
I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by all internal clients and servers.

For signing the client certificates, I want to create an intermediate that can do only that: signing client certificates. Specifically, I don't want it to be possible to sign server certificates with this intermediate (the reason being that the intermediate by necessity has to be on an online system, and I want to limit the possible damage in case it gets breached).

Is this even possible?

Roel Harbers

2 Answers


If you create the intermediate CA with only the client auth certificate EKU (1.3.6.1.5.5.7.3.2) then even if a template got altered to allow it to endorse server auth certificates they would fail a chain walk.

On Windows this would report an error with the leaf/EE certificate with status CERT_TRUST_IS_NOT_VALID_FOR_USAGE (or, in .NET, X509ChainStatusFlags.NotValidForUsage).

bartonjs
  • Isn't 1.3.6.1.5.5.7.3.2 something that's set in the actual client certificates, not the intermediate? – Roel Harbers Apr 03 '17 at 12:10
  • Usually it's omitted from the CA chain, making them "valid for all purposes". But you can constrain them. The CA/Browser Forum Baseline Requirements even talk about it: "... For a Subordinate CA Certificate to be considered Technically Constrained, the certificate MUST include an Extended Key Usage (EKU) extension specifying all extended key usages that the Subordinate CA Certificate is authorized to issue certificates for." (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf, 7.1.5) – bartonjs Apr 03 '17 at 14:37

With AD integrated CAs you can specify the Certificate Templates, which a CA is allowed to issue. So, yes you can.

But note: Certificate Templates are stored in Forest Root. Thus the Forest Root admin can change the available certificate templates! The domain admin or local admin of the sub CA can change the templates provided by the sub CA. Thus you should in addition set the access rights on the templates accordingly.

cornelinux
  • Can you provide more information or a link to how to set which templates a CA can issue? I haven't found anything in the Enterprise PKI snap-in. – duct_tape_coder Dec 05 '19 at 20:54
  • https://blogs.technet.microsoft.com/askds/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates/ – cornelinux Dec 08 '19 at 17:22