S 2.232 Planning the Windows CA structure in Windows 2000 and higher

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Head of IT, Administrator

Starting with Windows 2000, Windows comes with its own PKI components to enable establishment of a company-wide certificate hierarchy. Certificates are used to confirm identities of people and systems in cryptographic processes such as encryption, for ("certificate-based") authentication or for electronic signatures for data and applications. The heart of a public key infrastructure (PKI) is the certificate authority (CA), which is authorised to issue certificates. It is generally not necessary to operate a CA in order to operate Windows, but operation of a CA is necessary if you want to use certain properties or functions. This includes smart card logins or secure communication between Windows system components using SSL. Windows offers two types of CA:

Stand-alone CA (independent certification authority), and
Enterprise CA (organisation-wide certification authority).

The main difference between the two types of CAs is that the enterprise CA is integrated into the Active Directory and can therefore benefit from the use of the Active Directory as a directory service. For example, certification authorities can be made public in the Active Directory, and then large numbers of certificates can be issued and distributed automatically. With the stand-alone CA, the certificate request is always checked by the CA administrator, and the generation of a certificate must be triggered manually by the administrator. The creation of certificates must be triggered manually by the administrator. The stand-alone CA can also be installed and operated on a non-networked computer, whereas it only makes sense to run the enterprise CA on a networked computer. In Windows Server 2003 Enterprise Edition and higher, the certificate templates for the enterprise CA can be customised individually.

Both CA versions are suitable for establishing a certificate hierarchy, and therefore both versions can also be operated as secondary CAs. The enterprise CA is better suited for use in a LAN infrastructure, and this version should normally be preferred. In hierarchies with several levels it is recommended to operate the highest hierarchy (root CA) offline since its key as a "trust anchor" of the overall hierarchy is particularly worthy of protection and the CA is seldom required for issuing the certificates for the sub-CAs.

It must be ensured that all operational scenarios and the applications affected by the scenarios are known, especially when planning a government-wide or company-wide PKI. To estimate the technical feasibility, it is recommended to check the interoperability of all components to be used in advance.

A list of structural planning aspects can be found on the BSI website under the Resources for IT-Grundschutz (see Resources for planning the Windows 2000/2003 CA structure). It is generally true that all general organisational, technical, and security-related conditions relevant to the operation of a CA must be documented in a corresponding concept.

Planning the use of suitable certification authorities

Organisational aspects:

It takes time to plan a PKI. As a rule, the responsibilities within the organisation in particular need to be delegated and documented.
The CA hierarchy should be based on the planned and possible future operational scenarios. Different application scenarios should be represented by separate CAs which can be brought together offline under a shared root CA.
The intended purpose of each certificate plays an important role when planning the CA structure. For example, more problems will usually be encountered when designing a general, organisation-wide certificate infrastructure than when designing an application-based PKI. An application-based PKI can be used, for example, when only the employees affected need to be reliably identified in the context of a network-based application. An example of such a case is the electronic submission and processing of requests for leave where the requests submitted have to be signed digitally by several people in a certain order.
A CA policy should be defined and documented for operation of the CAs and use of the certificates issued, typically in form of so-called Certification Practice Statements (CPS) and Certificate Policies (CP). The internet standard RFC 3647 is internationally recognised for their organisation.
Suitable processes must be introduced for blocking certificates. The accessibility and availability aspects of the blocking party, persons authorised for blocking and their reliable identification and documentation of the blocking must be considered.
If keys are lost or compromised and blocked as a consequence, the employees need a new certificate to be able to continue their tasks. Especially when using smart cards or tokens as key carriers, suitable procedures must be defined on how the functionality can be restored in a sufficiently short time (for example, by securely reserving and issuing pre-personalised smart cards at the individual locations).

Technical aspects:

The planning must also include selection of the cryptographic procedures and algorithms and of the key lengths to be used (see also S 2.162 Determining the need to use cryptographic procedures and products).
The level of trust placed in the certificates of a CA depends mainly on the level of security available in the CA. For this reason, particular attention must be paid to the physical and technical software security of those CAs critical to the generation of security certificates. Certificates that are particularly critical to security include certificates with a large number of users and certificates whose correctness is depended upon by other applications critical to security.
For sensitive applications it is recommended to protect the private keys against unauthorised reproduction and unauthorised access by storing them in cryptographic hardware (smart cards, tokens).
Different CAs should be used for certificates with different security requirements.
When certificates are used the validity model must be specified ("chain model" versus "shell model"). In this context it must be specified how certificates are to be treated if the certificate of the issuing CA is blocked or expires.
The maximum validity period must be specified for each of the various types of certificates (e.g. root CA certificate, user email certificate). When checking certificates according to the shell model it makes sense to ensure that the validity period of the certificates does not exceed the validity period of the certificate from the issuing CA.
The possibilities and procedures available after a certificate expires must be defined. For example, is it possible to extend the certificate or do new certificates need to be issued?
Suitable certificate templates should be created and followed for the various application scenarios. The correct usage of the restrictions, in particular the "Certificate Usage" in the certificate must be ensured in order to prevent misuse of certificates (for example, for creating sub-CAs). In Windows Server 2008 and higher, more parameters are available as default in the certificate templates; however, these can only be used if no CAs on older (Windows Server 2003) systems are operated in the same hierarchy.
The certificate database of the CA should be included in the data backup.

The security during actual operation of the individual PKI components plays a particularly important role, as well as the planning of a PKI. A certificate authority must be protected according to the protection requirement of the particular applications in which the certificates are used. Recommendations for protection can be found in the Resources for IT-Grundschutz (see Resources for protecting certificate services under Windows Server 2003).

Version-specific planning aspects for a CA in Windows Server 2003 and higher

Distribution of certificates:

Certificates can be requested and issued (short: distributed) automatically (without user interaction) or manually. The automatic distribution of certificates (autoenrolment) is based on Active Directory and group policies (see also ). Autoenrolment simplifies the administration of certificates of users (under Windows Server 2003 Enterprise Edition and higher) and computers for specific applications in the organisational environment. A common example of this is the distribution of encryption certificates for the Encrypting File System (EFS) among the clients. The certificate enrolment procedure is only performed for authenticated clients and is equipped with corresponding security mechanisms and authorisations. The settings are found in the Group Policy Object Editor under

Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Properties of the Autoenrolment Settings

and

User Configuration | Windows Settings | Security Settings | Public Key Policies | Properties of the Autoenrolment Settings.

By default, only domain controllers automatically request a computer certificate. Furthermore, some optional Windows components also automatically request a certificate. In this way, every client with activated EFS automatically receives an EFS certificate. The scope of autoenrolment used should match the scope actually needed because otherwise administration becomes more difficult and there is a risk of the keys being disclosed, among other risks.

Based on the applications or Windows components you plan to use, you must consider which certificate types will be permitted to be used by which users and computers, and how the certificates will be distributed. The group policies and authorisations in the certificate services must be planned accordingly.

Archiving private keys:

The archiving of private keys in the certification authority (available in Windows Server 2003 Enterprise Edition and higher) is not recommended. It should only be activated when a suitable role separation concept for PKI administration has been planned and implemented. Archiving can reduce the risk of an individual user losing his keys, but comes in combination with a higher risk of misuse of the archives. The suitable strategy depends on the applications and components used and should be specified by the PKI planners and documented in a security policy.

Separation of roles:

Separating roles means preventing the concentration of several or all critical administration roles arising in conjunction with the PKI in a single person or a single user account. To separate the roles, each role must be defined first at the organisational level, as described above. The separation of the roles can be enforced technically by the system (in Windows Server 2003 Enterprise Edition and higher). The four roles are:

certification authority administrator
certificate administration
backup operator
examiner

Detailed information on the roles can be found under the subject of role-based administration in the integrated Windows help system.

A user account that previously assumed two or more of the roles mentioned above must be excluded from all administration activities on the CA through role separation. The roles must be redistributed in this case by an administrator. If the role separation configuration is incorrect, then the CA is unusable. If you want to implement role separation, then you must first create a suitable authorisation concept, which should then be tried out in a test scenario.

Review questions:

Are the organisational, technical, and security-related requirements for operation of a Certificate Authority (CA) under Windows documented?
Do the cryptographic procedures, algorithms, and key lengths used in the Windows CA meet the requirements of the organisation?
Are different CAs used for certificates with different security requirements?
Are processes for extending the validity and/or issuing a new certificate in time after a certificate expires specified?
Does the protection of the certification authority correspond to the protection requirement for the relevant applications in which certificates are used?
Has it been ensured that all operational scenarios and the applications affected by the scenarios are known, especially when planning a government-wide or company-wide PKI under Windows 2000 and higher?
Are regular backups of the certificate database made?