse CAs by Verizon (former
Cybertrust), solution name formerly known as 'Omniroot'.
This case study still shows this name):
More case studies:- Study Louisiana State University: Details, summary.
- Microsoft's internal PKI as per the time of this white paper. The GTE Cybertrust Root depicted in figure 2.
Certificate enrollment
Links for Microsoft's autoenrollment are provided in more MS-related sections
- Simple Certificate Enrollment Protocol: The eternal draft (?) of a protocol originally developed by CISCO.
Weird, hacked, forged certificates
- Legendary X.509 certificate by Markku-Juhani Saarinen with: invalid dates, a public key exponent of 1, a huge RSA modulus whose BASE64 version includes a funny message (I found this gem quoted in Peter Gutmann's various PKI slides, e.g. these ones). Validated correctly on Windows systems in 2000 - just tested: as per 2014 it stil does.
- MD5 considered harmful today - Creating a rogue CA certificate: Epic and educational hack, based on a combination of the algorithm's weakness and out-of-the-box thinking / social engineering. A rogue CA cert., hash-colliding with a legitimate cert. issued by a SSL CA that was not very creative in creating serial numbers and validity dates.
- Null Prefix Attacks Against SSL/TLS Certificates by Moxie Marlinspike. How inserting NULL characters into the subject name and adding some domain you own after this character will result in great certificates for phishing purposes.
PKI planning
Somewhat Microsoft-centric:
- Active Directory Certificate Services Step-by-Step Guide
- Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure: Old but still good.
- Securing Wireless LANs with Certificate Services: Again old but good. Comparing this to Securing Wireless LANs with PEAP and Passwords shows that PKI is by far the most time-consuming part of the infrastructure
- Active Directory Certificate Services Migration Guide: The CA is migrated by moving key, database, and conifguration over to a machine - which probably runs on a different operating system. The guide is for software-based key stores. With an HSM the migration is essentially the same once the HSM crypto provider has been configured and the HSM connected to the new machine.
- Windows CA Performance Numbers and Evaluating CA Capacity, Performance, and Scalability
Windows PKI: Features and management
After I started compiling my own list, I found this - I will keep picking some of the microsoft.com links and publish them to this page though:
- Windows PKI Documentation Reference and Library: Comprehensive overview of all MS resources related to the Windows CA ('Active Directory Certificate Services').
Some of the features required to run a Microsoft PKI in a larger, corporate environment:
-
Certificate Templates:
- Windows Server 2012: Certificate Templates and Options - templates are classified in a new way, by the combination of the OSs of CA and certificate subscriber. The schema version is derived from these OS versions and the intended cryptographic providers.
- Note that version 3 templates are not available via the web enrollment (ASP) pages.
- Implementing and Administering Certificate Templates - for CAs <= 2008 R2
- Certificate Enrollment Web Services in Windows Server 2008 R2: This is to solve the issue with (not) allowing clients to use RPC/DCOM for certificate enrollment. These PKI roles allow for HTTPs-based enrollment via a 'proxy' instead. The HTML version of the paper. Starting with Windows 2012 key based renewal is supported - so non-domain joined machines only need to enroll for the intial certifiate manually.
- Active Directory Certificate Services PKI - Key Archival and Management: Storing private keys to the CA database, using split administration.
- Credential Roaming: Using Active Directory for roaming and backing up users's keys and certificates.
- Certificate Autoenrollment in Windows Server 2003: Especially the section on troubleshooting is interesting.
- Online Responder Installation, Configuration, and Troubleshooting Guide: Most interesting is how long response live: They are generated from CRLs and live as long this CRL or the OCSP signing certificate whatever is more short-lived. In addition, the cache time for responses served can be configured. How to make OCSP responders high-available.
- Network Device Enrollment Service - Microsoft's implementation of SCEP, Simple Enrollment Protocol. Starting with Windows Server 2012 R2 a custom policy module can be used with NDES.
- Failover Clustering and Active Directory Certificate Services: Clustering is supported if an HSM is used as a keystore. Then, actually, the HSM should be clustered as well.
- Evaluating CA Capacity, Performance, and Scalability: Performance of the Windows 2003 CA in terms of certificates issued per time and database size. Database performance in terms of creating views is not given.
Windows PKI 2008 R2 versus 2012 R2 and upgrade of hash algorithms
New features in 2012! Note I started added some the detailed articles about specific features - NDES, templates - also to other sections. This section is for overviews covering many new features or cryptograpy / algorithms in particular.
- What's New in Certificate Services in Windows Server 2012
- Windows Server 2012: Certificate Template Versions and Options - probably the change the PKI admin notices first.
New ways to leverage a TPM chip - key attestation by validation of an endorsement key. You could have used a TPM chip as a custom key store for the machine / SYSTEM in earlier versions of Windows (basically like a 'smartcard for machines) in case the vendor of the TPM chip or a vendor of crypto software provided a suitable CSP / CNG provider. Starting with Windows 8.1 as the end-entity's OS the CA (2012 R2) is able to check if the private key had really been stored to a TPM chip.
New algorithms:
- Changing public key algorithm of a CA certificate - only the hash algorithm can be changed (for CNG providers), not the provider itself.
-
Upgrade Certification Authority to SHA256
- after the change of a registry key the CA signs anything with the new
algorithm, including CRLs and its own CA certificate when renewed (Step-by-step-instructions).
Attention - according to my experiences with 2008 R2 the registry value for hash values is case-sensitive. Good: The change of the hash algorithm can be reverted easily. Bad: This is a per-CA settings, so once the algorithm has been changed all certificates and CRLs issued by that CA are signed using the new algorithm.
Certificate and key stores
Windows client-side stores:
- Migrating a Certification Authority Key from a Cryptographic Service Provider (CSP) to a Key Storage Provider (KSP)
- Key Storage and Retrieval: CNG architecture and location of keys in the file system.
- Windows Data Protection: Private key files are encrypted using a master key generated from a user's or machine's SID and password. DPAPI security explains why users don't lose access to their EFS private keys if their passwords are reset by a domain admin.
- The key associated with a self-signed certificate in the computer store is used in the Microsoft implementation of DNSSEC.
Encoding
- Advanced Certificate Enrollment and Management: White Paper incl. sample commands for the Windows tool certreq and a summary on BASE64 and ASN.1
- BASE64 explained
- The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)
- dumpasn1.c: Peter Gutmann's tool for checking ASN.1 encoding of any file.
- DER Encoding of ASN.1 Types - introduction to ASN.1 by Microsoft.
- Syntax of Windows' tool certutil that can (among many other things) show ASN.1 or encode/decode/encode hex files.
Using certificates for authentication
Native Active Directory logon:
- How to use certificates to integrate with the Kerberos protocol: RFC 4556 - Public Key Cryptography for Initial Authentication in Kerberos (PKINIT).
- Certificate Processing Logic, Figure 21 in Windows Vista Smart Card Infrastructure. Essential: String-based mapping of UPN in SAN onto UPN in AD. Secure though because the issuing CA's certificate need to be present in the NTAuth object.
- IIS configuration details of Active Directory Certificate Mapping: Client Certificate Mapping Authentication.
- Security advice by Microsoft - use this feature with caution and don't allow 'PKI admins' to control both a CA and the details of requests: Because user input can be abused by persons with malicious intent, precautions should be taken to mitigate the risks associated with the use of user-defined SANs.
- Specification of the Remote Certificate Mapping Protocol. An example of how the protocol is used in the communication between domain controllers and web servers.
Webserver-based mapping (no directory)
Apple iDevices, SAP, and other non-MS clients
- In contrast to Windows'/AD's native logon via UPN string mapping
SAP uses a 1:1 mapping of binary certificates to users:
Single Sign-on mit SAP (part of a German book, assignment of the certificate is explained on pp.33) - Apple iPhones, 802.1x authentication against Active Directory using Windows
RADIUS server (NPS)
(promoted to blog post, summary kept here for traceability).- Properties of the certificate
Subject CN: host/machine.domain.com
Subject Alternative Name machine.domain.com
Certificate Template (Windows Enterprise PKI): Copy the default template Workstation Authentication, Subject Name: Name as submitted with the Request. - Create the key, request and certificate on a dedicated enrollment machine and export key and certificates as PKCS#12 (PFX) file.
- Create a shadow account in Active Directory
dnsHostName: machine.domain.com
servicePrincipalNames: HOST/machine.domain.com - According to my tests, the creation of an additional name mapping (as recommended here) is not required - SAN-DNS gets mapped onto dnsHostName in AD.
- Properties of the certificate
Network authentication of devices
- Overview: Certificates for different services / protocols, like 802.1x or IPsec
PKI Applications
Started in 2014-10. Usual suspects as SMIME, EFS, 802.1x to be added as needed over time. See also the list of Technet Postings and the PKI FAQ.
- DNSSEC: Secure DNS Deployment Guide, Step-by-Step: Demonstrate DNSSEC in a Test Lab.
- Remote Desktop Services: Certificate requirements for RDP.
- Domain Controllers: Certificate requirements when using a third-party CA. These are the same requirements as with an inhouse CA - an external CA chain needs to be manually imported in addition (Trusted Roots, NTAuth).
Useful commands (in the Windows world)
Configuration parameters:
- Some interesting flags for locking down access to a Windows CA. See section on Config_CA_Interface in this Configuration List.
- Windows Certificate Services Tools and Settings: Describing the CA's registry keys.
Emergency processes, for Windows.
- Delete cached CRLs:
certutil -setreg chain\ChainCacheResyncFiletime @now
(Weitere Optionen siehe diesen MS-PKI-Team-Blogeintrag) - Start a CA even if the revocation check on its own certificate has
failed - set this flag:
certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE - Key Recovery:
- Search for the archived keys of a specific user and create a batach
script (CA admin permissions required)
certutil –getkey domain\username >recovery-username.bat
This script also contains the password of the p12 key file that will be created. - Run this batch file. This creates a single p12 file including all keys for this user. Pre-requisites: The user executing the script needs to have one Key Recovery Agent's certificates associated with each of the keys to be recovered in his/her store. In addition CA Admin permissions are required and this needs to be an admin cmd session.
- Search for the archived keys of a specific user and create a batach
script (CA admin permissions required)
- The batch file does the following for every key found:
certutil -getkey [SerialNumber] [encrypted blob]
certutil -recoverykey [encrypted blob]
A temporary p12 file is created from every blob; then all p12 files are merged using certutil -mergepfx and all temporary files are deleted.
PKI and smart metering
Requirements for a smart meter PKI in Germany:
Sicherheitsinfrastruktur für „smarte“ Versorgungsnetze
An example: Smart Meter mit PKI Sicherheit
(Not sure if I will ever update this.)
Here I am documenting issues with X.509 certificates and Public Key Infrastructure I have encountered.
In the grand tradition of true geeks I use the most compatible format that alien civilizations might be able in million of years - a simple text file (in a pre tag)
PKI Issues Random collection by Elke Stangl, elke@punktwissen.at ------------------------------------------------------------------------ Certificate path validation * Ambiguous chains and chains sent in SSL handshake. The web server sends the chain it prefers. If there are two valid chains, such as a shorter chain associated with an internal root CA and a longer chain connected to a cross-certificate issued by a public CA AND the server is available on 'internal' and 'external' networks (via a reverse proxy) it will send the untrusted internal chain to external relying parties as well. * Some embedded devices cannot deal with chains - including earlier versions of CISCO PIX and Apple's IOS SCEP client. In order to get validation working you might need to: Import the subordinate CA to the root / 'CA' store or add the thumbprint of the sub CA where one would expect that of the root CA or vice versa. * Some apps / devices cannot deal with a 'renewed' CA, that is: Two CA certificates with same subject names but different keys imported to the same CA cert. store. Unfortunately this is the default state of affairs if CA's life times are nested according to the shell model (CA certificates renewed at half of its validity period e.g.) CISCO fixed a related bug some years ago. ------------------------------------------------------------------------ Names and encoding * CAs may change the encoding of subject names of the certificates issued in relation to the encoding in the request. The subscriber may not be happy with that - and it can be quite a challenge to track this down if this client is a custom-made device / blackblox. * CAs may reorder the X.500 components (Should we go O-->CN or CN--> O) and again apps. who combine the binary name blob could fail. * Details of the validation depend on the browser (version) used. I can't recall the versions unfortunately but some years ago some browser was happy to match certificates on names (neglecting encoding) while another did a binary check of names plus cross-checking AIA versus SKI fields. * I was surprised to see that Windows clients fall back on name only matching if they are not able to match on SKI / AKI. This gives the user a nice picture of a certificae chain, however an error message tells you that the certificates may be corrupt. ------------------------------------------------------------------------ Revocation checking * Devices may have size limits - I recall 256kB for some of the older (?) ones. This would cause VPN and the like to fail if you would use, say, current cacert certificates or those issued by the Austrian public CA, A-Trust. * I have seen Outlook failing often when trying to download such large CRLs as well - although the CRL servers were accessible. Fortunately there are some registry keys that allow for tuning the way Outlook deals with CRLs and related errors. Unfortunately you cannot manage the registry keys of the e-mail clients that receive your e-mail. * OCSP is a solution to oversome the size issue but not necessarily the issue of current revocation information. The Windows OCSP server retrieves information from a CRL, and the validity period of OCSP responses is either that of the CRL used or of the OCSP signing certificate (the latter is two weeks by default). Sure, the caching behavior can be configured so the OCSP server would consult the CRL more often. Yet the responses sent to relying parties are still 'long-lived'. As I understood the options the only way to really purge responses at the client earlier is to use an HTTP Expires header at the OCSP server and hopefully the OCSP client does respect it. * Deleting CRLs regularly should be a built-option of PKI-enabled servers. VPN servers (CISCO, Nortel, Juniper) have been able to do this since a long time. Then you can configure CRLs a way that allows for reasonable operations (that is, solving the issue: What happens if the CA runs into an issue when the CEO gives the yearly motivation speech at Dec. 24, 11:30 - when will you be able to spot the problem). CRLs would be allowed to live for, say, a week, but are purged at the validating server every, say, 3 hours. With Windows, you can do this on princple since Vista/Server 2008 has been given a supported option to delete CRLs - but you need to create scripts to do it. ------------------------------------------------------------------------ How apps use certificates for authorisation (in probably unexpected ways) * Certificates might be used as files to be parsed for name-value pairs. I found something like an 'authorisation scheme' coded into X.500 name fields. * So-called LDAP group memberships: While some devices understand memberOf attributes, some so-called groups are based on parsing X.500 names. Such as: Putting everybody with OU=External in the 'external group', 'external VLAN' etc. It can be a challenge to reconcile this with a concept of real groups in LDAP directories such as Active Directory. ------------------------------------------------------------------------ How users don't expect PKI-enabled apps to work. (This could probably be used as a title for anything in this file) * CRLs are blacklists not only used for blacklisting in the way admins expect it. Often people are surprised that network logon etc. will fail simply because the CRL is not accessible or expired. * Sent items of encrypted e-mails in Outlook are encrypted. This comes as a painful surprise to users who had used smartcards (e.g. the Austrian National ID certificates issued by A-Trust) to encrypt their mails and whose card used basically for other purposes (health insurance) has been retired / cut in two pieces. Ironically, it does not help that new cards are issued with the same keys as Outlook tries to find the associated certificate in the store first before 'accessing' the key (via the CSP). * CRLs cannot not necessarily be pre-fetched - though this is what admins would like to do whose internal AD logon depends on certificates and CRLs issued by an external provider. Of course you can build all sorts of hacks as mirroring an external LDAP server, periodically polling for CRLs etc. * Windows NTAuth store and the number 1 misconception of how certificates are used for logging on to AD: UPNs in the SAN are automatically mapped to UPNs in AD (DNS names for machines). This is a string-based mapping - not a binary comparison of certificates or hashes - and the security hinges on the fact that the issuing CA's certificate has been distributed via an attribute in the so-called NTAuth object in AD's configuration container. This means if you somehow manage to get a highly privileged admin's UPN into a certificate issued by an NTAuth-entitled CA you could impersonate that admin (logging in using smartcard for example). That's why it is a really bad idea to 'delegate' management of an enterprise CA AND management of certificate templates(the defintions of how cert. content is constructed and how certs. are issued - such as allowing for arbitrary names in requests) to the administrators of a child domain who on principle only want to issue certificates to their users or machines. * Certificates are not necessarily more secure than machine logon in a Windows environment - comparing EAP-TLS using certificates configured as non-exportable (as per cert. template) and PEAP-TLS. Hacking the latter would require transferring / extracting the machine's password/ Kerberos secrets / system state. 'Hacking' the former is not hacking at all as the 'not exportable' option can be overruled by a local administrator at enrolment. Since Vista/2008 this can be done in the GUI (certmgr.msc), before you needed to craft your key and request with certreq and submit it in a sepearate step to the CA. * The advantage of certificates over PEAP-TLS is that they are more standards-compatible - but still the process can be painful (to equip print server boxes with certifiactes for example. To let iPhones do 802.1x logon (to AD) via WLAN you need to add host/machine.domain.com to the subject CN (so that the device send the correct string) and machine.domain.com to the SAN (so that AD-based mapping against the dnsHostName attribute does work). And of course you need a dummy / shadow object in AD with that DNS name and a service principle name of host/machine.domain.com. * Accessing 'public' CAs' CRL is more difficult than expected - in particular if the validation is done by machine entities. Servers such as an Exchange server that should check CRLs for e-mail certificates on behfalf of a web access user, or 'internal' webs servers that should validate users' logon certificates) often cannot access 'the internet' and/or a proxy server is used in the context of users but not in the context of machines. ------------------------------------------------------------------------ Processes and the human factor * It is always the seemingly simple processes and logistics that go wrong - that is: scheduling CA renewal or issuing a CRL signed by an offline CA infrequently. This is also true for well-managed environments. * Offline CAs escape the usual monitoring processes. There is an inside joke about carefully naming an offline CA (e.g. the virtual machine) so that it does not get deleted accidentally because 'it is never online'. Since I have encountered such an incident - a classical unfortunate connection of events - I don't laugh anymore. * Freshly minted PKI consultants often take a very academic, PKI theological ((C) Peter Gutmann) approach. I was no exception. But who needs three tiers for an internal, "device / infrastructure" PKI really? * Eternal CRL as fall-back solution. I have seen processes re HSM management gone wrong too often. Thus I recommend to create a CRL that will be valid until the related CA's certificate will be expired. In case an HSM is renderend inaccessible this CRL will provide business continuity. ------------------------------------------------------------------------ CA Operations * CRL publication can fail due to the CA's issues with writing the CRL file to the file system. A virus scanner has once locked the temporary .tmp file and a (Windows) CA was not able to rename it to .crl. ------------------------------------------------------------------------ Law and politics * Digital signatures on invoices transmitted electronically have been mandatory in Austria for a few years before the law has been changed. I wonder how agencies will ever check the signatures applied in these years by wildy varying technologies - XML signatures, signed PDFs (including CRLs or not, including time stamps or not), signatures stored on / provided by server-side components such as the 'mobile signature'... * I wonder how cross-country checks of signatures on PDFs are ever going to work. Legal cross-certification does not imply technical compliance. For validating Austrian Qualified signatures (ECC) with Adobe Reader you need to install a plug-In AND know how to configure advanced security settings. Otherwise error messages are misleading. * Time-stamps have not been mandatory with digitally signed invoices in AT. Yet, Adobe Reader will report signatures as invalid in the future if the computer's clock time has been embedded. Fortunately some PDF signers allow for embedding CRLs or OCSP responses. * My impression is that (in middle Europe) governmental organizations or organizations closely related to agencies are 'motivated' to use PKI-based technology provided by those CA operators that originally were founded to bring PKI and digital signatures to the masses. ------------------------------------------------------------------------ Enigmatic stuff to be investigated * For some Windows 2008 R2 CAs built from scratch with a software-based key I saw the CA 'suddenly' losing access to its keys after it had run for some days properly, after some service re-start. I thought it is some issue with DPAPI protection of system keys, probably when some not supported virtualization software is used. Now I rather think it is due to a 'confusion' of chains: At the CA its own certificate is present different cert. stores, the Personal store being associated with the private key, the CA store not so. But then if have seen some private keys also being indicated for certificates in a non-Personal store - causing some of the chains (in case of renewed CAs) to fail while others still work. ------------------------------------------------------------------------
Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact
(This compilation of links is static - no more amendments planned.)