Wednesday, January 27, 2016

Can MS Certificate Services be a Subordinate Enterprise CA beneath a Root CA created with OpenSSL


Yes, this is possible, provided you add a few extra configuration entries to the OpenSSL config file.

Suppose a scenario where you want to deploy a multi-tiered certificate authority, using OpenSSL on a non-networked (offline) device, a Linux box perhaps, to hold your top-level Root Certificate Authority.
The device would remain offline to mitigate the network attack vector against the private key of the top-level Root CA.
A MS Enterprise Subordinate Certificate Authority would then be issued its CA certificate by that root, and would in turn issue the downstream certificates.

The Microsoft Certificate Authority expects valid AIA and CDP locations in the root CA certificate.
These URLs should be entered in the OpenSSL configuration file before the root CA is created and before the MS Enterprise Subordinate CA's request is signed.

Setting up a certificate authority with OpenSSL is beyond the scope of this tutorial, but there is a very good tutorial on the subject hosted at https://jamielinux.com/docs/openssl-certificate-authority/index.html

This tutorial assumes that you have set up a Root certificate authority with OpenSSL according to the tutorial above, up to the step where the root certificate is verified, keeping in mind the following additions to the openssl.cnf config file.

As per that tutorial, the OpenSSL config file resides at the following location: /root/ca/openssl.cnf

Under both the [ v3_ca ] and the [ v3_intermediate_ca ] sections the following two lines need to be added
(these are the AIA and CDP locations that the Microsoft CA expects to be present):

authorityInfoAccess = caIssuers;URI:http://root-ca.mydomain.local/root.pem
crlDistributionPoints = URI:http://root-ca.mydomain.local/root.crl

Note that both files (root.pem and root.crl) must be published on your MS web server at those URLs before you complete the certificate signing request on your MS Enterprise Subordinate CA. If they are missing, completing the request fails, because the MS Enterprise Subordinate CA cannot verify the validity of the Root CA certificate and of its own subordinate certificate.
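The following pre-flight script is an added example, not from the original post or the linked tutorial. It checks, on the offline box or any host that can reach the web server, that the root certificate actually carries the authorityInfoAccess and crlDistributionPoints extensions and that the published root.pem and root.crl are fetchable and parse, which is exactly what the MS subordinate CA will verify. It assumes the /root/ca layout of the linked tutorial (path overridable via ROOT_CERT) and that openssl and curl are on PATH.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post or the linked tutorial):
# confirms the root certificate carries the AIA and CDP extensions the MS CA
# expects, and that the files those URIs point at are published and parse.
# Assumed: the /root/ca layout of the linked tutorial, openssl and curl on PATH.
set -eu

ROOT_CERT="${ROOT_CERT:-/root/ca/certs/ca.cert.pem}"

# Print "aia=<URI>" for each CA Issuers entry and "cdp=<URI>" for each CRL
# distribution point found in the certificate's text dump.
cert_ext_uris() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 CRL Distribution Points/ { mode = "cdp"; next }
        /Authority Information Access/   { mode = "aia"; next }
        /^ *X509v3 / || /^ *Signature Algorithm/ { mode = "" }
        mode == "aia" && /CA Issuers/ && match($0, /URI:[^ ]+/) {
            print "aia=" substr($0, RSTART + 4, RLENGTH - 4) }
        mode == "cdp" && match($0, /URI:[^ ]+/) {
            print "cdp=" substr($0, RSTART + 4, RLENGTH - 4) }'
}

# Fail unless both extensions are present; on success print the URIs.
check_root_extensions() {
    uris=$(cert_ext_uris "$1")
    echo "$uris" | grep -q '^aia=' || { echo "missing authorityInfoAccess (caIssuers)" >&2; return 1; }
    echo "$uris" | grep -q '^cdp=' || { echo "missing crlDistributionPoints" >&2; return 1; }
    echo "$uris"
}

# Fetch each published URI and check that it parses as a certificate (AIA) or
# a CRL (CDP), accepting PEM or DER, which is what the subordinate CA will do.
check_published_files() {
    cert_ext_uris "$1" | while IFS='=' read -r kind uri; do
        tmp=$(mktemp)
        curl -fsS -o "$tmp" "$uri" || { echo "unreachable: $uri" >&2; rm -f "$tmp"; return 1; }
        case "$kind" in
            aia) openssl x509 -in "$tmp" -noout 2>/dev/null ||
                 openssl x509 -in "$tmp" -inform DER -noout ;;
            cdp) openssl crl -in "$tmp" -noout 2>/dev/null ||
                 openssl crl -in "$tmp" -inform DER -noout ;;
        esac || { echo "not a valid $kind file: $uri" >&2; rm -f "$tmp"; return 1; }
        rm -f "$tmp"
        echo "ok: $kind $uri"
    done
}
# Run only when asked, so the file can also be sourced for its functions.
if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
    check_root_extensions "$ROOT_CERT" && check_published_files "$ROOT_CERT"
fi
```

Run it as `PREFLIGHT_RUN=1 sh preflight.sh` after publishing root.pem and root.crl; a non-zero exit tells you which of the two conditions the MS CA is going to trip over.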
