Long strings in certificates

A Microsoft CA limits the length of strings in the certificates it issues (64 characters, per CCITT) and will not issue a certificate that exceeds the limit.

That is quite a nuisance with a complex OU structure or with peculiar names, e.g. in Code Signing certificates.

The check can be disabled with

certutil -setreg ca\EnforceX500NameLengths 0

and the original state restored with

certutil -setreg ca\EnforceX500NameLengths 1
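Before relaxing the CA-side check, it helps to know which attribute of a requested subject actually breaks the limit. The following PowerShell function is an added example (not from the original post) that parses a distinguished name and reports RDN values longer than the 64-character bound mentioned above; the per-attribute limits in $Limits (CN, OU, O at 64) and the sample subject are assumptions constructed for the demo.

```powershell
# Added example: flag X.500 RDN values that a CA with EnforceX500NameLengths = 1
# would reject, so the decision to change the request or relax the CA check is informed.
function Test-X500NameLengths {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Assumed limits: the 64-character bound from the note above, applied to CN, OU and O.
        # Attribute types not listed here are not checked.
        [hashtable] $Limits = @{ CN = 64; OU = 64; O = 64 }
    )
    # X500DistinguishedName handles quoting and escaping of the DN string;
    # Format($true) returns one "TYPE=value" RDN per line.
    $dn = [System.Security.Cryptography.X509Certificates.X500DistinguishedName]::new($DistinguishedName)
    $violations = @()
    foreach ($line in ($dn.Format($true) -split "`r?`n")) {
        if ($line -notmatch '^\s*([A-Za-z0-9.]+)=(.*)$') { continue }
        $type  = $Matches[1].ToUpperInvariant()
        $value = $Matches[2]
        if ($Limits.ContainsKey($type) -and $value.Length -gt $Limits[$type]) {
            $violations += [pscustomobject]@{
                Attribute = $type
                Length    = $value.Length
                Limit     = $Limits[$type]
                Value     = $value
            }
        }
    }
    return $violations
}

# Constructed sample subject: the OU value is well over 64 characters and is the
# kind of name the CA refuses while EnforceX500NameLengths is 1.
$longOu = ('Department of Very Long Organisational Unit Names ' * 2).TrimEnd()
$sample = "CN=build-signer,OU=$longOu,O=Contoso,C=CZ"
Test-X500NameLengths -DistinguishedName $sample | Format-Table -AutoSize

# To see the CA's current setting (run on the CA itself), use the read counterpart of -setreg:
# certutil -getreg ca\EnforceX500NameLengths
```

Only the attributes listed in $Limits are checked, so extend the hashtable if your CA complains about other RDN types.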

Perfect Forward Secrecy and TLS for Windows Server

Lately everyone is running security audits and panicking about bad grades from https://www.ssllabs.com.

A great PowerShell script for easily getting better grades is available at

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Those who prefer clicking can of course use the equally great IIS Crypto from https://www.nartac.com/Products/IISCrypto/

Certificates for Domain Controllers

An excellent article describing the various certificate template variants for domain controllers:

https://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment

Domain Controller related certificate templates

Domain controllers are interested in the following certificate templates, but which ones they prefer depends on the DC's operating system version and the CA's OS version:

Columns: Name; Description; Key usage; Subject type; Application policies or enhanced key usage; Template version

Domain Controller
  Description: Used by domain controllers as an all-purpose certificate; superseded by two separate templates, Domain Controller Authentication and Directory E-mail Replication
  Key usage: Signature and encryption
  Subject type: DirEmailRep
  Application policies or enhanced key usage: Client authentication, Server authentication
  Template version: 4.1

Domain Controller Authentication
  Description: Used to authenticate Active Directory computers and users
  Key usage: Signature and encryption
  Subject type: Computer
  Application policies or enhanced key usage: Client authentication, Server authentication, Smart card logon
  Template version: 110.0

Directory E-mail Replication
  Description: Used to replicate e-mail within AD DS
  Key usage: Signature and encryption
  Subject type: DirEmailRep
  Application policies or enhanced key usage: Directory service e-mail replication
  Template version: 115.0

Kerberos Authentication
  Description: New in Windows Server 2008; similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers
  Key usage: Signature and encryption
  Subject type: Computer
  Application policies or enhanced key usage: Client authentication, Server authentication, Smart card logon, KDC authentication
  Template version: 110.0


Domain Controller                                         | Windows 2000 Server-based CA (version 1 only) | Windows Server 2003-based CA                                                                    | Windows Server 2008-based CA
Windows 2000 Server (enroll for version 1 templates only) | Domain Controller                             | Domain Controller                                                                               | Domain Controller
Windows Server 2003                                       | Domain Controller                             | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication           | Kerberos Authentication or Domain Controller Authentication, + Directory E-mail Replication
Windows Server 2008                                       | Domain Controller                             | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication           | Kerberos Authentication + Directory E-mail Replication
Windows Server 2012                                       | Domain Controller                             | Domain Controller, or Domain Controller Authentication + Directory E-mail Replication           | Kerberos Authentication + Directory E-mail Replication


Template name                    | Windows 2000 Server | Windows Server 2003 | Windows Server 2008/2012
Directory E-mail Replication     |                     | X                   |
Domain Controller                | X                   | X                   | X
Domain Controller Authentication |                     | X                   |
Kerberos Authentication          |                     |                     | X
