Best Practice for installing certificates on non-internet connected servers
Certificate trust and CRLs are difficult for disconnected systems :(
For certificate trust I see no other way than importing the CER files... depending on the issuer and their hierarchy, you may need Root or Intermediate certs.
For CRLs; you can try reducing the CRL timeout period (maybe to 1s), include the latest CRL with your build, or carry on supplying .config files to bypass the check...
I see this scenario as a common problem with products like TMG/UAG when they are inbound facing in a DMZ and do not have outbound Internet access (needed to validate CRLs).
Cheers
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
August 25th, 2012 8:59pm
Thanks for answering, much appreciated.
I didn't know the CRL timeout was configurable, or that I could provide a CRL - that's something I'll look into.
September 1st, 2012 8:31am
Scenario
My customer is in a highly secure environment. They do not have computers connected to the internet.
We deliver an InstallShield installation of a Windows product (nothing SSL or webby) which is digitally signed with an Authenticode code-signing certificate.
This certificate uses the 2048-bit VeriSign root CA, and that's not recognized by their computers.
They won't get new root CAs automatically through Windows Update because they do not connect to the internet. Ever.
When installing our product, the main setup.exe runs fine, but one of the .cab files hits a problem because the certificate is not recognized. (I believe this is InstallShield behaving badly; msiexec doesn't do this!) They are not our only customer, so we do not want a 'non-signed' version of our installation just for them.
The product installation will not continue.
Viewing the .exe or .cab and trying to install our VeriSign certificate doesn't solve the problem. It needs more.
Current solution
I have provided them with a .cer file, which is the
VeriSign Class 3 Public Primary Certification Authority - G5 (Primary Intermediate)
[25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd]
After they install this certificate, the installation succeeds.
We have also supplied some .config files to prevent the CRL list check from delaying services from starting - as they take longer than 30 seconds otherwise - and then fail.
Question
What is the best practice in this area given that they will not connect to the internet to let 'the magic happen'?
Is what we did OK? I thought it would be less risky to install the intermediate rather than a root. Is there any whitepaper or guidance on certificate installation for disconnected systems? For services that are signed with certificates, should we provide them with an exe.config file, or is that wrong?
September 1st, 2012 12:47pm
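The steps discussed in the answer and in the question's "Current solution" (import the issuer's CER file into the right store, ship a current CRL with the build, shorten the chain engine's URL retrieval timeout, and hand a signed .NET service an exe.config that stops it blocking on CRL retrieval at start-up), written out as an added PowerShell example. This is not code from the thread or from InstallShield; the file names, the service name MyService.exe and the CRL file are assumed, the registry values are the chain engine's retrieval-timeout settings and should be confirmed on the target OS build, and the .config shown is the generatePublisherEvidence setting, which is the usual cause of the 30-second service-start failure described in the question but is not named anywhere in the thread.

```powershell
# Added example, not from the thread. Provisions certificate trust and
# revocation data on a Windows machine with no Internet access, shortens the
# chain engine's URL retrieval timeout, writes the exe.config that stops a
# signed .NET service from blocking on CRL retrieval at start-up, and checks
# that the installer's Authenticode signature now validates offline.
# Run in an elevated PowerShell on the disconnected machine. The .cer and .crl
# files are assumed to have been exported on a connected host and copied over.

param(
    [string]$IssuerCer = '.\VeriSign_Class3_G5.cer',   # assumed file name
    [string]$CrlFile   = '.\VeriSign_Class3_G5.crl',   # assumed file name
    [string]$Installer = '.\setup.exe',
    [string]$Service   = '.\MyService.exe'             # hypothetical signed .NET 2.0-3.5 service
)

function Add-OfflineIssuer {
    # Import a CER file into the store that matches its role. A self-signed
    # certificate is a trust anchor and belongs in Root; anything else is an
    # intermediate and belongs in CA. Putting an intermediate into Root would
    # silently turn it into an anchor, which is more trust than intended.
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    & certutil.exe -f -addstore $store $Path | Out-Null
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Store = "LocalMachine\$store"; NotAfter = $cert.NotAfter }
}

function Add-OfflineCrl {
    # certutil -addstore accepts a CRL as well as a certificate; the CRL lands
    # in the store's CRL container, where the chain engine finds it without
    # fetching the CDP URL. Ship a fresh CRL with every build: once NextUpdate
    # has passed, revocation checking is back to "offline" and the delay returns.
    param([string]$Path, [string]$Store = 'CA')
    & certutil.exe -f -addstore $Store $Path | Out-Null
    $next = (& certutil.exe -dump $Path | Select-String 'NextUpdate' | Select-Object -First 1).Line.Trim()
    "$Path -> LocalMachine\$Store ($next)"
}

function Set-ChainRetrievalTimeout {
    # Machine-wide chain-engine settings, in milliseconds (assumed key; confirm
    # on the target OS build and back up the key first). These bound how long a
    # CRL/AIA fetch waits before giving up; on a box that can never reach a CDP,
    # the default of roughly 15 s per URL only delays the inevitable failure.
    param([int]$PerUrlMs = 1000, [int]$CumulativeMs = 2000)
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ChainUrlRetrievalTimeoutMilliseconds' -Value $PerUrlMs -Type DWord
    Set-ItemProperty -Path $key -Name 'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds' -Value $CumulativeMs -Type DWord
}

function Write-NoPublisherEvidenceConfig {
    # For a .NET Framework 2.0-3.5 service the start-up delay comes from the CLR
    # generating Authenticode publisher evidence, which triggers a CRL fetch that
    # blocks until timeout and trips the 30 s service-start limit. This setting
    # switches that evidence generation off; it does not weaken Authenticode
    # validation of the installer itself, which is done by WinVerifyTrust.
    # .NET 4 and later do not generate publisher evidence by default.
    param([string]$ExePath)
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
"@
    Set-Content -Path "$ExePath.config" -Value $xml -Encoding UTF8
    "$ExePath.config"
}

function Test-OfflineSignature {
    # Status is 'Valid' once the chain terminates in a trusted local anchor;
    # 'NotTrusted' or 'UnknownError' means the issuer is still missing.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
}

Add-OfflineIssuer $IssuerCer
Add-OfflineCrl $CrlFile
Set-ChainRetrievalTimeout
Write-NoPublisherEvidenceConfig $Service
Test-OfflineSignature $Installer
```

The CRL file is obtained on a connected machine from the CRL Distribution Point URL printed by `certutil -dump` on the signing certificate, and it is only good until its NextUpdate, so it needs to be refreshed with each build rather than shipped once. The exe.config only addresses the CLR's publisher-evidence lookup in a .NET service; it does nothing for the .cab signature problem, which is resolved by the issuer import alone.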