Windows 2008 PKI in Practice 4: Revocation


(continued) The Online Responder service is a new component introduced in Windows Server 2008; it is Microsoft's implementation of the OCSP protocol. Together with the new OCSP client, it is a big improvement over CRL-based revocation checking. The client-side OCSP code was redesigned alongside the OCSP responder, and OCSP checking has also been integrated into Kerberos and SSL.

The new OCSP responder is designed for scalability and can be deployed on a certificate server or on a completely separate computer. The service can also run across several clustered computers. The server-side components are flexible enough to obtain revocation information from multiple sources. The responder supports caching of both NONCE and no-NONCE requests.

Configuring OCSP and Demonstration Using Revocation

Deploying the Online Responder consists of three steps: installing the Online Responder service, preparing the environment, and configuring the Online Responder. The Online Responder should be deployed after the CA is deployed and before end-entity certificates are issued. We installed OCSP on the first demo computer, so we will walk through the remaining steps of the deployment process. As part of the installation, a virtual directory named OCSP was created in IIS and the ISAPI extension used as the Web Proxy was registered. The Web Proxy can be registered or unregistered manually. Since Web Proxy registration happens during OCSP installation, we can unregister it with the following command, as shown in Figure 29.

Certutil -vocsproot delete

We can register it again with the Certutil -vocsproot command, as shown in Figure 30.

The CA must be configured to include the URL of the Online Responder in the Authority Information Access (AIA) extension of the certificates it issues. The OCSP client uses this URL to check the status of a certificate, as shown in Figure 31.

We will add a location to the AIA extension from which users can retrieve the CA certificate, as shown in Figure 32.

The location can be any valid path or URL: HTTP, LDAP, file, UNC or a local path. We will enter the full URL of the Online Responder, as shown in Figure 33. When the Online Responder is installed, the default virtual directory created in IIS is OCSP. We will include this location in the Online Certificate Status Protocol (OCSP) extension. For this change to take effect, Active Directory Certificate Services must be restarted, as shown in Figure 34.

The Online Responder can sign OCSP responses either with the issuing CA's key or with a delegated signing key. The delegated signing certificate is short-lived; the recommended validity period is two weeks. It contains the id-pkix-ocsp-nocheck extension, has no CRL distribution point or AIA extension, and includes the id-kp-OCSPSigning Extended Key Usage (EKU). Configuring the OCSP signing template differs between Windows Server 2003 and Windows Server 2008. Windows Server 2008 introduced version 3 templates, which allow advanced cryptography support among other enhancements. Windows Server 2008 also adds a new certificate template, OCSP Response Signing, to the templates available in Active Directory. It is preconfigured with the required extensions and attributes listed above and has version number 3; no modification of the template or the CA is required.
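The AIA change made through the GUI in Figures 32 to 34 can also be scripted. The following is an added example, not code from the original article: it appends the responder URL to the CA's CACertPublicationURLs list with the OCSP flag (32 = include in the OCSP extension), restarts the CA, and checks that the entry is present. The responder URL is a placeholder; run it elevated on the CA.

```powershell
# Added example (not from the original article). Assumed placeholder: replace
# $OcspUrl with the real URL of your Online Responder (IIS virtual directory "OCSP").
$OcspUrl = 'http://ocsp.example.com/ocsp'

# Entries in CACertPublicationURLs have the form "<flags>:<location>".
# Flag 1 = publish the CA certificate to this location, 2 = include in the AIA
# extension, 32 = include in the OCSP (AIA/OCSP access method) extension.
$ocspEntry = "32:$OcspUrl"

function Get-CaPublicationUrls {
    # The active CA's configuration lives under CertSvc\Configuration\<CA name>.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg).Active
    (Get-ItemProperty -Path (Join-Path $cfg $caName)).CACertPublicationURLs
}

function Test-OcspUrlConfigured {
    param([string]$Entry)
    # Returns $true when the exact "32:<url>" entry is in the CA's AIA/OCSP list.
    [bool]((Get-CaPublicationUrls) -contains $Entry)
}

if (-not (Test-OcspUrlConfigured $ocspEntry)) {
    # "+" tells certutil -setreg to append to the REG_MULTI_SZ instead of replacing it.
    certutil -setreg CA\CACertPublicationURLs "+$ocspEntry"
    # The change only takes effect after the CA service restarts (as in Figure 34).
    Restart-Service certsvc
}

# Verification: the entry should now be listed and certutil shows the same view.
Test-OcspUrlConfigured $ocspEntry
certutil -getreg CA\CACertPublicationURLs
```

Certificates issued after the restart carry the OCSP URL; certificates issued earlier do not, so re-issue any end-entity certificate that must be checked through the responder.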

One drawback of certificate templates is that a custom extension cannot be added to them. Creating and configuring an OCSP signing template on Windows Server 2003 therefore raises the problem of how to add the id-pkix-ocsp-nocheck extension. Duplicating the template creates a version 2 template that a Windows Server 2003 CA can issue, and it will still contain the id-pkix-ocsp-nocheck extension. Next, the CA must be configured to allow custom extensions to be included in the certificate request.

After modifying the CA registry settings, we need to restart the CA service. Once the restart completes, the CA can issue the OCSP signing certificate, as shown in Figure 35.
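The registry change and restart described above, followed by a check that an issued signing certificate actually has the properties the earlier section requires (id-pkix-ocsp-nocheck present, OCSP Signing EKU present, no AIA or CDP, short validity). This is an added example, not the article's or Microsoft's own script; the OIDs are the standard PKIX values, and signing.cer is an assumed path to an exported signing certificate.

```powershell
# Added example (not from the original article).
# 1.3.6.1.5.5.7.48.1.5 is id-pkix-ocsp-nocheck. Adding it to the policy module's
# EnableRequestExtensionList lets the CA copy that extension from a request into the
# issued certificate, which the duplicated version 2 template relies on.
certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5
Restart-Service certsvc
certutil -getreg policy\EnableRequestExtensionList

function Test-OcspSigningCert {
    param([string]$Path)   # assumed: path to the exported OCSP signing certificate
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $extOids = $cert.Extensions | ForEach-Object { $_.Oid.Value }
    $ekuExt  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    $result = New-Object PSObject -Property @{
        HasNoCheck   = [bool]($extOids -contains '1.3.6.1.5.5.7.48.1.5')  # id-pkix-ocsp-nocheck
        HasOcspEku   = [bool]($ekus    -contains '1.3.6.1.5.5.7.3.9')     # id-kp-OCSPSigning
        HasAia       = [bool]($extOids -contains '1.3.6.1.5.5.7.1.1')     # should be $false
        HasCdp       = [bool]($extOids -contains '2.5.29.31')             # should be $false
        ValidityDays = [int]($cert.NotAfter - $cert.NotBefore).TotalDays  # recommended: 14
    }
    # A signing certificate is acceptable only if every expectation holds.
    $result | Add-Member -MemberType NoteProperty -Name Acceptable -Value (
        $result.HasNoCheck -and $result.HasOcspEku -and
        -not $result.HasAia -and -not $result.HasCdp -and $result.ValidityDays -le 14)
    $result
}

Test-OcspSigningCert -Path '.\signing.cer'
```

A certificate that fails the AIA/CDP test would make clients try to check the revocation status of the signing certificate itself, which is exactly what id-pkix-ocsp-nocheck is meant to avoid.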

As with other templates, the Read, Enroll, Autoenroll, Write and Full Control permissions on the template must be configured for enrollment.

We will add the SEA-DC-01 computer object.

To allow the Online Responder computer to enroll for an OCSP Response Signing certificate, check the Read and Enroll permissions in its access control entry, as shown in Figure 36. For added security, the Online Responder service runs as Network Service. By default it therefore has no access to the machine's private key, and the key permissions must be modified to grant the Online Responder access. Version 3 templates include a new feature that lets the enrolling client set the machine key's permissions as part of enrollment so that services running as Network Service can use the key, as shown in Figure 37. This feature is only available on Windows Vista and Windows Server 2008. Once the template is properly configured, the CA must be configured to issue it.

We will enable the OCSP Response Signing template on the CA, as shown in Figure 38.

The Online Responder management tool is designed for ease of use. Whether the Online Responder is deployed on a single machine, a cluster, or multiple clusters, the management tool provides a single point of monitoring and configuration for the deployment. By default, the management tool is installed on all editions of Windows Server 2008 and provides all the functionality needed to manage Online Responders.

The Online Responder home page provides top-level information about the Online Responder's configuration status and allows you to configure the properties of all responders.

The Revocation Configuration Nodes view allows you to add, modify, and delete revocation configurations.

The Array Configuration Nodes view allows you to add, monitor, and diagnose online Responder array members.

The Online Responder provides a set of configurable properties that apply to all Online Responders and to the operation of the service.

The Online Responder Web Proxy cache is deployed as an ISAPI extension loaded by IIS. The following configuration settings are available. Web Proxy threads: this setting specifies the number of threads the Online Responder ISAPI extension uses to handle requests, as shown in Figure 39.

Cache entries: the Web Proxy cache is part of the responder's ISAPI extension and is purely an in-memory cache. The recommended cache size is between 1,000 and 10,000 entries. The minimum allowed value is 5; any value below 5 is treated as the default of 5. Small cache sizes cause more cache misses and therefore a higher load on the responder's response and lookup operations; large cache sizes increase the memory usage of the Online Responder. If the CA certificate is used to sign responses, each in-memory cache entry is approximately 200 bytes; if a delegated signing certificate is used, each entry is approximately 2 KB.

To keep the certificate-issuing system secure in line with common standards while providing a secure platform, certain events and configuration changes are logged to the Windows Security event log. The Online Responder allows the following audit events to be configured, as shown in Figure 40.

Start/stop of the Online Responder service: an event is recorded every time the ocspsvc.exe service is started or stopped.

Online Responder configuration changes: all configuration changes, including changes to the audit settings, are logged in the security log.

Online Responder security setting changes: all changes to the ACLs of the Online Responder service's request and management interfaces are logged in the security log.

Requests submitted to the Online Responder: all requests processed by the Online Responder service are logged in the security log. This option places a high load on the service and should be evaluated for the specific environment. Only requests that require a signing operation by the Online Responder generate audit events; requests served from previously cached responses are not logged.

The Online Responder's security settings include two new access control lists that can be set to allow or deny users and services access to the request interface and the management interface, as shown in Figure 41. Proxy requests: the Online Responder exposes a request interface through which the Online Responder Web Proxy component submits certificate status requests to the Online Responder service. This interface is not used by end clients.

Manage OCSP responders: the Online Responder exposes a management interface for administrative tasks such as creating and managing revocation configurations and modifying the responder's global settings. Revocation can be done in two ways, either manually through the MMC or through the OCSP responder service.

We will revoke a certificate from the CA MMC. Under the CA tree there is an Issued Certificates folder, and the certificate we issued earlier is displayed there. We can now revoke the certificate manually. This will force us to re-enroll for the certificate.

When we revoke, we are asked for the reason for the revocation. In this demo we will put the certificate on hold so that we can undo the revocation later, as shown in Figure 42. If a certificate is revoked for any reason other than Hold, the revocation cannot be undone.

The revoked certificate is moved to the Revoked Certificates folder. From the Revoked Certificates folder we can undo the revocation, as shown in Figure 43. While the certificate is revoked, the client cannot encrypt or decrypt information sent to and from it. We can still view the certificate information if needed. We will undo the revocation and return the certificate to the active state.
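The hold-and-unrevoke demo of Figures 42 and 43 done from the command line, with a client-side revocation check in between. This is an added example, not part of the original article; the serial number and cert.cer path are placeholders, the certificate must carry the OCSP URL configured earlier, and it is run on the CA by a CA administrator.

```powershell
# Added example (not from the original article).
$Serial   = '1a2b3c4d000000000005'   # placeholder: serial from the Issued Certificates folder
$CertPath = '.\cert.cer'             # placeholder: exported copy of that certificate

function Test-CertificateStatus {
    param([string]$Path)
    # Drop the client's cached OCSP responses and CRLs so the check reflects the
    # CA's current state rather than a response fetched before the revocation.
    certutil -urlcache ocsp delete | Out-Null
    certutil -urlcache crl  delete | Out-Null
    # -urlfetch makes certutil retrieve the AIA/OCSP and CDP locations from the
    # certificate and validate against them; a non-zero exit code means the chain
    # did not verify (for a held certificate: revoked).
    certutil -verify -urlfetch $Path | Out-Null
    if ($LASTEXITCODE -eq 0) { 'valid' } else { 'revoked-or-unverifiable' }
}

# Reason 6 = Certificate Hold, the only reason that can be undone later.
certutil -revoke $Serial 6
# The Online Responder's revocation configuration is fed from the CA's CRL, so
# publish a fresh CRL before expecting the responder to report the hold.
certutil -CRL
Test-CertificateStatus -Path $CertPath     # expected: revoked-or-unverifiable

# Lift the hold (only possible because reason 6 was used) and publish again.
certutil -revoke $Serial Unrevoke
certutil -CRL
Test-CertificateStatus -Path $CertPath     # expected: valid
```

If the second check still reports the certificate as revoked, the responder itself may still be serving its cached response; its cache is refreshed when the revocation configuration picks up the new CRL.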

Copyright © Windows knowledge All Rights Reserved