Suite B PKI Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

This guide describes procedures for deploying a Suite B–compliant public key infrastructure (PKI) on computers running Windows Server 2008 or Windows Server 2008 R2 in a test environment.

In this guide

  • Suite B cryptography overview

  • Installing a Suite B–compliant CA

    • Customizing CA installation by using CAPolicy.inf (Windows Server 2008 only)

    • Installing a CA

  • Configuring CA encryption settings

  • Creating Suite B–compliant certificate templates

  • Resolving known issues

Suite B cryptography overview

Suite B is a set of cryptographic algorithms specified by the National Security Agency (NSA) as part of an effort to modernize information assurance capabilities. Suite B algorithms are intended to be used to secure unclassified information and most classified information. For more information about the Suite B specifications, see NSA Suite B Cryptography on the NSA Web site (https://go.microsoft.com/fwlink/?LinkID=136550).

A Suite B–compliant PKI issues certificates that use only Suite B algorithms. Support for Suite B algorithms was introduced in Windows Vista, and certification authority (CA) support for Suite B algorithms was introduced in Windows Server 2008.

The Suite B algorithms are described in the following table.

Algorithm type     Algorithm                                            Secret level     Top Secret level
Encryption         Advanced Encryption Standard (AES)                   128 bits         256 bits
Key Exchange       Elliptic Curve Diffie-Hellman (ECDH)                 256-bit curve    384-bit curve
Digital Signature  Elliptic Curve Digital Signature Algorithm (ECDSA)   256-bit curve    384-bit curve
Hashing            Secure Hash Algorithm (SHA)                          SHA-256          SHA-384

Installing a Suite B–compliant CA

The first step for deploying a PKI in Windows is to install the root CA. This guide describes a root CA that is also an enterprise CA, which issues end-entity certificates to users and computers. For an issuing CA, an enterprise CA is recommended because it can be integrated with Active Directory Domain Services (AD DS). However, it is a best practice for root CAs to be offline, stand-alone CAs rather than enterprise CAs. The Suite B PKI described in this guide is for example purposes only.

Customizing CA installation by using CAPolicy.inf (Windows Server 2008 only)

During installation of an enterprise CA, several certificate templates for common certificate types are added to AD DS. However, none of the default certificate templates specify Suite B algorithms.

Important

If your organization's security policy requires assurance of Suite B compliance, you should prevent default certificate template installation by using a CAPolicy.inf file to customize your CA installation.
If you are setting up a test environment and your security policy allows it, skip this section to allow default template installation in order to simplify the remaining certificate template configuration procedures. If default templates are installed, they can be easily duplicated and modified to use Suite B algorithms.

If the default templates are not installed, certificate templates must be manually created for all certificate types you plan to issue. Creating certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information, see Creating Certificate Templates.

To prevent default certificate template installation, create a CAPolicy.inf file and save it in the %SystemRoot% directory before beginning CA installation. The [Certsrv_Server] section in the following example includes the line LoadDefaultTemplates=False to prevent default templates from being added to AD DS during CA installation.

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
LoadDefaultTemplates=False

When installing a Suite B–compliant CA on a computer running Windows Server 2008 R2, default certificate templates are not added to AD DS. Therefore, it is not necessary to use a CAPolicy.inf file to prevent default template installation. However, a CAPolicy.inf file can be used to customize CA installation.

Several CA settings can be specified by using a CAPolicy.inf file. For more information about the format and syntax used to create a CAPolicy.inf file, see "Creating an issuer policy statement for the CA" in Installing and Configuring a Certification Authority (https://go.microsoft.com/fwlink/?LinkId=182479).

Installing a CA

To install a CA in Windows Server 2008 or Windows Server 2008 R2, the Active Directory Certificate Services (AD CS) server role must be added to the server by using Server Manager.

To install a CA

  1. Log on as a member of the Enterprise Admins group.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the console tree, click Roles.

  4. In the details pane, click Add Roles. The Add Roles Wizard appears. On the Welcome page, click Next.

  5. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.

  6. On the Introduction to Active Directory Certificate Services page, click Next.

  7. On the Select Role Services page, select Certification Authority, and then click Next.

  8. On the Specify Setup page, select Enterprise, and then click Next.

  9. On the Specify CA Type page, select Root CA, and then click Next.

Note

This guide describes a root CA that is also an enterprise CA, which issues end-entity certificates to users and computers. However, it is a best practice for root CAs to be offline, stand-alone CAs rather than enterprise CAs. The Suite B PKI described in this guide is for example purposes only. For more information on designing a PKI, see Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure.

  10. On the Set Up Private Key page, select Create a new private key, and then click Next.

  11. On the Configure Cryptography for CA page, select the following options, and then click Next:

    • For CSP, select ECDSA_P256#Microsoft Software Key Service Provider.

    • For Key Character Length, select 256.

    • For the Hash Algorithm, select SHA256.

Note

For Suite B compliance, the ECDSA_P384#Microsoft Software Key Service Provider cryptographic service provider (CSP), 384 key character length, and SHA384 hash algorithm can be selected if the level of classification desired is Top Secret. Use the settings required by your organization for the classification level of the data you are protecting. ECDSA_P521 is also available, although it is not part of the Suite B specification.

  12. On the Configure CA Name page, type a common name for the CA. The distinguished name suffix will automatically be set to the domain that the CA server is a member of. This field can also be changed, if necessary. Click Next.

  13. On the Set Validity Period page, set the desired validity period, and then click Next.

  14. On the Configure Certificate Database page, either accept the default locations for the CA database and log files or define alternate locations. Click Next.

  15. Review the information on the Confirm Installation Selections page, and then click Install.

  16. Review the Installation Results page for messages.

Configuring CA encryption settings

To ensure Suite B compliance for key archival operations, it is necessary to configure the CA encryption settings to use Suite B algorithms. Even if you do not plan to implement key archival at this time, we recommend completing the necessary configuration so that your CA is Suite B compliant if key archival operations are implemented at another time.

For more information about key archival, see Key Archival and Management in Windows Server 2008.

The following CA encryption settings are used for key archival operations and must be configured to use Suite B algorithms:

  • Encryption algorithm

  • Symmetric key size

  • Public key algorithm

  • Public key size

To configure these items for Suite B compliance, start an elevated command prompt on the CA, type each of the following commands, and press ENTER. The CA service must be restarted after completing the commands.

certutil -setreg ca\EncryptionCSP\CNGEncryptionAlgorithm AES
certutil -setreg ca\EncryptionCSP\SymmetricKeySize 128
certutil -setreg ca\EncryptionCSP\CNGPublicKeyAlgorithm ECDH_P256
certutil -setreg ca\EncryptionCSP\KeySize 256
net stop certsvc
net start certsvc

Note

The key sizes are provided for example purposes. Use the settings required by your organization for the classification level of the data you are protecting. The AES symmetric key size can also be 256 and the public key algorithm can be ECDH_P384.
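The following PowerShell script is an added example (not part of this guide) that reads back the EncryptionCSP values the certutil commands above write and reports whether they match the Suite B settings for the Secret or Top Secret level. It assumes it is run on the CA itself with rights to read the CertSvc configuration registry key.

```powershell
# Added example, not part of the guide: read back the EncryptionCSP values that
# the certutil -setreg commands above write and compare them with the Suite B
# settings for the Secret and Top Secret levels. Assumes it runs on the CA
# itself with rights to read the CertSvc configuration registry key.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$csp = Get-ItemProperty -Path (Join-Path $cfgKey "$caName\EncryptionCSP")

# Expected values per classification level (from the algorithm table and the note above)
$levels = @{
    'Secret'     = @{ CNGEncryptionAlgorithm = 'AES'; SymmetricKeySize = 128
                      CNGPublicKeyAlgorithm = 'ECDH_P256'; KeySize = 256 }
    'Top Secret' = @{ CNGEncryptionAlgorithm = 'AES'; SymmetricKeySize = 256
                      CNGPublicKeyAlgorithm = 'ECDH_P384'; KeySize = 384 }
}

# Values currently stored for the CA (a missing value reads as '' or 0 and fails the check)
$actual = @{
    CNGEncryptionAlgorithm = [string]$csp.CNGEncryptionAlgorithm
    SymmetricKeySize       = [int]$csp.SymmetricKeySize
    CNGPublicKeyAlgorithm  = [string]$csp.CNGPublicKeyAlgorithm
    KeySize                = [int]$csp.KeySize
}

"CA: $caName"
foreach ($name in ($actual.Keys | Sort-Object)) { "  {0,-24} {1}" -f $name, $actual[$name] }

# A level matches only when all four values agree with it
$matched = foreach ($level in $levels.Keys) {
    $expected = $levels[$level]
    $bad = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })
    if ($bad.Count -eq 0) { $level }
}

if ($matched) {
    "Key archival settings are Suite B compliant ($matched level)."
} else {
    "Key archival settings are NOT Suite B compliant; apply the certutil -setreg commands above."
}
# The CA service reads these values at start-up, so a change is not effective
# until certsvc has been restarted (net stop certsvc / net start certsvc).
"certsvc status: $((Get-Service certsvc).Status)"
```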

Creating Suite B–compliant certificate templates

In a Suite B–compliant PKI, all issued certificates must be Suite B compliant. Because none of the default certificate templates use Suite B algorithms, you must create a new certificate template for each type of certificate you plan to issue. Use a version 3 certificate template and specify Suite B algorithms.

If the default templates are not installed, certificate templates must be manually created for all certificate types you plan to issue. Creating certificate templates requires that you have the required information and technical understanding to configure all required certificate template properties. For more information, see Creating Certificate Templates.

Alternatively, the following procedure can be used if the default certificate templates are installed.

To create a Suite B–compliant certificate template by using Server Manager

  1. In the Server Manager console tree, expand Roles, expand Active Directory Certificate Services, and then click Certificate Templates.

  2. In the details pane, select the certificate template for a type of certificate you plan to issue. Right-click the template, and then click Duplicate Template. Select Windows Server 2008, Enterprise Edition, and then click OK.

  3. On the General tab, type a name for the new template, and select the desired periods from the Validity and Renewal lists.

  4. On the Cryptography tab, define the algorithm and key size to be used when requesting this certificate. In the Algorithm name list, select ECDH_P256, and in the Minimum key size list, type 256. In the Request hash list, select SHA256. (Alternatively, a key size of 384 can be specified for each cryptography setting.)

  5. Optionally, specify a cryptographic provider. Under Choose which cryptographic providers can be used for requests, select Requests must use one of the following providers, and then select any installed provider that supports the specified algorithm and key size.

  6. Click the Extensions tab. In Key Usage extension, click Allow key exchange without key encryption (key agreement). Click OK twice.

Resolving known issues

Enterprise CAs running on Windows Server 2008 cannot issue Suite B–compliant CA certificates based on version 2 or version 3 certificate templates

In AD CS on Windows Server 2008, when a version 2 or version 3 certificate template is created, the value of the msPKI-Minimal-Key-Size attribute is automatically set to 2048. This setting cannot be changed.

Although this setting does not technically apply to Elliptic Curve Cryptography (ECC) keys, because of a known issue, an enterprise CA running on Windows Server 2008 rejects certificate requests that contain ECC keys and returns the following error message:

"The public key does not meet the minimum size requirement by the specified certificate template. 0x80094811 (-2146875375)"

This does not occur when the default version 1 template is used. This is a known issue in Windows Server 2008 only. This is not an issue in Windows Server 2008 R2.

Resolution

There are three options to resolve this issue:

  • Use the default version 1 subordinate CA certificate template instead of version 2 or version 3 certificate templates. To use the default template, do not specify a value for the CertificateTemplate attribute in the subordinate CA's CAPolicy.inf file during CA installation.

  • Use a standalone CA instead of an enterprise CA to issue subordinate CA certificates.

  • Upgrade your issuing CA to Windows Server 2008 R2.
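The following PowerShell function is an added example (not part of this guide) that reads a certificate template from AD DS and reports the algorithm, hash and minimum key size set by the template procedure above, together with the template schema version that the known issue depends on. It assumes a domain-joined computer with read access to the Configuration partition; the template name SuiteBUser is a placeholder.

```powershell
# Added example, not part of the guide: read a certificate template from AD DS
# and report the settings the template procedure configures (algorithm, hash,
# minimum key size) together with the schema version, so that the version 2/3
# template condition of the known issue can be seen before requests fail.
# Assumes a domain-joined computer with read access to the Configuration
# partition; 'SuiteBUser' is a placeholder template name.
function Test-SuiteBTemplate {
    param([Parameter(Mandatory = $true)][string]$TemplateName)

    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = [ADSI]"LDAP://$dn"

    $schema = [int]$tpl.Get('msPKI-Template-Schema-Version')
    $minKey = [int]$tpl.Get('msPKI-Minimal-Key-Size')

    # Version 3 templates store the CNG settings as name`type`value triplets
    # (backtick separated) in msPKI-RA-Application-Policies.
    $crypto = @{}
    try {
        $raw = @($tpl.Get('msPKI-RA-Application-Policies')) -join ''
        $fields = $raw -split '`'
        for ($i = 0; $i + 2 -lt $fields.Count; $i += 3) { $crypto[$fields[$i]] = $fields[$i + 2] }
    } catch { }   # attribute absent on templates that carry no CNG settings

    $asym = $crypto['msPKI-Asymmetric-Algorithm']
    $hash = $crypto['msPKI-Hash-Algorithm']

    # Suite B pairs a P-256 curve with SHA-256 and a P-384 curve with SHA-384
    # (see the algorithm table at the top of the guide).
    $suiteB = ($asym -match '^ECD(H|SA)_P(256|384)$') -and ($hash -eq "SHA$($Matches[2])")

    "Template : $TemplateName (schema version $schema)"
    "Algorithm: $asym   Hash: $hash   msPKI-Minimal-Key-Size: $minKey"
    if ($suiteB) { "Suite B cryptography: yes" } else { "Suite B cryptography: NO" }
    if ($suiteB -and $schema -ge 2) {
        "Note: version $schema template with an ECC key. On a Windows Server 2008 enterprise CA"
        "this is the configuration that returns 0x80094811 for CA certificate requests (see above)."
    }
}

Test-SuiteBTemplate -TemplateName 'SuiteBUser'   # placeholder; use your own template name
```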

CAs running on Windows Server 2003 cannot issue CA certificates that use Suite B algorithms

Because Windows Server 2003 does not have support for Suite B algorithms, a CA running on Windows Server 2003 cannot issue certificates that use Suite B algorithms. Therefore, you cannot use a CA running on Windows Server 2003 to issue a CA certificate to a subordinate CA that is Suite B–compliant.

Resolution

The only resolution is to upgrade the issuing CA's operating system to Windows Server 2008 or Windows Server 2008 R2. Of the two operating systems, Windows Server 2008 R2 provides better support for Suite B PKI.