CRL Distribution point naming


David Beaven

Reading 'best practices for implementing a microsoft windows server 2003
public key infrastructure' it says that 'it is best practice to use paths
and naming that do not reveal the internal network infrastructure to
external entities'.

We used the sample script to configure the enterpriseSubCA where the ldap
entry is defined as ldap://%myLDAPserver%/CN=%%2,CN=CDP,CN=Public Key
Services,CN=Services,%%6%%10

This gives us:

CRL Distribution Point Distribution Point Name:

Full Name: URL=http://pki.mycompany.com/pki/mycompanyRootCA.crl

URL=ldap:///CN=mycompanyRootCA,CN=myserver,CN=CDP,CN=Public%20Key%20Services
,CN=Services,CN=Configuration,DC=ad,DC=mycompany,DC=com?certificateRevocatio
nList?base?objectClass=cRLDistributionPoint

Which does expose internal network infrastructure. Assuming we want both
internal and external clients to access the distribution point (hence URL
listed first), what would you advise? I assume that we still would want to
advertise the distribution point in some way via ldap.

Thanks

David
 

Steven Liu

Hi David,

First, would you please give me the link of the 'best practices for
implementing a microsoft windows server 2003 public key infrastructure'
article?

Where did you get the sample script? Would you please also give me the link
if possible?

As to the distribution point, you can refer to the Help of the Windows
server 2003.

"To specify certificate revocation list distribution points in issued
certificates"

ms-its:c:\WINDOWS\Help\CSconcepts.chm::/sag_CSprocs_CDP.htm

Note: if your Windows 2003 is not installed to the c:\windows folder,
change the proper location in the above link.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steven Liu

Hi David,

I'm working on the problem and will give you the response as soon as
possible.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

Steven Liu

Hi David,

For external users, they access the link for the CA:

http://pki.mycompany.com/pki/mycompanyRootCA.crl

The system has configured the CRL to the LDAP. The detail URL is:

ldap:///CN=mycompanyRootCA,CN=myserver,CN=CDP,CN=Public%20Key%20Services
,CN=Services,CN=Configuration,DC=ad,DC=mycompany,DC=com?certificateRevocatio
nList?base?objectClass=cRLDistributionPoint

The above link is not used for the external customer. They won't get this
link.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 

David Beaven

Steven

*Both* CRLs are published in the certificate - so external users are
provided details of internal domain infrastructure, e.g. the NetBIOS name of
the CA server (from %2) and the Active Directory domain name (from %6) (all
they need to do is inspect the certificate).
Please explain, thanks
David
 

Paul Adare

In microsoft.public.win2000.security, David Beaven wrote:

> *Both* CRLs are published in the certificate - so external users are
> provided details of internal domain infrastructure, e.g. the NetBIOS name of
> the CA server (from %2) and the Active Directory domain name (from %6) (all
> they need to do is inspect the certificate).
> Please explain, thanks

If this is truly a concern, then you have a couple of options.

1. Have more than one issuing CA. One that will issue certs only to
internal people or computers, and one that will issue certs only to
external people or computers. For the second CA, do not publish the CRLs
to an LDAP location.

2. Don't publish CRLs to AD at all.

The second option is not the best one in the world. IMO, the warning
about hiding your internal location is a little strong. So what if I
know the NetBIOS name of your CA and the AD domain name. If your network
is properly protected, that information is really not going to do me
much good in the first place. Also, if your Internet facing DNS domain
name is the same as your AD DNS domain name, then I've already got half
that information from your web site, or any email you may send to me.
 

Steven Liu

Hi David,

Paul's suggestion is correct. You can refer to his post.

If you have anything unclear, please reply my post and I will continue to
help you.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 