CRL and AIA CDP in certificates exposes internal AD configuration information


Dean

In "Best Practices for Implementing a Microsoft Windows Server 2003
Public Key Infrastructure"
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx),
the scripts show us how to publish CA certs and CRLs using HTTP and
LDAP paths:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%myhttpPKIvroot%/%%3%%8%%9.crl\n10:ldap://%myLDAPserver%/CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%myhttpPKIvroot%/%%1_%%3%%4.crt\n2:ldap://%myLDAPserver%/CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

In the LDAP path, the token %6 shows the AD Configuration Container. If my AD
name space is "DC=company_name, DC=internal" instead of
"DC=company_name, DC=com", my private AD name space will be exposed to
external parties if we issue certificates to them.

According to the best practice recommendation in this document, we
should avoid including the internal organization name in the CRL. I
understand that using only an HTTP CDP can avoid this problem. My question is,
if I want to keep the LDAP path for the CDP in issued certificates, is
there any other way not to use the "%6" token in CA AIA and CRL
publishing? Is it a serious problem?

Could Microsoft folks, especially David Cross, give me some
explanations here? I really appreciate it.

Thanks,

Dean
 

David Cross [MS]

Note that the %6 replacement token typically starts with
"CN=Configuration,DC=..." It's certainly reasonable to replace the %6 with
any other valid, accessible sequence that could be resolved in your
environment.

I think we may have generally overstated the potential risk that customers
may or may not be exposed through an LDAP path in certificates. I think we
really wanted to note a potential decision point that each organization has
to evaluate based on risks, threats, etc.
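As an added illustration (not code from the thread, from Microsoft's document, or from David Cross), the Python script below expands the certutil tokens in the LDAP CDP entry of the script above, once with the default %%6 (the private Configuration DN) and once with a hard-coded DN under the public zone substituted for %%6, and flags any ldap:// URL whose DC= components name a zone the organization does not publish. The token values, CA names and the public DN are assumptions; whether such a DN actually resolves from outside is the deployment question the thread leaves open.

```python
import re

# certutil %N replacement tokens, written %%N in the batch script above.
# Values are constructed for illustration; they are not from the thread.
TOKENS = {
    "1": "ca01.company_name.internal",  # ServerDNSName
    "2": "ca01",                         # ServerShortName
    "3": "CompanyIssuingCA",             # CaName
    "4": "",                             # CertificateName (renewal suffix)
    "6": "CN=Configuration,DC=company_name,DC=internal",  # ConfigDN
    "7": "CompanyIssuingCA",             # CATruncatedName
    "8": "",                             # CRLNameSuffix
    "9": "",                             # DeltaCRLAllowed
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "11": "?cACertificate?base?objectClass=certificationAuthority",
}

# The LDAP CDP entry from the thread's script, without its "10:" flag prefix.
CDP_TEMPLATE = ("ldap://%myLDAPserver%/CN=%%7%%8,CN=%%2,"
                "CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")

def expand(template, tokens):
    """Substitute %%N tokens as certutil does (longest digit run wins)."""
    return re.sub(r"%%(\d+)", lambda m: tokens.get(m.group(1), m.group(0)), template)

def dns_from_dn(text):
    """Rebuild the DNS zone implied by the DC= components of an LDAP path."""
    return ".".join(re.findall(r"DC=([^,/?]+)", text, flags=re.I))

def leaks_internal_namespace(url, public_zones):
    """True when an ldap:// URL names a DC= zone the organization does not publish."""
    if not url.lower().startswith("ldap://"):
        return False
    zone = dns_from_dn(url).lower()
    return bool(zone) and zone not in {z.lower() for z in public_zones}

# Default: %%6 expands to the private Configuration DN, so the CDP leaks it.
default_url = expand(CDP_TEMPLATE, TOKENS)

# Replacement: a DN under the public zone in place of %%6 (assumed to exist
# and be reachable; whether it resolves externally is what the thread asks).
PUBLIC_CONFIG_DN = "CN=Configuration,DC=company_name,DC=com"
public_url = expand(CDP_TEMPLATE.replace("%%6", PUBLIC_CONFIG_DN), TOKENS)

if __name__ == "__main__":
    for url in (default_url, public_url):
        print(leaks_internal_namespace(url, {"company_name.com"}), url)
```

The same check can be run over the CDP and AIA URLs of already-issued certificates to find ones that carry the private namespace.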
 

Dean

David Cross said:
Note that the %6 replacement token typically starts with
"CN=Configuration,DC=..." It's certainly reasonable to replace the %6 with
any other valid, accessible sequence that could be resolved in your
environment.

I think we may have generally overstated the potential risk that customers
may or may not be exposed through an LDAP path in certificates. I think we
really wanted to note a potential decision point that each organization has
to evaluate based on risks, threats, etc.

Thanks David. Your answer is very helpful. I really appreciate it.
Could you give me a simple example that shows a "valid, accessible
sequence that could be resolved in your environment" with LDAP URL.
That is what I am struggling with now.

If my private LDAP path looks like "....CN=Configuration,DC=...", how can
it be resolved with another LDAP path by the public? Besides, if I find
a publicly accessible LDAP path for my private AD, do I have to open
firewall ports to LDAP?

Thanks,

Dean
 
