Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

In this section we focus on key Windows Server 2003 PKI maintenance tasks: CA backup and restore, rollover, and auditing.

16.2.1 CA backup and restore

As for any other critical component in your IT infrastructure, it is very important to have solid backup-restore procedures for your CA, its configuration, and its database. Windows Server 2003 comes with three tools you can use to back up and restore CA configuration data: the Windows backup and restore wizard, the CA-specific backup and restore utility, and the IIS configuration backup and restore utility.

The Windows backup and restore wizard is available from the Windows Server 2003 Accessories\System Tools start menu option. It can be used to back up the CA data at the file system level listed in Table 16.9, as well as the CA configuration data stored in the system registry and the AD. To back up the registry data, you must check the System State option in the wizard (as illustrated in Figure 16.14).

Table 16.9: CA File System Level Data

| CA Data | Notes |
|---|---|
| CA Database directory | Default: <%windir%>\system32\certlog |
| CA Web directory | Default: <%windir%>\system32\certsrv |
| CA Configuration directory | Only available if explicitly created during CA installation (shared as certconfig) |

Figure 16.14: Backing up the system state and CA configuration data using the backup wizard.

The CA-specific backup-restore utility is available from the CA MMC snap-in and from the command prompt (using the certutil utility). It can back up and restore the CA database and the CA private key and certificate; the key and certificate are exported to a PKCS#12-formatted file. The certutil CA backup and restore-related switches and their meaning are explained in Table 16.10. For more information, type certutil /? at the command line.

Table 16.10: Certutil CA Backup and Restore-Related Switches

| Certutil CA Backup and Restore Switches | Meaning |
|---|---|
| certutil -backup / certutil -restore | Backs up or restores the CA database, certificate and private key. |
| certutil -backupDB / certutil -restoreDB | Backs up or restores the CA database. |
| certutil -backupKey / certutil -restoreKey | Backs up or restores the CA certificate and private key. |

Before starting the CA-specific backup utility, make sure you have prepared a separate backup medium or at least a separate folder, different from the CA configuration folder on the CA server. Also, the backup will fail if the folder you are using is not empty. The CA database can be backed up incrementally, and an incremental backup can be saved at the same location as a full backup. When restoring a CA database from a full backup and a set of incremental backups, never restart the CA service until all incremental backups have been restored. If you do so, you will lose all of the changes starting from the last incremental backup you restored.

You can use the IIS configuration backup and restore utility to back up and restore the CA Web enrollment interface configuration settings. To start this utility, open the Internet Information Services Manager, right-click the Web server computer object, and select All Tasks\Backup\Restore Configuration. To back up and restore the CA-related Web directories, you must rely on the Windows backup and restore wizard.

16.2.2 CA rollover

In PKI terminology, CA certificate rollover is the process of generating a new CA certificate. A CA’s certificate may be renewed for different reasons:

To renew a CA certificate, you must run the renew CA certificate wizard (illustrated in Figure 16.15). It is accessible by right-clicking the CA object in the CA MMC snap-in, and selecting All Tasks\Renew CA Certificate. The wizard prompts you to reuse the same key pair or generate a new one. It brings up different dialog boxes depending on whether you are dealing with a root CA or a subordinate CA.

Figure 16.15: Renew CA certificate wizard.

Changing the CA’s key size and other CA certificate properties at CA certificate renewal time can be done by specifying these parameters in a capolicy.inf configuration file and making this file available when the renewal process occurs (as was explained in Chapter 14).

When a new key pair is generated together with CA certificate renewal, the CA will generate a brand-new base CRL the next time the CRL is published. “Brand-new” means that this new CRL will not contain any of the revoked certificates contained in the previous CRL. This makes it possible to partition a CA’s base CRLs because a CRL is signed with a CA’s private key. When the private key is renewed, it will only be used to sign CRLs containing certificates revoked after the key renewal date. As long as the old CA keys are valid, the CA will also keep on publishing their associated CRLs. This explains why after CA certificate and key pair renewal a CA may publish multiple CRLs every time CRL publishing occurs.

Certificate renewal affects the version number of the CA’s certificate, which is stored in the CA certificate’s CA Version extension. Renewal without generating a new key pair only affects the first part (the part before the dot) of the CA certificate’s version number. Renewal with a new key pair affects the complete CA version number: both the part before and the part after the dot change. Another way to distinguish between renewal and reissuing at the level of the CA certificate properties is the following: reissuing generates a new subject key identifier field.

The number of times a CA’s certificate has been renewed and the content of the CA certificates can be seen from the General tab of the CA object’s properties in the CA MMC snap-in (as illustrated in Figure 16.16). In the example of Figure 16.13, the CA certificate was renewed 10 times.

Figure 16.16: CA properties: CA certificates.

16.2.3 CA auditing

Windows Server 2003 PKI comes with interesting new CA auditing capabilities. You can enable auditing for the event groups listed in Table 16.11. All events are logged into the local system’s security event log. CA auditing depends on object access auditing, which can be enabled from the GPO MMC or Local Security Settings MMC snap-in. To fine-tune CA auditing, go to the Auditing tab (illustrated in Figure 16.17) in the properties of the CA object (accessible from the CA MMC snap-in). Table 16.12 shows the most important Certificate Services Event IDs.

Table 16.11: CA Audit Categories

| CA Audit Category | Includes |
|---|---|
| Back up and restore the CA database | Backup CA database; Restore CA database |
| Change CA security settings | Configure CA administration roles; Configure Certificate Manager restrictions; Configure CA auditing |
| Change CA configuration | Add/Remove templates to the CA; Configure CRL publication schedule; Modify policy module configuration; Modify exit module configuration; Configure CRL Distribution Points (CDP); Configure Authority Information Access (AIA); Change policy module; Change exit module; Configure Key Archival and Recovery |
| Issue and manage certificate requests | Incoming certificate requests; Certificate issuance; Certificate import; Deletion of rows in the CA database |
| Revoke certificates and publish CRLs | Certificate revocation; CRL publication |
| Store and retrieve archived keys | Archival of keys; Retrieval of archived keys |
| Start and stop Certificate Services | Starting Certificate Services; Stopping Certificate Services |

Figure 16.17: CA auditing settings.

Table 16.12: Certificate Services Event IDs

| Event ID | Meaning |
|---|---|
| 772 | The certificate manager denied a pending certificate request |
| 773 | Certificate Services received a resubmitted certificate request |
| 774 | Certificate Services revoked a certificate |
| 775 | Certificate Services received a request to publish the CRL |
| 776 | Certificate Services published the CRL |
| 777 | A certificate request extension changed |
| 778 | One or more certificate request attributes changed |
| 779 | Certificate Services received a request to shut down |
| 780 | Certificate Services backup started |
| 781 | Certificate Services backup completed |
| 782 | Certificate Services restore started |
| 783 | Certificate Services restore completed |
| 784 | Certificate Services started |
| 785 | Certificate Services stopped |
| 786 | The security permissions for Certificate Services changed |
| 787 | Certificate Services retrieved an archived key |
| 788 | Certificate Services imported a certificate into its database |
| 789 | The audit filter for Certificate Services changed |
| 790 | Certificate Services received a certificate request |
| 791 | Certificate Services approved a certificate request and issued a certificate |
| 792 | Certificate Services denied a certificate request |
| 793 | Certificate Services set the status of a certificate request to pending |
| 794 | The certificate manager settings for Certificate Services changed |
| 795 | A configuration entry changed in Certificate Services |
| 796 | A property of Certificate Services changed |
| 797 | Certificate Services archived a key |
| 798 | Certificate Services imported and archived a key |
| 799 | Certificate Services published the CA certificate to Active Directory |
| 800 | One or more rows have been deleted from the certificate database |
| 801 | Role separation enabled |
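As an added example (not from the book), the following Python script triages a constructed CSV export of a CA's security event log using the event IDs of Table 16.12 grouped by the audit categories of Table 16.11. The CSV column names, the ID-to-category mapping and the choice of events to review promptly are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Certificate Services event IDs (Table 16.12) mapped to the audit category of
# Table 16.11 they fall under. The mapping is this example's reading of the two
# tables, not a mapping the book states.
CATEGORY_IDS = {
    "Back up and restore the CA database": {780, 781, 782, 783},
    "Change CA security settings": {786, 789, 794, 801},
    "Change CA configuration": {795, 796},
    "Issue and manage certificate requests": {772, 773, 777, 778, 788, 790, 791, 792, 793, 800},
    "Revoke certificates and publish CRLs": {774, 775, 776},
    "Store and retrieve archived keys": {787, 797, 798},
    "Start and stop Certificate Services": {779, 784, 785},
}
EVENT_CATEGORY = {eid: cat for cat, ids in CATEGORY_IDS.items() for eid in ids}

# Events worth prompt review: changes to who controls the CA or its audit
# trail, deletion of database rows, and restores (assumed selection).
REVIEW_PROMPTLY = {782, 783, 786, 789, 794, 800, 801}

# Constructed sample export; 528 stands in for a non-CA security event.
SAMPLE_LOG = """\
time,event_id,user,message
2004-03-01 08:00:12,784,SYSTEM,Certificate Services started
2004-03-01 09:15:40,790,HQ\\alice,Certificate Services received a certificate request
2004-03-01 09:15:41,791,HQ\\alice,Certificate Services approved a certificate request and issued a certificate
2004-03-01 10:02:03,789,HQ\\bob,The audit filter for Certificate Services changed
2004-03-01 10:05:30,800,HQ\\bob,One or more rows have been deleted from the certificate database
2004-03-01 11:00:00,528,HQ\\carol,Successful logon
"""


def triage(csv_text):
    """Return (event count per CA audit category, events needing prompt review)."""
    counts = Counter()
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["event_id"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than abort the whole pass
        category = EVENT_CATEGORY.get(event_id)
        if category is None:
            continue  # not a Certificate Services event from Table 16.12
        counts[category] += 1
        if event_id in REVIEW_PROMPTLY:
            flagged.append((row["time"], event_id, row["user"], row["message"]))
    return counts, flagged


if __name__ == "__main__":
    totals, hits = triage(SAMPLE_LOG)
    for cat, n in totals.items():
        print(f"{n:3d}  {cat}")
    for hit in hits:
        print("REVIEW:", *hit)
```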
