When your Public Key Infrastructure (PKI) or Certificates scare the h@*! out of you

Who Ya Gonna Call?

Public Key Infrastructure PKI Certificates Mitigating Risks

Halloween should be scary, not your PKIs 🎃 We were excited to offer a monthly PKI "Office hours" where viewers posted questions and topics they wanted addressed in the comments. Check out our most recent Office Hours, Halloween Edition. Or else...

Here are some of the questions that were asked during the webinar along with answers from PKI Solutions.

To view the entire video is added to the bottom of this post.

Halloween Office Hours Snippet Q&A Transcript

Q: How do you enable auditing in Microsoft ADCS?  

Summary: 

  • ADCS auditing disabled by default. Details on enabling ADCS auditing are located here: Enabling Active Directory Certificate Services (ADCS) advanced audit - PKI Solutions Inc.
  • ADCS auditing enabled at the ADCS and Group Policy level
  • Newer Group Policy versions have ADCS Advanced Object level auditing to audit ADCS-only object events
  • DB considerations as every time you start and stop a CA, the DB will be hashed. This can slow down the shutdown and startup process by hours (depending on the size of the DB)
  • If you are still using Windows Fail Over Clusters, make sure that your CA service is not abnormally interrupted due to long startup times

 

Q: Will Windows server allow for multiple CAs on a single server?

Summary:

You can run multiple instances of VMs, each with Server installed and CA services enabled on a single VM host. Alternatively, you can create partitions on the same server with a different OS installed. Lastly, you can run ADCS and a CA that is third-party to Microsoft on the same server. But we are not aware of any plans to run multiple instances of ADCS on the same server.

 

Q: We recently did a DR test and I restored ONLY our subordinate CA. From the subordinate CA it had valid CRL for our root and itself, we did not restore an OCSP responder or any other infrastructure (but we do have it). During the test certificates validated and we were able to issue new certificates. My question is this: was that a valid DR test? How long could we run on just a restored subordinate? What kind of components do you think is critical to a DR test for PKI in ADCS?

Summary:

  • Be clear on your DR intent, for example being able to issue certificates in the event of a disaster
  • Be clear on DR scenarios: We lost power for 2 hours, or long-term intermediate disaster with a functioning backup data center
  • A valid DR test exhibits a running service with the ability to sign CRLs. Additional components like OCSP should be included in a thorough BCDR plan but may not need to be included to have minimal functionality. At the core, the priority needs to be publishing any CRLs ahead of expiry.

 

Q: Renewing an intermediate CA cert after doing a renewal of the CA cert using the same key pair. How does this affect OCSP and the responder snap in? I still see old CA cert reference to the revocation configuration. I'm thinking a new revocation configuration will have to be done. Do you agree?

Summary:

  • It should be the same revocation configuration
  • OCSP responder certificate would have the Authority Key Identifier (AKI) that points to the Certificate Authority and its key identifier that was used to sign it
  • When a CA renews, it'll have a new serial number, it'll have new date information. But if we're using the same key, it'll have the same Subject Key Identifier
  • Caveat: it could be an issue if you have done renewals in the past with new keys and OCSP was tied to one of those old keys
  • Instructions to renew OCSP Response Signing Certificates with an Existing Key. Details are here.

 

Q: Will Microsoft provide a Azure based private PKI? What's your opinion? 

Summary:

Microsoft has announced no plans for Azure PKI, however it was announced recently that Entrust PKI as a Service was granted the Preferred marker on the Azure Marketplace.

 

Q: Are you seeing general adoption of SHA-384 over SHA-256?

Summary: 

  • You really shouldn't be doing anything that SHA -1
  • If at SHA-256 you are at minimum (don’t get a pat on the back)
  • PKI Solutions recommends customers to be on SHA-384

 

The entire Halloween Office Hours video can be seen here:

Leave a Comment





This site uses Akismet to reduce spam. Learn how your comment data is processed.