Posted by Brian Komar on December 27, 2007, 11:24 am
Please forward these questions to info@identit.ca and we can send you a
proposal for a PKI engagement.
This stretches way beyond a mere newsgroup question and enters into a true
deployment engagement.
Brian
> Hello,
>
> First, I want to thank those who have already helped me here (Bryan
> and others....) but I need help again :)
> I'm not familiar with PKI. So in this post, I sum up all the things I
> have done and ask questions about some steps.
> Thanks for your help :)
>
> I have 7 domains:
>
> ROOT.LOCAL. (the forest root domain, resources domain, no users,
> located in Mexico)
>
> AMERICAS.LOCAL. (technical domain, located in Mexico)
> MEXICO.AMERICAS.LOCAL. (located in Mexico)
> BRAZIL.AMERICAS.LOCAL. (located in Rio)
>
> ASIA.LOCAL. (technical domain, located in Tokyo)
> JAPAN.ASIA.LOCAL. (located in Tokyo)
> KOREA.ASIA.LOCAL. (located in Seoul)
>
> There are 4 AD sites:
>
> MEXICO site (for DC of ROOT.LOCAL., AMERICAS.LOCAL. and
> MEXICO.AMERICAS.LOCAL.)
> RIO site (for DC of BRAZIL.AMERICAS.LOCAL.)
> TOKYO site (for DC of ASIA.LOCAL. and TOKYO.ASIA.LOCAL.)
> KOREA site (for DC of KOREA.ASIA.LOCAL.)
>
> All sites are connected to MEXICO (hub site) with a 20 Mb/s link
> (uptime 24/7).
>
> PKI target architecture:
>
> Three Tier PKI
>
> One STAND ALONE ROOT CA called SACAMX00 (SA stands for Stand Alone, CA
> for Certificate Authority, MX for Mexico, not for the domain - the
> machine is in a workgroup - but for the site)
> Two STAND ALONE INTERMEDIATE CAs called SACAAM01 (AM stands for
> America, not for the domain - the machine is in a workgroup - but for
> the site) and SACAAS01 (AS stands for Asia, not for the domain - the
> machine is in a workgroup - but for the site)
> Then, two Enterprise Issuing CAs in each domain, called ENCAJP01 and
> ENCAJP02 (EN stands for Enterprise, JP for Japan), the same for the
> other domains, ENCAKR01 and ENCAKR02 (KR stands for Korea), etc. Name:
> ENCAxx0y where xx is the code corresponding to the domain name.
>
> Stand-alone CAs are secured virtual machines.
>
> The CA names are:
> - CA Root
> - AMERICAS Sub & CA ASIA Sub
> - CA JAPAN Iss1, CA JAPAN Iss2, ...
>
> Ok, let's see the installation steps:
>
>
> Installation of SACAMX00
> ------------------------
>
> Windows 2003 Standard Edition SP2 with IIS (even though IIS is not
> necessary). The CAPolicy.inf configured before installing CA services
> looks like this:
>
> [Version]
> Signature= "$Windows NT$"
> [LegalPolicy]
> OID= 1.3.6.1.4.1.311.21.43
> Notice= "http://intranet.americas.local/pki/cps.asp"
> [Certsrv_Server]
> RenewalKeyLength= 4096
> RenewalValidityPeriod= Years
> RenewalValidityPeriodUnits= 20
> [CRLDistributionPoint]
> [AuthorityInformationAccess]
>
> Q-01 Is the " " (space character) required?
> Q-02 What does the LegalPolicy section mean? And what about the Notice
> parameter (can I change this parameter later)? Why this OID? Does it
> show up somewhere in my CA?
> Q-03 What about the Certsrv_Server section? Can we configure these
> parameters later, after the installation, or do we have to set them now?
> Q-04 CRLDistributionPoint and AuthorityInformationAccess are explicitly
> written and left blank. Why? What happens if I don't add these
> sections?
>
> Then, I install CA services.
>
> SYSOCMGR /I:SYSOC.INF
>
> In the wizard, I specify a 4096-bit key and a validity period of 20 years.
>
> Q-05 Is it redundant with the Certsrv_Server section in CAPolicy.inf?
> What is the real use of this section?
>
> CERTUTIL "CA Root.cer"
>
> Q-06 Is that the action which creates the cert file? Without this
> command, is no .cer generated anywhere else? Or should I specify the
> option -ca.cert?
>
> I map the offline root CA to the AD configuration container
>
> CERTUTIL -setreg ca\DSConfigDN CN=Configuration,DC=ROOT,DC=LOCAL
>
> Q-07 The offline root never communicates with AD, so why do we need to
> set this parameter? What is this parameter exactly?
> Q-08 Can we do the same action by modifying the registry?
>
> Then I configure the CDPs. I clear all checkboxes where Delta CRL is
> mentioned. I have 3 CDPs: one local, one LDAP and one HTTP.
>
> Q-09 Can I uncheck "Include in CRLs. Clients use this to find Delta CRL
> locations." on all CDPs because I don't use Delta CRLs on an offline
> CA? Or does this option have other consequences?
>
> Then I configure the AIAs with a local file publication, an LDAP one
> and an HTTP one.
>
> Q-10 Is there a difference if I set these parameters using REGEDIT.EXE
> instead of using the Extensions tab in the GUI?
>
> Then I configure the CRL publication interval. I set 180 days (Delta
> CRLs left blank).
>
> Q-11 Should I publish the CRL again when I change the CRL interval?
> Q-12 If I change the CRL interval, are my already issued certificates
> still valid?
> Q-13 180 days, does that mean I have to bring my CA online in order to
> publish my CRL again even if no certificates are revoked? Or does it
> expire (when? how to configure it?)?
>
> Then I modify "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
> CertSvc\Configuration\Root CA". I set ValidityPeriod to Years and
> ValidityPeriodUnits to 10.
>
> Q-14 Can we set these options in CAPolicy.inf?
> Q-15 Is the CAPolicy.inf file modified by wizards or anything else
> after the installation?
>
>
> Installation of SACAAM01
> ------------------------
>
> Windows 2003 Standard Edition SP2 with IIS (even though IIS is not
> necessary). The CAPolicy.inf configured before installing CA services
> looks like this:
>
> [Version]
> Signature= "$Windows NT$"
> [PolicyStatementExtension]
> Policies= AllIssuancePolicy
> Critical= FALSE
> [AllIssuancePolicy]
> OID= 2.5.29.32.0
>
> Q-16 Is the PolicyStatementExtension section required? Why?
> Q-17 OID 2.5.29.32.0 was in an example CAPolicy.inf file I found. Is it
> the right OID? Is there only one OID for a subordinate CA?
> Q-18 What does the Critical parameter mean exactly? It is not a
> technical parameter.
> Q-19 Why is there no section with renewal information? Because it is
> set by the Root CA, so we don't need to specify it here?
>
> Then I install the binaries
>
> SYSOCMGR /I:SYSOC.INF
>
> In the wizard, I specify a 2048-bit key and a validity period of 10 years.
>
> Q-20 Should I prefer to choose a 4096-bit key? (It's an offline root;
> what is the drawback if I choose a 4096-bit key?)
>
> I modify the registry as for the Root CA. I set 5 years for the lifetime
> of issued certificates and 30 days for CRL publication (no delta CRL).
> Then I run
>
> CERTUTIL -setreg ca\DSConfigDN CN=Configuration,DC=ROOT,DC=LOCAL
>
> Q-21 Why?
>
> Then I run
>
> certutil.exe -v -setreg policy\EnableRequestExtensionlist "+2.5.29.32"
>
> Q-22 Is it required even if this parameter is specified in the
> CAPolicy.inf file?
> Q-23 What is this parameter exactly? Can't I issue certificates if
> this parameter isn't set?
>
> I omit the certificate request and import/export operations. Those are
> OK.
>
> Now, if I revoke the subordinate CA certificate:
>
> Q-24 Do I publish the CRL now? Or do I have to wait 180 days (I hope
> not...)? (And copy/paste the CRL file to my HTTP point.)
> Q-25 How can I republish the CRL in AD? Can offline CAs (which are in a
> workgroup) check the CRL in AD? I don't think so. And you?
> Q-26 Does the Sub CA service detect that its certificate is revoked
> and not start? I tested this scenario, and the Sub CA still works and
> chaining is OK. So, how much time does this mechanism take?
>
> OK for Root and Sub. Let's see the online issuing CA.
>
>
> Installation of ENCAJP01
> ------------------------
>
> Windows 2003 Enterprise Edition SP2 with IIS, member of the domain
> JAPAN.ASIA.LOCAL.
>
> Q-27 If an online CA is down, is the fallback to another one
> automatic?
> Q-28 I want the CA in the JAPAN domain to only issue certificates for
> JAPAN users (and even sub-domains if I need them in the future). I
> don't want a MEXICO user to be able to obtain a certificate from
> MEXICO's CA. Should I use X.500 constraints or ACE permission
> limitations? What are the advantages and drawbacks of the two methods?
>
> I don't use a CAPolicy.inf file.
>
> Q-29 Is it optional? What can I specify in this CAPolicy.inf file
> (constraints?)?
>
> I use these parameters: a 2048-bit key for the CA, 5 years lifetime,
> 2 years lifetime on issued certificates, 1 week CRL and delta CRLs
> allowed.
>
> Q-30 Can I use Delta CRLs even if some of my servers are still Windows
> 2000 Server?
>
> Then I run these commands:
>
> certutil -dspublish <Root CRT file> RootCA
> certutil -dspublish <Sub CRT file> SubCA
> certutil -dspublish <Root CRL file> {Root CA Host Name}
> certutil -dspublish <Sub CRL file> {Sub CA Host Name}
>
> Q-31 In some documentation I found that I may use the -f parameter in
> addition. Why?
> Q-32 When the Root CA or Sub CA revokes a certificate, do I have to run
> these commands again (concerning the CRL)?
>
> I configure the Domain Policy GPO in order to publish the root CA.
>
> Q-33 Is this operation required, or does AD automatically do this
> operation with another mechanism?
>
> At the moment I don't use a KRA agent. But in the future, I will.
>
> Q-34 Can I configure all the KRA options later, when the need is more
> pressing? Or should I configure that now?
>
>
> I have many more questions about KRA and other things. But if I can
> have answers to these questions, it will be great!
>
> Sorry for my poor English, and thanks for reading this far!
>
> --
> P.J.A.
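An added example, not code from this thread or from either poster's setup: a small Python linter for CAPolicy.inf, which certsrv reads at install (and renewal) time, so a mistake in it means reinstalling the CA. It parses the INF syntax and checks the points the questions above turn on: that [Version] carries the right Signature; that every policy section is actually listed on a Policies= line (a section with an OID= that nothing references, as [LegalPolicy] is in the root file above with no [PolicyStatementExtension], never reaches the certificate); that the Renewal* keys in [Certsrv_Server] are well-formed; and that [CRLDistributionPoint] / [AuthorityInformationAccess] are present and empty, which is what makes the root's self-signed certificate carry no CDP/AIA extension. The two sample files are constructed for this example after the root and sub-CA configs in the post; the sub-CA sample deliberately misspells the policy name on its Policies= line so the cross-reference check has something to report.

```python
import re

# Two CAPolicy.inf files, constructed for this example after the post's root and
# sub-CA configs; SUB_INF deliberately misspells the name on its Policies= line.
ROOT_INF = """\
[Version]
Signature= "$Windows NT$"
[LegalPolicy]
OID= 1.3.6.1.4.1.311.21.43
Notice= "http://intranet.americas.local/pki/cps.asp"
[Certsrv_Server]
RenewalKeyLength= 4096
RenewalValidityPeriod= Years
RenewalValidityPeriodUnits= 20
[CRLDistributionPoint]
[AuthorityInformationAccess]
"""
SUB_INF = """\
[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies= AllInssuancePolicy
Critical= FALSE
[AllIssuancePolicy]
OID= 2.5.29.32.0
"""
OID_RE = re.compile(r"^\d+(\.\d+)+$")
PERIODS = {"hours", "days", "weeks", "months", "years"}

def parse_inf(text):
    """Parse INF text into {section: {key: [values]}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed INF line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # A repeated key (several URL= lines) accumulates; quotes are stripped.
        sections[current].setdefault(key, []).append(value.strip('"'))
    return sections

def _section(sections, name):
    """INF section names are case-insensitive; return the body or None."""
    return next((b for n, b in sections.items() if n.lower() == name.lower()), None)

def _values(body, key):
    return next((v for k, v in body.items() if k.lower() == key.lower()), [])

def lint(text):
    """Return [(level, message)] with level 'error', 'warn' or 'note'."""
    s, out = parse_inf(text), []
    sig = _values(_section(s, "Version") or {}, "Signature")
    if not sig or sig[0].lower() != "$windows nt$":
        out.append(("error", '[Version] must contain Signature="$Windows NT$"'))
    # A policy section only reaches the certificate when [PolicyStatementExtension]
    # lists it under Policies=; any other section with an OID= is ignored.
    referenced, pse = set(), _section(s, "PolicyStatementExtension")
    if pse is not None:
        for name in filter(None, (n.strip() for n in ",".join(_values(pse, "Policies")).split(","))):
            referenced.add(name.lower())
            body = _section(s, name)
            if body is None:
                out.append(("error", f"Policies= references missing section [{name}]"))
            elif not OID_RE.match((_values(body, "OID") or [""])[0]):
                out.append(("error", f"[{name}] needs a dotted-decimal OID= value"))
        if [c.upper() for c in _values(pse, "Critical")] not in ([], ["TRUE"], ["FALSE"]):
            out.append(("error", "Critical= must be TRUE or FALSE"))
    for name, body in s.items():
        if (_values(body, "OID") and name.lower() not in referenced
                and name.lower() != "enhancedkeyusageextension"):
            out.append(("warn", f"[{name}] has an OID= but no Policies= line lists it, so it is ignored"))
    # [Certsrv_Server] keys ending in Period / PeriodUnits share one syntax.
    for key, vals in (_section(s, "Certsrv_Server") or {}).items():
        low, val = key.lower(), vals[-1]
        if low.endswith("periodunits") and not (val.isdigit() and int(val) > 0):
            out.append(("error", f"{key}= must be a positive integer"))
        elif low.endswith("period") and val.lower() not in PERIODS:
            out.append(("error", f"{key}= must be Hours, Days, Weeks, Months or Years"))
        elif low == "renewalkeylength" and not (val.isdigit() and int(val) >= 2048):
            out.append(("warn", f"RenewalKeyLength={val} is below 2048 bits"))
    # An empty [CRLDistributionPoint] / [AuthorityInformationAccess] section makes
    # certsrv leave that extension out of the CA's own certificate, which is what
    # a self-signed root wants: there is no higher CA whose CRL could be checked.
    for name in ("CRLDistributionPoint", "AuthorityInformationAccess"):
        body = _section(s, name)
        if body is None:
            out.append(("note", f"no [{name}] section: setup chooses the CA certificate's {name} extension"))
        elif not body:
            out.append(("note", f"[{name}] is empty: CA certificate carries no {name} extension"))
    return out
```

Run `lint(ROOT_INF)` and `lint(SUB_INF)` before `sysocmgr`: the root sample yields one warning ([LegalPolicy] is never referenced) and two notes (both CDP and AIA sections empty); the sub sample yields an error for the missing [AllInssuancePolicy] section plus a warning that the real [AllIssuancePolicy] section is unreferenced, which is exactly the kind of silent mismatch that only shows up later as a certificate without the expected policy extension.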