View Issue Details

IDProjectCategoryView StatusLast Update
0000812Main CAcert Websitepublic2013-01-15 21:02
Reporterjanst Assigned To 
PriorityhighSeverityminorReproducibilityalways
Status needs workResolutionopen 
PlatformWindowsOSW2K, XP, W2K3 
Summary0000812: CAcert certificate not working with Windows Encrypting Filesystem (EFS)
DescriptionAccording to the CPS, Client certificates should be able to be used for Microsoft EFS:

"extendedKeyUsage=emailProtection,clientAuth,serverAuth,msEFS,msSGC,nsSGC "

Indeed, Windows displays correctly "filesystem encryption" within the certificate-properties. Unfortunately it won't use the CAcert client certificate but create a new self-signed one.

This happens even if I manually set the relevant registry key to the CAcert-certificate (identified by its hash-value). Windows will create a new selfsigned one and overwrite the value with the new hash.

I suppose the problem might be that OID 1.3.6.1.4.1.311.10.3.4 is not set.
This may also be the reason why the "EFS certificate configuration updater" (http://www.codeplex.com/EFSCertUpdater) does not detec a valid EFS certificate and exits without doing anything.

Any information on this?
Additional Informationhttp://technet.microsoft.com/library/bb457116.aspx#EGAA
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000905 new Unable to sign PDF file with Acrobat 
related to 0000540 needs feedbackNEOatNHNG No key usage attribute in cacert org certs anymore? 

Activities

illuminat

2011-09-22 23:03

reporter   ~0002492

http://support.microsoft.com/kb/273856

Uli60

2012-02-21 22:18

updater   ~0002834

test #1 - client certs variations

creating new account: certs.test@wiamail.de
confirmed email/account
add assurances (100 pts)
add experience points (50)

create client cert
a) email 1
   class1
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10D5
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

    certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@wiamail.de

    => all ok


b) email 1
   class3
   no name
   enable cert login

   create client cert
   install client cert

   serno: 10A1
   displ.name: CAcert WoT User -> ok
   valid from/to: 2012-02-21 / 2012-03-22 -> ok
   owner: E = certs.test@wiamail.de, CN = CAcert WoT User -> ok

   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
    Nicht kritisch
    E-Mail-Adresse: certs.test@wiamail.de

   => all ok

c) email 1
   class1
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D6
   displ.name: Certs Test -> ok

d) email 1
   class3
   "Certs Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A2

e) email 1
   class1
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10D7
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@wiamail.de

   => all ok


f) email 1
   class3
   "Certs Sub Test"
   enable cert login

   create client cert
   install client cert

   serno: 10A3
   displ.name: Certs Sub Test -> ok

   owner: E = certs.test@wiamail.de, CN = Certs Sub Test -> ok
   extended key usage:
    Nicht kritisch
    E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
    TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
    Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
    Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
    Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

   certs alternate name
   Nicht kritisch
   E-Mail-Adresse: certs.test@wiamail.de

   => all ok

Uli60

2012-02-22 00:28

updater   ~0002840

test 0000002 - server certs variations

using prev account
add domain avintec.com
confirmed avintec.com

openssl genrsa -out test1-avintec-com-512.key 512
openssl req -new -key test1-avintec-com-512.key -out test1-avintec-com-512.csr

paste csr

sign class1
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok

sign class3
<paste>
submit
error/warning
"The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki"
=> ok



openssl genrsa -out test1-avintec-com-1024.key 1024
openssl req -new -key test1-avintec-com-1024.key -out test1-avintec-com-1024.csr

sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-1024-signed-c1.key
<paste>

key in list:
     Valid test1.avintec.com 10DA Not Revoked 2012-03-22 23:59:21


openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4314 (0x10da)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 21 23:59:21 2012 GMT
            Not After : Mar 22 23:59:21 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-signed-c1.key
<paste>


key in list:
Valid test1.avintec.com 10A6 Not Revoked 2012-03-23 00:02:34

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4262 (0x10a6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 00:02:34 2012 GMT
            Not After : Mar 23 00:02:34 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok




openssl genrsa -out test1-avintec-com-2048.key 2048
openssl req -new -key test1-avintec-com-2048.key -out test1-avintec-com-2048.csr


sign class1
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c1.key
<paste>

key in list:
Valid test1.avintec.com 10DB Not Revoked 2012-03-23 00:12:53


openssl x509 -text -in test1-avintec-com-2048-signed-c1.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4315 (0x10db)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 00:12:53 2012 GMT
            Not After : Mar 23 00:12:53 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok



sign class3
<paste>
submit

Please make sure the following details are correct before proceeding any further.

CommonName: test1.avintec.com
No additional information will be included on certificates because it can not be automatically checked by the system.

submit

returns:
Below is your Server Certificate

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

new file test1-avintec-com-2048-signed-c3.key
<paste>


key in list:
     Valid test1.avintec.com 10A7 Not Revoked 2012-03-23 00:20:44

openssl x509 -text -in test1-avintec-com-2048-signed-c3.key -noout

....................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4263 (0x10a7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 00:20:44 2012 GMT
            Not After : Mar 23 00:20:44 2012 GMT
        Subject: CN=test1.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:test1.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
....................................................................

=> ok

Uli60

2012-02-22 00:48

updater   ~0002845

test 3 - client cert login

Valid certs.test@wiamail.de 10A3 Not Revoked 2012-03-22 21:56:34
Valid certs.test@wiamail.de 10D7 Not Revoked 2012-03-22 21:55:49
Valid certs.test@wiamail.de 10A2 Not Revoked 2012-03-22 21:54:57
Valid certs.test@wiamail.de 10D6 Not Revoked 2012-03-22 21:53:42
Valid certs.test@wiamail.de 10A1 Not Revoked 2012-03-22 21:52:39
Valid certs.test@wiamail.de 10D5 Not Revoked 2012-03-22 21:51:09


cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
  Seriennummer: 10:D5
  Gültig von 21.02.2012 22:51:09 an 22.03.2012 22:51:09
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=CAcert WoT User
  Seriennummer: 10:A1
  Gültig von 21.02.2012 22:52:39 an 22.03.2012 22:52:39
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
  Seriennummer: 10:D6
  Gültig von 21.02.2012 22:53:42 an 22.03.2012 22:53:42
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Test
  Seriennummer: 10:A2
  Gültig von 21.02.2012 22:54:57 an 22.03.2012 22:54:57
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:D7
  Gültig von 21.02.2012 22:55:49 an 22.03.2012 22:55:49
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Root,OU=http://cacert1.it-sls.de,O=CAcert Testserver,ST=New South Wales,C=AU
Gespeichert in: Software-Sicherheitsmodul

=> ok

logout
logout crypto modul

cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34
  Verwendung eines Zertifikatsschlüssels: unterzeichne,Schlüssel-Verschlüsselung,Schlüssel-Vereinbarung
  E-Mail: certs.test@wiamail.de
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever
Gespeichert in: Software-Sicherheitsmodul

=> ok

Uli60

2012-02-22 01:28

updater   ~0002850

test 4 - org client certs

preparation for test 4 + 5 (once)

make test user OA Admin (Organisation-Admin)

login OrgAssurer
new organisations
  Avintec COM

view organisations
Avintec COM, Germany/Hessen DE Domains (0) Admins (0) Edit Delete
add domain: avintec.com
added.

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (0) Edit Delete
add admin: certs.test@wiamail.de
Department: IT
Master Account: Yes
Comments: ...

view organisations
Avintec COM, Germany/Hessen DE Domains (1) Admins (1) Edit Delete

logout


cert login using:
Ausgestellt auf: E=certs.test@wiamail.de,CN=Certs Sub Test
  Seriennummer: 10:A3
  Gültig von 21.02.2012 22:56:34 an 22.03.2012 22:56:34


3 more menu choices
 - Org Client Certs
 - Org Server Certs
 - Org Admin

Org Admin - View
Organisations
# Organisation Admins
275 Avintec COM, Germany/Hessen DE Admins (1)
796 Domain available avintec.com

=> ok

alice, bob, carol, dave

new org client cert:
  alice@avintec.com class1 Dep1 next
  create
  Installing your certificate
  You are about to install a certificate, if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed successfully, you can go into the options dialog box, security and manage certificates to view if it was installed correctly however.
  Click here to install your certificate.

org client cert - view
       Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  alice@avintec.com class3 Dep1 next
  create
org client cert - view
     Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  bob@avintec.com class1 Dep2 next
  create
org client cert - view
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  bob@avintec.com class3 Dep2 next
  create
org client cert - view
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  carol@avintec.com class1 Dep3 next
  create
org client cert - view
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  carol@avintec.com class3 Dep3 next
  create
org client cert - view
     Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


new org client cert:
  dave@avintec.com class1 Dep4 next
  create
org client cert - view
     Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36

new org client cert:
  dave@avintec.com class3 Dep4 next
  create
org client cert - view
    Valid dave@avintec.com 10AB Not Revoked 2012-02-29 01:15:47
    Valid dave@avintec.com 10DF Not Revoked 2012-02-29 01:15:07
    Valid carol@avintec.com 10AA Not Revoked 2012-02-29 01:11:23
    Valid carol@avintec.com 10DE Not Revoked 2012-02-29 01:10:16
    Valid bob@avintec.com 10A9 Not Revoked 2012-02-29 01:08:19
    Valid bob@avintec.com 10DD Not Revoked 2012-02-29 01:06:18
    Valid alice@avintec.com 10A8 Not Revoked 2012-02-29 01:04:36
    Valid alice@avintec.com 10DC Not Revoked 2012-02-29 01:02:36


checking keys in cert manager:

CAcert Testserver (-> is root, class1)
Alice (10DC), Bob (10DD), Carol (10DE), Dave (10DF)
-and-
CAcert Testserver (-> is subroot, class3)
Alice (10A8), Bob (10A9), Carol (10AA), Dave (10AB)

Alice (10A8)
CN Alice
O Avintec COM
OU Dep1
Ser 10:A8
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = alice@avintec.com
CN = Alice
OU = Dep1
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> Ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: alice@avintec.com

=> ok




Dave (10DF)
cN Dave
O Avintec COM
OU Dep4
Ser 10:DF
From 2012-02-22
To 2012-02-29
=> ok

owner:
E = dave@avintec.com
CN = Dave
OU = Dep4
O = Avintec COM
L = Frankfurt/Main
ST = Germany/Hessen
C = DE

=> ok

extended key usage:
Nicht kritisch
E-Mail-Schutz (1.3.6.1.5.5.7.3.4)
TLS-Web-Client-Authentifikation (1.3.6.1.5.5.7.3.2)
Microsoft-Dateisystemverschlüsselung (1.3.6.1.4.1.311.10.3.4)
Microsoft servergesperrte Kryptographie (1.3.6.1.4.1.311.10.3.3)
Netscape servergesperrte Kryptographie (2.16.840.1.113730.4.1)

cert alternate name
Nicht kritisch
E-Mail-Adresse: dave@avintec.com

=> ok

Uli60

2012-02-22 02:12

updater   ~0002855

test 5 - org server certs

Org Server Certs - View
empty list
=> ok

openssl genrsa -out testserver1-avintec-com-512.key 512
openssl req -new -key testserver1-avintec-com-512.key -out testserver1-avintec-com-512.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok

Org Server Certs - New
class 3
<paste>
error/warning
The keys that you use are very small and therefore insecure. Please generate stronger keys. More information about this issue can be found in the wiki
=> ok



openssl genrsa -out testserver2-avintec-com-1024.key 1024
openssl req -new -key testserver2-avintec-com-1024.key -out testserver2-avintec-com-1024.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




Org Server Certs - New
class 3
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver2.avintec.com
Organisation: Avintec COM
Org. Unit: UT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver2-avintec-com-1024-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16




openssl genrsa -out testserver3-avintec-com-2048.key 2048
openssl req -new -key testserver3-avintec-com-2048.key -out testserver3-avintec-com-2048.csr

using values from Org Account

Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c1.key
<paste>

Org Server Certs - View
     Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16



Org Server Certs - New
class 1
<paste>

Please make sure the following details are correct before proceeding any further.

CommonName: testserver3.avintec.com
Organisation: Avintec COM
Org. Unit: IT
Location: Frankfurt/Main
State/Province: Germany/Hessen
Country: DE

Submit

new file
testserver3-avintec-com-2048-signed-c3.key
<paste>

Org Server Certs - View
    Valid testserver3.avintec.com 10AD Not Revoked 2012-03-23 01:52:37
    Valid testserver3.avintec.com 10E1 Not Revoked 2012-03-23 01:50:21
    Valid testserver2.avintec.com 10AC Not Revoked 2012-03-23 01:44:33
    Valid testserver2.avintec.com 10E0 Not Revoked 2012-03-23 01:41:16


test keys:

openssl x509 -text -in testserver2-avintec-com-1024-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4320 (0x10e0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:41:16 2012 GMT
            Not After : Mar 23 01:41:16 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver2-avintec-com-1024-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4268 (0x10ac)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 01:44:33 2012 GMT
            Not After : Mar 23 01:44:33 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=UT, CN=testserver2.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver2.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c1.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4321 (0x10e1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1
.it-sls.de, CN=CAcert Testserver Root
        Validity
            Not Before: Feb 22 01:50:21 2012 GMT
            Not After : Mar 23 01:50:21 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok



openssl x509 -text -in testserver3-avintec-com-2048-signed-c3.key -noout
..........................................................................
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4269 (0x10ad)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=CAcert Testsever, OU=http://cacert1.it-sls.de, CN=CAcert Tests
erver Class 3
        Validity
            Not Before: Feb 22 01:52:37 2012 GMT
            Not After : Mar 23 01:52:37 2012 GMT
        Subject: L=Frankfurt, O=Avintec COM, OU=IT, CN=testserver3.avintec.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Ne
tscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:
                DNS:testserver3.avintec.com, othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
[...]
..........................................................................

=> ok

Uli60

2012-02-22 02:24

updater   ~0002860

test 6 - admin console view

login admin / OA

Sys Admin - search certs.test@wiamail.de

Certificates
Cert Type: Total Valid Expired Revoked Latest Expire
Server: 4 4 0 0 2012-03-23
Client: 6 6 0 0 2012-03-22
GPG: None
Org Server: 4 4 0 0 2012-03-23
Org Client: 8 8 0 0 2012-02-29


=> ok


Sysadmin - find domain avintec.com


Select Specific Account Details
Domain: 167970 avintec.com
1 rows displayed.


Select Specific Account Details
Domain: 796 avintec.com
1 rows displayed.


1 relates to member account
1 relates to Org account

a) https://cacert1.it-sls.de/account.php?id=43&userid=171296
b) https://cacert1.it-sls.de/account.php?id=26&orgid=275

=> ok

Uli60

2012-02-25 09:25

updater   ~0002864

Last edited: 2012-02-25 09:49

View 2 revisions

while deploying a EFS test environment I've stumbled over the problem, that despite the fact I had personal certs in my private information store no cert was probably used.

While doing the research how EFS is implemented and how clients certs with EFS flag are used, I've stumbled over following article:
http://technet.microsoft.com/library/bb457116.aspx#EGAA

other related articles:
http://technet.microsoft.com/en-us/library/cc700811.aspx#XSLTsection126121120120
http://technet.microsoft.com/en-us/library/cc700811.aspx
http://support.microsoft.com/kb/223316/en-us

The latter describes how to backup the used private/public keys. But, oh wonder (!) no keys are visible in the private certs store (!)
so its still a mystery which client certs are used once EFS has been enabled. EFS works either way.

All CAcert client certs (also old ones) have the EFS (1.3.6.1.4.1.311.10.3.4) flag enabled. The EFS routine ignores it completely and while reading http://technet.microsoft.com/library/bb457116.aspx#EGAA, I still no longer wonder why.

But, article http://support.microsoft.com/kb/273856 describes how to change the keys which are used by the EFS routine =>

There are two ways to change the certificate that EFS uses:

    * To set the new certificate for EFS, use the SetUserFileEncryptionKey API, which is documented by Microsoft Developer Network (MSDN). EFS starts using the new certificate immediately.
    * Change the hash of the certificate that is stored in the following registry key to the Thumbprint field in the new certificate:
      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current Version\EFS\CurrentKeys

      Value: CertificateHash
      Type: REG_BINARY
      Data: Thumbprint of the new certificate

Its impossible to use any display function, to show which certs are used in the EFS routine (only if files and folders are encryoted or not -> "E" by cipher) a test deployment is impossible. EFS works either way :-P

Werner Dworak

2012-12-21 04:57

updater   ~0003505

More than 3 month fixed and no complaints

Uli60

2013-01-15 21:02

updater   ~0003661

case is still open and requires check against 540 fixes until 540 is fixed
case is still not fixed

Issue History

Date Modified Username Field Change
2010-03-22 17:59 janst New Issue
2010-03-22 18:01 janst Description Updated
2011-01-09 13:07 homer Relationship added related to 0000905
2011-09-22 23:03 illuminat Note Added: 0002492
2011-09-26 09:16 Uli60 Relationship added related to 0000540
2012-01-25 17:17 NEOatNHNG Project bugs.cacert.org => Main CAcert Website
2012-02-21 22:18 Uli60 Note Added: 0002834
2012-02-22 00:28 Uli60 Note Added: 0002840
2012-02-22 00:48 Uli60 Note Added: 0002845
2012-02-22 01:28 Uli60 Note Added: 0002850
2012-02-22 02:12 Uli60 Note Added: 0002855
2012-02-22 02:24 Uli60 Note Added: 0002860
2012-02-25 09:25 Uli60 Note Added: 0002864
2012-02-25 09:26 Uli60 Status new => solved?
2012-02-25 09:26 Uli60 Resolution open => not fixable
2012-02-25 09:26 Uli60 OS => W2K, XP, W2K3
2012-02-25 09:26 Uli60 Platform => Windows
2012-02-25 09:26 Uli60 Additional Information Updated View Revisions
2012-02-25 09:49 Uli60 Note Edited: 0002864 View Revisions
2012-02-25 09:51 Uli60 Resolution not fixable => no change required
2012-12-21 04:57 Werner Dworak Note Added: 0003505
2012-12-21 04:57 Werner Dworak Status solved? => closed
2013-01-15 14:32 Werner Dworak Fixed in Version => 2012 Q1
2013-01-15 21:02 Uli60 Note Added: 0003661
2013-01-15 21:02 Uli60 Status closed => needs work
2013-01-15 21:02 Uli60 Resolution no change required => open
2013-01-15 21:02 Uli60 Fixed in Version 2012 Q1 =>