Task force looking into Domain Controller requirements

StartCom´s solution: http://cert.startcom.org/?lang=en&app=138

Guide on how to do it: OpenCA Guide, Chapter 3

This list was generated using the following MS articles

See also MS article "How to enable LDAP over SSL with a third-party certification authority"

What good is a domain controller cert, and what is it for?

Since Windows 2000 and better come with the "Microsoft Certificate Authority", that CA obviously handles the creation of all the certificates required. This is fine, but what if I don't want the added overhead of running my own CA, or I think its a bad idea because it won't be trusted and I don't want the headache of trying to make it trusted, or I am just a smart admin who knows that the more certs my dumb users have the more troubles they are going to have knowing which one to use where.

Knowing that the Microsoft CA, issues everything I need the first approach might be to ask for a subordinate CA cert. This is an interesting idea and would require the LEAST amount of work on my side. But this would be a very BAD idea for the parent CA, as this subordinate CA can then issue certs that are trusted even though they aren't controlled by the parent CA. If you want an example of this, look at Comodo/InstantSSL this company is a subordinate CA and they will issue a cert to anyone anywhere with no further verification of who you are other than sending the public key portion to the email address given. So if a Subordinate CA cert is a bad idea how do I make this work another way?

This is where a "Domain Controller Certificate" comes in. For some reason, which I will not try to fathom, MS doesn't try to verify a certificates via the CRL, or even caching the CRL, at least not in straight forward way. The "Domain Controller Certificate" allows windows to verify a smartcard logon certificates without hitting the issuing CAs CRL every time.

So in short a "Domain Controller Certificate" is a special type of certificate used by microsoft networks for verification of smartcard logons. (I am not going to say this is the only thing its used for, but its the only important thing for this discussion)

What makes up a domain controller certificate

CN=server1.northwindtraders.com OU=Domain Controllers DC=northwwindtraders DC=com

Digital Signature, Key Encipherment

[Subject Type=End Entity, Path Length Constraint=None]

Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9 DNS Name=server1.northwindtraders.com

NOTE: The dsstore.exe -dcmon command does not recognize the certificate without one of these extensions.

Please see this link for the certutil.exe dump of an example certificate http://support.microsoft.com/kb/291010/EN-US/#XSLTH3124121123120121120120

We would need help about configuring OpenSSL for DC CSR see proposal for DC CSR

send comments to <cacert-support #AT# lists.cacert.org>

This link http://www.cs.bham.ac.uk/~smp/projects/peap/ provides information and a patch to create Microsoft IAS PEAP & LDAPS certificates using OpenSSL 0.9.8a and might be helpful to create a Domain Controller certificate:

"Windows requires the PKCS12 file to contain a couple of Microsoft specific /Bag Attributes/. Namely the /Crypto Graphic Service Provider/ (oid=1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string. OpenSSL currently doesn't appear to support LocalKeySet so it's necessary to patch it yourself."

Smartcard logon certificates

Without smartcards there is very little ( I don't know of any ) real benefit of having a "Domain Controller Certificate". So what is needed for a smartcard logon certificate.

Distribution Point Name: Full Name: URL=http://server1.name.com/CertEnroll/caname.crl

UPN = user1@name.com The UPN OtherName OID is : "1.3.6.1.4.1.311.20.2.3" The UPN OtherName value: Must be ASN1-encoded UTF8 string

We would need help about configuring OpenSSL for DC smartcard CSR see proposal for DC CSR

send comments to <cacert-support #AT# lists.cacert.org>


http://www.cs.bham.ac.uk/~smp/projects/peap/

Here i found some useful information, and a patch to openssl. "Windows requires the PKCS12 file to contain a couple of Microsoft specific /Bag Attributes/. Namely the /Crypto Graphic Service Provider/ (oid=1.3.6.1.4.1.311.17.1) set to 'Microsoft RSA SChannel Cryptographic Provider' and LocalKeySet (oid=1.3.6.1.4.1.311.17.2) set to an empty string."


DomainController (last edited 2010-01-14 02:03:35 by UlrichSchroeter)