Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
In this section we focus on key Windows Server 2003 PKI maintenance tasks: CA backup and restore, rollover, and auditing.
16.2.1 CA backup and restore
As for any other critical component in your IT infrastructure, it is very important to have solid backup-restore procedures for your CA, its configuration, and its database. Windows Server 2003 comes with three tools you can use to back up and restore CA configuration data: the Windows backup and restore wizard, the CA-specific backup and restore utility, and the IIS configuration backup and restore utility.
The Windows backup and restore wizard is available from the Windows Server 2003 Accessories\System Tools start menu option. It can be used to back up the CA data at the file system level listed in Table 16.9, as well as the CA configuration data stored in the system registry and the AD. To back up the registry data, you must check the System State option in the wizard (as illustrated in Figure 16.14).
CA Data | Notes |
---|---|
CA Database directory | Default: <%windir%>\system32\certlog |
CA Web directory | Default: <%windir%>\system32\certsrv |
CA Configuration directory | Only available if explicitly created during CA installation (shared as certconfig) |
The CA-specific backup-restore utility is available from the CA MMC snap-in and from the command prompt (using the certutil utility). The CA-specific backup-restore utility can backup and restore the CA database and the CA private key and certificate, which are exported to a PKCS#12- formatted file. The certutil CA backup and restore-related switches and their meaning are explained in Table 16.10. For more information, type certutil /? at the command line.
Certutil CA Backup and Restore Switches | Meaning |
---|---|
certutil -backup certutil -restore | Backs up or restores the CA database, certificate and private key. |
certutil -backupDB certutil -restoreDB | Backs up or restores the CA database. |
certutil -backupKey certutil -restoreKey | Backs up or restores the CA certificate and private key. |
Before starting the CA-specific backup utility, make sure you have prepared a separate backup medium or at least a separate folder, different from the CA configuration folder on the CA server. Also, the backup will fail if the folder you are using is not empty. The CA database can be backed up incrementally. An incremental backup can be saved at the same location as a full backup. When doing a CA database, restore from a full backup and a set of incremental backups, and never restart the CA service if not all incremental backups have been restored. If you do so, you will lose all of the changes starting from the last incremental backup you restored.
You can use the IIS configuration backup and restore utility to backup and restore the CA Web enrollment interface configuration settings. To start this utility, open the Internet Information Services Manager, right- click the Web server computer object, and select All Tasks\Backup\Restore Configuration. To back up and restore the CA-related Web directories, you must rely on the Windows backup and restore wizard.
16.2.2 CA rollover
In PKI terminology, CA certificate rollover is the process of generating a new CA certificate. A CA’s certificate may be renewed for different reasons:
-
Extend the CA lifetime
-
Change the CA’s public-private key pair
-
Change the CA’s key size
-
Change CA certificate properties
-
The CA’s private key has been compromised
-
CRL partitioning
To renew a CA certificate, you must run the renew CA certificate wizard (illustrated in Figure 16.15). It is accessible by right-clicking the CA object in the CA MMC snap-in, and selecting All Tasks\Renew CA Certificate. The wizard prompts you to reuse the same key pair or generate a new one. It brings up different dialog boxes depending on whether you are dealing with a root CA or a subordinate CA.
Changing the CA’s key size and other CA certificate properties at CA certificate renewal time can be done by specifying these parameters in a capolicy.inf configuration file and making this file available when the renewal process occurs (as was explained in Chapter 14).
When a new key pair is generated together with CA certificate renewal, the CA will generate a brand-new base CRL the next time the CRL is published. “Brand-new” means that this new CRL will not contain any of the revoked certificates contained in the previous CRL. This makes it possible to partition a CA’s base CRLs because a CRL is signed with a CA’s private key. When the private key is renewed, it will only be used to sign CRLs containing certificates revoked after the key renewal date. As long as the old CA keys are valid, the CA will also keep on publishing their associated CRLs. This explains why after CA certificate and key pair renewal a CA may publish multiple CRLs every time CRL publishing occurs.
Certificate renewal affects the version number of the CA’s certificate, which is stored in a CA certificate’s CA Version extension. Renewal without generating a new key pair will only affect the first part (the part before the dot) of the CA certificate’s version number. Renewing with generating a new key pair will affect the complete CA version number: It will change both the part before and after the dot. Another way to distinguish between renewal and reissuing on the level of the CA certificate properties is the following: Reissuing will generate a new subject key identifier field.
The number of times a CA’s certificate has been renewed and the content of the CA certificates can be seen from the General tab of the CA object’s properties in the CA MMC snap-in (as illustrated in Figure 16.16). In the example of Figure 16.13, the CA certificate was renewed 10 times.
16.2.3 CA auditing
Windows Server 2003 PKI comes with interesting new CA auditing capabilities. You can enable auditing for the event groups illustrated in Table16.11. All events are logged into the local system’s security event log. CA auditing depends on object access auditing, which can be enabled from the GPO MMC or Local Security Settings MMC snap-in. To fine-tune CA auditing, go to the auditing tab (illustrated in Figure 16.17) in the properties of the CA object (accessible from the CA MMC snap-in). Table 16.12 shows the most important Certificate Services Event IDs.
CA Audit Category | Includes |
---|---|
Back up and restore the CA database |
|
Change CA security settings |
|
Change CA configuration |
|
Issue and manage certificate requests |
|
Revoke certificates and publish CRLs |
|
Store and retrieve archived keys |
|
Start and stop Certificate Services |
|
Event ID | Meaning |
---|---|
772 | The certificate manager denied a pending certificate request |
773 | Certificate Services received a resubmitted certificate request |
774 | Certificate Services revoked a certificate |
775 | Certificate Services received a request to publish the CRL |
776 | Certificate Services published the CRL |
777 | A certificate request extension changed |
778 | One or more certificate request attributes changed |
779 | Certificate Services received a request to shut down |
780 | Certificate Services backup started |
781 | Certificate Services backup completed |
782 | Certificate Services restore started |
783 | Certificate Services restore completed |
784 | Certificate Services started |
785 | Certificate Services stopped |
786 | The security permissions for Certificate Services changed |
787 | Certificate Services retrieved an archived key |
788 | Certificate Services imported a certificate into its database |
789 | The audit filter for Certificate Services changed |
790 | Certificate Services received a certificate request |
791 | Certificate Services approved a certificate request and issued a certificate |
792 | Certificate Services denied a certificate request |
793 | Certificate Services set the status of a certificate request to pending |
794 | The certificate manager settings for Certificate Services changed |
795 | A configuration entry changed in Certificate Services |
796 | A property of Certificate Services changed |
797 | Certificate Services archived a key |
798 | Certificate Services imported and archived a key |
799 | Certificate Services published the CA certificate to Active Directory |
800 | One or more rows has been deleted from the certificate database |
801 | Role separation enabled |
Категории