One of the least endearing aspects of the Microsoft Certificate Authority is the approach taken to Serial Number generation. The approach described in the following tech net article describes a brace of schemes: the first starts the serial number with the number of milliseconds since the system was started or you can opt for an alternative incorporating a random number generator.

http://technet.microsoft.com/en-us/library/cc784789(WS.10).aspx

The upshot of the default scheme is a sequence of serial numbers with such randomness and gaps that one is tempted to find the largest copy of the Oxford English dictionary available and re-educate the responsible party repeatedly and forcefully enough for the word serial and it’s meaning to be lodged permanently within their consciousness. Here is an example of the output:

So why is this an issue. Well any system performing business logic and making assumptions about the serial-ness of these numbers will be scuppered. One such system would be an OCSP system that provided with a CRL tries to assume what certificate serial numbers are still valid.

Luckily there is a way to force the CA into a much more sociable behaviour pattern. It’s largely undocumented, I only found it in a 3rd party* doc with the Microsoft docs completely ignoring it. Indeed I only knew to look because a wild eyed and battle scarred colleague had once heard tell of it. It is documented below and if you look at the image above you will see the effect in the last two numbers.

At the command line run the following commands. Stop the CA first.

certutil –delreg ca\HighSerial

then

certutil –setreg ca\HighSerial “3d”

Where the second setting sets the CA to issue certificates with sequential serial numbers using 7 bytes. It is also recommended to perform this configuration before any certificates are issued, otherwise there will be gaps in the serial numbers.

* http://www.commoncriteriaportal.org/files/epfiles/ST_VID4025-VR.pdf

Blacklog is a product of Blacktip Ltd

Feel free to link me in Mark Sutton CISSP
View Mark Sutton CISSP's profile on LinkedIn
I can also be found at twitter msutton

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s