I’ve been working on PKI for a couple weeks now. Here’s what I’ve found out.
CRLs and CDPs
So, let’s say I assign Bob a user certificate valid for 1 year. A month later, I find out that Bob was the one responsible for stealing the pens off of my desk and can him. Does Bob get to use his certificate for the rest of the year? No, because before consuming a certificate, both parties usually check what’s called a Certificate Revocation List (CRL). Where do we get a CRL? From the CDP. That’s the CRL Distribution Point. CDP locations can be LDAP (Active Directory) or HTTP. The new thing is to use HTTP only, so that non-Windows clients are served well.
OK, time for some Authority Information Access action. Let’s say that I have 100 CAs in my environment because my company is huge. Let’s also say that I log in to a new, blank web server and request a web server certificate from a CA named CA12.domain.com, so that I can use https. CA12.domain.com is a subordinate CA to CA0.domain.com (the offline standalone root in my environment). My computer trusts CA0, but it doesn’t explicitly trust CA12. So, why does my web server certificate still work? Let’s look at what happens when I try to hit the website.
So, I’m at my PC and I hit my web server on an SSL port. The following happens: my computer looks at the cert and checks the CRL via the CDP. It checks out — the cert is still valid. However, my computer doesn’t have the issuing server (ca12.domain.com) in its trusted root store. So what happens now? Now, my computer opens the AIA extension of the certificate and downloads the CA certificate of the issuing CA server. In this case, my computer downloads the CA certificate for CA12.domain.com. It still doesn’t trust CA12, but now it opens the AIA extension of CA12’s CA certificate. This AIA extension points to the CA certificate of my standalone root. My computer downloads the CA certificate of the standalone root, which it trusts, and so the entire chain of trust is validated. Now, I see my encrypted web page!
So, long story short, AIA extensions point to the CA certificate download location for the certificate of the ISSUING SERVER.
If I have a long certificate chain, there will be a lot of CRL downloads. CRLs can get big, so OCSP was created (Windows implements it as the Online Responder service). The Online Responder service allows your computer to check a specific certificate for validity by asking a server instead of downloading an entire CRL. The Online Responder role does not need to reside on a CA. Multiple Online Responder servers can be assigned to an array, which is really just a shared configuration. Then, NLB (Network Load Balancing) can load balance requests.
CES, CPS, and Web Enrollment Pages
Normally you request a certificate through certutil.exe or by opening the certificates MMC snap-in. But what if you have a non-domain PC, or EVEN A MAC?! That’s where Web Enrollment Pages comes in. Web Enrollment Pages runs on IIS and allows you to request a certificate from a CA through a web page. Pretty cool, and works pretty well.
New in Windows Server 2008 R2 is the ability to auto-enroll and auto-renew certificates for Windows 7 clients even when they are not connected to the domain’s LDAP servers over a VPN or a direct connection. This is done via the Certificate Enrollment Web Service and the Certificate Policy Web Service, which work together to provide renewals over HTTPS. It’s really cool, and can run on the CA servers if necessary.
Other Notes and Reading about PKI Services
- Don’t just open Server Manager, click Add Roles, click ADCS, then click next until done. This will make a very bad PKI.
- You want to use an offline root CA, because otherwise there’s no way to revoke an issuing CA’s certificate. This would be a really bad thing if a CA was compromised!
- If you ever want to use HTTP for clients that aren’t connected to LDAP (laptops…), you’ll need a reliable web server to use as the AIA/CDP. This can be the issuing CAs running IIS, with NLB/DFS if desired.
- Get a copy of Brian Komar’s book “Windows Server 2008 PKI and Certificate Security”. You’ll need to get an eBook since it’s out of print, or check eBay. This is pretty much the only way to get started; seriously.
- Watch this video; it’s a great start: Brian Komar – How Not To Skrew Up Your PKI.
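To see the AIA/CDP walk from above in action, and to catch the “unreliable AIA/CDP web server” problem before clients do, here is an added PowerShell check (my example, not from the original post or from Microsoft): it lists the URLs stamped into a certificate’s CDP and AIA extensions, confirms each HTTP one answers, and then lets Windows build the chain with online revocation checking. The certificate file path is the only input; the example URL in the comments is illustrative.

```powershell
# Added example: audit a certificate's CDP/AIA URLs, then validate its chain the way a relying party does.
param([Parameter(Mandatory)][string]$Path)   # e.g. .\web.cer, exported without the private key

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# 2.5.29.31 = CRL Distribution Points (CDP); 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Warning "$($cert.Subject): no extension $oid"; continue }
    # Format($true) renders the extension as text with one 'URL=...' per location,
    # e.g. URL=http://pki.domain.com/CA12.crl (illustrative; yours is whatever the CA stamped in)
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
        [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value; Status = '' }
    }
}

foreach ($u in $urls) {
    if ($u.Url -notmatch '^http://') {   # ldap:/// locations only work for domain-connected clients
        $u.Status = 'skipped: not HTTP, unusable by non-domain clients'
    } else {
        try {
            $r = Invoke-WebRequest -Uri $u.Url -UseBasicParsing -TimeoutSec 10
            $u.Status = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            $u.Status = "FAILED: $($_.Exception.Message)"   # a dead CDP/AIA host breaks validation
        }
    }
}
$urls | Format-Table -AutoSize

# Now do what the relying party does: build the chain (fetching issuer certs via AIA as needed)
# and check revocation for every certificate in it, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain builds and is valid: $valid"
foreach ($el in $chain.ChainElements) {
    $problems = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    '{0,-45} {1}' -f $el.Certificate.Subject, $(if ($problems) { $problems } else { 'OK' })
}
```

`certutil -verify -urlfetch .\web.cer` performs the same retrievals from the command line and prints every URL it tried, which is handy when the script reports a failure.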
This stuff is -hard- at first. I’ll be posting a guide for creating a 2-tier PKI pretty soon. Stay tuned!