DoD Root Certificate Chaining Problem



Similar documents
FBCA Cross-Certificate Remover 1.12 User Guide

Joint Knowledge Online. CAC Login Troubleshooting Guide

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

The IVE also supports using the following additional features with CA certificates:

DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0

Entrust Managed Services PKI

InstallRoot 4.1 User Guide. for Unclassified Systems

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Certificate Request Generation and Certificate Installation Instructions for IIS 5 April 14, 2006

Federal PKI (FPKI) Community Transition to SHA-256 Frequently Asked Questions (FAQ)

Trusting the ECA Certificate Authority in Microsoft Internet Explorer

Entrust Managed Services PKI. Configuring secure LDAP with Domain Controller digital certificates

Integration of Access Security with Cloud- Based Credentialing Services

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

Exchange 2010 PKI Configuration Guide

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Conclusion and Future Directions


Agenda. DoD PKI Operational Status DoD PKI SIPRNET Token. Interoperability Public Key Enablement. Dynamic Access

Cross-Certification and PKI Policy Networking

Department of Defense External Interoperability Plan Version 1.0

DEPARTMENT OF DEFENSE ONLINE CERTIFICATE STATUS PROTOCOL RESPONDER INTEROPERABILITY MASTER TEST PLAN VERSION 1.0

StartCom Certification Authority

Administration Guide ActivClient for Windows 6.2

SSL Interception on Proxy SG

Public Key Infrastructure (PKI) Technical Troubleshooting Guide

Using Two-Factor Authentication Configuration to Combat Cybersecurity Threats

Websense Content Gateway HTTPS Configuration

Driving Safely on Information Highway. April 2006

SECURE USER GUIDE OUTLOOK 2000

How to use Certificate in Outlook Express

ECA IIS Instructions. January 2005

Steps to Troubleshoot Error Your CA is not trusted. Please use a trusted CA

Security certificate management

SSL BEST PRACTICES OVERVIEW

Axway Validation Authority Suite

Certificate Authority Product Overview Technology White Paper

SENDING AND RECEIVING PROTECTED INFORMATION VIA ELECTRONIC MAIL. Naval Medical Center Portsmouth IMD Training Division

Configuring DoD PKI. High-level for installing DoD PKI trust points. Details for installing DoD PKI trust points

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Using etoken for Securing s Using Outlook and Outlook Express

Certificate technology on Pulse Secure Access

Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 15.1

Certificate technology on Junos Pulse Secure Access

Securing VMware View Communication Channels with SSL Certificates TECHNICAL WHITE PAPER

BEA Weblogic Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

2. Each server or domain controller requires its own server certificate, DoD Root Certificates and enterprise validator installed.

TeleTrusT European Bridge CA Status and Outlook

Deploying and Managing a Public Key Infrastructure

Symantec Managed PKI. Integration Guide for ActiveSync

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Understanding the differences in PIV, PIV-I, PIV-C August 23, 2010

Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server.

Outlook Web Access Guide to Installing Root Certificates, Generating CSR and Installing SSL Certificate

Linux Web Based VPN Connectivity Details and Instructions

for esigntrust Personal Secure Enrollment and Generation Guide Operation Guide Microsoft Windows System & Internet Explorer Users

MAC Web Based VPN Connectivity Details and Instructions

Administration Guide Certificate Server May 2013

Two Factor Authentication in SonicOS

TechNote. Contents. Overview. Using a Windows Enterprise Root CA with DPI-SSL. Network Security

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Entrust Managed Services PKI Administrator s Quick Start Guide

TECHNICAL TRACKSNETWORKING ESSENTIALS OPPORTUNISTIC LOCKING

Certificates for computers, Web servers, and Web browser users

UserGuide ReflectionPKIServicesManager

Utilizing the DoD PKI to Provide Certificates for Unified Capabilities (UC) Components. DISA NS2 Capabilities Center November 3, 2011 Revision 1.

wce Outlook Contact Manager Documentation

Application Note Configuring Department of Defense Common Access Card Authentication on McAfee. Firewall Enterprise

Configure SecureZIP for Windows for Entrust Entelligence Security Provider 7.x for Windows

Marriott Enrollment Server for Web User Guide V1.4

OUTLOOK WEB ACCESS (OWA) AND SSL VPN HOME USERS MANUAL

This section includes troubleshooting topics about certificates.

HP Access Control Smartcard Solution

Distributing SMS v2.0

Certificate Management

Course 6426: Configuring and Troubleshooting Identity & Access Solutions With Windows Server 2008 Active Directory Page 1 of 6

6.1.2 Installing AD DS 7:45

Blending FreeIPA in a Certificate Infrastructure

OUTLOOK WEB ACCESS (OWA) AND SSL VPN HOME USERS MANUAL

PC Power Down. MSI Deployment Guide

Smart Card Authentication Client. Administrator's Guide

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Using Entrust certificates with Adobe PDF files and forms

Federal Identity, Credentialing, and Access Management. Personal Identity Verification Interoperable (PIV-I) Test Plan. Version 1.1.

How to use Certificate in Microsoft Outlook

Digital certificates and SSL

Department of Defense SHA-256 Migration Overview

Blue Coat Security First Steps Solution for Controlling HTTPS

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

Secure Messaging Challenge Technical Demonstration

Department of Defense PKI Use Case/Experiences

Configuring Digital Certificates

CA Nimsoft Unified Management Portal

Configuration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Digital Certificates. July 2011 Revision 1.0

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Purpose of PKI PUBLIC KEY INFRASTRUCTURE (PKI) Terminology in PKIs. Chain of Certificates

CAC/PIV PKI Solution Installation Survey & Checklist

Carillon eshop User s Guide

Transcription:

DoD Public Key Enablement (PKE) Information Paper DoD Root Certificate Chaining Problem Contact: PKE_Support@disa.mil URL: http://iase.disa.mil/pki/pke Audience This document is intended for DoD system administrators. Background Department of Defense (DoD) Public Key Enabling (PKE) and Public Key Infrastructure (PKI) Program Management Office (PMO) have received several reports from DoD services about DoD certificates chaining improperly to cross-certificates or the Common Policy Root Certification Authority (CA). When this occurs on DoD systems, PKI validation does not work properly and may result in any of the following: a) DoD user denied access to DoD web sites b) DoD signed emails in Outlook appear invalid c) DoD users experience extensive delays with Outlook or Internet Explorer during validation d) DoD users receive a prompt to install the Common Policy Root CA when opening a signed email of a DoD sender whose workstation is misconfigured Issue The issue is that DoD workstations are not properly configured. Due to DoD information sharing initiatives with Federal and commercial partners, cross-certificates are essential for our partners to be able to validate DoD credentials but can cause problems on DoD systems when one or more of the following conditions exist: a) When the DoD PKI CA certificates are not installed locally in the correct locations, Microsoft CAPI will attempt to build a path to a known issuer (e.g., Common Policy) and will automatically install cross-certificates obtained during path-processing into the user trust store. In addition to an incorrect or failed path, this can also cause significant delays. b) When Microsoft s Root Update Service is not disabled, Microsoft will automatically add the Common Policy self-signed certificates (among others) into the local computer Trusted Root store. This can pose a significant security risk and is a STIG violation. c) When valid certificate chains exist to both the DoD Root CA 2 and Common Policy Root CA, Microsoft will prefer the path to the Common Policy Root CA. 1

Resolution DoD PKE recommends the following resolution: a) DoD Root and subordinate/intermediate certificates should be installed on all DoD systems in the appropriate locations. Administrators should either use InstallRoot or other approved method of distribution (such as GPO). This will prevent Microsoft from trying to build a path to a known issuer since all required certificates are present locally. Appendix A provides additional details on proper certificate locations. b) Microsoft s Root Update service should be disabled on all DoD systems (through GPO when possible) which will prevent Common Policy and other certificates from being added to the local computer trusted root store through Microsoft Root Update service. c) The following cross-certificates should be removed from the local computer and user Intermediate Certification Authorities store. Common Policy Entrust (FBCA) cross-certificate 1 (Revoked) Common Policy Entrust (FBCA) cross-certificate 2 Entrust (FBCA) IRCA cross-certificate IRCA DoD Root CA 2 cross-certificate d) The following self-signed certificates should be removed from the local computer and user Trusted Root Certification Authorities store. Entrust (FBCA) self-signed certificate * DoD PKE has developed an executable which will automatically remove the specified certificates above. Certificate details and executable information are included in Appendix B. 2

Appendix A: DoD Certificate Installation DoD Administrators should ensure that: 1. Local Computer Trusted Root Certification Authorities store contains DoD self-signed certificates (DoD Root CA 2, dod ocsp ss, etc) 2. Local Computer Intermediate Certification Authorities store should contain all DoD PKI intermediate and subordinate CA certificates. InstallRoot should be run with Administrator privileges and will add the certificates in the proper locations. InstallRoot is available from one of the following locations: PKE on DKO: https://www.us.army.mil/suite/page/474113 under Downloads Dodpke.com https://www.dodpke.com/installroot/ The GPO distribution Quick Reference Guide, DoD PKE QRG-Deploying DoD PKI CA Certificates using Microsoft GPOs_v1 is available from the location below: PKE on DKO: https://www.us.army.mil/suite/page/474113 under Knowledge Base Server Microsoft Active Directory 3

Appendix B: Certificates to be Removed DoD Administrators with workstations affected by this issue should remove the certificates below either with the DoD PKE tool or some other means. The DoD PKE FBCA Cross-Certificate Removal Tool is available from the following location: PKE on DKO: https://www.us.army.mil/suite/page/474113 under Downloads The following cross-certificates should be removed from the Local Computer and User Intermediate Certification Authority store: Common Policy Entrust (FBCA) cross-certificate Subject: OU=FBCA, OU=FBCA,O=U.S. Government,C=us Issuer: OU=Common Policy,OU=FBCA,O=U.S. Government,C=us Serial # 18 cc d6 6b 00 01 00 00 00 6f Valid To: Thursday, April 23, 2015 9:20:26 AM Common Policy Entrust (FBCA) cross-certificate (Revoked) Subject: OU=FBCA, OU=FBCA,O=U.S. Government,C=us Issuer: OU=Common Policy,OU=FBCA,O=U.S. Government,C=us Serial # 62 fa 21 6f 00 01 00 00 00 56 Valid To: Friday, March 21, 2014 12:25:49 PM Entrust (FBCA) IRCA cross-certificate Subject: CN=DoD Interoperability Root CA 1,OU=PKI,OU=DoD,O=U.S. Government,C=US Issuer: OU=Entrust,OU=FBCA,O=U.S. Government,C=US Serial # 45 1d e5 23 Valid To: Friday, December 31, 2010 12:00:00 AM IRCA DoD Root CA 2 cross-certificate Subject: CN=DoD Root CA 2, OU=PKI,OU=DoD,O=U.S. Government,C=US Issuer: CN=DoD Interoperability Root CA 1,OU=PKI,OU=DoD,O=U.S. Government,C=US Serial # 0C Valid To: Thursday, March 03, 2011 10:22:43 AM The following self-signed certificate(s) should be removed from the Local Computer and User Trusted Root Certification Authority store: Entrust (FBCA) self-signed certificate Subject: OU=Entrust,OU=FBCA,O=U.S. Government,C=US Issuer: OU=Entrust,OU=FBCA,O=U.S. Government,C=US 4

Serial # 45 1d e1 72 Valid To: Tuesday, December 31, 2013 11:04:51 AM 5

Appendix B: Certificate Chain Screen Shots Desired Chain 6

Bad Chain # 1 7

Bad Chain #2 8

Bad Chain #3 9

Bad Chain #4 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information