the new rocket science stuff in microsoft pki

Roger A. Grimes Microsoft


Post on 14-Nov-2014


Page 1: The new rocket science stuff in microsoft pki

Roger A. Grimes, Microsoft

Page 2: Presenter Bio

Roger A. Grimes, CPA, CISSP, CEH, CISA, TICSA, MCSE: Security, yada, yada
• PKI installer for over 10 years
• Taught Microsoft PKI to Verisign
• Principal Security Architect for Microsoft InfoSec ACE Team
• InfoWorld Contributing Editor, Security Columnist, Product Reviewer, and Blogger
• 23-year Windows security consultant, instructor, and author
• Author of seven books on computer security, including:
  Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007)
  Professional Windows Desktop and Server Hardening (Dec. 2005)
  Malicious Mobile Code: Virus Protection for Windows (O’Reilly, 2001)
  Honeypots for Windows (Apress, December 2004)
• Author of over 300 national magazine articles on computer security

Page 3: Roger’s Books

Page 4: Presentation Summary

• Quick PKI Terminology Overview
• W2K8\R2 New Features Summary
• Installing a W2K8 PKI CA
• New Features Review: New Ciphers, Version 3 Templates, Restricted KRA and Enrollment Agents, OCSP, NDES, Web Enrollment Service, Cross-Forest Enrollment, Clustering

Page 5: Public Key Infrastructure: Quick Primer

Page 6: Why PKI?

• Primarily, PKI exists to authenticate the identities and their cryptographic keys involved in cryptographic transactions
• PKI says to the consumer of PKI certs: If you trust me, then the certificate is from who it says it is from, and that is their encryption key
• Principal = subject = user, computer, device, or service

Public Key Infrastructure Primer

Page 7: Signed by Trusted CA vs. Self Signed (diagram)

Page 8: Components of a PKI

• Certificate and CA Management Tools
• Certification Authority
• Certificate and CRL Distribution Points
• Certificate Template
• Digital Certificate
• Certificate Revocation List
• Public Key-Enabled Applications and Services

Page 9: Certification Authority (CA) Duties

• Main: Confirm identity of certificate requestor
• Configure templates and publish them for subjects to enroll against (i.e. request)
• Issue certificates
• Revoke certificates

Page 10: Public Key Infrastructure Primer

• Digital encryption keys are just a series of binary bits (1’s and 0’s) used (i.e. mathematically applied) to obscure plaintext content
• Computers often represent keys as ASCII or hexadecimal characters
• Today, a typical key size ranges from a few dozen bits to thousands; 128-bit to 4096-bit keys are very normal
• Why can’t a hacker just guess the key? Because with good crypto, brute force guessing would take more than “atoms in the known universe”

Page 11: Example Digital Encryption Key (image)

Page 12: Public Key Infrastructure Primer

Two major types of encryption keys:
• Symmetric: same key used to lock and unlock
• Asymmetric: different key used to lock and unlock; called Private\Public Key Cryptography
• Most programs using asymmetric ciphers also use symmetric ciphers as part of their encryption process

Page 13: Popular Public Symmetric Encryption Ciphers

• Data Encryption Standard (DES): 56-bit strength (64-bit key); improved versions: 3DES, DESX (DES Extended)
• Advanced Encryption Standard (AES): became U.S. gov’t standard in 2002; Windows (and nearly every other OS) standard today; 128-bit keys or larger, 256-bit or larger is normal
• IDEA, Blowfish, RC4, RC5, CAST-128

Page 14: Popular Public Symmetric Encryption Ciphers (cont.)

• Most applications should strive to use AES for symmetric encryption
• Windows XP SP1 and later supports AES; if you have XP and don’t have SP1 or later installed, you probably don’t have AES
• If you can’t use AES: use 3DES (168-bit key, 112 effective bit length, still FIPS certified), or DESX (184-bit key, 118 effective bits)
• Don’t use DES (64-bit key, 56-bit effective) anymore

Page 15: Public Key Infrastructure Primer

Symmetric key encryption has several benefits over asymmetric encryption:
• Faster
• More secure for a stated key size
• Better tested over time

Page 16: Asymmetric Cryptography

• Solves the problem of how to securely transmit the secret key(s) between source and destination, plus adds non-repudiation (when used with hash/signature)
• Private/public key pair: one key is used to encrypt, another key is used to decrypt; the keys are mathematically related and unique to each other

Page 17: Asymmetric Cryptography

• Private/public key pair. Central point: what one key can encrypt, the other can decrypt
• Besides the key pair, no other key can decrypt what the other key encrypted
• All participating parties should have their own key pairs

Page 18: Asymmetric Cryptography

• Private key: only the single owner/user should possess it; no one else should ever see it; needs to be protected against unauthorized use/viewing/change
• Public key: the “world” can possess and see it

Page 19: Asymmetric Cryptography

• Whatever the public key encrypts, the private key can decrypt: Encryption
• Whatever the private key encrypts, the public key can decrypt: Signing/Authentication

Page 20: Popular Public Asymmetric Encryption Ciphers

• RSA, Diffie-Hellman, ElGamal, DSS/DSA, Elliptic Curve Cryptography (ECC)
• RSA and Diffie-Hellman most popular, but ECC gaining
• All are supported in today’s Windows OSs by default except ElGamal (which can be added by 3rd party)

Page 21: Asymmetric Encryption Example: TLS/SSL (diagram)

Page 22: Mixed Cipher Usage

Supported IE Ciphers (XP and before):
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_DHE_DSS_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
• TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
• TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_CK_DES_64_CBC_WITH_MD5
• SSL_CK_RC4_128_EXPORT40_WITH_MD5

Page 23: Mixed Cipher Usage (cont.)

Supported IE Ciphers (Vista and later), in preference order:
• TLS w/RSA w/128-bit AES, then 256-bit AES
• TLS w/RSA w/RC4, then 3DES
• TLS w/ECC w/128-bit AES, then 256-bit AES; SHA 256-bit to 521-bit
• TLS w/ECC/RSA w/AES and SHA
• TLS w/DSS w/128-bit AES, then 256-bit AES
• Mixture of (mostly) TLS intermingled with SSL

Page 24: Crypto Providers

• Crypto providers are software programs that provide cryptographic services and ciphers, and generate cryptographic keys
• Crypto providers which use the legacy Cryptographic API (CAPI) are called Cryptographic Service Providers (CSPs)
• Crypto providers that use the Cryptography Next Generation (CNG) API are called Key Storage Providers (KSPs); KSPs appear in Vista and later

Page 25: Crypto Providers (CSP/KSP)

• CSPs/KSPs determine what cipher algorithms (e.g. AES, RSA, key sizes, etc.) are available to use
• Windows comes with many default CSPs
• Prior to Vista, only CSPs by default; with Vista and later, both CSPs and KSPs can be used; only Vista and later recognizes KSPs
• Can use the default ones in Windows, or 3rd-party vendors can install their own; often you can choose between Windows defaults or a vendor-supplied CSP\KSP

Page 26: Crypto Provider Example

To use a smart card, you need:
• A smart card
• A PKI to issue certs to the smart card
• A smart card reader
• A KSP/CSP that works with smart cards
• The smart card reader and KSP/CSP must be installed wherever you plan to use the smart card, plus on the CA where templates are created or published

Page 27: Crypto in Microsoft Certificate Services

• Can use any cipher provided by an installed Crypto Provider (KSP\CSP) module
• Defaults are: Diffie-Hellman, RSA, ECC, DSS; MD5, SHA1; AES, DES, 3DES, DESX

Page 28: Suite B

• Set of algorithms required by US gov’t starting in 2007: AES 128 and 256, SHA-2 (SHA-256, SHA-384, SHA-512), ECC
• Vista and later is Suite B compliant

Page 29: Certificates in Windows: Ways to Request Certificates

• Autoenrollment (XP and above)
• Automatic Certificate Requests (Windows 2000 machine certs)
• Certificate Manager (certmgr.msc) GUI
• Web Enrollment
• Certreq.exe
• Programmatically
• Email (manual process, can be automated)
• Network Device Enrollment Service (NDES)
• Manually (sneaker net)
• Registration Authority (e.g. CLM/ILM/FIM)

Page 30: Certificates in Windows: PKI Security Statements

• (In most scenarios) You should have at least two CAs: an offline root and one or more online issuing CAs
• No other server roles on any CA
• If your root CA has been connected to your network, it should be considered compromised, and the entire PKI and every valid issued cert replaced

Page 31: W2K8\R2 Certificate Services: New Feature Summary

Page 32: Certificate Services 2008 vs. 2003

Main new “feature”: now known as ADCS (Active Directory Certificate Services)

Page 33: Certificate Services 2008 vs. 2003

• Certificate Services is 90% the same between versions; an admin on one can easily do most of the basics on the other
• Certificate Services is now a W2K8 server “role”
• Uses the Cryptography Next Generation API; CryptoAPI is legacy (also present)
• Supports Suite B ciphers
• Supports version 3 certificate templates, with new KSPs and Suite B ciphers

Page 34: Certificate Services 2008 vs. 2003: More Secure

• W2K8 and Certificate Services is more secure
• W2K8 is significantly more secure: more secure defaults, Windows Firewall (enabled by default), improved ciphers
• Improved key protection, not that keys were ever compromised in the wild anyway

Page 35: Certificate Services 2008 vs. 2003: Online Certificate Status Protocol

• Improved revocation checking protocol
• W2K8 can be an OCSP Responder: new CA role service, deployed as an IIS ISAPI application
• W2K8 is an OCSP client, too, along with Vista and later
• New OCSP tools

Page 36: Certificate Services 2008 vs. 2003: Restricted KRAs and Enrollment Agents

• Restricted KRAs; Restricted Enrollment Agents
• In W2K3, KRAs and Enrollment Agents were global
• In W2K8, they can be restricted by template or security group
• Not available on Standard CA

Page 37: Certificate Services 2008 vs. 2003: Template Changes

• 2 new default templates: Kerberos Authentication (supersedes DC certs); OCSP Response Signing
• LoadDefaultTemplates=0: put in CAPolicy.inf to prevent auto-publishing of default templates; in W2K3 SP1, too (Standalone CAs only)

Page 38: Certificate Services 2008 vs. 2003: Template Changes (cont.): Version 3 Certificate Templates

• For Vista and later (don’t use with XP and W2K3)
• Uses new CSPs: Cryptography Next Generation (CNG)
• New Cryptography tab for detailing crypto; v2.0 templates have a CSP button with fewer choices
• Uses AES-256 to transport the private key to and from the enrollment client (instead of 3DES)
• New field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios

Page 39: Certificate Services 2008 vs. 2003: Network Device Enrollment Service (NDES)

• For issuing certs to SCEP-compatible devices; Simple Certificate Enrollment Protocol, invented by Cisco
• Receives and processes SCEP enrollment requests on behalf of software running on network devices
• Retrieves pending requests from the CA
• Generates and provides one-time enrollment passwords to administrators

Page 40: Certificate Services 2008 vs. 2003: Network Device Enrollment Service (NDES) (cont.)

• Now a built-in role; was a W2K3 add-on called MSCEP
• Runs as an IIS ISAPI app
• Can run on non-CA servers
• Enhanced security; for example, can require a password
• Wide range of template use
• Can now renew NDES certs

Page 41: Certificate Services 2008 vs. 2003: Web Enrollment Website Updated

• Some good and interesting changes
• Now easier to put on a non-CA server
• Uses Certenroll.dll instead of xenroll.dll; pre-Vista OS must use the older dll; can install both on the web enrollment server
• Unfortunately, does not support some new features (like KSP, v.3 templates, Suite B, etc.)
• The web enrollment web site included by Microsoft is probably being discontinued

Page 42: Certificate Services 2008 vs. 2003

• Supports Issuer Distribution Point (IDP) for partitioned CRLs
• Credential Roaming built-in (client-side); requires schema updates on older domains
• Supports clustering (W2K3 and earlier didn’t)
• Replaceable random number generator
• Better auditing

Page 43: Certificate Services 2008 vs. 2003

• Client can enroll on behalf of someone else
• You can rename CA servers now
• New template field to allow Network Service to have Read permission to templates; helps machine-based certs in certain scenarios

Page 44: Certificate Services 2008 vs. 2003

• DiscreteSignatureAlgorithm: support for the newer PKCS#1 v2.1 signature format for the CA certificate (Vista and later)
• 3 new assurance levels besides low, medium, and high
• KRA-archived keys can be protected by AES instead of 3DES
• New Microsoft smart card KSP (in Vista, too)
• Supports date setting during revocation

Page 45: Certificate Services 2008 vs. 2003: Tools

• Supports PowerShell
• PKIView.msc built-in now; used to have to install separately; improved functionality and bug fixes
• Supports CAPI2 diagnostics
• More tools, more scripts available
• Bad: Key Recovery Tool GUI gone; use certutil.exe instead

Page 46: Certificate Services 2008 vs. 2003: Pushing Certs Using GPO

• Trusted root CA certificates (W2K3 too)
• Enterprise trust certificates (W2K3 too)
• Intermediate CA certificates
• Trusted publisher certificates
• Untrusted certificates
• Trusted people (peer trust certificates)

Page 47: New W2K8 R2 Features

Page 48: W2K8 R2 Certificate Enrollment Services (CES)

• Don’t confuse with the web enrollment web site! Website enrollment is for browser interactive sessions
• Problem to solve: all legacy enrollment services required RPC and DCOM, and lots of open RPC ports; even the web enrollment web site uses DCOM to the back-end CA
• Firewall nightmare; didn’t work well across the Internet, forests, non-domain joined machines, etc.

Page 49: W2K8 R2 Certificate Enrollment Services (cont.)

• New method is a web service, less interactive; uses TLS over 443
• New method works well in almost all scenarios (if the client enrollment process uses the new enrollment method); Windows 7\W2K8R2 and later
• Uses two new services: Certificate Enrollment Policy Web Service (the policy service) and Certificate Enrollment Web Service (the enrollment service)

Page 50: W2K8 R2 Certificate Enrollment Services (cont.)

• Certificate Enrollment Web Service: provides enrollment services; the main service
• Certificate Enrollment Policy Web Service: the client contacts it to get certificate policy information consisting of the types of certificates it can enroll for, which enrollment services to contact to enroll for them, and what type of authentication to use for each service. The client must first be configured with information about which policy server(s) to contact and how to authenticate to them

Page 51: W2K8 R2 Enrollment Services (cont.): Once configured, during interactive enrollments, you’ll see this (screenshot)

Page 52: W2K8 R2 Enrollment Services (cont.): CES are server roles (screenshot)

Page 53: W2K8 R2 Enrollment Services (cont.): Service uses SSL\TLS (screenshot)

Page 54: W2K8 R2 Enrollment Services (cont.): Service uses SSL\TLS (screenshot)

Page 55: W2K8 R2 Enrollment Services (cont.): Clients must be configured to connect to the web site (screenshot)

Page 56: W2K8 R2 Enrollment Services (cont.): CES must be linked to the issuing CA (screenshot)

Page 57: W2K8 R2 Enrollment Services (cont.): CES web site(s) (screenshot)

Page 58: Common Web Service Scenario (diagram)

• Hosts and domains shown: ca.corp.contoso.com (in corp.contoso.com), get-certs.contoso.com (in dmz.contoso.com), Domain Controller
• A server running the ADCS role, but not a CA; running the CES and CEP role services
• Certificate requests are ‘proxied’ through CES to the back end CA
• Policy requests are ‘proxied’ through CEP to the back end Domain Controller
• Users and computers, both domain joined and not, connect over HTTPS without a VPN

Page 59: W2K8 R2 Enrollment Services (cont.): Can configure client auth method (screenshot)

Page 60: New R2 Stuff: Cross-Forest Servicing

• Supports cross-forest servicing
• Old CA versions required a separate PKI per forest, or limited service using cross-forest trusts and lots of pre-work; didn’t work well off-intranet
• New version can support multiple forests with one PKI; works well off-net
• But requires cross-forest trusts, Kerberos auth, and Win7\W2K8R2 or later clients

Page 61: Cross Forest Servicing (diagram)

• CAs shown: ca.corp.contoso.com, rootca.contoso.com
• A single CA in one forest is able to issue certificates to end entities in any trusting forest
• Forests shown: corp.contoso.com, dev.contoso.com, test.contoso.com

Page 62: New R2 Stuff

• Supports “renewal-only” mode for Internet-facing CAs, using Certificate Enrollment Service
• Supports static port 80 CA interactions (enrollment/renewal/revocation)
• Supports internet clients for enrollment/renewal/revocation when off the corporate network (great for mobile users)

Page 63: Is a Schema Update Needed for W2K8 CAs?

• Schema update not needed to use almost all functionality of a W2K8 CA
• Schema update needed for Credential Roaming support, or CLM/ILM/FIM
• ACL update (using adprep /forestprep) on the Domain Controller template to let RODCs get issued DC certs

Page 64: Installing ADCS

Page 65: Install W2K8 CA

• Unfortunately, you still need to place a CAPolicy.inf file on the CA server before installing

Microsoft Certificate Services

Page 66: CAPolicy.inf File: Example, Bare Minimum for Issuing CA

    [Version]
    Signature="$Windows NT$"

    [Certsrv_Server]
    RenewalKeyLength=4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=10

    [CRLDistributionPoint]
    URL = "LDAP:///CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6,%10"
    URL = http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
    URL = "http://www.contoso.com/PKI/IssuingCA1.crl"

    [AuthorityInformationAccess]
    URL = "LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6,%11"
    URL = "http://www.contoso.ad/PKI/ContosoCA.cer"

(The quotes around the URL values must be straight ASCII double quotes; the curly quotes a slide or web copy-paste produces are not valid INF quoting.)
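The CAPolicy.inf file is read once at install time, so mistakes in it are expensive to undo. The following is an added example (not part of the deck) that lints a CAPolicy.inf for the settings the deck calls out: a strong RenewalKeyLength, LoadDefaultTemplates=0 so the default templates are not auto-published (slide 37), and CDP/AIA URLs that are LDAP or plain HTTP, never HTTPS (slide 98). The 2048-bit floor, the curly-quote check and the sample file are my own; the sample is modelled on the deck's bare-minimum example with one URL deliberately changed to HTTPS.

```python
"""Lint a CAPolicy.inf before running the CA install (added example)."""
from collections import defaultdict

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # what a copy-paste from slides often carries

# Constructed sample, modelled on the deck's bare-minimum issuing CA example;
# one CDP URL is deliberately HTTPS so the linter has something to report.
SAMPLE_CAPOLICY = """\
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0

[CRLDistributionPoint]
URL="LDAP:///CN=%7,CN=CDP,CN=Public Key Services,CN=Services,%6,%10"
URL=http://W2K8IssuingCA1.contoso.ad/PKI/IssuingCA1.crl
URL="https://www.contoso.com/PKI/IssuingCA1.crl"

[AuthorityInformationAccess]
URL="LDAP:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6,%11"
URL="http://www.contoso.ad/PKI/ContosoCA.cer"
"""

def parse_inf(text):
    """Parse INF text into {section: {key: [values]}}.

    configparser is deliberately not used: CAPolicy.inf repeats the URL key
    inside a section and every occurrence has to be kept, in order.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections

def unquote(value):
    """Strip one matching pair of straight double quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value

def lint_capolicy(text, min_key_bits=2048):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    inf = parse_inf(text)

    # Curly quotes survive a copy from a slide or web page and break INF parsing.
    for section, keys in inf.items():
        for key, values in keys.items():
            if any(ch in v for v in values for ch in CURLY_QUOTES):
                findings.append(f"[{section}] {key}: curly quotes are not valid INF quoting")

    signature = [unquote(s) for s in inf.get("Version", {}).get("Signature", [])]
    if signature != ["$Windows NT$"]:
        findings.append('[Version] Signature must be "$Windows NT$"')

    server = inf.get("Certsrv_Server", {})
    bits = server.get("RenewalKeyLength", ["0"])[-1]
    if not bits.isdigit() or int(bits) < min_key_bits:
        findings.append(f"RenewalKeyLength={bits} is below the {min_key_bits}-bit floor")
    if server.get("LoadDefaultTemplates", ["1"])[-1] != "0":
        findings.append("LoadDefaultTemplates=0 missing: default templates will auto-publish")

    # Clients fetch CRLs and AIA certs while building a chain; an HTTPS pointer
    # would itself need a revocation check first, so these stay LDAP or HTTP.
    for section in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        for url in inf.get(section, {}).get("URL", []):
            scheme = unquote(url).split(":", 1)[0].lower()
            if scheme == "https":
                findings.append(f"[{section}] {url}: must be plain HTTP, not HTTPS")
            elif scheme not in ("http", "ldap"):
                findings.append(f"[{section}] {url}: unexpected scheme {scheme!r}")
    return findings

if __name__ == "__main__":
    for finding in lint_capolicy(SAMPLE_CAPOLICY) or ["OK: no findings"]:
        print(finding)
```

Run against the sample it reports only the HTTPS CDP URL; point it at your own file with `lint_capolicy(open("CAPolicy.inf").read())`.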

Page 67: Install W2K8 CA

13. In the Configuration Tasks wizard, click on Add Roles

Page 68: Installing Microsoft Certificate Services

Install W2K8 CA
14. Click Next

Page 69: Installing Microsoft Certificate Services

Install W2K8 CA
15. Click on Active Directory Certificate Server and Next

Page 70: Installing Microsoft Certificate Services

Install W2K8 CA
16. Click on Next

Page 71: Installing Microsoft Certificate Services

Install W2K8 CA
17. Keep the default of Certification Authority and click Next

Page 72: Installing Microsoft Certificate Services

Install W2K8 CA
18. Accept the default of Standalone and click on Next

Page 73: Installing Microsoft Certificate Services

Install W2K8 CA
19. Accept the default of Root CA and click on Next

Page 74: Installing Microsoft Certificate Services

Install W2K8 CA
20. Accept the default and click on Next

Page 75: Installing Microsoft Certificate Services

Install W2K8 CA
21. Use the options shown here and click on Next

Page 76: Installing Microsoft Certificate Services

Install W2K8 CA
22. Type in a better Common Name and then Next

Page 77: Installing Microsoft Certificate Services

Install W2K8 CA
23. Change the validity period to 20 years and then Next

Page 78: Installing Microsoft Certificate Services

Install W2K8 CA
24. Accept the default locations and click on Next

Page 79: Installing Microsoft Certificate Services

Install W2K8 CA
25. Select Install

Page 80: Installing Microsoft Certificate Services

Install W2K8 CA
Wait while it installs...

Page 81: Installing Microsoft Certificate Services

Install W2K8 CA
27. Click Close to end the install

Page 82: Installing Microsoft Certificate Services

Install W2K8 CA
28. Confirm the new (and only) role is installed, then Close

Page 83: Installing Microsoft Certificate Services

Install W2K8 CA
29. Open the Certification Authority console under Administrative Tools to verify the install.

Page 84: Version 3.0 Templates

Page 85: Certificate Template Version 3

• A certificate based on a version 3 certificate template can only be issued by an enterprise CA running on Windows Server 2008 (or later), Enterprise Edition.
• Version 3 templates contain more options, and stronger crypto
• Version 3 templates can only be published on W2K8 CAs
• V3 templates do not work with Windows OSs prior to Windows Vista

Page 86: Certificate Template Version 3 (cont.)

• Windows 2000, XP, and 2003 will not enroll against V3 templates
• Only Vista and later understands SHA-2 hashes and ECC ciphers
• XP SP3 can verify certificates containing SHA-256 ciphers, but not all applications can, so be careful in using any cipher above SHA-1
• V3 templates will not show up on the web enroll site
• **To be safe, only use V3 templates with Windows Vista and later

Page 87: Creating Certificate Templates

Choose what version template you want to create: Version 2 or Version 3 (screenshot)

Page 88: New Certificate Template Attribute

Add Read permissions to Network Service on the private key... (version 3.0 and later templates only) (screenshot)

Page 89: New Certificate Template Attribute

Cryptography tab (version 3.0 templates and later) (screenshot)

Page 90: Certificate Revocation: CRLs and OCSP

Page 91: Certificate Revocation

• Used to indicate a digital certificate is invalid
• Any revoked certificate is to be considered (very) untrusted
• An app may “break” if it can’t find the revocation point or the revocation check is negative
• Unfortunately, certificate revocation doesn’t always work (not all applications or users check for revocation)

Page 92: Certificate Revocation

Certificates are revoked when:
• The CA or other CAs in the path (e.g. issuing) have been compromised
• The entity issued the certificate is discovered to be a fraud
• To prematurely end the certificate’s useful life
• For any other reason the CA wants (e.g. the customer didn’t pay their bill)

Page 93: Checking Certificate Revocation

• In order for revocation to be checked, the certificate being verified must include valid revocation information (e.g. revocation list location, etc.) and the resulting information must be reachable by the client/application investigating
• Called certificate chaining
• Certificate information is usually checked back to just before the Root CA (the root is offline)

Page 94: Certificate Revocation

• Revocation checking is not always done; depends on the PKI-participating application and/or its settings
• Sometimes even when it is done/required, the application only reports if the certificate is revoked (and not, unfortunately, if the revocation information can’t be confirmed)
• But revocation can also cripple your organization if it is not working!!!

Page 95: Certificate Revocation: Some Apps Allow Turning Revocation Checking On and Off (screenshot)

Page 96: Certificate Revocation

• In IE (with revocation checking enabled), if the cert’s revocation information isn’t valid or reachable, IE won’t report an error by default
• Although when using Secure Socket Tunneling Protocol (SSTP), IE will check and absolutely require correct revocation information in the VPN server’s cert

Page 97: Checking Certificate Revocation: Ways Revocation Can Be Checked

• Certificate Revocation List (CRL): full and deltas
• Online Certificate Status Protocol (OCSP)
• Application checks (depends on app)
• Manually using Certutil.exe
• Programmatically
• Stored locally in the revocation database

Page 98: Certificate Revocation List (CRL)

• List of revoked certificates (revocation).
• The CRL is placed at the CDP (CRL distribution point) so clients can check. The CDP is hard wired into the certificate
• CRLs can be published to Active Directory so they are available to everyone.
• CRLs can be full base or delta.
• HTTP references should not be HTTPS-enabled

Page 99: OCSP (RFC 2560): Online Certificate Status Protocol

• Replacement for the older CRL revocation checking method
• The OCSP Responder collects CRL entries and stores them in a database; can be queried for a particular cert
• Allows OCSP clients (Vista and later) to quickly query/verify certificate status, instead of relying on and downloading the entire CDP/CRL.

Page 100: OCSP (RFC 2560): Online Certificate Status Protocol

• The OCSP Online Responder Service can be installed stand-alone or on a CA W2K8 server
• OCSP Responder available for Windows Server 2008, but can respond for W2K3 also

Page 101: OCSP: Basic OCSP Setup (diagram)

Page 102: OCSP Process

1. Bob gets certificate/public key from Alice
2. Alice’s digital certificate contains an OCSP extension
3. Bob sends a fingerprint of Alice’s public key to Alice’s defined OCSP responder
4. The OCSP responder confirms status (success or revoked) or sends back an unknown message
5. OCSP sends back a signed OCSP response
6. Bob reads the status and handles it accordingly

Page 103: OCSP: More Complex OCSP Setup (diagram)

Page 104: OCSP (RFC 2560) (cont.)

• OCSP uses HTTP
• The OCSP Responder location should be hardcoded into OCSP-enabled digital certificates in the AIA location
• The OCSP standard can connect directly to the CA database or use CRLs; Windows OCSP relies on CA CRLs
• The client must be OCSP-aware and be able to reach the OCSP responder

Page 105: OCSP (RFC 2560) (cont.)

• Vista/W2K8 and later has an OCSP client built in and will resolve using OCSP first vs. CRLs
• Legacy clients will need to use a 3rd-party OCSP client
• W2K8 can serve as an OCSP Responder for W2K8/W2K3 servers
• The OCSP Responder was a separate download in W2K3

Page 106: OCSP: Online Certificate Status Protocol

• The application must be coded to look for the OCSP extension in the certificate
• IE 7 and later, on Vista and later
• All versions of Firefox support OCSP; v.3.0 turns it on by default
• Safari and Opera support it
• Google’s Chrome does not (as of 3/09)

Page 107: OCSP: Online Certificate Status Protocol

By default:
• OCSP will be checked first if the OCSP extension is found
• If no OCSP response, then the CRL is tried
• The default behavior can be reversed
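The client-side behaviour the deck describes across slides 94, 96, 102 and 107 (OCSP first when the certificate carries an OCSP pointer, CRL fallback when the responder gives no usable answer, a reversible order, and the difference between IE's default of continuing when revocation cannot be confirmed and SSTP's refusal) is written out below as an added example. This is not the deck's or Microsoft's code; the certificates, responders and CRLs are constructed in-memory stand-ins keyed by URL, so nothing touches the network.

```python
"""Revocation-checking policy from the deck, modelled as code (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"            # responder answered but does not know the cert
    UNREACHABLE = "unreachable"    # no revocation source could be consulted


@dataclass
class Cert:
    serial: int
    ocsp_url: Optional[str] = None                     # AIA OCSP pointer, if any
    cdp_urls: List[str] = field(default_factory=list)  # CRL distribution points


# Constructed stand-in for the network: responder URL -> serials it knows and
# has revoked; CDP URL -> serials listed in the CRL published there.
OCSP_RESPONDERS = {
    "http://ocsp.contoso.ad/ocsp": {"known": {0x1001, 0x1002}, "revoked": {0x1002}},
}
CRLS = {
    "http://www.contoso.com/PKI/IssuingCA1.crl": {0x1002, 0x1003},
}


def query_ocsp(url: str, serial: int) -> Optional[Status]:
    """Steps 3-5 of the deck's OCSP process; None means no response came back."""
    responder = OCSP_RESPONDERS.get(url)
    if responder is None:
        return None
    if serial in responder["revoked"]:
        return Status.REVOKED
    return Status.GOOD if serial in responder["known"] else Status.UNKNOWN


def fetch_crl(urls: List[str]) -> Optional[Set[int]]:
    """Try each CDP in order; None means no CRL could be downloaded."""
    for url in urls:
        if url in CRLS:
            return CRLS[url]
    return None


def check_revocation(cert: Cert, ocsp_first: bool = True) -> Status:
    """Return GOOD or REVOKED when a source answered, else UNREACHABLE.

    'Could not check' is never collapsed into GOOD; that is the soft-fail the
    deck criticises and the caller decides what to do with it in accept().
    """
    def via_ocsp() -> Optional[Status]:
        if cert.ocsp_url is None:
            return None
        answer = query_ocsp(cert.ocsp_url, cert.serial)
        # An 'unknown' answer is not a clean bill of health: fall through to the CRL.
        return answer if answer in (Status.GOOD, Status.REVOKED) else None

    def via_crl() -> Optional[Status]:
        crl = fetch_crl(cert.cdp_urls)
        if crl is None:
            return None
        return Status.REVOKED if cert.serial in crl else Status.GOOD

    for method in (via_ocsp, via_crl) if ocsp_first else (via_crl, via_ocsp):
        result = method()
        if result is not None:
            return result
    return Status.UNREACHABLE


def accept(cert: Cert, hard_fail: bool) -> bool:
    """hard_fail=True is the SSTP rule (require proof); False is IE's default."""
    status = check_revocation(cert)
    if status is Status.REVOKED:
        return False
    if status is Status.UNREACHABLE:
        return not hard_fail
    return True


if __name__ == "__main__":
    cdp = ["http://www.contoso.com/PKI/IssuingCA1.crl"]
    for serial in (0x1001, 0x1002, 0x1003):
        cert = Cert(serial, "http://ocsp.contoso.ad/ocsp", cdp)
        print(hex(serial), check_revocation(cert).value, accept(cert, hard_fail=True))
```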

Page 108: The new rocket science stuff in microsoft pki

OCSP
Online Certificate Status Protocol
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Path Validation Settings

Microsoft Certificate Services

Page 109: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
Configure OCSP Response Signing Certificate Template and Publish
Modify AIA on Issuing CA to point to OCSP Responder virtual directory
Install OCSP Responder and configure
Test

Page 110: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
1. Log on to W2K8IssuingCA1 as local Administrator and start the Certification Authority console

Page 111: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
2. Right-click Certificate Templates and choose Manage

Page 112: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
3. Right-click the OCSP Response Signing template and choose Duplicate Template

Page 113: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
4. Choose Windows Server 2008, Enterprise Edition and then select OK

Page 114: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
5. Type in a new template name and then click on the Security tab

Page 115: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
6. On the Security tab, add the W2K8IssuingCA1 computer account (as OCSP Responder)

Page 116: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
7. Give Read and Enroll permissions to the W2K8IssuingCA1 computer account, OK, then Close

Page 117: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
8. In the Certification Authority console, right-click Certificate Templates, New, Certificate Template to Issue

Page 118: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
9. Select the new OCSP certificate template and then OK

Page 119: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
10. Minimize or close the Certification Authority console

Page 120: The new rocket science stuff in microsoft pki

OCSP
Publish OCSP Response Signing Certificate
11. At the command prompt on the CA server, type: certutil -setreg CA\UseDefinedCACertInRequest 1, then close the prompt
12. Restart the CA service

Page 121: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
You need to install the OCSP Responder service, and then configure a Revocation Configuration entry for each Revocation Provider (CA) that you want the OCSP Responder to respond for

Page 122: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
1. Log on to W2K8IssuingCA1 as local Administrator and start Server Manager. Choose Add Role Services

Page 123: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
2. Select Online Responder and then Next

Page 124: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
3. Choose Install

Page 125: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
If you install IIS 7 separately, the following IIS/Web Server components are required:
Common HTTP Features: Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
Application Development: .NET Extensibility, ISAPI Extensions
Health and Diagnostics: HTTP Logging, Logging Tools, Request Monitor, Tracing
Security: Request Filtering
Performance: Static Content Compression
Management Tools: IIS Management Console, IIS 6 Management Compatibility, IIS Metabase Compatibility

Page 126: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
4. Choose Close and close Server Manager

Page 127: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
5. Choose Start, Administrative Tools and Online Responder Management

Page 128: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
6. Right-click Revocation Configuration

Page 129: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
7. Choose Add Revocation Configuration

Page 130: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
8. Click on the Next button

Page 131: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
9. Type in a name and then click the Next button

Page 132: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
10. Keep the default option and then choose Next

Page 133: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
11. Keep the default option and then choose Browse

Page 134: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
12. Select W2K8IssuingCA1 and then choose OK

Page 135: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
13. Click on Next

Page 136: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
14. Select the correct template and then click on Next

Page 137: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
15. Click on Finish

Page 138: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
16. Confirm Revocation Configuration Status by clicking on the revocation configuration object and choosing Edit Properties

Page 139: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
17. Review Revocation Configuration, confirm Base CRLs and then click OK (no need to define deltas)

Page 140: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
Example Certificate with OCSP Extension

Page 141: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
18. Right-click the OCSP server name and choose Responder Properties

Page 142: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
19. On the Audit tab, enable all auditing options, OK

Page 143: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
20. Give Enterprise PKI Publishers Manage Online Responder and Read permissions, then OK

Page 144: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
21. Close the OCSP Responder console

Page 145: The new rocket science stuff in microsoft pki

OCSP
Installing OCSP
22. Confirm Windows Firewall has inbound rules for OCSP

Page 146: The new rocket science stuff in microsoft pki

OCSP
Configure OCSP Extensions
1. Open the Certification Authority console

Page 147: The new rocket science stuff in microsoft pki

OCSP
Configure OCSP Extensions
2. Right-click on the CA name and choose Properties

Page 148: The new rocket science stuff in microsoft pki

OCSP
Configure OCSP Extensions
3. Click on the Add button under the Extensions tab and choose the AIA extension option

Page 149: The new rocket science stuff in microsoft pki

OCSP
Configure OCSP Extensions
4. Add http://W2K8IssuingCA1.contoso.ad/ocsp and enable both AIA and OCSP options, then OK

Page 150: The new rocket science stuff in microsoft pki

OCSP
Configure OCSP Extensions
5. Close or minimize the Certification Authority console

Page 151: The new rocket science stuff in microsoft pki

OCSP
Testing OCSP
PKIView.msc (W2K8 or later)
Generate a new cert and verify the correct http path in the OCSP entry of the AIA extension
Force CRL checking in the application using the certificate
certutil -verify <certname>

Page 152: The new rocket science stuff in microsoft pki

OCSP
OCSP Arrays
It is easy to create a fault-tolerant array of OCSP Responders
Enable Network Load Balancing (NLB) service
Define OCSP extension with a name that will resolve to the NLB cluster IP address
Then define it in the Array Configuration option in the OCSP Responder GUI

Page 153: The new rocket science stuff in microsoft pki

OCSP
Is Schema Update Needed?
W2K3 AD schema or later is needed for OCSP
W2K8 schema update is not needed if schema has been updated to W2K3
A Windows 2000 domain is OK, as long as the AD schema has been upgraded to the Windows 2003 AD schema
Need at least one W2K8 server joined to the domain, and a domain admin must run the template snap-in from the Windows 2008 server to get the new OCSP Response Signing template(s) installed in AD

Page 154: The new rocket science stuff in microsoft pki

OCSP
For More Reading
http://technet.microsoft.com/en-us/library/cc770413.aspx

Questions?

Page 155: The new rocket science stuff in microsoft pki

Fault Tolerance, Backup and Disaster Recovery

Page 156: The new rocket science stuff in microsoft pki

Fault Tolerance
When would end-users notice a problem?
If Issuing CAs are down: when users request a new cert or try to renew an expiring cert
If AIA or CDP publication points are down: when an application the end-user is using checks certificate revocation

Page 157: The new rocket science stuff in microsoft pki

Fault Tolerance
Required
Always have a minimum of two issuing CAs with the same templates published
CAs should have fault-tolerant disks
CRLs should be redundant
Internally redundant LDAP, and multiple http locations?
Externally redundant, if certs are used externally
OCSP Responders should be redundant

Page 158: The new rocket science stuff in microsoft pki

Fault Tolerance
Optional
Clustering
Redundant hardware?
Cold standby?
Virtual machine standby?

Page 159: The new rocket science stuff in microsoft pki

Fault Tolerance
CA Clustering

Page 160: The new rocket science stuff in microsoft pki

Fault Tolerance
CA Clustering
Available in Windows Server 2008 Enterprise edition
Only supports a two-node Active/Passive cluster
Must share the same database and log files
Can't mix W2K8 and W2K3
Many HSMs support clustering
Must load balance (using NLB, etc.) other things: CDP, OCSP Responders, NDES, web enrollment, etc.

Page 161: The new rocket science stuff in microsoft pki

Fault Tolerance
Why Clustering?
If multiple issuing CA servers can issue the same types of certs, why cluster CA servers?
Answer:
They don't issue the same certs or share the same database
Can't revoke a cert you can't "find"
If one goes down, there can be problems when base or delta CRLs expire (can break the revocation chain and break applications that depend on revocation checking)

Page 162: The new rocket science stuff in microsoft pki

Enrolling on Behalf of Another User

Page 163: The new rocket science stuff in microsoft pki

Certificate Request Wizard
Enrolling on Behalf of Another User

Useful for:
• Smart card certificates
• S/MIME certificates
• Enrolling for offline users and computers

Certificate Services

Page 164: The new rocket science stuff in microsoft pki

Certificate Request Wizard
Enrolling on Behalf of Another User
Must already have Enrollment Agent cert

Can also issue Enrollment Workstation certificate and require that Enrollment Agents be logged on at approved Enrollment workstations to enroll on the behalf of others


Page 175: The new rocket science stuff in microsoft pki

e: [email protected]

New PKI Features
Questions