Security Certificates General Questions

Kevin Davis

I watched "Implement and Manage Certificates" in 70-414. I have a few followup questions...

I noticed, that when I created some of the templates, while the video recommended using 2048 or 4096 bit encryption, it didn't mention the hash algorithm. I chose 256 as one didn't appear selected. But, later a different algorithm was mentioned. How important is that selection? I'm guessing not too important since it wasn't mentioned.

I setup a recovery agent as described. But, I had already created the Group Policy Object to place the EFS certificate into computer "Trusted Root Certificate Authorities". So, do I need to do something extra to make sure that the recovery agent is used by those computers since the recovery agent didn't yet exist when the EFS certificates were issues?

There are a great many different certificate types. How can one know which to choose in any particular instance. For example, when I try to use remote logon to one of our servers, I get a message about not trusting the certificate. I'd like to fix that but am unsure of which certificate to use. Another example is on our Cisco Wireless Lan Controller. When I connect to it, the controller complains of not trusting the certificate. Again, which ceertificate should be used?

Thanks,
Kevin
Eternally Confuzzled

Mike Rodrick

Hi @Kevin-Davis ,

Using SHA256 as the hashing algorithm is recommended, as long as everything in your environment supports this, which shouldn't be a problem in todays environments. Some older OSs might not be able to decrypt a CRl signature for example. To my knowledge, SHA 256 is still considered secure.

If you have certificates that were issued before the recovery agent was enabled, or if you ever change the recovery agent, you will need to reissue those certificates. It's not as bad as it might seem. You can create a new certificate template to issue, and have it supersede the previous certificate.

As for what certificate to use, it is determined by the application policies on the extensions tab of the certificate template. If you pull up the properties of a template and navigate to the Extensions tab, select Application policies. The bottom half of the properties will tell you what the certificate can be used for (server authentication, client authentication, EFS, etc) Click edit and then click add and you will see a list of application policies you can add to a certificate template.

Trust is a big part of PKI. If you get a message about not trusting the certificate, this is because your machine does not trust the issuing CA. You will need to import either the issuing CA certificate or the root CA certificate for the entire hierarchy, depending on what you want to trust. Choose wisely ;)

Hope this helps!

Kevin Davis

I feel a conversation could clear up much of my ignorance about certificates. Is there any way that can be arranged? I assume you are available for consulting work, I'm not asking for anything free. Please let me know if something like that is allowed.

Thanks,
Kevin

Adam Gordon

@Kevin-Davis ,

I hope all is well. I would be happy to see if we can schedule some time to chat.

I am a bit tied up right now, but the end of this week, Friday, August 21st would be a good day if you are available in the morning, perhaps at 9:30 A.M. Eastern Daylight Time?

My direct e-mail is : adam@itpro.tv

Please let me know if that would work.

Cheers,

Adam