Dmitrii blog : General

Re-Revoking Certificates with Different Reason Code

lezine — Sat, 18 Aug 2007 02:53:00 GMT

One of my customers is using 3rd party Card Management System (CMS) to manage their smart cards. One of many common management tasks that such systems perform is revocation of the smart card and in particular the certificates issued to the given smart card. Well, of course CMS only originates the revocation request - the actual revocation is performed on CA that issued certificates. Certificates can be revoked for different reasons and when you revoke it is good idea to specify the reason code for revocation. Some implementations require that the reason code is specified, and some implementations require that this reason code must be set to "key compromise". If you do not specify the reason code during revocation then it will be set to the default reason code which is "unspecified".

So this particular CMS does not specify the reason code when it sends revocation requests to CA. At the same time customer Security Policy dictates that all subscriber certificates will be revoked with "key compromise" reason code.

As I mention before the default revocation reason code for Windows 2003 CA is "unspecified". It is not possible to change the default setting to any other reason code.

Since CMS doesn't specify the reason code for revocation all revoked certificates by this CMS are revoked with the reason code "unspecified". This is a problem for them and we had to find some quick and easy solution to change the reason code on already revoked certificates from "unspecified" to "key compromise".

Fortunately it is possible to do in couple different ways. One of them is to use certutil.exe command to re-revoke already issued certificates and specify new required reason code.

Here is the command you need to run to revoke a certificate with Serial Number 18e877ea00000000000a and reason code "key compromise":

certutil -revoke "18e877ea00000000000a" 1

So far so good, but how do we know what Serial Number to put into this command? We need to know what certificates already have been revoked. Well, the same utility comes to our rescue. If you run the following command it will provide you with Serial Numbers of all revoked certificates after the specified date:

certutil –view –restrict "RevokedWhen>=08/15/2007" –out SerialNumber

OK, so we run this command, get all serial numbers of revoked certificates, populate this numbers to the first command and re-revoke all of them with new reason code. Cool, but what kind of output does this command provide to us? Can we easily grab serial numbers out from it?

The output from this command looks similar to this:

1/1/2006 12:00 AM

Schema:

Column Name Localized Name Type MaxLength

---------------------------- ---------------------------- ------ ---------

SerialNumber Serial Number String 128 -- Indexed

Row 1:

Serial Number: "61153ff1000000000006"

Row 2:

Serial Number: "18daada4000000000007"

Row 3:

Serial Number: "18e2c82a000000000008"

Row 4:

Serial Number: "18e3c5d4000000000009"

Row 5:

Serial Number: "18e877ea00000000000a"

Can we get actual numbers out of this output? To the rescue comes Visual Basic script that parse through this information and as it finds anything between "" it takes it, and then creates the revocation command and executes that command.

First we run this command and create the output file with serial numbers:

certutil –view –restrict "RevokedWhen>=08/15/2007" –out SerialNumber > sn-input.txt

Then we can run the following VBScript to re-revoke all certificates that have been revoked since 8/15/07. Here is the sample script to do it:

sInFile = "sn-input.txt"

sDelimiter = """"

const ForReading = 1, ForWriting = 2, ForAppending = 8

set oShell = wscript.createobject("wscript.shell")

set oFSO = wscript.createobject("scripting.filesystemobject")

if oFSO.FileExists(sInFile) then

set oInFile = oFSO.OpenTextFile(sInFile,ForReading)

else

wscript.echo "Input file " & sInFile & " does not exist."

wscript.quit(1)

end if

do while not oInFile.AtEndOfStream

sLine = oInFile.ReadLine

aValues = split(sLine,sDelimiter)

if ubound(aValues)>0 then

if ucase(trim(aValues(0))) = ucase("Serial Number:") then

iRetVal = oShell.Run("certutil -revoke " & """"& aValues(1) &"""" & " 1",TRUE)

end if

loop ' oFile

oInFile.Close

Now it should be easy to create a batch file that will first create an input file with serial numbers of all revoked certificates and then run vbscript that will parse through this file and re-revoke them with new reason code.

To truly really automate this solution we'll need to automatically inject the date into the command that creates the input file, otherwise it will re-revoke bunch more certificates that we really need. But I didn’t do any investigation yet on how easy it would be inject a certain date into that command. Maybe some other time.

By the way it would take me much longer to come up with this solution if not for some quick pointers from PG and help with writing vbscript from another MS Consultant. Mark you are da man!

Cool Windows 2008 posters

lezine — Thu, 19 Jul 2007 16:27:00 GMT

cool posters for download, check it out:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c2b9e44e-0bbd-47cb-bc09-b3d48be7f867&displaylang=en

FBCA PKI cross-certification

lezine — Wed, 23 Aug 2006 17:26:00 GMT

For the last few months I've been helping large organization with their efforts to cross-certify their PKI infrastructure with Federal Bridge Certification Authority (FBCA). We had some technical challenges with interoperability between our systems which we were able to resolve fairly quickly with some help from product group guys and our own tireless testing. But at the end of the day the technical issues are really not that difficult comparing to the implementation of all required operational processes and ensuring that they are auditable by Audit Company. FBCA wants to know that cross-certifying agency is in full compliance with their Certificate Practice Statement (CPS). Auditors are the folks who actually provide report to FBCA about this compliance, and let me tell you, they do want to see working process (ie documentation, equipment, facilities, personnel etc) for every statement in your CPS. If you say in CPS that something is done certain way, well you better have actual process established, people trained etc on how to do that. Otherwise you'll fail the Audit and eventually might have problems with FBCA giving you a green light for issuing cross certificate keys.

In large organizations with multiple data centers, multiple departments, different contracting companies it can be fairly difficult to implement in short amount of time.

Publishing SharePoint with ISA 2006 and 2 factor authentication

lezine — Wed, 28 Jun 2006 23:17:00 GMT

ISA 2006 provides some great new capabilities for user authentication. Find more info on ISA at the following link http://www.microsoft.com/isa.

On one of my recent projects I had to publish SharePoint Portal to Internet based users. The information on the portal is very sensitive and customer has made a decision to require two factor authentication. The original proposal was to allow users to VPN into network with Smart Card, go through quarantine and then access SharePoint portal. While it is valid solution, I felt that it is not the most efficient way to provide access to the portal.

In turn, I have decided to use ISA 2006 SharePoint publishing functionality and its ability to authenticate users with certificates and form-based authentication (FBA). In this configuration users type URL for SharePoint site, they are asked to choose certificate and after entering the pin they are presented with FBA form asking for user name and password. It takes less then one minute to log into portal and it works super fast. ISA 2006 FBA has new cool functionality - password change. Now users can change their passwords via ISA 2006 FBA without ever logging into internal corporate network.

In my solution each user have been issued USB based smart card token that allows them to authenticate against ISA 2006. In the next phase of the project we are going to deploy Certificate Lifecycle Manager (CLM) to manage all of those tokens and certificates that they have been issued with.