Help PKI installation - lots of questions !

BZP

Hello,

First, I want to thank those who have already helped me here (Bryan
and others...) but I need help again :)
I'm not familiar with PKI. So in this post, I sum up all the things I've
done and ask questions about some steps.
Thanks for your help :)

I have 7 domains:

ROOT.LOCAL. (the forest root domain, resources domain, no users,
located in Mexico)

AMERICAS.LOCAL. (technical domain, located in Mexico)
MEXICO.AMERICAS.LOCAL. (located in Mexico)
BRAZIL.AMERICAS.LOCAL. (located in Rio)

ASIA.LOCAL. (technical domain, located in Tokyo)
JAPAN.ASIA.LOCAL. (located in Tokyo)
KOREA.ASIA.LOCAL. (located in Seoul)

There are 4 AD sites:

MEXICO site (for the DCs of ROOT.LOCAL., AMERICAS.LOCAL. and
MEXICO.AMERICAS.LOCAL.)
RIO site (for the DC of BRAZIL.AMERICAS.LOCAL.)
TOKYO site (for the DCs of ASIA.LOCAL. and TOKYO.ASIA.LOCAL.)
KOREA site (for the DC of KOREA.ASIA.LOCAL.)

All sites are connected to MEXICO (hub site) with 20 Mb/s links (uptime
24/7).

PKI target architecture:

Three-tier PKI

One STAND ALONE ROOT CA called SACAMX00 (SA stands for Stand Alone, CA
for Certificate Authority, MX for Mexico, meaning the site, not the
domain, since the machine is in a workgroup).
Two STAND ALONE INTERMEDIATE CAs called SACAAM01 (AM stands for
America, again the site, not the domain; the machine is in a workgroup)
and SACAAS01 (AS stands for Asia, again the site, not the domain; the
machine is in a workgroup).
Then, two Enterprise Issuing CAs in each domain called ENCAJP01 and
ENCAJP02 (EN stands for Enterprise, JP for Japan), the same for the other
domains: ENCAKR01 and ENCAKR02 (KR stands for Korea) etc. Naming:
ENCAxx0y where xx is the code corresponding to the domain name.

Stand alone CAs are secured virtual machines.

The CA names are:
- CA Root
- AMERICAS Sub & CA ASIA Sub
- CA JAPAN Iss1, CA JAPAN Iss2, ...

OK, let's see the installation steps:


Installation of SACAMX00
------------------------

Windows 2003 Standard Edition SP2 with IIS (even though IIS is not necessary).
The CAPolicy.inf configured before the CA service is installed looks like this:

[Version]
Signature= "$Windows NT$"
[LegalPolicy]
OID= 1.3.6.1.4.1.311.21.43
Notice= "http://intranet.americas.local/pki/cps.asp"
[Certsrv_Server]
RenewalKeyLength= 4096
RenewalValidityPeriod= Years
RenewalValidityPeriodUnits= 20
[CRLDistributionPoint]
[AuthorityInformationAccess]

Q-01 Is the " " (space character) required?
Q-02 What does the LegalPolicy section mean? And what about the Notice
parameter (can I change this parameter later)? Why this OID? Does
it show somewhere in my CA?
Q-03 What about the Certsrv_Server section? Can we configure these
parameters later, after the installation, or do we have to set them now?
Q-04 CRLDistributionPoint and AuthorityInformationAccess are
explicitly written and left blank. Why? What happens if I don't add
these sections?

Then, I install the CA service.

SYSOCMGR /I:SYSOC.INF

In the wizard, I specify a 4096-bit key and a validity period of 20 years.

Q-05 Is it redundant with the Certsrv_Server section in CAPolicy.inf?
What is the real utility of this section?

CERTUTIL "CA Root.cer"

Q-06 Is that the action which creates the cert file? Without this command,
is no .cer generated anywhere else? Or should I specify the
-ca.cert option?

I map the offline root CA to the AD configuration container:

CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL

Q-07 The offline root never communicates with AD, so why do we need to set this
parameter? What is this parameter exactly?
Q-08 Can we do the same action by modifying the registry?

Then I configure CDPs. I clear all checkboxes where Delta CRL is
mentioned. I have 3 CDPs: one local, one LDAP and one HTTP.

Q-09 Can I uncheck "Include in CRLs. Clients use this to find Delta CRL
locations." on all CDPs because I don't use Delta CRLs on an offline
CA? Or does this option have other consequences?

Then I configure AIAs with a local file publication, an LDAP one and an
HTTP one.

Q-10 Is there a difference if I set these parameters using REGEDIT.EXE
instead of the Extensions tab in the GUI?

Then I configure the CRL publication interval. I set 180 days (Delta CRLs
left blank).

Q-11 Should I publish the CRL again when I change the CRL interval?
Q-12 If I change the CRL interval, are my already issued certificates
still valid?
Q-13 180 days: does that mean I have to bring my CA online in order to
publish my CRL again even if no certificate is revoked? Or does it
expire (when? how do I configure it?)?

Then I modify "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
CertSvc\Configuration\Root CA". I set ValidityPeriod to Years and
ValidityPeriodUnit to 10.

Q-14 Can we set these options in CAPolicy?
Q-15 Is the CAPolicy.inf file modified by wizards or anything else after the
installation?


Installation of SACAAM01
------------------------

Windows 2003 Standard Edition SP2 with IIS (even though IIS is not necessary).
The CAPolicy.inf configured before the CA service is installed looks like this:

[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies= AllIssuancePolicy
Critical= FALSE
[AllIssuancePolicy]
OID= 2.5.29.32.0

Q-16 Is the PolicyStatementExtension section required? Why?
Q-17 OID 2.5.29.32.0 was in an example CAPolicy.inf file I found. Is it
the right OID? Is there only one OID for a subordinate CA?
Q-18 What does the Critical parameter mean exactly? It is not a technical
parameter.
Q-19 Why is there no section with renewal information? Because it is
set by the Root CA so we don't need to specify it here?

Then I install the binaries:

SYSOCMGR /I:SYSOC.INF

In the wizard, I specify a 2048-bit key and a validity period of 10 years.

Q-20 Should I prefer a 4096-bit key? (It's an offline root; what is
the drawback if I choose a 4096-bit key?)

I modify the registry as for the Root CA. I set 5 years for the lifetime of
issued certificates and 30 days for CRL publication (no delta CRL).
Then I run:

CERTUTIL -setreg ca\DSConfig CN=Configuration,DC=ROOT,DC=LOCAL

Q-21 Why?

Then I run:

certutil.exe -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"

Q-22 Is it required even if this parameter is specified in the
CAPolicy.inf file?
Q-23 What is this parameter exactly? Can't I issue certificates if
this parameter isn't set?

I omit the certificate request and import/export operations. That's OK
for these.

Now, if I revoke the subordinate CA certificate:

Q-24 Do I publish the CRL now? Or do I have to wait 180 days (I hope not...)?
(And copy/paste the CRL file to my HTTP point.)
Q-25 How can I republish the CRL in AD? Can offline CAs (which are in a
workgroup) check the CRL in AD? I don't think so. And you?
Q-26 Does the Sub CA service detect that its certificate is revoked
and refuse to start? I tested this scenario, and the Sub CA still works and
chaining is OK. So, how much time does this mechanism take?

OK for Root and Sub. Let's see the online issuing CA.


Installation of ENCAJP01
------------------------

Windows 2003 Enterprise Edition SP2 with IIS, member of the domain
JAPAN.ASIA.LOCAL.

Q-27 If an online CA is down, is the fallback to another one
automatic?
Q-28 I want that CA in the JAPAN domain to be the only issuing CA for JAPAN users
(and even sub-domains if I need them in the future). I don't want a
MEXICO user to be able to obtain a certificate from MEXICO's CA. Should I use
X.500 constraints or ACE permission limitations? What are the
advantages and drawbacks of the two methods?

I don't use a CAPolicy.inf file.

Q-29 Is it optional? What can I specify in this CAPolicy.inf file
(constraints?)?

I use these parameters: a 2048-bit key for the CA, 5 years lifetime,
and 2 years lifetime on issued certificates. 1 week CRL and delta CRL
allowed.

Q-30 Can I use Delta CRLs even if some of my servers are still Windows
2000 Server?

Then I run these commands:

certutil -dspublish <Root CRT file> RootCA
certutil -dspublish <Sub CRT file> SubCA
certutil -dspublish <Root CRL file> {Root CA Host Name}
certutil -dspublish <Sub CRL file> {Sub CA Host Name}

Q-31 In some documentation I found that I may use the -f parameter in
addition. Why?
Q-32 When the Root CA or Sub CA revokes a certificate, do I have to run these
commands again (concerning the CRL)?

I configure the Domain Policy GPO in order to publish the root CA.

Q-33 Is this operation required, or does AD automatically do this
operation with another mechanism?

At the moment I don't use a KRA agent. But in the future, I will.

Q-34 Can I configure all the KRA options later when the need is more
pressing? Or should I configure that now?


I have many more questions about KRA and other things. But if I can get
answers to these questions, it will be great!

Sorry for my poor English, and thanks for reading this far!

--
P.J.A.
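Several of the questions above (Q-02, Q-16, Q-17) turn on how the sections of a CAPolicy.inf refer to each other: a policy section such as [LegalPolicy] or [AllIssuancePolicy] only takes effect when its name is listed under Policies= in [PolicyStatementExtension], and the listed name must match a section header exactly. The script below is an added example written for this thread, not code from the original post or from Microsoft; it uses only the Python standard library (configparser reads the INI-style INF) and checks those cross-references plus a few value rules before the file is handed to the CA setup. The two sample files are constructed copies of the root and subordinate CA files shown above; the subordinate one deliberately misspells the policy name (AllInssuancePolicy) so the check has something to catch.

```python
"""Sanity-check a CAPolicy.inf before installing Certificate Services.

Added example for this thread (not from the original post). Standard
library only: configparser parses the INF, and check_capolicy() reports
dangling Policies= references, orphan policy sections and malformed
renewal values. Sample files below are constructed for the example.
"""
import configparser
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")
PERIOD_UNITS = {"Years", "Months", "Weeks", "Days", "Hours"}

# Constructed sample: the offline root CA file from the post.
ROOT_CA_INF = """\
[Version]
Signature= "$Windows NT$"
[LegalPolicy]
OID= 1.3.6.1.4.1.311.21.43
Notice= "http://intranet.americas.local/pki/cps.asp"
[Certsrv_Server]
RenewalKeyLength= 4096
RenewalValidityPeriod= Years
RenewalValidityPeriodUnits= 20
[CRLDistributionPoint]
[AuthorityInformationAccess]
"""

# Constructed sample: the subordinate CA file, with a deliberate typo
# in the Policies= name so the cross-reference check fires.
SUB_CA_INF = """\
[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies= AllInssuancePolicy
Critical= FALSE
[AllIssuancePolicy]
OID= 2.5.29.32.0
"""


def parse_inf(text):
    """Parse INF text, keeping key case and treating '%' literally."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lowercase keys such as OID
    cp.read_string(text)
    return cp


def unquote(value):
    return value.strip().strip('"')


def check_capolicy(text):
    """Return a list of problems; an empty list means the file passes."""
    cp = parse_inf(text)
    problems = []

    # [Version] with the fixed signature is mandatory.
    if unquote(cp.get("Version", "Signature", fallback="")) != "$Windows NT$":
        problems.append('[Version] must contain Signature="$Windows NT$"')

    # Every name under Policies= must exist as a section carrying an OID.
    referenced = []
    if cp.has_section("PolicyStatementExtension"):
        raw = cp.get("PolicyStatementExtension", "Policies", fallback="")
        referenced = [n.strip() for n in raw.split(",") if n.strip()]
        if not referenced:
            problems.append("[PolicyStatementExtension] has no Policies= entry")
        crit = cp.get("PolicyStatementExtension", "Critical", fallback="FALSE")
        if crit.strip().upper() not in {"TRUE", "FALSE"}:
            problems.append(f"Critical= must be TRUE or FALSE, got {crit!r}")
        for name in referenced:
            if not cp.has_section(name):
                problems.append(f"Policies= lists {name!r} but there is no [{name}] section")
            elif not OID_RE.match(cp.get(name, "OID", fallback="").strip()):
                problems.append(f"[{name}] needs a dotted OID= value")

    # A section that carries an OID but is never referenced is dead text:
    # nothing puts it into the CA certificate.
    for section in cp.sections():
        if cp.has_option(section, "OID") and section not in referenced:
            problems.append(f"[{section}] has an OID= but is not listed under Policies=")

    # Renewal settings, when present, must be well-formed.
    if cp.has_section("Certsrv_Server"):
        srv = cp["Certsrv_Server"]
        if not srv.get("RenewalKeyLength", "2048").strip().isdigit():
            problems.append("RenewalKeyLength must be an integer")
        if srv.get("RenewalValidityPeriod", "Years").strip() not in PERIOD_UNITS:
            problems.append("RenewalValidityPeriod must be Years/Months/Weeks/Days/Hours")
        if not srv.get("RenewalValidityPeriodUnits", "1").strip().isdigit():
            problems.append("RenewalValidityPeriodUnits must be an integer")
    return problems


if __name__ == "__main__":
    for label, inf in (("root", ROOT_CA_INF), ("sub", SUB_CA_INF)):
        print(label, check_capolicy(inf) or ["OK"])
```

Run against the two samples, the root file is reported for its unreferenced [LegalPolicy] section and the subordinate file for both halves of the typo (the listed name has no section, and the real section is never listed); renaming the Policies= value to AllIssuancePolicy makes the subordinate file pass.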
 
Please forward these questions to info@identit.ca and we can send you a
proposal for a PKI engagement.
This stretches way beyond a mere newsgroup question and enters into a true
deployment engagement.
Brian

"BZP" . wrote in message
news:bca8eb29-2e4c-4c5f-a624-9f75b3050a71@e4g2000hsg.googlegroups.com...
 
No free consulting.
For the number of questions you have, the only way to get these answered is
to:
1) Learn PKI
2) Hire a consultant
3) Research
Brian

"BZP" . wrote in message
news:bf19c419-afdb-478b-abc1-607111eff589@t1g2000pra.googlegroups.com...
> Hmm, does someone have some answers? At least to some of the questions?
>
> Thanks.
>
> --
> P.J.A.
 
On 3 Jan, 20:39, "Brian Komar" <brian.ko...@nospam.identit.ca> wrote:
> No free consulting.
> For the number of questions you have, the only way to get these answered is
> to:
> 1) Learn PKI
> 2) Hire a consultant
> 3) Research
> Brian


I'm fed up with that kind of reaction! But I understand.
I'm frustrated, you know. In fact, I just need one Enterprise CA (and
online!); this scenario is much bigger than what I need, but I wonder
how it works and you tell me the only way I have is to pay for it?
I took the MS course 2821, I have searched on TechNet and I have read
lots of whitepapers. These sharp questions don't have an evident
answer in those documents, and English is not my mother tongue,
so it's a little bit harder for me.
Finally, I need more technical explanations than enterprise
consulting/expertise (imagine an expert just for my little CA...). I
don't want advice, I want technical responses such as I am used to finding in
NGs. OK, there are lots of questions, but if I wrote a big scenario,
it is to prevent responses like "why do you need this" or "there is a
workaround solution" too. Maybe I should cut these questions...
Brian, I thank you for your previous answers and tips; I will try to
do all this alone.

Regards,

--
P.J.A.
 
On 3 Jan, 23:47, BZP wrote:

It's OK, I have all my answers.
For people who want to know, mail me.
Thanks for your help.

--
P.J.A.
 