Best Practice for installing certificates on non-internet connected servers
Certificate trust and CRLs are difficult for disconnected systems :( For certificate trust I see no other way than importing the CER files... depending on the issuer and their hierarchy, you may need Root or Intermediate certs. For CRLs, you can try reducing the CRL timeout period (maybe to 1s), include the latest CRL with your build, or carry on supplying .config files to bypass the check... I see this scenario as a common problem with products like TMG/UAG when they are inbound facing in a DMZ and do not have outbound Internet access (needed to validate CRLs). Cheers JJ
Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
August 25th, 2012 8:59pm
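Worked example (added to this thread by the editor, not posted by Jason or the original poster): a PowerShell script that does the "import the CER files" and "ship the latest CRL with your build" parts of the answer on the disconnected server, then verifies an Authenticode-signed file against the local stores only. It assumes the build media carries a folder named .\trust with the issuer certificates as *.cer and the CRLs as *.crl (both exported while the build machine was online), and that the signed installer is .\setup.exe; those names are made up for the example. Rather than trusting the label on the file, it decides Root vs. Intermediate by whether the certificate is self-signed (Subject equals Issuer), which is the property that actually matters to the chain engine; the VeriSign Class 3 Public Primary Certification Authority - G5 certificate is self-signed and so lands in Root.

```powershell
#Requires -RunAsAdministrator
# Added example: stage offline trust material, then verify a signature without the network.
# Assumed media layout (not from the thread): .\trust\*.cer issuer certs, .\trust\*.crl CRLs.
param(
    [string]$BundlePath = '.\trust',
    [string]$SignedFile = '.\setup.exe'   # assumed name of the signed installer
)

function Import-OfflineIssuerCert {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Self-signed (Subject == Issuer) is a root and goes to Trusted Root CAs ("Root");
    # everything else is an intermediate and goes to Intermediate CAs ("CA").
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }   # no-op if the same certificate is already present
    finally { $store.Close() }
    '{0,-5} {1} {2}' -f $storeName, $cert.Thumbprint, $cert.Subject
}

function Import-OfflineCrl {
    param([Parameter(Mandatory)][string]$Path)
    # certutil -addstore accepts CRL files; the chain engine consults the machine
    # stores for a cached CRL before (and, offline, instead of) fetching the CDP URL.
    & certutil.exe -addstore CA $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to add CRL $Path" }
}

function Test-OfflineSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return "$Path is not signed (status: $($sig.Status))" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline: only CRLs already present locally are used; no URL is ever contacted.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Keep the retrieval budget tiny so an accidental online lookup cannot hang a service start.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(1)
    $built = $chain.Build($sig.SignerCertificate)

    [pscustomobject]@{
        File       = $Path
        Signer     = $sig.SignerCertificate.Subject
        ChainBuilt = $built
        # RevocationStatusUnknown / OfflineRevocation here means the CRL for some issuer
        # is missing from the local stores: export a fresh one and ship it with the build.
        Problems   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

Get-ChildItem -Path $BundlePath -Filter *.cer | ForEach-Object { Import-OfflineIssuerCert -Path $_.FullName }
Get-ChildItem -Path $BundlePath -Filter *.crl | ForEach-Object { Import-OfflineCrl -Path $_.FullName }
Test-OfflineSignature -Path $SignedFile
```

Run it from an elevated prompt on the disconnected machine. If ChainBuilt is $false with RevocationStatusUnknown or OfflineRevocation in Problems, the trust anchors are fine but the CRL shipped with the build has expired or is missing, which is the thing to refresh at the next release; a bare UntrustedRoot means the wrong (or no) root was imported.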

Thanks for answering, much appreciated. I didn't know the CRL timeout was configurable, or that I could provide a CRL - that's something I'll look into.
September 1st, 2012 8:31am

Scenario
My customer is in a highly secure environment. They do not have computers connected to the internet. We deliver an InstallShield installation of a Windows product (nothing SSL or webby) which is digitally signed with an Authenticode Code Signing certificate. This certificate used the 2048-bit VeriSign root CA, and that's not recognized by their computers. They won't get new root CAs automatically through Windows Update because they do not connect to the internet. Ever. When installing our product, the main setup.exe runs fine, but one of the .cab files hits a problem because the certificate is not recognized. (I believe this is InstallShield behaving badly; msiexec doesn't do this!) They are not our only customer, so we do not want a 'non-signed' version of our installation just for them. The product installation will not continue. Viewing the .exe or .cab and trying to install our VeriSign certificate doesn't solve the problem. It needs more.

Current solution
I have provided them with a .cer file, which is the VeriSign Class 3 Public Primary Certification Authority - G5 (Primary Intermediate) [25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd]. After they install this certificate, the installation succeeds. We have also supplied some .config files to prevent the CRL check from delaying services from starting - as they take longer than 30 seconds otherwise - and then fail.

Question
What is the best practice in this area, given that they will not connect to the internet to let 'the magic happen'?
Is what we did ok? I thought it would be less risky to install the Intermediate rather than a root.
Is there any whitepaper or guidance on certificate installation for disconnected systems?
For services that are signed with certificates, should we provide them with an exe.config file or is that wrong?
September 1st, 2012 12:47pm
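Worked example (added by the editor, not from the original poster): the .config workaround described above, as the poster's own files are not shown. The assumption here is that the services are .NET executables and that the setting involved is the runtime's generatePublisherEvidence switch, which is the standard way to stop the CLR from building Authenticode publisher evidence (and therefore downloading the CRL) when a signed managed executable starts; on a host with no Internet route that download is what eats the 30-second service-start budget. The script below creates or updates <exe>.config next to the service binary and then reads it back. The service name .\MyService.exe is made up.

```powershell
# Added example: write/update <exe>.config so the CLR skips publisher-evidence generation.
# Assumption: the service host is a .NET executable. .\MyService.exe is a placeholder name.

function Set-NoPublisherEvidence {
    param([Parameter(Mandatory)][string]$ExePath)

    # Resolve against the PowerShell location; XmlDocument.Save uses the process CWD otherwise.
    $exeFull    = (Resolve-Path -Path $ExePath).ProviderPath
    $configPath = "$exeFull.config"          # the CLR only honours exactly <exe name>.config

    $xml = New-Object System.Xml.XmlDocument
    if (Test-Path -Path $configPath) {
        $xml.Load($configPath)
        if ($xml.DocumentElement.Name -ne 'configuration') {
            throw "$configPath is not a .NET application configuration file"
        }
    } else {
        $xml.AppendChild($xml.CreateXmlDeclaration('1.0', 'utf-8', $null)) | Out-Null
        $xml.AppendChild($xml.CreateElement('configuration')) | Out-Null
    }
    $root = $xml.DocumentElement

    # <configuration><runtime><generatePublisherEvidence enabled="false"/></runtime></configuration>
    $runtime = $root.SelectSingleNode('runtime')
    if (-not $runtime) { $runtime = $root.AppendChild($xml.CreateElement('runtime')) }

    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if (-not $gpe) { $gpe = $runtime.AppendChild($xml.CreateElement('generatePublisherEvidence')) }
    $gpe.SetAttribute('enabled', 'false')

    $xml.Save($configPath)
    $gpe.OuterXml                            # <generatePublisherEvidence enabled="false" />
}

function Test-NoPublisherEvidence {
    param([Parameter(Mandatory)][string]$ExePath)
    $configPath = "$((Resolve-Path -Path $ExePath).ProviderPath).config"
    if (-not (Test-Path -Path $configPath)) { return $false }
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($configPath)
    $node = $xml.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    return ($null -ne $node -and $node.GetAttribute('enabled') -eq 'false')
}

Set-NoPublisherEvidence  -ExePath '.\MyService.exe'
Test-NoPublisherEvidence -ExePath '.\MyService.exe'   # $true once the setting is in place
```

Two caveats a deployer should know. The switch only affects the CLR's own publisher-evidence step, which is unused unless the customer relies on code access security policy keyed on publisher identity; it does not turn off Windows' Authenticode verification of the file, so it does nothing for the InstallShield .cab failure, which still needs the issuer certificate imported. And because the CRL is simply no longer consulted at start-up, revocation of the signing certificate will not be noticed on that host; shipping a current CRL alongside the build is the way to keep that check meaningful offline.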

