
I have a website running on Windows Server 2012 with IIS. Users are authenticated using client certificates.

I used to issue client certificates using Certificate Authority MMC snap-in.

Since the number of users is growing rapidly, I am now creating client certificates in batch, using the BouncyCastle library and a little C# code. I believe that I could also have done this using Makecert or OpenSSL.

In these certificates I am setting the revocation list entries to the same values that the Certificate Authority snap-in uses.

IIS accepts these certificates just fine.

My question relates to certificate revocation. The client certificates that were issued on the server can easily be revoked using the MMC snap-in, but suppose I need to revoke one of these new certificates. Although IIS accepts these certificates, it does not have any record of them, so apparently I can't revoke them using the Certificate Authority snap-in. Furthermore, there appears to be no way to import these certificates so that they show up in the Certificate Authority snap-in.

So what is the best way to go about this? Do I need to set up a revocation list (CRL) somewhere else for these certificates?

  • CryptoGuy's answer and comments made me realize that any procedure to create client certificates without any user interaction for each individual certificate would be fine. User interaction would be time consuming and error prone. If I could make the Windows CA issue certificates in bulk, that would be ideal, since that would solve any administrative and revocation issues. – H. den Breejen Feb 03 '15 at 13:57
  • I'd rather not have all these users in Active Directory. CryptoGuy's answer did help me a lot to better understand the options. Still hoping for an alternative approach. – H. den Breejen Feb 04 '15 at 11:57

1 Answer


You are doing it wrong. If you use a Windows CA to issue certificates, then only the Windows CA should sign certificates with that particular CA certificate and key pair. You are compromising your PKI by using OpenSSL and 3rd-party libraries to sign client certificates with the Windows CA certificate, because you violate the RFC 5280 §4.1.2.2 requirement: a CA must keep a record of issued certs and enforce some restrictions, for example serial number uniqueness.

Also it may lead to a policy inconsistency and, of course, an inability to provide revocation means for certificates signed by OpenSSL.

It doesn't matter what tool you use to generate and sign requests, but only one application shall use a particular CA certificate to sign other certificates, store them in a database and sign CRLs. There might be workarounds, but none will be supported.

If your users reside in Active Directory, then you should utilize certificate autoenrollment functionality to automate certificate issuance tasks.

Crypt32
  • Thanks. IIS appears to use random serial numbers, and this is what I've done too. Since this is a large number, I expect these to be sufficiently unique. I understand that uniqueness is required by RFC5280, but I believe that this does not imply the need for some central issuer. – H. den Breejen Feb 03 '15 at 10:11
  • Certificate serial number uniqueness is not the only reason why you should not do what you are trying to do. You are not tracking issued certificates and do not have control over certificate revocation. You will not pass any audit with this design and you will be out of support. – Crypt32 Feb 03 '15 at 10:43
  • I do intend to track the certificates I am creating. I'd prefer to use standard Windows features for this. Is this possible? If not, I will look into doing tracking in some custom way. I've thought of revocation, which I could do if necessary using a CRL that I maintain. And of course I will have some record of the certificates issued. Would an auditor require anything else, then? – H. den Breejen Feb 03 '15 at 12:15
  • Windows CA automatically stores all issued certificates in its database. Use your Windows CA to take care of issued certificates and you will be fine. – Crypt32 Feb 03 '15 at 12:47
  • I need to create client certificates in bulk. There can be no user interaction for each certificate, because this would be time consuming and error prone. Do you know of a way I could do this with the standard Windows CA? That would be a nice solution to my problem. Having to write some code is no problem. Perhaps I should rephrase the original question accordingly. – H. den Breejen Feb 03 '15 at 13:46
  • It is possible by using certificate autoenrollment. My original reply has a link to the autoenrollment description. – Crypt32 Feb 03 '15 at 15:59
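As an added example (not code from the original question or answer): the bulk, no-interaction issuance the asker wants, done through the existing Windows CA with the built-in certreq and certutil tools rather than by signing with the CA key from BouncyCastle. Because the CA itself issues each certificate, every one is recorded in the CA database, shows up in the Certification Authority snap-in, and can be revoked there or from the command line, and the CRL the CA already publishes covers it. The CA config string `CAHOST\Example-CA`, the user list, the subject format and the standalone-CA "pend by default" behaviour are assumptions; adjust them to your environment. Run from an elevated PowerShell session as a CA administrator on a machine that can reach the CA.

```powershell
# Added example, not from the original post. Hypothetical values throughout.
$CaConfig = 'CAHOST\Example-CA'          # assumed: "<CA host>\<CA common name>"
$Users    = @('alice', 'bob', 'carol')   # constructed sample user list
$WorkDir  = Join-Path $env:TEMP 'bulkcerts'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

function New-ClientCertRequest {
    param([string]$User, [string]$Dir)
    # certreq -new INF: PKCS#10 request, 2048-bit RSA, Client Authentication EKU.
    # The key is generated in the current user's store on this machine and is
    # marked exportable so it can later be handed to the user as a PFX.
    $inf = @"
[NewRequest]
Subject = "CN=$User,O=Example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@
    $infPath = Join-Path $Dir "$User.inf"
    $reqPath = Join-Path $Dir "$User.req"
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    certreq -new $infPath $reqPath | Out-Null
    return $reqPath
}

function Submit-ClientCertRequest {
    param([string]$ReqPath, [string]$CerPath)
    # Submit to the CA. A standalone CA pends requests by default, so approve
    # the pended request with -resubmit (needs CA admin) and then retrieve it.
    $out = certreq -submit -config $CaConfig $ReqPath $CerPath 2>&1 | Out-String
    $m = [regex]::Match($out, 'RequestId:\s*(\d+)')
    if (-not $m.Success) { throw "certreq -submit failed: $out" }
    $id = [int]$m.Groups[1].Value
    if ($out -match 'pending') {
        certutil -config $CaConfig -resubmit $id | Out-Null
        certreq -retrieve -config $CaConfig $id $CerPath | Out-Null
    }
    # Bind the issued certificate to its private key in the requester's store.
    certreq -accept $CerPath | Out-Null
    return $id
}

foreach ($u in $Users) {
    $req  = New-ClientCertRequest -User $u -Dir $WorkDir
    $cer  = Join-Path $WorkDir "$u.cer"
    $id   = Submit-ClientCertRequest -ReqPath $req -CerPath $cer
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    '{0,-8} RequestId={1,-4} Serial={2}' -f $u, $id, $cert.SerialNumber
}

# Check: each certificate is now in the CA database (Disposition 20 = Issued),
# which is exactly the record the snap-in needs in order to revoke it.
certutil -config $CaConfig -view -restrict 'Disposition=20' -out 'RequestID,SerialNumber,CommonName'

# Revocation is then a CA operation keyed by serial number (reason codes:
# 1 = KeyCompromise, 4 = Superseded, 6 = CertificateHold), followed by
# publishing a fresh CRL to the CDP the CA snap-in already advertises:
#   certutil -config $CaConfig -revoke $cert.SerialNumber 4
#   certutil -config $CaConfig -CRL
```

The private keys are generated on the machine running the script, so this suits the asker's "no user interaction" requirement but means the keys pass through the administrator's hands; export each as a password-protected PFX (for example `certutil -user -exportPFX -p <password> My <serial> <file>.pfx`) and deliver it out of band, or have users generate their own requests and only submit those in bulk. Either way the CA, not a separate tool, assigns the serial number and signs, which is the point the answer makes about RFC 5280 and about keeping revocation possible.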