standalone CA customized certificate

sunil

Hi,

I am running Windows XP Embedded/WinCE/Linux on my thin client
machines. None of them are in a Windows domain. They connect to Windows
Virtual PC to run Windows XP.

Anyway, my question is: I want to allocate a certificate to my thin
client machines from Certificate Services. I want to issue the
certificate on the basis of MAC and processor type and some other
parameters.

As my machines are not in a domain, I have to use a standalone CA. So can I
create a customized certificate using Certificate Services? Please
tell me how I can create certificates based on my parameters.

Regards,
Sunil
 
Brian Komar [MVP]

> Hi,
>
> I am running Windows XP Embedded/WinCE/Linux on my thin client
> machines. None of them are in a Windows domain. They connect to Windows
> Virtual PC to run Windows XP.
>
> Anyway, my question is: I want to allocate a certificate to my thin
> client machines from Certificate Services. I want to issue the
> certificate on the basis of MAC and processor type and some other
> parameters.
>
> As my machines are not in a domain, I have to use a standalone CA. So can I
> create a customized certificate using Certificate Services? Please
> tell me how I can create certificates based on my parameters.
>
> Regards,
> Sunil
With a standalone CA, you can create any type of request
you want with the Certificate Request Editor. I have a
version of the editor in my PKI book from MS Press.
The request will be pended by default, allowing you to
review the request before issuing the certificate.

I am not sure what type of certificate you are after, as
you have not stated the application, or what purpose the
certificate is used for.

I have no idea what you mean by "on the basis of MAC or
processor type".

Brian
 
sunil

Basically I want to have some kind of machine certificate for the thin
client. I want to authenticate thin terminals with that machine
certificate. Is there any standard certificate for machines?
 
Brian Komar [MVP]

> Basically I want to have some kind of machine certificate for the thin
> client. I want to authenticate thin terminals with that machine
> certificate. Is there any standard certificate for machines?
<snip>
You would need to create a certificate with the Client
Authentication EKU. Now, you still need to determine if
your Citrix server or Terminal Server can authenticate
using a machine certificate (I know that TS does not)...
It can use a user certificate (smart card), not a
machine cert.

Brian
 
Guest

Hi Brian,

Is the Request Editor also included in MSDN? Is it possible to download it
from the Microsoft site?

Further, does EKU mean I need to provide a new OID for my purpose?

Further, I want to add the serial number and processor type of my terminal
machines in the certificate. Should I use the SAN (subject alternative name) for
the same?

One more question: does Certificate Services store information in SQL
Server? Is there any interface to get the information from the Certificate
Services database?

Regards,
Sunil
 
Brian Komar [MVP]

Hi Sunil,

> Hi Brian,
>
> Is the Request Editor also included in MSDN? Is it possible to download it
> from the Microsoft site?

Not that I am aware of. I got permission to add it to
the book from MS internal.

> Further, does EKU mean I need to provide a new OID for my purpose?

You could, but only if you are writing your own app.
There is a default OID for client authentication:
- Client Authentication (1.3.6.1.5.5.7.3.2)

> Further, I want to add the serial number and processor type of my terminal
> machines in the certificate. Should I use the SAN (subject alternative name) for
> the same?

Why do you want to add these? What purpose does it
serve? You would have to define name forms if using a
SAN and provide ASN.1 information. It is possible, but I
am not sure if you want to go down that path. Each would
have to be provided manually, as this information is not
provided during an enrollment.

> One more question: does Certificate Services store information in SQL
> Server? Is there any interface to get the information from the Certificate
> Services database?

No, it is stored in its own JET database. ICertAdmin can
query the database.
 
Guest

Hi Brian,

It is regarding the following:

> Further, I want to add the serial number and processor type of my terminal
> machines in the certificate.

My understanding is that when we issue a client certificate on the basis of
an email address, we embed the email address in the certificate. Now each of my
client machines will be distinguished by serial number and processor type.
Shouldn't I put the serial number and processor type in the certificate?

Please let me know if my understanding is incorrect. Further, what kind of
information (instead of email address) should be in the certificate to
distinguish the two certificates?

Regards,
Sunil
 
Brian Komar [MVP]

> Hi Brian,
>
> It is regarding the following:
>
> My understanding is that when we issue a client certificate on the basis of
> an email address, we embed the email address in the certificate. Now each of my
> client machines will be distinguished by serial number and processor type.
> Shouldn't I put the serial number and processor type in the certificate?
>
> Please let me know if my understanding is incorrect. Further, what kind of
> information (instead of email address) should be in the certificate to
> distinguish the two certificates?
>
> Regards,
> Sunil
<snip>
You are definitely making some assumptions. Client
authentication certificates require two things:

1) The client authentication OID in the EKU or
application policy extension (or both). This states that
the certificate is for authentication purposes. In
addition, the purpose of the certificate must be for
digital signature.

2) The subject must contain a name that is recognized
by the authenticating server. For most MS apps, the
subject name is the User Principal Name (UPN) stored
in the subject alternative name. Alternatively, you can
use some applications to map a certificate subject name
format to a specific account. This is where you could
use the email name, or any other form of distinguished name.
I have seen some custom applications where a subject
alternative name was used to look up an account (a GUID in
their case) against a SQL or Oracle database.

If you want to put processor type or serial
number in, what application are you using/coding that would
look up this information? You are trying to mix
machine-specific information into a user authentication
certificate by the looks of it.

The question comes down to: what application are you
trying to secure with these authentication certificates?

Brian
 
Guest

Brian,

I am sorry because of my limited knowledge. Let me explain the architecture
of my software.

My software is divided into 3 parts:

Terminal Software - runs on the thin terminal
Management Server - runs on Windows 2003 Server
VPC Software - runs on the Virtual PC

1. To connect to the VPC, the thin client has to run the Terminal Software.
2. The Terminal Software has to pass the serial number and processor type to the Mgmt
Server.

3. The Management Server will authenticate the information passed.
4. Once the Mgmt Server authenticates the client, it will send a message to the
VPC agent to open the RDP port.

Thus only a thin terminal authenticated by the VPC is able to connect to the
virtual PC.

Now while passing the serial number and processor type in step 2, I want to
pass this information encrypted using the private key of the machine certificate.
So now the server can verify the information is sent by the right machine.

Please let me know if you have any questions.

Can you suggest some way of using certificates and the type of certificates
to be used in my architecture?

Regards,
Sunil
 
Brian Komar [MVP]

More questions inline...

> Brian,
>
> I am sorry because of my limited knowledge. Let me explain the architecture
> of my software.
>
> My software is divided into 3 parts:
>
> Terminal Software - runs on the thin terminal
> Management Server - runs on Windows 2003 Server
> VPC Software - runs on the Virtual PC

Who wrote the management server? This is the key to
whether your application would work. I know of no
management server software that does what you want with
certs today.

> 1. To connect to the VPC, the thin client has to run the Terminal Software.
> 2. The Terminal Software has to pass the serial number and processor type to the Mgmt
> Server.
>
> 3. The Management Server will authenticate the information passed.
> 4. Once the Mgmt Server authenticates the client, it will send a message to the
> VPC agent to open the RDP port.

This is not the way VPC would work. You would only be
connecting to the VPC agent using the RDP port? If you
are using this, the only attribute of the certificate
that is looked at is the EKU attribute and it must have
the Client Authentication OID. In addition, the RDP
client is hard coded to *only* look for smart card-based
client authentication certs, definitely not machine
certs....

> Thus only a thin terminal authenticated by the VPC is able to connect to the
> virtual PC.
>
> Now while passing the serial number and processor type in step 2, I want to
> pass this information encrypted using the private key of the machine certificate.
> So now the server can verify the information is sent by the right machine.

You are reinventing the wheel. The RDP connection can
use TLS to encrypt the information. You have the key
exchange backwards. When you connect to a server, you
validate the server certificate. The server certificate
is used to protect a symmetric key that is used to
encrypt any data. A client machine certificate is never
used to protect data. It is the responsibility of the
server cert.

> Please let me know if you have any questions.

Your architecture seems to be flawed. Look to standards,
rather than creating your own solution.
<snip>
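Added example (Python, using the `cryptography` package; it is not code from this thread, nor from Certificate Services or any product named here) that puts Brian's two points together: a client-authentication certificate carries the Client Authentication EKU 1.3.6.1.5.5.7.3.2 plus a digitalSignature key usage, and the management server's step 2 should have the thin client *sign* a fresh, server-chosen nonce with its private key rather than "encrypt" the serial number with it. The request also carries the hardware serial as a SAN otherName, which is the name-form/ASN.1 work Brian mentions. The host name, the serial numbers and the private-enterprise OID 1.3.6.1.4.1.99999.1.1 are made up for the example, and a self-signed root stands in for the standalone CA.

```python
import datetime, os, time
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

HW_SERIAL_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")  # assumed: made-up private arc
CONTEXT = b"thin-client-auth-v1:"  # domain separation: the client key only ever signs this format
PKCS1 = padding.PKCS1v15()         # RSA signature padding that XP-era CSPs support

def der_utf8string(s):  # minimal DER UTF8String (short-form length, so under 128 bytes)
    raw = s.encode("utf-8")
    assert len(raw) < 128
    return b"\x0c" + bytes([len(raw)]) + raw

def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))

def make_ca(name):  # stand-in for the standalone CA: a self-signed root used only in this example
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return key, _builder(subject, subject, key.public_key(), 3650).sign(key, hashes.SHA256())

def make_client_csr(key, hostname, hw_serial):
    """PKCS#10 the thin client generates: digitalSignature key usage, Client Authentication
    EKU (1.3.6.1.5.5.7.3.2) and a SAN with the host name plus a hardware-serial otherName."""
    ku = x509.KeyUsage(True, *[False] * 8)  # first positional flag is digital_signature
    san = x509.SubjectAlternativeName([x509.DNSName(hostname),
                                       x509.OtherName(HW_SERIAL_OID, der_utf8string(hw_serial))])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .add_extension(ku, critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))

def issue_from_csr(ca_key, ca_cert, csr, days=365):  # the CA, after the pended request is approved
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession failed")
    builder = _builder(csr.subject, ca_cert.subject, csr.public_key(), days)
    for ext in csr.extensions:  # carry the requested extensions into the certificate
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())

def sign_challenge(key, nonce):  # thin-client side: sign (never "encrypt") the server's nonce
    return key.sign(CONTEXT + nonce, PKCS1, hashes.SHA256())

class ManagementServer:  # trusts one CA; validity-period and revocation checks omitted for brevity
    def __init__(self, ca_cert):
        self.ca_cert = ca_cert
        self.outstanding = {}  # nonce -> expiry time; every nonce is single-use
    def challenge(self):
        nonce = os.urandom(32)
        self.outstanding[nonce] = time.time() + 60
        return nonce
    def verify(self, cert, nonce, signature):  # returns (True, hw_serial) or (False, reason)
        if self.outstanding.pop(nonce, 0) < time.time():
            return False, "unknown, expired or replayed nonce"
        try:  # one-level chain: the leaf must carry our CA's signature
            self.ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             PKCS1, cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, "certificate not issued by the trusted CA"
        get = cert.extensions.get_extension_for_class  # raises ExtensionNotFound if absent
        eku, ku = get(x509.ExtendedKeyUsage).value, get(x509.KeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in list(eku) or not ku.digital_signature:
            return False, "certificate not usable for client authentication"
        try:
            cert.public_key().verify(signature, CONTEXT + nonce, PKCS1, hashes.SHA256())
        except InvalidSignature:
            return False, "bad signature over nonce"
        for gn in get(x509.SubjectAlternativeName).value:
            if isinstance(gn, x509.OtherName) and gn.type_id == HW_SERIAL_OID:
                return True, gn.value[2:].decode("utf-8")  # strip the DER tag and length
        return False, "no hardware serial in SAN"

def demo():  # enrol one client, then: good login, replay, answer to a different challenge, untrusted CA
    ca_key, ca_cert = make_ca("Example Standalone CA")
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = make_client_csr(client_key, "thinclient-0001.example.internal", "SN-0001")
    cert, server = issue_from_csr(ca_key, ca_cert, csr), ManagementServer(ca_cert)
    n1 = server.challenge()
    sig1 = sign_challenge(client_key, n1)
    out = {"good": server.verify(cert, n1, sig1), "replay": server.verify(cert, n1, sig1)}
    n2 = server.challenge()
    out["stale"] = server.verify(cert, n2, sign_challenge(client_key, os.urandom(32)))
    rogue_key, rogue_cert = make_ca("Untrusted CA")
    n3 = server.challenge()
    out["rogue"] = server.verify(issue_from_csr(rogue_key, rogue_cert, csr), n3,
                                 sign_challenge(client_key, n3))
    return out

if __name__ == "__main__":
    print(demo())
```

On a real standalone CA the `issue_from_csr` step is the operator's: submit the PKCS#10 with `certreq -submit -config "CAHOST\CAName" request.req certificate.cer`, approve the pended request with `certutil -resubmit <RequestId>`, and install the result on the client with `certreq -accept`. Note the order of the server's checks before it would open the RDP port: the nonce is one it issued and has not seen before, the certificate chains to the single CA it trusts, the EKU and key usage permit client authentication, and only then is the signature checked. Validity-period and revocation checks are left out to keep the block short; a production server needs both.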
 
Guest

Brian,

Thanks for your comments.

Please find the replies and some questions.

> Who wrote the management server? This is the key to
> whether your application would work. I know of no
> management server software that does what you want with
> certs today.

1. The Mgmt Server is self-developed; apart from this authentication it does
many more things.

> This is not the way VPC would work. You would only be
> connecting to the VPC agent using the RDP port? If you
> are using this, the only attribute of the certificate
> that is looked at is the EKU attribute and it must have
> the Client Authentication OID. In addition, the RDP
> client is hard coded to *only* look for smart card-based
> client authentication certs, definitely not machine
> certs....

2. The VPC Agent is some kind of firewall. The only way to connect from thin
terminals is using RDP. By default the VPC Agent keeps the RDP port closed.

> You are reinventing the wheel. The RDP connection can
> use TLS to encrypt the information. You have the key
> exchange backwards. When you connect to a server, you
> validate the server certificate. The server certificate
> is used to protect a symmetric key that is used to
> encrypt any data. A client machine certificate is never
> used to protect data. It is the responsibility of the
> server cert.

3. Is it possible to use TLS in Windows XP Terminal Services?

Regards,
Sunil
 
Brian Komar [MVP]

Due to custom software, I will not be able to help you
at all with your management server. That is entirely in
your court... More inline.

> Brian,
>
> Thanks for your comments.
>
> Please find the replies and some questions.
>
> 1. The Mgmt Server is self-developed; apart from this authentication it does
> many more things.
>
> 2. The VPC Agent is some kind of firewall. The only way to connect from thin
> terminals is using RDP. By default the VPC Agent keeps the RDP port closed.

I assumed you were talking about Microsoft Virtual PC. I
have no idea what you are talking about here.

> 3. Is it possible to use TLS in Windows XP Terminal Services?

You can if you use Windows Server 2003 with SP1 or R2 on
the back end. You can enable SSL (actually TLS) in the
properties of the RDP connection.
 
Guest

Hi Brian,

Well, at the back end Windows XP SP2 is running Windows Terminal Services. I
think it is not possible for me to use TLS.

Well, I am still confused about the extensions that can be added in an X.509
certificate. Can you please provide me some URL for the extensions of X.509
certificates?

Basically I want to implement some kind of architecture like the one Windows
Rights Management Services implements. They also create a machine certificate, but I
don't know what all is available in the machine certificate.

Do you have an idea of what kind of machine certificate is available in Windows
RMS?

Rgds,
Sunil
 
Guest

Hi Brian,

I think basically I want to know what should be the fields of my certificate
if I want to add hardware information.

Please suggest how an X.509 certificate should look.

What should be in the:

Subject Name
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
OID of my certificate (should it be a new OID?)
Subject Alternative Name

Regards,
Sunil
 
Brian Komar [MVP]

> Hi Brian,
>
> I think basically I want to know what should be the fields of my certificate
> if I want to add hardware information.
>
> Please suggest how an X.509 certificate should look.
>
> What should be in the:
>
> Subject Name
> Issuer Unique Identifier (Optional)
> Subject Unique Identifier (Optional)
> OID of my certificate (should it be a new OID?)
> Subject Alternative Name
>
> Regards,
> Sunil
<snip>
Do not add hardware information, as no known application
will look for it in the way you want, nor add it.
Brian
 
Brian Komar [MVP]

> Hi Brian,
>
> Well, at the back end Windows XP SP2 is running Windows Terminal Services. I
> think it is not possible for me to use TLS.
>
> Well, I am still confused about the extensions that can be added in an X.509
> certificate. Can you please provide me some URL for the extensions of X.509
> certificates?
>
> Basically I want to implement some kind of architecture like the one Windows
> Rights Management Services implements. They also create a machine certificate, but I
> don't know what all is available in the machine certificate.
>
> Do you have an idea of what kind of machine certificate is available in Windows
> RMS?
>
> Rgds,
> Sunil
<snip>
I recommend you attend some training. RMS uses XrML
certificates, not X.509 certificates. Your entire design
is flawed.
Brian
 
Guest

Hi Brian,

I was expecting this kind of response.

I will rethink the architecture as suggested by you.

If you have some good suggestion to protect the Windows XP Remote Desktop
connection (at the back end) from unauthorized thin boxes (Linux/Win CE computers),
please suggest.

Regards,
Sunil
 
