WinEP - Revocation over MS-CSRA
Introduction
This article explains how to configure CM and Active Directory for end user certificate revocation over the Microsoft Certificate Services Remote Administration Protocol (MS-CSRA), https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-csra/.
It also explains how to perform the revocation using the CertUtil (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) Microsoft Windows application.
Configuration
Standard WinEP configuration:
Ensure WinEP is installed and configured according to [1].
CAs published to Active Directory:
The CAs (for which revocation shall be enabled) must be placed in the CN=AIA container in Active Directory (CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<local>).
Distribution Rules can be configured in CM to achieve this. See https://doc.nexusgroup.com/pub/create-distribution-rule-in-certificate-manager
WinEP CM officer (SSL certificate (see [1]) for the WinEP service):
The CM officer must have role: cert.revoke
It is possible to restrict which CAs' end user certificates the WinEP service is allowed to revoke by configuring the domains of the CA object and the CM officer in CM Administrators Workbench (AWB).
WinEP user:
The user account that is running the WinEP service (see [1]) must have Read all properties permission on the CA object in the CN=AIA container in Active Directory (CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<local>).
To configure this:
Open ADSI Edit tool (adsiedit.msc)
Open the Configuration context
Navigate to CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<local>
Right click on the CA object, select Properties, go to Security tab and click Advanced
Add the WinEP user and click Edit to edit its permissions
In Properties, enable Read all properties permission
Click OK and apply the changes
Requester's Windows User:
The user performing the revocation must have write permissions on the certificateRevocationList attribute of the CA object (for which certificates are revoked) in the AIA container in Active Directory.
To configure this:
Open ADSI Edit tool (adsiedit.msc)
Open the Configuration context
Navigate to CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=<domain>, DC=<local>
Right click on the CA object, select Properties, go to Security tab and click Advanced
Add the requester's user or group and click Edit to edit its permissions
In Properties, enable the Write certificateRevocationList permission to allow the user or group to perform certificate revocation
Click OK and apply the changes
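The two ADSI Edit procedures above (Read all properties for the WinEP service account, Write certificateRevocationList for the requester) can also be applied from PowerShell. The following is an added example, not part of the WinEP documentation; it assumes the ActiveDirectory module is available and uses placeholder names for the CA object, the WinEP service account and the requester group. The write ACE is deliberately scoped to the certificateRevocationList attribute only, so the requester gets no other write access to the CA object.

```powershell
# Added example (not from the Nexus CM/WinEP documentation). Grants the two ACEs
# described above on a CA object in the CN=AIA container via the AD: drive.
# Placeholders to replace: $caName, $winepAccount, $requesterGrp.
Import-Module ActiveDirectory

$caName       = 'Issuer CA'             # CN of the CA object in CN=AIA (placeholder)
$winepAccount = 'EXAMPLE\svc-winep'     # account running the WinEP service (placeholder)
$requesterGrp = 'EXAMPLE\CertRevokers'  # group allowed to request revocation (placeholder)

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$caDn     = "CN=$caName,CN=AIA,CN=Public Key Services,CN=Services,$configNC"

# Resolve the schemaIDGUID of certificateRevocationList at run time instead of
# hard-coding it, so the write ACE is bound to exactly that attribute.
$crlAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=certificateRevocationList)' `
    -Properties schemaIDGUID
$crlGuid = [guid]$crlAttr.schemaIDGUID

$acl = Get-Acl -Path "AD:\$caDn"

# 1. WinEP service account: "Read all properties" = ReadProperty with no attribute GUID.
$winepSid = ([System.Security.Principal.NTAccount]$winepAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])
$readAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $winepSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readAce)

# 2. Requester group: WriteProperty restricted to certificateRevocationList (least privilege:
#    no write access to any other attribute of the CA object).
$reqSid = ([System.Security.Principal.NTAccount]$requesterGrp).Translate(
    [System.Security.Principal.SecurityIdentifier])
$writeAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $reqSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $crlGuid)
$acl.AddAccessRule($writeAce)

Set-Acl -Path "AD:\$caDn" -AclObject $acl

# Check: show the ACEs that now apply to the two principals on the CA object.
(Get-Acl -Path "AD:\$caDn").Access |
    Where-Object { $_.IdentityReference.Value -in @($winepAccount, $requesterGrp) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Run this as an account that is allowed to modify the security descriptor of the CA object (for example a member of Enterprise Admins); the final query is the equivalent of opening the Advanced security dialog in ADSI Edit and confirming that the two entries are present. For the requester entry, ObjectType should show the certificateRevocationList attribute GUID rather than the all-zero GUID.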
Certadm.dll:
This DLL must be available on the machine where CertUtil is run to send revocation requests. It provides the ICertAdmin interface for administrative tasks like revoking certificates.
This library is included by default in Windows Server instances. If not, you need to add it manually.
Revocation procedure:
Revocation of a certificate can be performed by using the certutil.exe tool from Microsoft by running the following command:
certutil -config "<domain>\<ca_name>" -revoke <cert_serial_number> <revocation_reason_code>
where:
<domain>\<ca_name>: The issuer CA name and the Windows domain
<cert_serial_number>: The certificate's serial number
<revocation_reason_code>: The revocation reason code
For example: certutil -config "DC.example.com\Issuer CA" -revoke 918273 1
The following revocation reason codes are supported by WinEP:
Unspecified (0)
Key Compromise (1)
Affiliation Changed (3)
Superseded (4)
Cessation of Operation (5)
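Because only the five reason codes above are accepted by WinEP, it is worth rejecting any other code (for example 2, CA Compromise, or 6, Certificate Hold) before the request reaches the CA. The following is an added example, not part of the WinEP documentation: a small PowerShell wrapper around the certutil command shown above. It assumes certutil.exe and Certadm.dll are present, and uses the CA configuration string from the example as a placeholder.

```powershell
# Added example (not from the WinEP documentation): wraps the certutil revocation
# command shown above and validates the input against the WinEP-supported reason codes.
$SupportedReasons = [ordered]@{
    0 = 'Unspecified'
    1 = 'Key Compromise'
    3 = 'Affiliation Changed'
    4 = 'Superseded'
    5 = 'Cessation of Operation'
}

function Invoke-WinEPRevocation {
    param(
        [Parameter(Mandatory)][string]$CaConfig,      # "<domain>\<ca_name>", e.g. "DC.example.com\Issuer CA"
        [Parameter(Mandatory)][string]$SerialNumber,  # hexadecimal serial number as certutil expects it
        [Parameter(Mandatory)][int]$ReasonCode,       # one of the WinEP-supported codes above
        [switch]$WhatIf                               # print the command instead of running it
    )

    # Refuse codes WinEP does not support (2 and 6 among them) before contacting the CA.
    if (-not $SupportedReasons.Contains($ReasonCode)) {
        $allowed = ($SupportedReasons.Keys | ForEach-Object { $_ }) -join ', '
        throw "Reason code $ReasonCode is not supported by WinEP (allowed: $allowed)"
    }
    if ($SerialNumber -notmatch '^[0-9A-Fa-f]+$') {
        throw "Serial number '$SerialNumber' must be a hexadecimal string"
    }

    $argList = @('-config', $CaConfig, '-revoke', $SerialNumber, $ReasonCode)
    if ($WhatIf) {
        Write-Output "certutil $($argList -join ' ')"
        return
    }

    & certutil.exe @argList
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed with exit code $LASTEXITCODE"
    }
    Write-Output ("Revoked serial {0} on {1}: {2} ({3})" -f `
        $SerialNumber, $CaConfig, $SupportedReasons[$ReasonCode], $ReasonCode)
}

# Same request as the example command above; -WhatIf only prints the certutil command line.
Invoke-WinEPRevocation -CaConfig 'DC.example.com\Issuer CA' -SerialNumber '918273' -ReasonCode 1 -WhatIf

# Rejected before anything is sent: Certificate Hold (6) is not in the supported list.
try {
    Invoke-WinEPRevocation -CaConfig 'DC.example.com\Issuer CA' -SerialNumber '918273' -ReasonCode 6
} catch {
    Write-Output "Rejected: $($_.Exception.Message)"
}
```

The wrapper must be run as the requester's Windows user described above, since it is that account's write permission on certificateRevocationList that the CA checks when the MS-CSRA request arrives.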
[1]: Certificate Manager WinEP documentation found in the CM installation distribution.