Tuesday, December 17, 2013

Enterprise Certificate Authority Pushing Old Certificates through Active Directory

A new public key infrastructure was deployed on Windows Server 2012 R2 consisting of two certificate authorities.  For security reasons and to adhere to Microsoft best practice, we deployed a new stand alone offline certificate authority and a subordinate enterprise certificate authority which is Active Directory integrated and will be responsible for issuing certificates to all devices, users and service accounts on the domain.

The following image is an overview of the deployed solution.

When I setup the subordinate certificate authority, I issued a certificate to the subordinate from the root certificate authority to validate its identity and authorise it to issue certificates on behalf of the root.  Only after I issued this certificate, I found out the default issuing time for certificates on stand alone certificate authorities in Windows Server 2012 R2 is only 1 year.  This period of time is far to small for a certificate that is assigned to another certificate authority.

As a result we increased the time that the root certificate authority issues certificates for which was performed with the following command:

certutil -setreg ca\ValidityPeriodUnits "10"

This changed it from 1 year to 10 years.
We then issued a new certificate from the root authority to the subordinate certificate authority for the 10 year period.

The Problem

After issuing a new certificate to the subordinate certificate authority I realised the subordinate certificate authority is pushing out the new 10 year certificate to the intermediate certificate store on workstations as well as the old 1 year certificate.  This is shown in the following screenshot below on a domain member machine.  The two certificates highlighted were old certificates which use to be assigned to the enterprise subordinate certificate authority.  There are two because we issued two (we forgot to restart the certificate authority service on the root CA after running the certutil command above to extend the validity period so we had to repeat the process).

I don't want the Active Directory certificate authority pushing out these invalid certificates to all domain joined devices.

How to Remove Certificates from Active Directory Deployment

To remove certificates from Active Directory deployment, you must open an application called pkiview.msc on an Enterprise Certificate Authority.

Right click Enterprise PKI and select Managed AD Containers.
Enterprise root certificate authorities are located in the "Certification Authorities Container" tab and enterprise subordinate certificate authorities are located under the "NTAuthCertificates" and "AIA Container" tab. View the certificates by looking at expiry date or thumb print to ensure you find the correct certificate.  Remove the unwanted certificates which are no longer required by your workstations.
After removing the unwanted certificates performing a gpupdate /force on a domain member automatically removes the unwanted certificates from the intermediate store and root store.  This is shown in the following screenshot taken of the computers certificate store in a mmc snapin.

A big thankyou to River Mei from Microsoft who assisted me with this issue.

No comments:

Post a Comment