Dave W
Guest
Posted: Sun Jan 30, 2005 6:45 am
Post subject: Concealment of DNS Name in CA Certificate
I'd like to remove all DNS references from CA certificates, such that the AIA CRT publication path is "DNS free". As far as I can tell, including the DNS name in the CRT name is a bit of a security poser as it reveals a CA server's DNS name to all and sundry.

There is a registry value called CACertFileName that I can change; however, I cannot make this registry change before the CA server is installed - and by then the CA server's certificate has already been published (including the DNS reference). I could manually change the CRT filename once published, but this will cause me problems when I come to certificate renewal.

Anyone got any ideas?

Dave
Steve Riley [MSFT]
Guest
Posted: Wed Feb 02, 2005 3:08 am
Post subject: Re: Concealment of DNS Name in CA Certificate
You can't do that. AIA is used whenever a resource (user, service) wants
to verify the trust state of a certificate. It's also used when a resource
needs to obtain an issuing CA's public certificate and for OCSP responders.
Knowledge of your CA's DNS name is not useful to an attacker if your CA is
properly secured.
Steve Riley
steriley@microsoft.com
Quote:
    I'd like to remove all DNS references from CA certificates, such that the AIA CRT publication path is "DNS free". As far as I can tell, including the DNS name in the CRT name is a bit of a security poser as it reveals a CA server's DNS name to all and sundry.

    There is a registry value called CACertFileName that I can change; however, I cannot make this registry change before the CA server is installed - and by then the CA server's certificate has already been published (including the DNS reference). I could manually change the CRT filename once published, but this will cause me problems when I come to certificate renewal.

    Anyone got any ideas?

    Dave
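As an added illustration (not from either post), the AIA extension Steve refers to is a DER SEQUENCE of AccessDescription entries, each an access-method OID plus a GeneralName URL; this stand-alone Python encodes one from constructed, Windows-style publication paths and lists which hostnames the URLs disclose. The `SAMPLE_AIA` paths, the `corp.example` hostnames and the `exposed_hosts` check are assumptions made for the example, not values from the thread.

```python
from urllib.parse import urlparse
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers: where to fetch the issuing CA's certificate
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp: OCSP responder location

def _tlv(tag, body):
    """DER tag-length-value; switches to long-form length once the body reaches 128 bytes."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, 0x80 | len(raw) if raw else n]) + raw + body

def _oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return _tlv(0x06, bytes(body))

def encode_aia(entries):
    """(accessMethod OID, URI) pairs -> SEQUENCE OF AccessDescription; URI = GeneralName [6], tag 0x86."""
    return _tlv(0x30, b"".join(_tlv(0x30, _oid(o) + _tlv(0x86, u.encode("ascii"))) for o, u in entries))

def _walk(der):
    """Yield (tag, value) for each TLV in a DER byte string."""
    i = 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits say how many length bytes follow
            k = length & 0x7F
            length, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + length]
        i += length

def aia_uris(der):
    """Every URI GeneralName in the AIA value, in order."""
    _, body = next(_walk(der))  # outer SEQUENCE OF AccessDescription
    return [v.decode("ascii") for _, desc in _walk(body) for t, v in _walk(desc) if t == 0x86]

def exposed_hosts(der):
    """Hostnames the AIA URLs disclose; ldap:/// paths carry none, http:// paths do."""
    return sorted({urlparse(u).hostname for u in aia_uris(der)} - {None})

SAMPLE_AIA = encode_aia([  # constructed, Windows-style publication paths, not from the thread
    (OID_CA_ISSUERS, "ldap:///CN=Corp%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=example?cACertificate?base"),
    (OID_CA_ISSUERS, "http://ca01.corp.example/CertEnroll/ca01.corp.example_Corp%20Root%20CA.crt"),
    (OID_OCSP, "http://ocsp.corp.example/ocsp")])
```

Pointing `exposed_hosts` at the AIA value pulled from a CA's own issued certificates shows exactly which DNS names the publication paths give away, which is the inventory to have before deciding whether a name is worth hiding.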