Using web Enrollment for webid URI names in certs


Not everyone can afford the enterprise edition of the Windows Operating System. Furthermore, not all use cases involve enrolling a million users, auto-rollover of certificates every 6 weeks, or careful use of crypto modules that address the risks to private keys. Some folks just want to enroll using a web browser so they can play with the technology, and play along with some actual systems as they learn about crypto and key management. Perhaps folks might study NSA guidance on how certs relate to DoD office systems.

For webid purposes, one may also wish to use the web site enrollment feature of the Active Directory CA – a user interface onto the ADCS whose view is stripped down to a rather bald website. To make this site work for webid, we need to tune the deployment a little.

From http://download.microsoft.com/download/a/b/f/abf987c5-41fa-4189-be94-e78b02376c7e/ws03pkog.doc

image

image

The text quoted above introduces the notion of specifying, on the cert enrollment website form, a “request attribute”: one that lets the user specify an email SAN value to be added to the cert’s subject alternative name extension. It then shows how, on a 2003-era CA (and later), one can go further with attributed requests, specifying the URI and the other name forms of SAN (including one’s own definition of other-name).

In the limit, an attributed request can carry every SAN name form at once, including a custom other-name (1.2.3.4={asn}Base64String). The attribute is a single string; it is broken across lines here for readability:-

SAN:1.2.3.4={asn}Base64String
&email=sample@bar.com&dns=sample.bar.com
&dn="CN=xxx,OU=xxx,DC=xxx"
&url=http://sample.com/default.htlm
&ipaddress=172.134.10.134
&oid=1.2.3.4
&upn=sample@bar.com
&guid=f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39

To configure web enrollment to honour SAN request attributes:-

certutil -setreg policy\EditFlags +0x40000

The 0x40000 bit is EDITF_ATTRIBUTESUBJECTALTNAME2. It applies to every request the CA receives, not only those from the web pages, and it tells the CA to copy whatever SAN the requester typed into the issued cert without checking it against the requester’s identity. On an enterprise CA that also issues client-authentication certs this is a well-known impersonation path (a requester can ask for another account’s UPN), so set it only on a lab CA and clear it again with “certutil -setreg policy\EditFlags -0x40000” when done.

Given this advice, I added the cert enrollment website to my (otherwise enterprise class) ADCS installation and duly commanded “certutil -setreg policy\EditFlags +0x40000”.

image

RESTART the certificate service!

Then, I used the web browser, adding “SAN:url=http://yorkporc.blogspot.com/2011/11/bob.html#me” as a request attribute.
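The same procedure (set the flag, restart the service, submit a request carrying a SAN attribute, check the result, and back the flag out again) can be scripted from the command line rather than clicked through the web pages; certreq takes the identical attribute string that the web form’s “Additional Attributes” box takes. This is an added example, not code from the original post. It assumes a lab CA reachable as ca.pw.com\PW Lab CA, an assumed address bob@pw.com for the email SAN, and the WebID URI used in the post; substitute your own, and run the certutil and Restart-Service steps in an elevated shell on the CA.

```powershell
# Added example (not from the original post). Assumed values: the CA
# config string, the email address and the subject name; the WebID URI
# is the one the post uses.
$CaConfig = 'ca.pw.com\PW Lab CA'
$WebId    = 'http://yorkporc.blogspot.com/2011/11/bob.html#me'
$Email    = 'bob@pw.com'

# 1. Let requesters supply SAN values as request attributes. certutil knows
#    the 0x40000 bit by name. The flag is CA-wide: on an enterprise CA it lets
#    any enroller put an arbitrary UPN in a client-auth cert, so lab CA only.
certutil -setreg policy\EditFlags '+EDITF_ATTRIBUTESUBJECTALTNAME2'
Restart-Service -Name CertSvc

# 2. Confirm the flag actually took before testing anything.
$flags = certutil -getreg policy\EditFlags
if (-not ($flags | Select-String 'EDITF_ATTRIBUTESUBJECTALTNAME2')) {
    throw 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on the CA'
}

# 3. Generate a key pair and PKCS#10 request (the browser pages do this for
#    you; certreq does it from an INF file). KeySpec=1 gives an exchange key,
#    which is what TLS client authentication needs.
@"
[NewRequest]
Subject = "CN=bob"
KeyLength = 2048
Exportable = TRUE
KeySpec = 1
RequestType = PKCS10
"@ | Set-Content -Path webid.inf -Encoding ASCII
certreq -new webid.inf webid.req

# 4. Submit with the SAN attribute. Multiple name forms are joined with '&',
#    exactly as in the web form. Requests left pending by the CA policy are
#    approved on the CA with: certutil -resubmit <RequestId>
certreq -submit -config $CaConfig -attrib "SAN:url=$WebId&email=$Email" webid.req webid.cer

# 5. Verify the URI really landed in the SAN (certutil prints URI names as
#    "URL=") before installing the cert against its private key.
$san = certutil -dump webid.cer | Select-String -Pattern 'URL='
if (-not $san) { throw 'issued certificate carries no URL SAN' }
certreq -accept webid.cer

# 6. Back the flag out once the experiment is over.
certutil -setreg policy\EditFlags '-EDITF_ATTRIBUTESUBJECTALTNAME2'
Restart-Service -Name CertSvc
```

Step 5 is the check that matters: a CA that ignores request attributes will still issue happily, just without the URI, and the browser’s certificate dialog makes that easy to miss.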

image

image

image

We then see the CA administrator’s view, having received the user’s request to make a cert with a webid URI:-

image

Once issued, the certificate viewer shows the SAN URI (along with the chain status as evaluated by the workstation opening the cert object):-

image

image

Back at the browser, post issuance, we download the cert to provision the browser.

image

And finally, we update the blogger page with the public key modulus, and we also post the base64 of the cert (chain) into the same page (for experimental use by validation agents using certs). We obtain the modulus from the certificate viewer’s publicKey field, omitting the leading 00 byte if present: that byte is the ASN.1 sign padding a DER INTEGER carries when the modulus’s top bit is set, not part of the number, and a graph that publishes it will not match the key.
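The viewer’s publicKey field is the DER of RSAPublicKey (a SEQUENCE of two INTEGERs), so the leading 00 question is really a DER INTEGER decoding question. The following added example, not code from the original post, decodes that field into the modulus and exponent a WebID graph publishes, drops the sign byte the ASN.1 way (signed two’s complement decode) rather than by eyeballing it, and emits the Turtle in the form the W3C cert ontology later settled on (an assumption; the 2011 profile used older predicate names). The sample hex is a constructed 64-bit toy key, chosen so that its top bit is set and the 00 pad is present; the encoder exists only to exercise a real 2048-bit-sized key with long-form lengths.

```python
"""Decode the RSAPublicKey DER shown by the Windows certificate viewer into
the modulus/exponent that a WebID profile publishes.  Added example, not
part of the original post.  VIEWER_PUBLIC_KEY_FIELD is a constructed toy
key (modulus 0xC0FFEE1122334455, exponent 65537), not a real certificate.
"""

# Constructed sample of the viewer's "Public key" hex dump.  Note the 00
# after "02 09": the modulus starts with 0xC0 (top bit set), so DER pads it.
VIEWER_PUBLIC_KEY_FIELD = "30 10 02 09 00 c0 ff ee 11 22 33 44 55 02 03 01 00 01"


def viewer_field_to_bytes(field_text):
    """The viewer prints space-separated hex octets; turn them back into bytes."""
    return bytes.fromhex("".join(field_text.split()))


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Return (modulus, exponent) ints from RSAPublicKey ::= SEQUENCE { n, e }."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    tag, e_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER exponent")
    # DER INTEGER is two's complement: a positive value with its high bit
    # set carries a leading 00.  A signed decode consumes that pad for us,
    # so "omit the leading 00" never has to be done by hand.
    return (int.from_bytes(n_bytes, "big", signed=True),
            int.from_bytes(e_bytes, "big", signed=True))


def modulus_hex(modulus):
    """Hex for the graph: no sign byte, even digit count (xsd:hexBinary)."""
    h = format(modulus, "x")
    return h if len(h) % 2 == 0 else "0" + h


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def encode_rsa_public_key(modulus, exponent):
    """Inverse of parse_rsa_public_key, used to build realistic-size test input."""
    def integer(v):
        # +8 bits leaves room for the sign bit, so a 00 pad appears exactly
        # when the top bit of the minimal encoding would be set.
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + _length(len(b)) + b
    body = integer(modulus) + integer(exponent)
    return b"\x30" + _length(len(body)) + body


def webid_turtle(webid_uri, modulus, exponent):
    """Turtle for the profile page (assumed: later W3C cert-ontology form)."""
    return (
        "@prefix cert: <http://www.w3.org/ns/auth/cert#> .\n"
        "@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .\n"
        f"<{webid_uri}> cert:key [ a cert:RSAPublicKey ;\n"
        f'    cert:modulus "{modulus_hex(modulus)}"^^xsd:hexBinary ;\n'
        f"    cert:exponent {exponent} ] .\n"
    )


def profile_values(field_text=VIEWER_PUBLIC_KEY_FIELD):
    """What to paste into the profile page: (modulus hex, exponent)."""
    n, e = parse_rsa_public_key(viewer_field_to_bytes(field_text))
    return modulus_hex(n), e


if __name__ == "__main__":
    print(webid_turtle("http://yorkporc.blogspot.com/2011/11/bob.html#me",
                       *parse_rsa_public_key(viewer_field_to_bytes(VIEWER_PUBLIC_KEY_FIELD))))
```

Paste the viewer’s hex dump in place of the constructed sample and the modulus that comes out is the one to publish; if the graph’s hex starts with “00” while the viewer’s dump starts with “30 82 01 0a 02 82 01 01 00”, the pad was copied and authentication against the cert will fail to match.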

image

One advantage of using the certificate over the webid graph is that it contains an additional URI, usable by revocation management (assuming the CA’s domain name (ca.pw.com) is reachable by whatever evaluates the cert embedded in the web page). Obviously, the advantage of using the webid graph over the certificate is that others can be publishing similar URIs, and the better graph-centric system will mash up the data sources.

image

End.

About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in webid.
