
Module 2: Installing, Configuring, and Managing Certification Authorities

Ing. Giuseppe Blacio Abad

What Is a PKI?
A PKI is the combination of software and encryption technologies that helps to secure communication and business transactions. A PKI relies on the exchange of digital certificates between authenticated users and trusted resources.

Requirements for PKI

Requirement        PKI solutions
Confidentiality    Data encryption
Integrity          Digital signatures
Authenticity       Hash algorithms, message digests, digital signatures
Nonrepudiation     Digital signatures, audit logs
Availability       Redundancy

Public key infrastructure (PKI) building blocks:
Certificates
Certification authorities (CAs)
Certificate revocation lists (CRLs)

Applications That Use a PKI

Applications that use certificates issued by Windows 2003 Certificate Services:
Digital Signatures
Encrypting File System
Smart Card Logon
Internet Authentication
Secure E-mail
Software Restriction Policy
802.1x
IP Security
Software Code Signing

Accounts That Use PKI-Enabled Applications


Users

Computers

Services

How Applications Check Certificate Status

Process                   Action
1. Certificate discovery  Collects CA certificates from the cache, Group Policy, enterprise policy, and applications
2. Path validation        Validates the certificates in a certificate chain until the certificate chain terminates at a trusted, self-signed certificate
3. Revocation checking    Ensures that no certificates have been revoked

Certificates

Certificates provide the foundation of a public key infrastructure (PKI). Certificates are electronic representations of users, computers, network devices, or services, issued by a certification authority (CA), that are associated with a public and private key pair. A certificate is a digitally signed collection of information, generally 2 to 4 kilobytes (KB) in size.

A certificate includes:
Information about the user, computer, or network device that holds the private key corresponding to the issued certificate (the user, computer, or network device is referred to as the subject of the certificate).
Information about the issuing CA.
The public key of the certificate's associated public and private key pair.
The names of the encryption and/or digital signing algorithms supported by the certificate.
A list of X.509 version 3 extensions included in the issued certificate.
Information for determining the revocation status and validity of the certificate.

Certificates
The CA must ensure the identity of the requestor before issuing a certificate. Once identity is confirmed, the CA issues the certificate and digitally signs it with its private key. The signature certifies that the certificate was signed by the issuing CA and helps detect whether the certificate has been changed after issuance.

Certificates
It is nearly impossible for another user, computer, network device, or service to impersonate the subject of a certificate, because impersonation requires access to the certificate holder's private key. Impersonation is highly improbable if an attacker has access to the certificate only.

Certificates
Three versions of digital certificates can be used in a PKI:
X.509 version 1 certificates
X.509 version 2 certificates
X.509 version 3 certificates

X.509 version 1
Defined in 1988

X.509 version 1
Provides basic information about the certificate holder. The format offers little information about the certificate issuer, including only the issuer name, the CA signature algorithm, and the signature value. The version 1 format has no provisions for CA renewal.

X.509 version 2
Defined in 1993

X.509 version 2
Issuer Unique ID: An optional field that contains a unique identifier, typically a hexadecimal string, for the issuing CA as defined by the issuing CA. When a CA renews its certificate, a new Issuer Unique ID is generated for that certificate version.
Subject Unique ID: An optional field that contains a unique identifier, typically a hexadecimal string, for the certificate's subject as defined by the issuing CA. If the subject is also a CA, this unique identifier is placed in the Issuer Unique ID.

X.509 version 3
Defined in 1996

X.509 version 3
Key Usage: A CA, user, computer, network device, or service can have more than one certificate. The Key Usage extension defines the security services for which a certificate can be used:
Digital Signature
Non-Repudiation
Key Encipherment
Data Encipherment
Key Agreement
Key Cert Sign
CRL Sign
Encipher Only
Decipher Only
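As an added illustration that is not part of the original module, the following Python encodes and decodes the Key Usage extension's DER BIT STRING, using the bit order RFC 5280 assigns to the nine usages listed above; the byte values in it are constructed samples.

```python
# Bit positions of the nine Key Usage flags in the X.509 v3 KeyUsage BIT STRING (RFC 5280).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der):
    # DER BIT STRING: tag 0x03, length, a byte giving the count of unused
    # trailing bits, then the bits packed most-significant bit first.
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed DER BIT STRING")
    unused = der[2]
    if unused > 7 or (len(der) == 3 and unused != 0):
        raise ValueError("invalid unused-bit count")
    total_bits = (len(der) - 3) * 8 - unused
    # Strict DER: the last encoded bit must be set (no trailing zero bits).
    if total_bits and not (der[-1] >> unused) & 1:
        raise ValueError("DER forbids trailing zero bits in a BIT STRING")
    usages = []
    for i in range(total_bits):
        if (der[3 + i // 8] >> (7 - i % 8)) & 1:
            # Bits beyond the nine defined flags are reported, not silently dropped.
            usages.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else "bit%d" % i)
    return usages

def encode_key_usage(usages):
    # Inverse operation: produce the minimal DER encoding, cut after the
    # highest set bit, with the unused-bit count filled in accordingly.
    bits = [KEY_USAGE_BITS.index(u) for u in usages]
    if not bits:
        raise ValueError("at least one usage is required")
    nbits = max(bits) + 1
    nbytes = (nbits + 7) // 8
    body = bytearray(nbytes)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - nbits
    return bytes([0x03, nbytes + 1, unused]) + bytes(body)

# Constructed sample values: a typical CA certificate and an end-entity certificate.
CA_KEY_USAGE = encode_key_usage(["keyCertSign", "cRLSign"])   # b"\x03\x02\x01\x06"
USER_KEY_USAGE = b"\x03\x02\x05\xa0"                           # digitalSignature + keyEncipherment
```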

Certification Authorities

A CA is a Windows Server 2008 computer with Certificate Services installed. A CA signs certificates, revokes certificates, and publishes CRL information about revoked certificates to ensure that users, services, and computers are issued certificates that can be validated.

What Is a Certification Authority?

A certification authority:
Verifies the identity of a certificate requestor. The mode of identification depends on the type of CA.
Issues certificates. The certificate template or requested certificate determines the information in the certificate.
Manages certificate revocation. The CRL ensures that invalid certificates are not used.

Types of Certification Authorities

Stand-alone CA
Typically used for offline CAs
Does not require Active Directory
Can use Web pages for certificate requests
Certificate requests issued or denied by a certificate manager

Enterprise CA
Typically used to issue certificates
Requires Active Directory
Can use the Certificate Request Wizard or Web pages for certificate requests
Certificate requests issued or denied based on the certificate template

Roles in Certification Authorities


The CAs are organized into a CA hierarchy consisting of a single root CA and several other subordinate CAs.

Roles in a Certification Authority Hierarchy

Root CA
In a PKI, the root CA acts as the trust point for certificates issued by CAs in the hierarchy. The root CA typically issues certificates only to other CAs. When the root CA issues a certificate to another entity, it signs that certificate with its private key.

Root CA
If the root CA is compromised or issues a certificate to an unauthorized entity, any certificate-based security in the organization is suddenly vulnerable. For this reason, a root CA is generally configured as a stand-alone CA and kept offline.

Intermediate CA
It is subordinate to another CA and issues certificates to other CAs in the CA hierarchy. An intermediate CA can exist at any level in the CA hierarchy except at the root CA level.

Policy CA
A special category of intermediate CA. It describes the policies and procedures that an organization implements to validate certificate-holder identity and to secure the CAs in the CA hierarchy.

Roles in a Certification Authority Hierarchy

[Diagram: a three-tier hierarchy with the Root CA at the top, Policy CAs on the second tier, and Issuing CAs on the third tier. A root CA is generally configured as a standalone CA and kept offline.]

Issuing CA
An issuing CA issues certificates to users, computers, network devices, or services on the network. An issuing CA is typically located on the third tier of a CA hierarchy, but it can exist on the second tier, where it typically acts as both a policy CA and an issuing CA.

Certification Authority Design Options

[Diagram: four ways to organize the second tier of policy CAs under a single root CA]
Certificate use: Secure E-mail, EFS, VPN
Location: India, Canada, United States
Departments: Manufacturing, Engineering, Accounting
Organizational unit: Employee, Contractor, Partner

Certificate Revocation Lists

In some cases, a CA must revoke a certificate before the certificate's validity period expires. When a certificate is revoked, the CA includes the serial number of the certificate and the reason for the revocation in the CRL.

Types of CRLs
Windows Server 2008 supports the issuance of two types of CRLs: Base CRLs and Delta CRLs.

Base CRL
Contains the serial numbers of all certificates revoked on a CA that are still time valid, as well as the reason for each revocation. A base CRL contains all time-valid revoked certificates signed by a CA's specific private key.

Delta CRL
Contains only the serial numbers and revocation reasons for certificates revoked since the last base CRL was published. The delta CRL is much smaller than a base CRL because only the most recent revocations are included.

Revocation Reasons
Key Compromise
CA Compromise
Affiliation Changed
Superseded
Cessation of Operation
Certificate Hold
Remove From CRL
Unspecified
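The three-step status check (discovery, path validation, revocation checking) and the base plus delta CRL model above, as an added Python example that is not part of the original module. The certificate store, trust list and CRL contents are constructed sample data; the rule that a delta CRL entry with reason removeFromCRL cancels an earlier certificateHold follows RFC 5280 section 5.2.4.

```python
# Constructed sample data (not from the module): a two-tier hierarchy, offline
# root -> issuing CA. A certificate is (subject, issuer, serial, not_after),
# with dates as ISO strings so they compare correctly as text.
STORE = {c[0]: c for c in [
    ("Root CA", "Root CA", 1, "2030-01-01"),
    ("Issuing CA", "Root CA", 2, "2028-01-01"),
]}
TRUSTED_ROOTS = {"Root CA"}
# CRLs keyed by issuer: (base CRL, delta CRL), each mapping serial -> reason.
CRLS = {
    "Root CA": ({}, {}),
    "Issuing CA": ({10: "keyCompromise", 11: "certificateHold"},
                   {11: "removeFromCRL", 12: "superseded"}),
}

def effective_revoked(base, delta):
    # Apply the delta CRL on top of the base (RFC 5280 5.2.4): a delta entry
    # with reason removeFromCRL lifts an earlier certificateHold entry.
    merged = dict(base)
    for serial, reason in delta.items():
        if reason == "removeFromCRL":
            merged.pop(serial, None)
        else:
            merged[serial] = reason
    return merged

def build_path(leaf, store=STORE):
    # Step 1, discovery: walk issuer names up to a self-signed cert (KeyError if one is missing).
    chain = [leaf]
    while chain[-1][1] != chain[-1][0]:
        chain.append(store[chain[-1][1]])
    return chain

def check_status(leaf, now, store=STORE, roots=TRUSTED_ROOTS, crls=CRLS):
    # Steps 2 and 3: path validation, then revocation checking. Returns (ok, why).
    chain = build_path(leaf, store)
    if chain[-1][0] not in roots:
        return False, "chain ends at untrusted root " + chain[-1][0]
    for depth, cert in enumerate(chain):
        subject, issuer, serial, not_after = cert
        if now > not_after:
            return False, subject + " expired"
        if depth == len(chain) - 1:
            continue                 # the trust anchor itself is not on any CRL
        if issuer not in crls:
            return False, "no CRL available from " + issuer
        reason = effective_revoked(*crls[issuer]).get(serial)
        if reason is not None:
            return False, subject + " revoked (" + reason + ")"
    return True, "valid"
```

Serial 11 is on hold in the base CRL but released by the delta, so it validates, while serial 12 is rejected on the strength of the delta alone; a missing CRL fails closed rather than being treated as "not revoked".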

How Certificate Services Publishes CRLs

Offline Root CA Installation Settings

Settings chosen when installing an offline root CA:
Database and log settings
Stand-alone CA policy
Validity period
Computer name
Key length
CA name
Cryptographic service provider
