Custom CA Configuration

  • Article

Applies To: Windows Server 2003 with SP1

This section highlights various custom configuration scenarios that may be employed with a Windows Server 2003 certification authority to achieve various operational environment requirements. Various scenarios may apply differently to stand-alone or enterprise CAs.

Ignore Offline CRL Errors on the CA

Normally, a Windows Server 2003 CA will always check revocation on all certificates in the PKI hierarchy (except the root CA certificate) before issuing an end-entity certificate. To disable this feature, use the following command on the CA, and then restart the CA service:

certutil –setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

Configure Serial Number Generation

In a Windows 2000 CA, two types of fixed-length serial numbers are generated. The registry can be modified to generate one or the other type. The default serial number is (from high to low): a DWORD from GetTickCount() + a USHORT CA cert index (0 to start) + a DWORD RequestId (10 bytes/20 hexadecimal digits). The alternate form is: one byte derived from the registry + a DWORD RequestId + 8 bytes of CryptGenRandom output + a USHORT CA cert index + a DWORD RequestId (19 bytes/38 hexadecimal digits).

To enable the alternate form and set the byte derived from the registry, use the following command:

certutil –setreg ca\HighSerial 0x33

The byte value specified will be modified to clear the sign bit and to set a bit in the high nibble to work around serial number encoding ambiguity bugs in certain non-Microsoft PKI applications.

In a Windows Server 2003 CA, three types of fixed-length serial numbers are generated. The default and alternate forms are the same as in Windows 2000. The Windows 2000 alternate form uses a new random 8 bytes generated by CryptGenRandom for each serial number. The new alternate form for Windows Server 2003 uses a fixed random 8 bytes from CryptGenRandom, generated during the first attempt to issue a certificate, and saved in the registry as 8 bytes of fixed CryptGenRandom output + a USHORT CA cert index + a DWORD RequestId (14 bytes/28 hexadecimal digits).

To enable the new alternate form in the registry, use the following command:

certutil –setreg ca\HighSerial 0xffffffff

Since the fixed random 8 bytes from CryptGenRandom are encoded as a string and saved in the registry, you could set them directly and cause them to be used for new serial numbers. In fact, any length hexadecimal string could be set in the registry (but there must be an even number of digits). The number of bytes used from the registry will be reduced if it would overflow a total of 19 bytes for the serial number. The high byte is manipulated as described previously to avoid problems with certain non-Microsoft applications. The IETF standards specify a maximum of 20 byte serial numbers.

CA Key Usage

Normally, a stand-alone CA certificate will contain digital signature, Certificate Signing, and CRL Signing as key usage values. For a stand-alone CA to issue a subordinate CA certificate without the digital signature key usage value, the following command must be performed on the stand-alone CA and the CA service restarted before the subordinate CA request is issued:

certutil -setreg policy\EditFlags -EDITF_ADDOLDKEYUSAGE

Note

Enterprise CAs enforce the key usage based on the subordinate CA template settings.

Disable DN Length Enforcement

The original CCITT spec for the OU field says it should be limited to 64 characters. Normally, the CA enforces x.500 name length standards on the subject extension of certificates for all requests. It is possible that deep OU paths may exceed normal length restrictions.

To disable name length enforcement, run the following command on the CA, and then restart the CA service:

certutil -setreg ca\EnforceX500NameLengths 0

To restore the default setting, run the following command on the CA, and then restart the CA service:

certutil -setreg ca\EnforceX500NameLengths 1

Maintaining the CA Database

Windows Server 2003 allows certificate records to be purged manually through certutil.exe should the need arise to remove expired certificate records. The certutil.exe –deleterow command may be used for this task. Only a local administrator may delete multiple rows from a CA database. Standard JET database tools such as ESEUTIL.EXE may also be used with the certificate server database to perform defragmentation maintenance, and so on. For additional information, see the Windows Server 2003 help files.

Securing DCOM Interfaces

The Windows Server 2003 CA does not enforce encryption on the ICertRequest or ICertAdmin DCOM interfaces by default. Normally, this setting is not required except in special operational scenarios and should not be enabled. Only Windows Server 2003 machines by default support DCOM encryption on these interfaces. For example, Windows XP clients will not by default enforce encryption on certificate request to a Windows Server 2003 CA.

To enable encryption to be forced, perform the following procedures from the command line:

certutil -setreg ca\InterfaceFlags [+|-]IF_ENFORCEENCRYPTICERTREQUEST 
certutil -setreg ca\InterfaceFlags [+|-]IF_ENFORCEENCRYPTICERTADMIN