December 09 Support for non-ASCII characters
Sometimes I find lots of failed requests on the Issuing CA servers that are related to problems with non-ASCII characters. The error may be "The string contains a character not in the 7 bit ASCII character set". Typically this error occurs if a certificate request contains a non-ASCII character in the subject name. A certificate template can be configured to build the subject name attribute from the "Common Name" or the "Fully Distinguished Name" of the requester, so a non-ASCII character in that name ends up in the request. Also notice that if a full FQDN is placed in the CN (Common Name) field, the string can't be more than 64 characters long.

Health of CA database and cleaning up
I often find that customers don't know the status of their PKI infrastructure. It would be nice to get an overview of issued certs from each CA as well as the number of failed requests and the number of revoked certificates. Even though these statistics are not directly available from the CA GUI, they can be obtained from the command line using the following commands.

To get the issued certs from a CA, issue the following commands on the CA server (as typed at a command prompt; in a batch file the loop variables must be written %%i and %%j). The first command lists the templates the CA issues; each loop then counts the rows in the CA database for one disposition per template, where disposition 20 is issued, 21 revoked, 30 failed and 31 denied:

```bat
certutil -template -v | find "Template=" > templatefil.txt
for /f "tokens=1,2 delims=[(,)]" %i in (templatefil.txt) do echo %i " " %j >> issuingcastat.txt && certutil -restrict "Certificate Template=%j,Disposition=20" -view -out serialnumber | find "Rows" >> issuingcastat.txt
for /f "tokens=1,2 delims=[(,)]" %i in (templatefil.txt) do echo %i " " %j >> issuingcastatrevoked.txt && certutil -restrict "Certificate Template=%j,Disposition=21" -view -out serialnumber | find "Rows" >> issuingcastatrevoked.txt
for /f "tokens=1,2 delims=[(,)]" %i in (templatefil.txt) do echo %i " " %j >> issuingcastatfailed.txt && certutil -restrict "Certificate Template=%j,Disposition=30" -view -out serialnumber | find "Rows" >> issuingcastatfailed.txt
for /f "tokens=1,2 delims=[(,)]" %i in (templatefil.txt) do echo %i " " %j >> issuingcastatdenied.txt && certutil -restrict "Certificate Template=%j,Disposition=31" -view -out serialnumber | find "Rows" >> issuingcastatdenied.txt
```

To see how many certificates are in AD, you can make a script that walks through all users in AD and searches for certificates of the given types.

To clean up certs in the db, you could use:

```bat
certutil -deleterow <date> request|cert|crl
```

Even though this command can remove entries from the db, you would need to run a utility to shrink the database afterwards.
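A Python version of the per-template counting above, added here as an example and not the author's script: it runs the same certutil -restrict queries for the four dispositions and parses the trailing "N Rows" line itself. The template names in the main block are constructed, and the command runner is injectable so the parsing can be tried off the CA server.

```python
import re
import subprocess
from typing import Callable, Dict, List

# Disposition codes used by the batch loops above: 20 issued, 21 revoked,
# 30 failed, 31 denied.
DISPOSITIONS = {20: "issued", 21: "revoked", 30: "failed", 31: "denied"}
# certutil -view finishes its listing with a line such as "12 Rows".
ROWS_RE = re.compile(r"^\s*(\d+) Rows\s*$", re.MULTILINE)


def certutil_cmd(template: str, disposition: int) -> List[str]:
    """The same -restrict query the batch loop issues for one template and disposition."""
    return ["certutil", "-restrict",
            f"Certificate Template={template},Disposition={disposition}",
            "-view", "-out", "serialnumber"]


def run_certutil(cmd: List[str]) -> str:
    """Run certutil on the CA server and return its text output."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_row_count(output: str) -> int:
    """Read the trailing '<N> Rows' line; no such line (e.g. a failed command) counts as 0."""
    match = ROWS_RE.search(output)
    return int(match.group(1)) if match else 0


def collect_stats(templates: List[str],
                  run: Callable[[List[str]], str] = run_certutil) -> Dict[str, Dict[str, int]]:
    """Return {template: {'issued': n, 'revoked': n, 'failed': n, 'denied': n}}.

    'run' is injectable (hypothetical parameter) so the parsing can be exercised offline."""
    return {tpl: {name: parse_row_count(run(certutil_cmd(tpl, code)))
                  for code, name in DISPOSITIONS.items()}
            for tpl in templates}


def failure_ratio(counts: Dict[str, int]) -> float:
    """Share of all requests for a template that failed or were denied (0.0 if none)."""
    total = sum(counts.values())
    return (counts["failed"] + counts["denied"]) / total if total else 0.0


if __name__ == "__main__":
    # Template names here are constructed; take yours from templatefil.txt.
    for tpl, counts in collect_stats(["User", "Machine"]).items():
        print(f"{tpl:20} {counts}  failure ratio {failure_ratio(counts):.1%}")
```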
To shrink the database after deleting rows, the Jet compaction utility Eseutil.exe can be used:

```bat
Eseutil.exe /d <db path>\<CAName>.edb /t
```

The db path can be found by issuing:

```bat
certutil -databaselocations
```

November 07 News from Tech-Ed 2008
Many PKI related features have been announced at Tech-Ed 2008 in relation to security and PKI. Some of them are listed below. In future blog entries, I intend to go into more detail about some of the most interesting news.
- Windows Server 2008 R2 PKI will support HTTP based enrollment for domain and non-domain members using new PKI server roles
- Auto-enrollment can be handled for certificates not issued by a Microsoft CA
- Certificates stored on smart cards will be easier to handle in Windows 7, as a new plug and play feature for smart cards will be introduced
- Bitlocker in Windows 7 will have a recovery agent defined that uses certificates.
- Auto-enrollment support for applications using certs in the computer store will not be supported directly, but a notification service is considered
- If you consider using HSM to protect the private key of certificates, but think they are too expensive, you could consider using a local TPM module to protect the private key, if the CSP for the TPM has a good administrative interface
It was nice to see all the PKI related sessions this year: both native PKI sessions and CLM/ILM related sessions, as well as interactive sessions.
October 05 Bitlocker does not use certificates
Just a short note about Bitlocker in relation to certificates. I often meet customers who tend to believe that Bitlocker uses certificates from an Enterprise Microsoft CA to encrypt data. This is not the case. Bitlocker does not use certificates to encrypt data.

October 01 SCCM 2007 - To SAN or not to SAN client certificates
According to the SCCM 2007 documentation "Certificate requirements for native mode" (http://technet.microsoft.com/en-us/library/bb680733.aspx), clients working in SCCM native mode should have a certificate with the client authentication OID included and with the DNS name of the client in the SAN attribute.
According to the updated documentation "How to Configure ISA SSL Bridging for System Center Configuration Manager Internet-Based Client Management" (http://technet.microsoft.com/en-us/library/cc707697.aspx), which I was made aware of by a customer (Alex Mærsk from Ecco Sko Denmark), it seems that an Internet-based client working in native mode must have a SAN with a UPN equal to the client's DNS name. I therefore wonder whether a SCCM native client should have a certificate with two SAN entries, a UPN and a DNS name.
I will follow up on this and post the answer.
My own guess is that it is related to the fact that ISA Server is put in between to break the SSL connection, validate the certificate and the account behind the certificate, and thereafter forward it as another inbound SSL connection to the SCCM server. Maybe ISA Server needs to have the UPN included in the client cert to be able to do this, I wonder.