OCSP part 6 – Test OCSP service

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To test if OCSP is working, you need to have a certificate with OCSP information included. This is only available for certificates emitted AFTER the service was installed, configured and activated on the CA. Therefore, you`ll need to first create a new certificate for your tests. Depending on your CA configuration, you can use OpenSSL to create a request or will have to use the Windows integrated tools. I will show here how to use a CSR created by OpenSSL and a Windows Enterprise CA.

Create CSR with OpenSSL

openssl req –new –newkey rsa:2046 –nodes –keyout dummy.key –out dummy.csr

This creates a key file and the CSR in Base64.

Submit CSR to CA

Certificate snap-in

MSFT Enterprise CA needs the CSR created for a specific template, something that OpenSSL is not offering. If you submit such a request to the CA via MMC, you get an error message.

More information

CA Web Interface

Open the web enrollment server in your browser. Click on Request a certificate.

Go to the advanced options.

Paste the Base64 encoded CSR in the input field. Select as certificate User.

Submit the request and download the generated certificate.

Take a closer look at the certificate. In the AIA section, OCSP must be shown.

Test OCSP service

In the above step, a new user certificate was created, containing OCSP information. To test if OCSP is working, Microsoft is offering the certutil tool.

certutiil –URL dummy.cer

In the Retrieve box, you can select how to certificate information should be retrieved.

Select OCSP.

Check the status

Result: Failed

Result: Unsuccessful

Result: Verified

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

OCSP part 5 – Further configuration steps

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

After having OCSP installed, configured and having CA include OCSP information in newly emitted certificates, the basic configuration is done and you are ready to use OCSP in your environment. To make better use of OCSP, some additional configuration steps should be done, like enabling NONCE. Microsoft test client isn`t using NONCE and their test will pass, while OpenSSL uses NONCE and that test will fail. Generally, enabling it ensures you`ll have less problems with a wide range of clients.

Enable NONCE

Edit OCSP configuration properties.

Go to tab Signing and enable NONCE.

Check status

In case you get a signing certificate not available for the array controller, do a refresh of the node.

The status should be empty.

In the CA, an OCSP signing certificate must appear in the list of issued certificates.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

OCSP part 4 – Configure CA to support OCSP Responders

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

After having the OCSP service installed and configured, the CA must be made aware of the service. Only after this, new emitted certificates by the CA will include the OCSP information. This means that you can run a OCSP service without having it included in the client certificates. In that case, clients can be configured to use a static OCSP address to validate the status of the certificate, while other clients won`t be able to do this.

To configure a CA to support an Online Responder or OCSP responder services

  • Open the Certification Authority snap-in.


  • Open the properties of the CA.

  • Open the extensions tab. By default, the CRL distribution point (CDP) list is shown.

  • Change from CDP to Authority Information Access (AIA)

  • Click on Add to add a new location.

  • Specify the locations from which users can obtain certificate revocation data. This is the URL under which the OCSP service is installed.Make sure that the clients can resolve the DNS name and communicate with the service.

    Example: http://<ServerDNSName>/ocsp

  • Select “Include in the online certificate status protocol (OCSP) extension”. This makes the OCSP URL available in the certificate.

    You will have to restart the CA service to make the new configuration effective.

  • Next, you will have to include the OCSP certificate in the list of available certificates of the CA.


  • Open the CA snap-in, select Certificate Templates, right click and choose “New Certificate Template to Issue”


  • Select the OCSP Response Signing certificate.

  • To check that it worked, select the certificate and open its properties.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Afaria – Define certificate template for SCEP on Windows CA

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

When you work with Afaria, you`ll sooner (iOS) or later (Android, WP) come in contact with certificates. To be more specific, with device (iOS) and user (all platforms) certificates. To make it as easy as possible to get those certificates available to the devices and users, an MDM solution makes use of SCEP. SCPE in the Microsoft world is called NDES, and is available with their CA. If you install everything following the official documentation, you`ll end up having

  1. A working environment (yeah)
  2. Most probably a certificate issue, as your users and devices get a certificate named IPSec (Offline request).

This default certificate is what Microsoft thinks fulfills most use cases of SCEP (sorry, NDES) and basically they are right. A device or user can use this certificate without problems for most of the scenarios. Most importantly, users can use it to authenticate themselves against services. It may be that

  • your security area does not like the name
  • the lifetime does not meet the requirement: its 2 years as given by Microsoft
  • it is missing some functionality
  • wrong algorithm or key length
  • or something else

All of the above points are valid and can invalidate the use of the default configuration. Which leaves you to the question: how to solve this?

To make Afaria get back from the CA a valid certificate based on a custom template, it only takes two steps:

  1. Create a template
  2. Assign template to NDES (SCEP)

With SCEP, Afaria is only consuming a service offered by CA. How the CA is treating the request, depends 100% on the CA. Therefore, no additional configuration is needed on the consuming service: Afaria. As a result of this, three steps are necessary to make Afaria get back a custom certificate:

  1. Create a certificate template
  2. Assign template to NDES (SCEP)
  3. Test
Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Microsoft NDES – use custom certificate template

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To change the default certificate template NDES is using, it is necessary to change some Windows registry values. Looks like there is no GUI tool from Microsoft for this available. The procedure for changing these values is given by Microsoft [1],[2]. To do so, open the registry editor and navigate to:

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP

Under this node, the registry values can be found. By default, the certificate template used by NDES is IPSECIntermediateOffline.

I`ll now use my AfariaUser certificate I created in an earlier blog (you can find it on my site). To change this and to make use of the new AfariaUser certificate, edit all three entries.

Afterwards, the registry key looks like this:

To make the new templates effective for new requests, restart IIS (or the CA too, or the whole computer).

References

[1] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Appendix_2_Set_Registry_Keys_to_Default_Values

[2] https://technet.microsoft.com/de-de/library/ff955642(v=ws.10).aspx

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Microsoft CA – create a new certificate template

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

The creation of a certificate template is a basic administration task for a CA admin. To create a new template, open the CA management console and manage the available certificate templates

Next, select a base template and duplicate it. The new template will be based on this template and inherit some if its properties. It is a good idea to take the User template as a basis for certificates requested by Afaria via SCEP.

Select for which CA type this template is going to be generated and later on used. You should go for at least Windows Server 2008.

Now you can fill in the information of your certificate template. This information will be used by the CA to create the final certificate, requested by Afaria. Make sure to include all you need and to configure it accordingly to your requirements.

After clicking OK, the new certificate template is listed in the available templates of your CA. Please be aware that with this, the new certificate template is only available for the CA, it is not added to the list of templates actually used by the CA. You can have several CA`s in your organization and while the administrator add new templates for the whole organization, only selected certificates may be used by certain CAs. You can have a CA that is only issuing user certificates, while another CA only issues device certificates.

To make the template available to your CA, add the template to the list of available templates to issue for your CA.

Select it from the list.

Congratulations. Now your new certificate template is available to your CA and new certificates based on this template can be issued to clients.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

Afaria Setup 4: Install roles – Certificate Authority – NDE

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn

To enroll an iOS device to SAP Afaria, a certificate for this device is needed. For mobile apps, SAP Afaria client can be used to request a user certificate from the CA. All these requests are handled by SAP Afaria, making the certificate handling transparent to the user. For doing this, SAP Afaria needs a CA with NDE enabled.

Pre-requisite

  • Install a CA
  • Add a user for NDE

Install a CA

See previous blog about how to install a CA.

Add user for NDE

Create a user for NDE service using Windows tool: Active Directory Users and Computers.

Add a new user.

  • First name: ndeuser
  • Last name: n/a
  • Full name: ndeuser
  • Logon: ndeuser@tobias.de

Inform password. As this is a test environment installation, it makes sense to not have a user whose password expires every N month.

  • Password never expires: yes

Confirm user data.

Assign user to group

Add ndeuser to IIS group using Windows tool: Active Directory Users and Computers.

Open the AD domain and go to folder Builtin. Select group IIS_IUSRS.

Go to tab Members

Click Add

Enter user: ndeuser and select Check Names.

This adds the AD user ndeuser to the local group IIS_IUSRS. This is needed for the NDE service of CA.

Add service NDE to Windows Server

Add Role Services.

Add

  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service
  • And all dependencies

Inform the user created earlier: ndeuser@tobias.de

Inform registration authority (RA) information.

  • RA Name: Tobias-RA
  • Country: BR (or your country)
  • City: Rio de Janeiro (or your city)
  • State: RJ (or your state)

Inform key strength of RA

Inform the CA that will be used by NDE (use previously created CA).

Select authentication type going to be used to log on to NDE.

  • Windows Integrated Authentication: Yes

Specifiy service account: ndeuser@tobias.de

Select a SSL certificate. Chose to select a SSL certificate later, as this certificate still does not exist and will be created later on.

Check the selected server roles.

Confirm.

Windows installs and configures NDE.

Installation results.

Result

NDE installed on Windows Server, using previously installed CA for requesting certificates.

Let the world know ...Tweet about this on TwitterShare on Google+Share on FacebookEmail this to someoneShare on LinkedIn