Uwe Gradenegger - Page 17 - Uwe Gradenegger

Signing certificates bypassing the certification authority

Time and again in discussions about the security of a certification authority, it comes up that abuse of the certification authority could be contained by its security settings.

However, the fact that the integrity of a certification authority is directly tied to its key material and can therefore also be compromised by it is not obvious at first glance.

one must think of the certification authority software as a kind of management around the key material. For example, the software provides a Online interface for Certificate Enrollment takes care of the authentication of the enrollees, the automated execution of signature operations (issuing certificates and Brevocation lists) and their logging (Certification Authority Database, Audit log, Event log).

However, signature operations require nothing more than the private key of the certification authority. The following example shows how an attacker, given access to the certification authority's private key, can generate and issue certificates without the certification authority software and its security mechanisms being aware of this.

With such a certificate, it would even be possible in the worst case, take over the Active Directory forest undetected.

Moving the certification authority database to another directory or drive

In the operation of a certification authority, one may find that it is necessary to subsequently change the storage path for the certification authority database. For example, one may want to move the database to another partition/drive.

Microsoft Outlook: View which algorithm was used for an S/MIME encrypted or signed email

Below is a description of where it is possible to view which symmetric algorithm was used to encrypt an email received, and which hash algorithm was used for a signed email.

Microsoft Outlook: Control the encryption algorithm used for S/MIME.

When S/MIME certificates are issued, they usually contain a certificate extension "S/MIME Capabilities". This certificate extension is specified in RFC 4262 and can be used by compatible e-mail programs to specify the symmetric algorithms supported by the recipient of an encrypted message. The sender should then choose the strongest algorithm supported by the recipient.

Microsoft Outlook uses (if available and required) the information in the "S/MIME Capabilities" extension of a certificate. Below is a description of how it is used and which algorithms are selected.

The "S/MIME Capabilities" certificate extension

Among other things, the Microsoft Outlook extension is evaluated and used to determine the symmetric algorithm for an encrypted email.

Extend the "S/MIME Capabilities" certificate extension in issued certificates to include the Cryptography Next Generation (CNG) algorithms.

However, if you take a look at the symmetric algorithms included in such a certificate, you will probably find that the list contains rather outdated algorithms - the "strongest" of these algorithms is Triple DES (3DES), which is now considered obsolete.

Use SSH (PuTTY) on Windows with a certificate / smart card

Secure administration of Linux systems includes avoiding SSH logins by password and instead logging in with RSA keys.

The de facto standard for SSH connections on Windows is PuTTY. Here, logon with RSA keys is implemented, but only key files can be used, which has the disadvantage that they are almost unprotected in the file system.

Surely a great option would be to use RSA keys from the Windows world, and perhaps even stored on a physical or virtual smartcard.

When installing an Active Directory integrated certificate authority, the error message "Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)" appears.

Assume the following scenario:

A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed via Windows PowerShell.
Delegated permissions are used to install the certificate authority. Thus, the installing user is not a member of the Enterprise Administrators group.
After running the Role Configuration Wizard, one or more of the following error messages is displayed on the command line:

Setup could not add the Certification Authority's computer account to the Pre-Windows 2000 Compatible Access security group. Certificate managers Restrictions feature will not work correctly on this Certification Authority. To fix this, an administrator must manually add the Certification's Authority's computer account to the Pre-Windows 2000 Compatible Access security group in Active Directory. Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Warning: Setup could not add the certification authority's computer account to the cert Publishers Security Group. This Certification Authority will not be able to publish certificates in Active Directory. To fix this, an administrator must manually add the Certification Authority's computer account to the Cert Publishers security group in Active Directory.  Insufficient access rights to perform the operation. 0x80072098 (Win32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Installation of a certificate authority certificate fails with error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

A certification authority (Enterprise Certification Authority) integrated into Active Directory is installed.
Delegated permissions are used to install the certificate authority. Thus, the installing user is not a member of the Enterprise Administrators group.
After the certification authority certificate is issued by the parent certification authority, it is installed to complete the role configuration.
The installation of the certificate authority certificate fails with the following error message:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

The installation of a certificate authority certificate fails with error code "NTE_PROVIDER_DLL_FAIL".

Assume the following scenario:

A certification authority is installed.
The certificate authority uses a Gemalto/SafeNet Hardware Security Module (HSM) with the SafeNet Luna Key Storage Provider.
After the certification authority certificate is issued by the parent certification authority, it is installed to complete the role configuration.
The installation of the certificate authority certificate fails with the following error message:

An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate public key does not match the current outstanding request.
The wrong request may have been used to generate the new certificate: Provider DLL failed to initialize correctly.
0x8009001d (-2146893795 NTE_PROVIDER_DLL_FAIL)

SSCEP: Subject of our request does not match that of the returned Certificate!

Assume the following scenario:

A certificate request is made on a Linux system (for example, a thin client) by means of a SSCEP against a Network Device Enrollment Service (NDES) performed.
The certificate request fails with the following error message:

sscep: Subject of our request does not match that of the returned Certificate!

Use of undefined Relative Distinguished Names (RDN) in issued certificates

Sometimes it is necessary to allow Relative Distinguished Names (RDNs) in issued certificates that are not defined and accordingly not included in the SubjectTemplate value of the certification authority registration could be configured.

An example of this is the Organization Identifier with Object Identifier 2.5.4.97, which is required, for example, for certificates that are used for the eIDAS Regulation are compliant.

Change the order of the Relative Distinguished Names (RDNs) in the subject of issued certificates.

The Microsoft Certification Authority accepts subjects from certificate requests for templates in which their specification by the requester is allowed, not 1:1 in the issued certificate.

Instead, both is defined, which Relative Distinguished Names (RDNs) are allowedas well as in which order they are written to issued certificates. However, this order can be changed. How this is done is explained below.

Install SSCEP for Linux (Debian Buster) and apply for certificates via the Network Device Enrollment Service (NDES).

If you want to equip a large quantity of systems with certificates, a Manual request and renewal of certificates is not an option. The only viable path is automation.

For systems that are not members of the Active Directory forest, an automatic certificate request via RPC/DCOM not an option.

For certain use cases, the Simple Certificate Enrollment Protocol (SCEP) is an interesting alternative. There are not only clients for Windows for this protocol, but also for Linux with SSCEP. SSCEP is used, among other things, by thin clients with the eLux operating system used.

The following describes how to set up the SSCEP client on a Debian Buster Linux system - either to use it to manage servers or to be able to test the client-side behavior.

Regular password change when configuring the Network Device Enrollment Service (NDES) with a static password.

Suppose you are running a Network Device Enrollment Service (NDES), which relies on is configured to use a static password. In this case, unlike the default configuration, the password for the Requesting certificates via NDES clients never.

However, one may aim for an intermediate way, for example, a daily change of the password. The following describes a way to automate the change of the password.