Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server
From: Ohaya (ohaya_at_cox.net)
Date: 10/28/03
- Next message: Gabriele Zannoni: "Re: CryptoAPI: forcing CRL checking"
- Previous message: Ohaya: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- In reply to: Ohaya: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- Next in thread: Sergio Dutra [MS]: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Oct 2003 13:15:00 -0500
Sorry, I forgot to mention that the MS Certificate Server was installed
as a Standalone (root) Certificate Authority Server (i.e., not
subordinate)...
Ohaya wrote:
>
> Sergio,
>
> There are no intermediate CAs or intermediate CA certs for the MS
> Certificate Server CA chain. MS Certificate Server was installed with
> all the normal defaults.
>
> When I look at the MS Certificate Server CA cert under Details->Enhanced
> Key Usage extension, it lists:
>
> File Recover
> Digital Rights
> Smart Card Logon
> License Server Verification
> Key Pack Licenses
> Embedded Windows System...
> OEM Windows...
> Windows System Component Verification
> Windows Hardware Driver Verification
> Encrypting File System
> IP Security User
> IP Security tunnel termination
> IP Security end system
> Microsoft Time Stamping
> Microsoft Trust List Signing
> Time Stamping
> Secure email
> Code Signing
> Server Authentication
>
> Under Edit Properties:
>
> No matter whether I choose "Enable All", "Disable All", or "Enable Only"
> and uncheck all boxes, IIS sends out the MS Cert Server in the
> acceptable CA list.
>
> Some of my subsequent posts showed up in the NGs, some didn't, but FYI,
> I have used OpenSSL to confirm the above, and I have an image of a clean
> Win2K/IIS/Cert Server install, and this problem is repeatable.
>
> "Sergio Dutra [MS]" wrote:
> >
> > What usages does the root certificate of your MS Certificate Server have
> > (from the Enhanced Key Usage extension)? Are there any intermediate certs
> > and, if so, what are their usages?
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> > "Ohaya" <ohaya@NO_SPAM.cox.net> wrote in message
> > news:3F9D3A7F.7294A454@NO_SPAM.cox.net...
> > > Hi,
> > >
> > > I think that I have encountered a somewhat serious "bug" somewhere. I
> > > can't tell if it's a CryptoAPI bug, an IIS bug, or whatever, so I'm
> > > cross-posting this to several newsgroups. This seems like (to me) a
> > > rather serious problem, and I'll try to describe what's happening as
> > > best I can, and also provide a somewhat kludgy workaround.
> > >
> > >
> > > Background:
> > > ===========
> > > Server: Win2K Advanced Server SP4, updated on Friday (10/24/03)
> > > Server is the DC (i.e., ActiveDirectory is installed)
> > > MS Certificate Server is installed
> > > IIS5
> > >
> > > Client: Win2K Pro SP4, updated same date as server
> > > IE 6.0.2800.1106
> > >
> > >
> > > I have been preparing to configure the above server for SSL with server
> > > and client authentication for awhile.
> > >
> > > Before I did that, in order to do some pre-testing, I issued a server
> > > cert for IIS with MS Certificate Server, and several client certs.
> > >
> > > I got all of this (SSL with client and server authentication) working,
> > > including IE would display the client certs that were issued by MS
> > > Certificate Server whenever I tried to connect from IE to IIS.
> > >
> > >
> > > Then, using the IIS server certificate wizard, I deleted the original MS
> > > Certificate Server-issued server cert, then created a new server
> > > certificate request, which I then sent to my commerical CA one night.
> > > The next morning, I received the new server cert from my commercial CA,
> > > along with a set of test client certificates.
> > >
> > > I then installed the root cert from my commercial CA on the server, and
> > > then using IIS, used the IIS server certificate wizard to install the
> > > new server cert that I had just received from my commercial CA.
> > >
> > > I also installed one of the test client certificates from my commercial
> > > CA, and installed it on my client machine, and began testing.
> > >
> > >
> > > Problem:
> > > ========
> > > From some previous testing with an earlier similar (SSL client and
> > > server authentication) setup, I found that I could control which client
> > > certificates that IE would display, when connecting to the server, by
> > > enabling or disabling the "Client Authentication" Purpose in the root CA
> > > certificate Purposes for specific root CAs.
> > >
> > > In other words, if I disabled/unchecked the "Client Authentication"
> > > purpose for the root CA cert for "Whatever CA", then client certificates
> > > issued by "Whatever CA" would display in the IE popup when I tried to
> > > connect to the server. If I enabled/checked the "Client Authentication"
> > > purpose for the root CA cert for "Whatever CA", then client certificates
> > > issued by "Whatever CA" would NOT display in the IE popup when I tried
> > > to connect to the server.
> > >
> > >
> > > However, it appears that with the setup that I ended up with above
> > > (install MS Cert Server server cert, uninstall server cert, install new
> > > commercial CA server cert), which I described above under "Background",
> > > this (enabling/disabling "Client Authentication" purpose for the root CA
> > > cert) does not appear to work for the client certs created with MS
> > > Certificate Server.
> > >
> > > Specifically, the client certificates that I created using MS
> > > Certificate Server still get displayed by IE when connecting to the
> > > server, regardless of how the "Client Authentication" purpose is set in
> > > the root CA certificate on the server-side, and there does not appear to
> > > be any reasonable way to prevent these client certificates from being
> > > displayed by IE during a connection attempt.
> > >
> > >
> > > I'm guessing (I would HOPE) that deleting the root certificate for my MS
> > > Certifate Server on the SERVER might work, but then that would kill my
> > > MS Certificate Server installation, so that doesn't seem like a
> > > reasonable solution, and really, I'm kind of puzzled about why the
> > > "Client Authentication" purpose is "obeyed" for all client certificates
> > > except for the ones created by MS Certificate Server.
> > >
> > >
> > > Bottom line: It appears that if you install MS Certificate Server,
> > > issue a server cert and some client certs, then install a server cert
> > > from another CA, that there is no way way get IE browsers that had
> > > client certs from MS Certificate Server not to display those previously
> > > issued client certs.
> > >
> > >
> > >
> > > Possible workaround:
> > > ====================
> > > I haven't found a way, from the server-end, to cause IE not to display
> > > those MS Certificate Server-issued client certs, but thankfully, with
> > > IIS at least, the CTL functionality still works properly.
> > >
> > > In other words, if I set up a CTL with only the root cert from my
> > > commercial CA, IE will STILL DISPLAY both the client certs from my
> > > commercial CA and the client certs that were issued by MS Certificate
> > > Server, but at least the authentication/connection will fail if someone
> > > tries to connect using one of the client certs issued by MS Certificate
> > > Server.
- Next message: Gabriele Zannoni: "Re: CryptoAPI: forcing CRL checking"
- Previous message: Ohaya: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- In reply to: Ohaya: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- Next in thread: Sergio Dutra [MS]: "Re: Can't disable "Trusted" for Certificates Issued by MS Certificate Server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
