Wednesday, July 7, 2010

Key recovery agent certificate for a Windows CA

You might know that there is the key archival option included only in the Windows Enterprise editions on 2003, 2003 R2, 2008 and 2008 R2.
It is used to have a backup of each user certificate in the case that the user lost her certificate or she left the company. Make sure that you follow all legal procedures. But back to the technical part. If you follow the standard procedures in all Microsoft documents you have to deal with certificate templates, publish the template, deal with access permissions, log on as a user and request a key recovery agent (KRA) certificate and the private key is stored on a windows machine.

With openssl you can create private key and certificate on a secured standalone machine, Windows or Unix does not matter. For example copy the KRA certificates to Smart Cards and only copy the public part of the certificate to the CA.

- add in openssl.cnf NEW_OIDS section the line
- add in openssl.cnf v3_ca section two lines
- remove or comment line basicConstraints = CA:true
- generate a new RSA key
openssl genrsa -aes256 -out kra1.key 2048
- generate a self signed certificate for x days, x can max to the CA cert validity
openssl req -new -x509 -days 365 -key kra1.key -config openssl.cnf -out kra1.cer
- copy only ht kra1.cer to the CA and add import it also to the Root CA store to make it valid for the CA service. To add it to the Root CA store is only necessary on the CA itself, there is no need to do so on any other servers or clients in your environment.
- Configure the KRA1 certificate in the CA.

Certutil -f -enterprise -addstore KRA KRA1.cer
Certutil -f -enterprise -addstore Root KRA1.cer

Go through the same procedure for a KRA2.

If you wanna have that as a PFX file:
openssl pkcs12 -export -in kra1.cer -inkey kra1.key -out kra1.pfx

Best practise:
- Never copy the private key to the CA itself
- Secure your KRA with password or move it to a set of smart cards
- Have at least 2 KRA installed and set the CA to use all!!
- Use at least a 2048 bit key
- Verify access to KRA on a regular basis, e.g. every 12 months
- Have a approved process for key escrow and data recovery

Check for new email via TLS secured IMAP or POP

You can check POP and IMAP with telnet, e.g. telnet 143. But how to do this with TLS? Run it with openssl.exe and dont forget the CRLF (carriage return line feed) parameter.

c:\openssl\openssl.exe s_client -crlf -connect
* OK The POP3 service is ready.

Then you can use USER and PASS commands to authenticate to the POP server. LIST will show you the mailbox content. To retrieve a message call RETR .

Saturday, July 3, 2010

Copy & paste error on certificate serial number or thumbprint

It is often useful to copy a certificate serial number or thumbprint to the clipboard. Both information, especially the thumbprint, can be used to securely identify a certificate, e.g. for certificate based authentication or accepting only request from a specific agent.
You can easily mark the the serial number or thumbprint with the mouse and a left click and than a Ctrl+C to copy it to the clipboard. So the strange thing is on the left before the hex numbers. If you paste it into notepad you will not see that extra character. On command line or pspad there is a question mark, e.g.
?‎14 c4 ff ce 00 01 00 00 00 14

In FIM2010 policy modules or in your application you have just to delete the first one or two numbers of your serial and type it again.
Seen on Windows XP, 2003 and Windows 2008 R2