Cross-Certification for Non-Windows Clients

-

still trying more information on getting sha256 root ca certificate signed sha1 root ca (temporarily), , having non-windows entities recognize that:

creating cross-certification between 2 root ca's within same organization (one hierarchy sha1 , other sha256) and distributing crossca certificate painless enough forest members because gets published ad , comes down forest member certificates store (trusted intermediary).  best way get non-windows end entities recognize crossca certificate?  rfc (http://tools.ietf.org/html/rfc5280#section-4.2.2.1) states can configure aia extension point collection of certificates, means (unless missing something) need modify aia extensions configuration on sha256 root ca point pkcs7 container on http location, issue sha256 subca certificates subordinate ca's.  way when sha256 subordinate ca's issue end entity certificates non-windows entities the chain of trust go sha1 root ca.

both hierarchies 2-tier.

end entity cert sha256 subordinate ca --> http location specifying location of the sha256 subca .crt --> http location specifying location of the exported cross-certification certificate in pkcs7 format (which contains sha256 root ca certificate , sha1 root ca certificate).

does seem correct configuration?  if so, how easy remove configuration when cutover complete?  if correct assume way remove configuration modify aia extension of sha256 root ca , issue new subca certificates sha256 subordinates.

as stated correctly aia url pointing cross ca certificate 1 embedded in certificates of ca subordinate (cross-certified) sha256 ca. certificate common either certificate chain (to short chain w/o cross-certificate , cross-certified one). if http url can point specific file - client can see , use new chain. windows clients should pick shorter chain though (not including cross-certificate) trust sha256 ca's root ca certificate. however, platform / application can apply different logic - prepared different apps. trust both root cas pick 1 chain or other.

make sure application in question check aia urls non-mandatory extension, , (or has been) not common in non-microsoft world. if ssl certificates - here chain distributed part of handshake. not need rely on aia, need make sure web servers send new subordinate ca certificate. example, windows web server having access short chain ending in sha256 root not send cross-certificate , java clients see incomplete chain (i had once encountered issue in scenario bit similar yours).

elke


Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

DCOM received error "2147746132" from...

-
hi everybody, i have dc (my windows essentials 2012 server) , windows 2012 server in network.  the windows server 2012 inside domain. on server, got "non stopping" error says in event logs : ===> dcom received error "2147746132" fromd computer xxxx(my dc computer) while server trying activation : {6df8cb71-153b-4c66-8fc4-e59301b8011b} it never stops, got 11000+ new events :s i found : http://support.microsoft.com/kb/971153/fr i'm not sure should ? does got idea ? matthieu. hi, please try solution mentioned in below link: http://www.eventid.net/display-eventid-10006-source-dcom-eventno-272-phase-1.htm regards, cicely Windows Server  >  Windows Server 2012 General ...
Read more

ADFS 3.0 Event ID 4625 | An Error occurred During Logon | Status: 0xC000035B

-
we're getting these random errors on our adfs security logs, how can track down generating them? an account failed log on. subject: security id: null sid account name: - account domain: - logon id: 0x0 logon type: 3 account logon failed: security id: null sid account name: account domain: failure information: failure reason: an error occured during logon. status: 0xc000035b sub status: 0x0 process information: caller process id: 0x0 caller process name: - network information: workstation name: - source network address: - source port: - detailed authentication information: logon process: kerberos authentication package: kerberos transited services: - package name (ntlm only): - key length: 0 event generated when logon request fails. generated on computer access attempted. subject fields indicate account on local system requested logon. commonly service such server service, or local process such ...
Read more

DFSR RPC replication errors 5014 1726 with large files over VPN

-
i have similar issue ryan in reply http://social.technet.microsoft.com/forums/en-gb/winserverfiles/thread/6d49fd71-2236-4fcb-9763-bf1c03459ee8 cited below. start additional thread here because other 1 related windows server 2003 (r2) , i'm (as ryan) on windows 2008 r2 x64. here first of post ryan: i've got same problem on 2008 r2 dfsr server.  the spoke server has 2x intel 1 gigb on-board nics in active/standby teamed configuration. the hub server (running on vmware using 10gbit vmnet3 nic driver) logs dfsr event 5014 every 2-15mins (usually around 5mins). the spoke server not log event. replication running slowly. initial sync/replication. had re-configure replication folder because of lost dfsr database on spoke server.  could teamed nic on spoke causing error on host? a note: last time did initial sync on folder processed @ 30k files , hour. time it's doing few hundred and hour. another note: hub server has several replication groups , conne...
Read more