Windows XP Smart Card Logon, Digital Signature and Encryption Failures with Entrust SSP Issued HSPD-12 Certificates by Paul Fox, Senior Consultant, Microsoft Consulting Services

Background

On May 9th, 2009 Entrust Managed Services (provider of HSPD-12 certificates) performed a key update ceremony on the Entrust Managed Services Root and SSP certification authorities. HSPD-12 certificates issued after May 9th, 2009 will not work on the Windows XP operating system (i.e. RTM, SP1, SP2 and SP3).

More information concerning the Entrust key update can be found at http://sspweb.managed.entrust.com/emspkifsspcacertificateinformation.html

The following diagram depicts the PKI chaining (key match chaining method) of an HSPD-12 end entity digital signature certificate to the Common Policy root trust point as required per FIPS 201 architectural guidance.

[Figure: PKI chaining (key match chaining method) of an HSPD-12 end entity digital signature certificate up to the Common Policy root trust point]

Issue

Any Entrust MSO certificate issued after the key update ceremony will not properly validate its Extended Key Usage (a.k.a. Enhanced Key Usage) on the Windows XP operating system. The Extended Key Usage field is used to state the allowed usage of a certificate and is generally found only in end entity certificates. If the extension is present it must be used for the intended purpose. RFC 5280 states, “if a CA includes extended key usages to satisfy such applications, but does not wish to restrict usages of the key, the CA can include the special KeyPurposeId anyExtendedKeyUsage in addition to the particular key purposes required by the applications.”

The Entrust Managed Services Federal Root CA Link Certificate #2 (Cert Hash-sha1: 48 48 8c 9b 28 a5 ab d5 98 06 02 c1 d2 74 df d9 dd 43 c6 3f) contains the following in the Extended Key Usage field:

    2.5.29.37: Flags = 0, Length = 13
        Enhanced Key Usage
            Any Purpose (2.5.29.37.0)
            Unknown Key Usage (1.2.840.113533.7.74.3)

When trying to digitally sign an email on a Windows XP system, the Entrust Managed Services Root CA Link Certificate #2 is shown with a yellow caution sign and a certificate status of “this certificate does not appear to be valid for the selected purpose.”

[Figure: Windows XP certificate status dialog showing the caution sign on the Entrust Managed Services Root CA Link Certificate #2]

Cause

The Windows XP operating system was developed (circa 2001) prior to the creation of the anyExtendedKeyUsage OID and does not recognize the 2.5.29.37.0 OID. Note that anyExtendedKeyUsage is not referenced in RFC 2459 (January 1999). Therefore any certificate that chains through the Entrust Managed Services Federal Root CA Link Certificate #2 will fail to work as intended on the Windows XP operating system. Any related HSPD-12 smart card application (i.e. smart card logon, digital signature and encryption) will fail on an XP system.


Resolution

HSPD-12 certificates issued by Entrust since May 9th, 2009 can be used on Windows Vista and later operating systems. Crypt32.dll, which is part of the Vista, Windows Server 2008 and Windows 7 operating systems, supports the processing of the anyExtendedKeyUsage OID. It is recommended to upgrade the affected operating systems. For HSPD-12 smart card logon, digital signature and encryption applications to work on the XP operating system, Entrust will need to regenerate the Entrust Managed Services Federal Root CA Link Certificate so that it includes neither the anyExtendedKeyUsage OID nor the Entrust 1.2.840.113533.7.74.3 OID, or so that it explicitly states all associated HSPD-12 EKU OIDs within the Extended Key Usage field.
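The following is an added example written for this post; it is not code from the original article, from Entrust or from Microsoft. It decodes a DER-encoded Extended Key Usage extension with a minimal parser and then applies the chain EKU rule under two policies: one that honours anyExtendedKeyUsage (the Vista and later behaviour the post describes) and one that treats 2.5.29.37.0 as just another unrecognised OID (the XP behaviour). The DER bytes for the link certificate's EKU are constructed here from the two OIDs listed in the post, not captured from the real certificate; the end entity EKU set, the Microsoft Smart Card Logon and RFC 5280 key purpose OIDs, and the "every EKU-bearing certificate in the chain must permit the purpose" model are assumptions of this example rather than statements taken from the post.

```python
from typing import List, Optional

ANY_EKU = "2.5.29.37.0"                        # anyExtendedKeyUsage (RFC 5280)
ENTRUST_EKU = "1.2.840.113533.7.74.3"          # shown as "Unknown Key Usage" in the post
SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"    # Microsoft Smart Card Logon (assumed leaf EKU)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"              # id-kp-clientAuth (assumed leaf EKU)
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"         # id-kp-emailProtection (assumed leaf EKU)

# Constructed DER for the EKU value listed in the post (not the real certificate's bytes):
# SEQUENCE { OID 2.5.29.37.0, OID 1.2.840.113533.7.74.3 }
LINK_CERT_EKU_DER = bytes.fromhex(
    "3011"                      # SEQUENCE, 17 content bytes
    "0604551d2500"              # OBJECT IDENTIFIER 2.5.29.37.0
    "06092a864886f67d074a03"    # OBJECT IDENTIFIER 1.2.840.113533.7.74.3
)


def read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    first = subids[0]                              # first two arcs are packed together
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def decode_eku(ext_value: bytes) -> List[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("EKU SEQUENCE must not be empty")
    return oids


def chain_allows(chain_ekus: List[Optional[List[str]]], purpose: str, honor_any_eku: bool) -> bool:
    """Chain EKU model (an assumption of this example): every certificate that carries an
    EKU extension must permit `purpose`; a certificate with no extension (None) is
    unrestricted.  With honor_any_eku=False, anyExtendedKeyUsage is not recognised,
    which is the Windows XP behaviour the post describes."""
    for ekus in chain_ekus:
        if ekus is None or purpose in ekus:
            continue
        if honor_any_eku and ANY_EKU in ekus:
            continue
        return False
    return True


def evaluate_post_chain(link_cert_ekus: Optional[List[str]]) -> dict:
    """Root CA (no EKU) -> Link Certificate #2 (given EKUs) -> assumed PIV end entity cert."""
    leaf = [SMART_CARD_LOGON, CLIENT_AUTH, EMAIL_PROTECTION]
    chain = [None, link_cert_ekus, leaf]
    return {
        purpose: {
            "Windows XP": chain_allows(chain, purpose, honor_any_eku=False),
            "Vista and later": chain_allows(chain, purpose, honor_any_eku=True),
        }
        for purpose in leaf
    }


if __name__ == "__main__":
    as_issued = decode_eku(LINK_CERT_EKU_DER)
    print("Link cert #2 EKU:", as_issued, f"({len(LINK_CERT_EKU_DER)} bytes)")
    print("As issued:", evaluate_post_chain(as_issued))
    # The two remediations named in the post: drop the EKU extension entirely,
    # or list every HSPD-12 purpose explicitly.
    print("No EKU extension:", evaluate_post_chain(None))
    print("Explicit EKUs:", evaluate_post_chain([SMART_CARD_LOGON, CLIENT_AUTH, EMAIL_PROTECTION]))
```

The constructed extension value comes to 19 bytes, i.e. 0x13, which agrees with the "Length = 13" in the post's dump if that figure is hexadecimal as certutil prints it. Under the XP policy the link certificate blocks every purpose, because neither Any Purpose nor the Entrust OID matches what the end entity certificate is being used for; under the Vista policy Any Purpose is honoured and the same chain validates, which is exactly the split the post reports.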

Acknowledgements

Microsoft would like to thank Wendy Brown (PGS) and Tom Connelly (SRA) of the Federal Public Key Infrastructure Authority (FPKIA) for identifying and assisting in the troubleshooting of this issue.

References

· RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, http://www.ietf.org/rfc/rfc2459.txt

· RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, http://www.ietf.org/rfc/rfc5280.txt

· FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf

· Microsoft Product Lifecycle, http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173

· Entrust Managed Services Federal CA Shared Service Provider offering CA certificate information, http://sspweb.managed.entrust.com/emspkifsspcacertificateinformation.html

· How Certificates Work, http://technet.microsoft.com/en-us/library/cc776447(WS.10).aspx

· anyExtendedKeyUsage OID, http://www.oid-info.com/get/2.5.29.37.0

· Crypto Next Generation Features, http://msdn.microsoft.com/en-us/library/bb204775(VS.85).aspx

Published 20 October 09 09:32 by Vernon.Lee
