Certificate chain building
Vsevolod
Posted: Wed Oct 19, 2005 12:50 pm    Post subject: Certificate chain building

Hi, guys!

It's me again with the same problem that has been discussed in the previous
threads "IIS 6 behavior on checking clients' certificates". My questions are
still open.
I understand you are very busy, but could you help me to solve this issue?

After numerous tests I determined the following, and you can easily check it:
1. IIS 5 (Win2k) doesn't build the certificate chain, because a client
certificate that has intermediate CAs in its certificate chain and has no
AIA extension can open https resources on an IIS that knows nothing about
the intermediate CA.
2. IIS 6 (Win3k) builds the certificate chain, but it requires all intermediate
certificates in the Intermediate store (Local Machine) and it doesn't use
the AIA extension that the client certificate has.

Am I right? If it is a bug, can I hope it will be fixed?

BR,
Vsevolod.
Paul Adare
Posted: Wed Oct 19, 2005 12:50 pm    Post subject: Re: Certificate chain building

In article <790A4463-7F3E-4524-A21D-50FCC27CEBE8@microsoft.com>, in the
microsoft.public.windows.server.security news group, Vsevolod
<Vsevolod@discussions.microsoft.com> says...

Quote:
2. IIS 6 (Win3k) builds the certificate chain, but it requires all intermediate
certificates in the Intermediate store (Local Machine) and it doesn't use
the AIA extension that the client certificate has.


This is not the case. IIS 6 itself does not perform the certificate
chaining process. That process is handled by the certificate chaining
engine in the OS and it will attempt to retrieve the required
certificates based on the AIA locations in the certificate being
presented.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
Vsevolod
Posted: Wed Oct 19, 2005 12:50 pm    Post subject: Re: Certificate chain building

Thanks for your reply.

"Paul Adare" wrote:

Quote:
This is not the case. IIS 6 itself does not perform the certificate
chaining process. That process is handled by the certificate chaining
engine in the OS and it will attempt to retrieve the required
certificates based on the AIA locations in the certificate being
presented.

I understand IIS 6 itself doesn't perform the certificate
chaining process. So it uses the certificate chaining engine in the OS
improperly, particularly with AIA extension processing, while at the same time
certutil does it properly.
If it doesn't find a certificate in the Intermediate Certificate store, it
retrieves it from the AIA location and installs it in the Intermediate Certificate
store. How can you explain it?
How can I trace the IIS certificate chaining process? Is there a way to do
this?

BR,
Vsevolod.
Paul Adare
Posted: Wed Oct 19, 2005 12:50 pm    Post subject: Re: Certificate chain building

In article <7AB87322-4C01-4BAF-AAA5-BDF763E03A38@microsoft.com>, in the
microsoft.public.windows.server.security news group, Vsevolod
<Vsevolod@discussions.microsoft.com> says...

Quote:
Thanks for your reply.

"Paul Adare" wrote:

This is not the case. IIS 6 itself does not perform the certificate
chaining process. That process is handled by the certificate chaining
engine in the OS and it will attempt to retrieve the required
certificates based on the AIA locations in the certificate being
presented.

I understand IIS 6 itself doesn't perform the certificate
chaining process. So it uses the certificate chaining engine in the OS
improperly, particularly with AIA extension processing, while at the same time
certutil does it properly.
If it doesn't find a certificate in the Intermediate Certificate store, it
retrieves it from the AIA location and installs it in the Intermediate Certificate
store. How can you explain it?

How can I explain what? I don't understand the problem here. This is how
things are supposed to work.

Quote:
How can I trace the IIS certificate chaining process ? Is there a way to do
this ?

BR,
Vsevolod.


Vsevolod
Posted: Wed Oct 19, 2005 12:50 pm    Post subject: Re: Certificate chain building

"Paul Adare" wrote:
Quote:
I don't understand the problem here. This is how
things are supposed to work.

Excuse me, don't you understand the problem here? Do you consider that
there isn't a bug here?
If IIS 6 (the certificate chaining engine in the OS) doesn't use the AIA
extension in the client certificate, then why does it need it?
I think it's very convenient to manually install/update/remove hundreds and
thousands of intermediate certificates on the web server side when CryptoAPI must
do that. As I was writing before, I had read in the article "Troubleshooting
Certificate Status and Revocation", published November 1, 2003, by Brian Komar
and David B. Cross, Microsoft Corporation:


The chain building process will validate the certification path by checking
each certificate in the certification path from the end certificate to the
Root CA's certificate. The certificates are retrieved from the Intermediate
Certification Authorities store, the Trusted Root Certification Authorities
store, or from a URL specified in the Authority Information Access (AIA)
attribute of the certificate. If the CryptoAPI discovers a problem with one
of the certificates in the path, or if it cannot find a certificate, the
certification path is discarded as a non-trusted certification path.

To improve performance, the CryptoAPI will store subordinate CA certificates
in the Intermediate Certification Authorities store so that future requests
for the certificate can be satisfied from the store, rather than accessing
the certificate through a URL


Excuse me again. If you consider that I'm not right and there is no problem
here, I won't write more about this.

BR,
Vsevolod.
Vsevolod
Posted: Wed Oct 19, 2005 4:51 pm    Post subject: Re: Certificate chain building

Quote:
Ok, I think maybe I see where you're coming from here. When a client
requests an SSL connection with an IIS 6 server, the IIS server attempts
to build its own chain prior to sending its certificate information to
the client. At this point, if the IIS 6's intermediate CA certificate(s)
is not in the local store it won't attempt to retrieve it.
I believe, however, that this only applies to its own chain.

In my case IIS server certificate chain has no intermediate certificates.

Quote:
If presented with a client auth certificate, it should use the AIA
extension in the client certificate to build that chain.

It should use it, but it doesn't :) I'll be so happy if it does :(

Quote:
I'm checking with some contacts I have at Microsoft and will get back to
you as soon as I have an answer.

Thanks a lot.

BR,
Vsevolod.
Vsevolod
Posted: Wed Oct 19, 2005 4:51 pm    Post subject: Re: Certificate chain building

"Paul Adare" wrote:
Quote:
You need to relax a little. I'm having some trouble following what
you're posting here.

Sorry.

Quote:
My point is that it does use the AIA extension in client certs for chain
building. I don't understand why you seem to think it doesn't.

The best way to determine this is to run a test. As I was saying before, I
ran many tests and determined:
IIS 6 doesn't use the AIA extension for chain building, because the web server
log where I placed the intermediate certificates has no records of attempts to
retrieve them, while when I launch certutil to check the certificate the web server log
shows the certificate retrieval attempts.

Quote:
Right, and all of that is done when IIS 6 is doing chain validation.

Excuse me again. IIS 6 only retrieves certificates from the Intermediate
Certification Authorities store and doesn't use the AIA extension.

BR,
Vsevolod.
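The two things argued about in this thread (whether the OS chain engine follows the AIA extension of a client certificate, and whether a fetched subordinate CA certificate then lands in the Intermediate Certification Authorities store, as the Komar/Cross white paper quoted above says) can be observed rather than guessed. The PowerShell below is an added example, not code from the thread, from Microsoft or from the white paper; it drives the same CryptoAPI chain engine through .NET's X509Chain and assumes the client certificate has been exported to C:\temp\client.cer (a hypothetical path).

```powershell
# Added example (not from the thread). Inspect a client certificate's AIA
# extension, build its chain with the OS chain engine, and report which CA
# certificates of that chain are present in the machine stores.
# Assumption: the certificate to test is at C:\temp\client.cer (hypothetical).
param([string]$CertPath = 'C:\temp\client.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Does the certificate carry an AIA extension (OID 1.3.6.1.5.5.7.1.1) at all?
#    Without one the chain engine has nothing to fetch and can only use the stores.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) {
    # Format($true) renders the CA Issuers / OCSP URLs as readable multi-line text.
    Write-Host "AIA extension:`n$($aia.Format($true))"
} else {
    Write-Host 'No AIA extension: intermediates must already be in a local store.'
}

# 2. Snapshot the machine Intermediate CA store before chain building so a
#    newly cached subordinate CA certificate can be spotted afterwards.
$before = Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { $_.Thumbprint }

# 3. Build the chain. Revocation checking is disabled so that CRL/OCSP problems
#    do not get confused with chain-building (AIA) problems.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)
Write-Host "Chain built successfully: $built"

# 4. Walk the chain from the end-entity certificate up to the root and show
#    where each CA certificate was found.
$machineCA   = Get-ChildItem Cert:\LocalMachine\CA   | ForEach-Object { $_.Thumbprint }
$machineRoot = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    $tp = $el.Certificate.Thumbprint
    $location = if ($tp -eq $cert.Thumbprint)   { 'end-entity certificate' }
                elseif ($machineRoot -contains $tp) { 'LocalMachine\Root store' }
                elseif ($machineCA   -contains $tp) { 'LocalMachine\CA (Intermediate) store' }
                else                                 { 'not in machine stores (user store or AIA fetch)' }
    Write-Host ("  {0}`n    status: {1}`n    found in: {2}" -f $el.Certificate.Subject, $status, $location)
}

# 5. Anything that appeared in the Intermediate store during the build is a
#    subordinate CA certificate the engine fetched and cached, as described
#    in the white paper quoted in the thread.
$after = Get-ChildItem Cert:\LocalMachine\CA | ForEach-Object { $_.Thumbprint }
$new = $after | Where-Object { $before -notcontains $_ }
if ($new) { Write-Host "Newly cached in LocalMachine\CA: $($new -join ', ')" }
else      { Write-Host 'No new certificates were added to LocalMachine\CA by this build.' }
```

To make the test meaningful, remove the intermediate certificate from the store first and clear the URL cache (certutil -urlcache * delete) so that a successful build must have hit the AIA URL; the web server hosting the intermediate should then show the request in its log. certutil -verify -urlfetch client.cer performs the same retrieval from the command line and prints each URL it tried. One caveat when comparing with IIS: a chain built in an interactive session uses that user's stores and URL cache, whereas IIS builds the chain in its own security context, so a certificate that is cached for your account proves nothing about what the server sees; check the machine stores explicitly, as the script does.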
Paul Adare
Posted: Wed Oct 19, 2005 4:51 pm    Post subject: Re: Certificate chain building

In article <MPG.1dc00c491d1f07aa989eea@msnews.microsoft.com>, in the
microsoft.public.windows.server.security news group, Paul Adare
<padare@newsguy.com> says...

Quote:
Right, and all of that is done when IIS 6 is doing chain validation.


Excuse me again. If you consider that I'm not right and there is no problem
here, I won't write more about this.

I don't understand why you seem to think that IIS 6 does not do this.


Ok, I think maybe I see where you're coming from here. When a client
requests an SSL connection with an IIS 6 server, the IIS server attempts
to build its own chain prior to sending its certificate information to
the client. At this point, if the IIS 6's intermediate CA certificate(s)
is not in the local store it won't attempt to retrieve it.
I believe, however, that this only applies to its own chain. If
presented with a client auth certificate, it should use the AIA
extension in the client certificate to build that chain.
I'm checking with some contacts I have at Microsoft and will get back to
you as soon as I have an answer.

Paul Adare
Posted: Wed Oct 19, 2005 4:51 pm    Post subject: Re: Certificate chain building

In article <967023F1-AF17-4FC7-8780-F944FC3D9F56@microsoft.com>, in the
microsoft.public.windows.server.security news group, Vsevolod
<Vsevolod@discussions.microsoft.com> says...

Quote:
"Paul Adare" wrote:
I don't understand the problem here. This is how
things are supposed to work.

Excuse me, don't you understand the problem here? Do you consider that
there isn't a bug here?

You need to relax a little. I'm having some trouble following what
you're posting here.

Quote:
If IIS 6 (the certificate chaining engine in the OS) doesn't use the AIA
extension in the client certificate, then why does it need it?

My point is that it does use the AIA extension in client certs for chain
building. I don't understand why you seem to think it doesn't.

Quote:
I think it's very convenient to manually install/update/remove hundreds and
thousands of intermediate certificates on the web server side when CryptoAPI must
do that. As I was writing before, I had read in the article "Troubleshooting
Certificate Status and Revocation", published November 1, 2003, by Brian Komar
and David B. Cross, Microsoft Corporation:

I'm well aware of this white paper. Brian is my business partner.
Quote:
The chain building process will validate the certification path by checking
each certificate in the certification path from the end certificate to the
Root CA's certificate. The certificates are retrieved from the Intermediate
Certification Authorities store, the Trusted Root Certification Authorities
store, or from a URL specified in the Authority Information Access (AIA)
attribute of the certificate. If the CryptoAPI discovers a problem with one
of the certificates in the path, or if it cannot find a certificate, the
certification path is discarded as a non-trusted certification path.

To improve performance, the CryptoAPI will store subordinate CA certificates
in the Intermediate Certification Authorities store so that future requests
for the certificate can be satisfied from the store, rather than accessing
the certificate through a URL

Right, and all of that is done when IIS 6 is doing chain validation.
Quote:
Excuse me again. If you consider that I'm not right and there is no problem
here, I won't write more about this.

I don't understand why you seem to think that IIS 6 does not do this.
