Verisign PKI: anyone to subordinate CA

From: Pidgorny, Slav (pidgorns@anz.com)
Date: 05/19/02


From: "Pidgorny, Slav" <pidgorns@anz.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Sun, 19 May 2002 16:01:03 +1000

G'day Bugtraq,

Microsoft Security Bulletin MS01-017
(http://www.microsoft.com/technet/security/bulletin/MS01-017.asp) inspired
me to do some testing. Here are the results:

1. I configured Microsoft Certificate services to act as a standalone
subordinate CA. A request for a CA certificate was generated.
2. I sent this request as a request for a Web server SSL certificate.
3. The Verisign test CA did not complain upon processing this request. It
generated and signed the certificate.
4. I installed the certificate to MS Certificate Services and start the CA
service.
5. From now on, I effectively have a signed CA certification. Any generated
signatures from this point will have a certification path leading to the
root CA.

I only used Verisign test root CA in my test. The steps above can probably
be repeated using Verisign production root CA, resulting the situation
whereas I'm becoming a subordinate CA to Verisign trusted root without
letting them know.

Thawte test CA also signs the CA certificate submitted as a Web server
certificate, but MS Certificate Server refuses to install the certificate as
the CA certificate. The difference between Verisign and Thawte certificates
is the Basic Constraints field. If I would be using OpenSSL tools instead of
MS Certificate Server, I can probably disable all the checks against the CA
certificate.

Any thoughts? Do you think it's a security problem?

Regards,

S. Pidgorny, MS MVP, MCSE

DISCLAIMER: Opinions expressed by me is not necessarily my employer's, it is
not intended to be formal and accurate. Neither myself nor my employer
assume any responsibility for any consequences.

P.S. Many thanks to Dave Ahmad for the discussion leading to this post.



Relevant Pages

  • Digital sign a driver for XP and Vista
    ... My company has just bought a Class 3 certificate from Verisign to digitally sign some drivers. ... The driver is made up by a .inf file, a .sys file and a .dll file. ... SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3 ...
    (microsoft.public.development.device.drivers)
  • Certificate Services wont start on a new off-line root CA.
    ... I'm attempting to setup an off-line root CA. ... Schlumberger e-gate 32K smart card to store the CA private key. ... the Schlumberger CSP and 2048-bit when I generate the CA certificate. ... The Certificate Services service terminated with service-specific error ...
    (microsoft.public.security)
  • Certificate Services wont start on a new off-line root CA.
    ... I'm attempting to setup an off-line root CA. ... Schlumberger e-gate 32K smart card to store the CA private key. ... the Schlumberger CSP and 2048-bit when I generate the CA certificate. ... The Certificate Services service terminated with service-specific error ...
    (microsoft.public.win2000.security)
  • Re: RSA vs AES
    ... > Verisign, MS took the extra burden of issuing a critical patch to ... > those stolen root CAs. ... if any of these other keys ever got compromised ... ... BBN Certificate Services ...
    (sci.crypt)
  • Re: Your digital ID name cannot be found by the underlying security system
    ... This morning I received email from VeriSign indicating that apparently I ... Although I do not have a private key recovery feature, ... replaced the certificate 3 times already and still it will not work. ...
    (microsoft.public.outlook)