UniCERT PKI: limited auto-enrollment support 2


 

In enterprise environments, non-Windows PKI solutions are not uncommon. Such as product is PKI from Verizon CyberTrust called UniCERT, or UniCERT PKI for short.

Although the product delivers standard PKI features, like many Unix-Java based products it has many limitations when it comes to integration into the Windows world. Here is a few caveats I came across when I had to participate into such an integration.

Use as a stand alone CA

If you use it as regular stand-alone Certification Authority, standard certificates are not a big deal. Some limitations however appear because what they call ‘policies’ do not target Windows specifically. In UniCERT jargon, a policy is roughly what a Microsoft CA calls a template. Since most of the Microsoft template equivalents are not provided by UniCERT, everw time you design a policy for a Windows machine or user, you have to create a policy by looking at the Microsoft template and creating all the needed OIDs and policies. This is just fastidious.

Use as an Enterprise CA

However the real culprit occurs when you want to create Enterprise CAs. An Enterprise CA  is supposed to publish some records into the Active Directory so the Windows Client can find it and automatically request and receive certificates if needed.

As the product is Unix and Java based, they had to mimic the functionality, including the Windows protocol and the records in the AD. So they create an Auto-Enrollment module you have to install on a member server. And here are the problems:

  1. They don’t give it for free : you have to pay for this module in addition to the Windows license for the member server if any;
  2. The module is not HA/DRP compliant: you cannot install several member servers having each the module  in an active/active or even active/passive fashion. Needless to say that the failover clustering configuration has not been tested
  3. The module doesn’t install correctly if you don’t grant the account you’re uninstalling under rights to the configuration AD Container: it should be able to read and write on this container and all the objects below
  4. The module doesn’t create CA templates for the Windows machines and users to consume. You have to install AD Certificate Services and then uninstall it. So that the templates are published by Microsoft product. Of course, none of the document  tells you about doing this with a clean CAPolicy.Inf file. Therefore you end up with all the templates created in your Active Directory

Additional security issues

  1. The code running on the member server which acts a as relay to your UniCERT PKI infrastructure is based on Java, so you’ll get all the JAVA vulnerabilities and patch cycle to follow for free, without Verizon telling you if you can safely update JAVA or not
  2. Finally, the code still implements a pre-Windows 2008R2 PKI; therefore you must deploy and pay for one server module per forest even if you have forest trust relationships
  3. A side-effect of being stuck in a pre-Windows2008R2 protocol version is that you cannot propose:
    • autoenrollment over HTTPS or to non-domain-joined machines
    • your firewall has to open all the set of ports for RPC: TCP/135 and the dynamic ports

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 thoughts on “UniCERT PKI: limited auto-enrollment support

  • MOI

    This is a very microsoft centric appraisal…. UniCERT produces x509 certificates (rfc5280), and additionally adds support for many of the frequently evolving MS defined extensions (that have extended outside of the x509 standard) so that it could serve the subset of MS AD use cases. The MS AD use cases your post is based around, are only a subset of the PKI use cases that can be served by UniCERT and the other PKIs you referred to.
    In addition to a providing a protocol handler (auto-enrol Handler) that mimics the MS CA for the MS AD use cases, UniCERT provides protocol handlers for web, email, SCEP and CMP, a number of which provide flexible APIs that can be used to serve very sophisticated PKI use cases outside of the MS arena (eg MDM, IoT) . UniCERT is used to provide public and private trust CAs at governments and major financial institutions globally. MS CA is a nice CA too, but is often used as very useful tool for sys admins to enable technical controls within the forest as opposed to the tradional ‘trust’ PKI use cases that other PKI vendors are focused on.

    • dimitri

      My test case is in fact a big company where they had to deploy 802.1x authentication on many devices (around 3000) without going physically to each device. In that case, and based on what the product was at the time of writing, there were several issues with UniCert:

    • additional cost per Auto-Enrollment server, whereas the MS role was free in addition to the license<
    • usage of Java by the product which created 2 additional risk concerns: Java updates to be maintained in conjunction with the support matrix and the fact and the Certificate request was done in user mode, therefore much more hackable in memory than a process in kernel mode
    • The product did not implement any auto-enrollment other than using RPC, which means a lot of open ports, no advanced cross-forest support without template replications, and no enrollment of non-Windows devices over HTTPS
    • Thereforemm TCO was higher, additional security concerns were present, and I’m not speaking about the interface’s usage for which my colleagues, ironically from a Unix background, clearly preferred the MS UI