Requesting a SHA-256 certificate for EmpowerID using Active Directory Certificate Services
Support for the SHA-1 cryptographic hash algorithm is being deprecated by Google, Microsoft and other industry leaders in favour of SHA-256. Popular web browsers have begun showing warnings to end users for certificates signed with SHA-1 in order to speed the adoption of SHA-256.
As computer hardware becomes faster and cheaper, SHA-1 is no longer reasonably safe from collision attacks. SSL/TLS certificates used for publicly facing EmpowerID websites should be upgraded to SHA-256 as soon as possible.
Please note that some applications and devices can only support SHA-1 certificates. Please see: SHA-256 Compatibility.
Businesses that have Active Directory Certificate Services (AD CS) available may wish to issue a SHA-256 certificate for EmpowerID using their existing Public Key Infrastructure (PKI). The following steps detail how to request a SHA-256 certificate for use with EmpowerID using AD CS.
SHA-256 certificates need to have the following properties to meet the Certificate Requirements for EmpowerID:
Key Usage: Digital Signature, Key Encipherment
Enhanced Key Usage: Server Authentication, Client Authentication
Signature algorithm: sha256RSA
Signature hash algorithm: sha256
Thumbprint algorithm: sha1 (the thumbprint is a hash that Windows computes over the whole certificate for display and lookup purposes; it is not part of the certificate and has no bearing on the strength of the signature)
Provider: Microsoft Enhanced RSA and AES Cryptographic Provider
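The following PowerShell function checks an installed certificate against the properties listed above. It is an added example and is not part of the EmpowerID guide; it assumes Windows PowerShell 5.1 on the EmpowerID front end server, a certificate in the Local Computer Personal store, and the placeholder thumbprint in the usage line is replaced with the real one.

```powershell
# Added example (not from the EmpowerID guide): verify that an installed certificate
# meets the EmpowerID certificate requirements. Assumes Windows PowerShell 5.1 and a
# certificate in Cert:\LocalMachine\My; the thumbprint in the usage line is a placeholder.
function Test-EmpowerIdCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # The provider name is only exposed for legacy CSP keys (CspKeyContainerInfo). A key
    # created in a CNG key storage provider raises an exception here, which itself means
    # the required provider was not used, so the check below simply fails.
    $provider = $null
    try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $checks = [ordered]@{
        'Signature algorithm is sha256RSA'                               = ($cert.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
        'Key Usage includes Digital Signature'                           = ($ku -and $ku.KeyUsages.HasFlag($flags::DigitalSignature))
        'Key Usage includes Key Encipherment'                            = ($ku -and $ku.KeyUsages.HasFlag($flags::KeyEncipherment))
        'EKU includes Server Authentication (1.3.6.1.5.5.7.3.1)'         = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
        'EKU includes Client Authentication (1.3.6.1.5.5.7.3.2)'         = ($ekuOids -contains '1.3.6.1.5.5.7.3.2')
        'RSA key size is at least 2048 bits'                             = ($cert.PublicKey.Key.KeySize -ge 2048)
        'Private key is present'                                         = [bool]$cert.HasPrivateKey
        'Provider is Microsoft Enhanced RSA and AES Cryptographic Provider' = ($provider -eq 'Microsoft Enhanced RSA and AES Cryptographic Provider')
        'Certificate is within its validity period'                      = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        '{0,-4} {1}' -f $state, $name
    }
    # Overall result: $true only when every individual check passed.
    return -not ($checks.Values -contains $false)
}

# Usage: replace the placeholder with the thumbprint shown in the Certificates snap-in.
Test-EmpowerIdCertificate -Thumbprint '0000000000000000000000000000000000000000'
```

The signature algorithm check is the one that actually confirms SHA-256: it reads the algorithm the CA used to sign the certificate, which is what browsers evaluate. The thumbprint shown by Windows is always SHA-1 and is deliberately not checked.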
Configuring the Certificate Template
1. Open Certification Authority on the certification authority (CA) server that will issue the certificate (the root CA in a single-tier PKI, otherwise your issuing CA). In the certification authority tree on the left hand side, right click the server node and click Properties.
2. In the Cryptographic settings section, take note of the Provider and Hash algorithm currently being used.
NOTE: If your certification authority (CA) cryptographic settings show a hash algorithm of SHA1, it is recommended to upgrade to SHA256. Please read the following Windows PKI blog entry: Upgrade Certification Authority to SHA256. The CA must be running Windows Server 2008 or higher and its signing key must be held by a Cryptography Next Generation (CNG) key storage provider (KSP); a CA whose key is still held by a legacy cryptographic service provider (CSP) must first migrate the key to a KSP, as described in that blog entry. Once those prerequisites are met, the following commands can be run to upgrade the hash algorithm to SHA-256:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
Once the steps above have been performed the server properties pane should indicate a Hash algorithm of SHA256. The new hash algorithm applies only to certificates and CRLs signed from this point on: the CA's own certificate remains signed with SHA-1 until it is renewed, and certificates issued earlier keep their SHA-1 signatures until they are reissued.
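The script below, an added example that is not part of the EmpowerID guide, performs the pre-check that the commands above depend on: it reads the active CA's CSP settings from the registry location that certutil -setreg ca\csp\... writes to, reports whether the key is held by a KSP, and only then switches the hash algorithm. It assumes Windows Server 2008 R2 or later, an elevated PowerShell session on the CA server, and that a legacy CSP-based CA has no CNGHashAlgorithm value (only the numeric HashAlgorithm value); that last point is the heuristic the script relies on.

```powershell
# Added example, not from the EmpowerID guide. Run elevated on the CA server.
# Reads HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\CSP, which is
# where "certutil -setreg ca\csp\..." stores its values.
function Get-CaHashConfiguration {
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
    $csp       = Get-ItemProperty -Path (Join-Path $configKey "$caName\CSP")

    # Assumption used here: only a CA whose key lives in a CNG KSP carries the string
    # value CNGHashAlgorithm; a legacy CSP-based CA carries the numeric HashAlgorithm
    # (0x8004 = CALG_SHA1) instead, and cannot be switched with the command above.
    $usesKsp = $null -ne $csp.CNGHashAlgorithm
    [pscustomobject]@{
        CAName         = $caName
        Provider       = $csp.Provider
        UsesKsp        = $usesKsp
        HashAlgorithm  = if ($usesKsp) { $csp.CNGHashAlgorithm } else { '0x{0:X}' -f $csp.HashAlgorithm }
        ReadyForSha256 = $usesKsp -and ($csp.CNGHashAlgorithm -eq 'SHA256')
    }
}

$before = Get-CaHashConfiguration
$before | Format-List

if (-not $before.UsesKsp) {
    Write-Warning "CA key is held by a legacy CSP ($($before.Provider)); migrate it to a KSP before changing the hash algorithm."
}
elseif ($before.ReadyForSha256) {
    'CA already signs with SHA256; nothing to do.'
}
else {
    & certutil -setreg ca\csp\CNGHashAlgorithm SHA256
    Restart-Service -Name certsvc          # same effect as net stop / net start certsvc
    'Hash algorithm after restart: {0}' -f (Get-CaHashConfiguration).HashAlgorithm
}
```

Keep the output of the first Get-CaHashConfiguration call as a record of the previous setting in case the change has to be reverted with certutil -setreg ca\csp\CNGHashAlgorithm SHA1.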
3. In the certification authority tree on the left hand side, expand the server node. Right click Certificate Templates and click Manage.
4. In the Certificate Templates Console window that appears, in the Template pane, scroll down to the Web Server template. Right click the Web Server template and click Duplicate Template.
5. In the Properties of New Template window that appears, click the General tab. Click the Template display name field and type EmpowerID Web Server. Choose an appropriate Validity period and Renewal period as per your corporate security policy.
6. Click the Request Handling tab. Check Allow private key to be exported if you need to export the private key to a .pfx file once the certificate request is completed. This is useful if you have more than one EmpowerID server: the resultant .pfx can be imported into the other EmpowerID servers as needed. Allowing the private key to be exported also allows EmpowerID to upload and store the private key as an encrypted string within the CertificateStore table. Bear in mind that an exportable key can be copied by anyone with administrative access to the server, so protect any .pfx you create with a strong password and delete the file once it has been imported.
7. Click the Cryptography tab. Choose an appropriate Minimum key size as per your corporate security policy (2048 or higher is recommended). Set the Choose which cryptographic providers can be used for requests radio button to Requests must use one of the following providers. In the Providers checklist, ensure only the following provider is checked:
Microsoft Enhanced RSA and AES Cryptographic Provider
8. Click the Subject Name tab. Ensure the Supply in the request radio button is selected.
9. Click the Security tab. Click Add... In the Select Users, Computers, Service Accounts, or Groups window that appears, click the Object Types... button.
10. In the Object Types window that appears, in the Object types checklist, check Computers and click OK.
11. You will be returned to the Select Users, Computers, Service Accounts, or Groups window. In the Enter the object names to select field, type the computer account of the EmpowerID front end server and click OK.
12. You will be returned to the Properties of New Template window. Click on the computer account of your EmpowerID front end server to select it. In the Permissions pane, for the Enroll permission, check Allow.
13. Click the Extensions tab. Under Extensions included in this template:, click Application Policies. Click Edit...
14. In the Edit Application Policies Extension window that appears, in the Application policies: pane, click Add...
15. In the Add Application Policy window that appears, click Client Authentication to select it and click OK. You will be returned to the Edit Application Policies Extension window. Click OK.
16. In the Extensions tab, under Extensions included in this template:, click Key Usage. Click Edit...
17. In the Edit Key Usage Extension window that appears, in the Signature pane, please confirm Digital signature is checked. In the Encryption pane, please confirm the Allow key exchange only with key encryption (key encipherment) radio button is selected and Make this extension critical is checked. Click Cancel once this information has been confirmed.
18. You will be returned to the Properties of New Template window. Click OK to confirm the creation of the certificate template. You should now see EmpowerID Web Server in the list of certificate templates.
19. Open Certification Authority. In the certification authority tree on the left hand side, right click on Certificate Templates and choose New > Certificate Template to Issue.
20. In the Enable Certificate Templates window that appears, click on EmpowerID Web Server and click OK.
21. You will be returned to the Certification Authority window. In the certificate templates pane on the right hand side, EmpowerID Web Server should now appear as an issuable certificate template.
Requesting the certificate template
1. Open the Certificates snap-in on your EmpowerID front end server. Ensure the snap-in is configured to manage certificates for the local computer account.
2. In the certificate store tree on the left hand side, expand Certificates (Local Computer). Expand Personal. Right click Certificates and click All Tasks > Request New Certificate.
3. In the Certificate Enrollment window that appears, click Next. In the Select Certificate Enrollment Policy pane, ensure Active Directory Enrollment Policy is selected and click Next.
4. In the Request Certificates screen that appears, under the Active Directory Enrollment Policy section, check EmpowerID Web Server and then click the link labeled More information is required to enroll for this certificate. Click here to configure settings.
5. In the Certificate Properties window that appears, in the Subject name section, click the Type drop down and choose Common name. Enter the desired common name, such as sso.company.com, server1.company.com, or *.company.com, into the Value field. Click the Add > button when finished.
6. Click the Type drop down and fill out any other optional fields as desired, such as Organization, State, Street address, Country, Email, Locality, etc. Click the Add > button after each entry.
7. In the Alternative name section, click the Type drop down and choose DNS. Enter the desired DNS name into the Value field and click the Add > button.
NOTE: The DNS values you provide here need to match every URL that end users will use to access EmpowerID. Modern browsers validate the host name against the Subject Alternative Name entries only and ignore the Common Name, so any host name missing here will cause end users to be prompted with a security warning when accessing EmpowerID.
For example, if you use an F5 Networks load balanced URL of sso.company.com that points to two EmpowerID front end servers named server1.company.com and server2.company.com, it would be recommended to add
sso.company.com
server1.company.com
server2.company.com
as DNS values. You may use a wildcard such as *.company.com instead if desired; note that a wildcard matches a single label only, so *.company.com covers sso.company.com but not sso.eu.company.com.
8. Click the General tab. Provide a certificate Friendly name and Description as desired.
9. Click the Private Key tab. Expand Cryptographic Service Provider by clicking on the down arrow. In the Select cryptographic service provider (CSP) checklist, ensure only Microsoft Enhanced RSA and AES Cryptographic Provider (Encryption) is checked. Click OK when finished.
10. You will be returned to the Certificate Enrollment window. Click Enroll.
11. The Certificate Installation Results screen will appear. Click Finish.
12. You will be returned to the Certificates snap-in. The newly requested certificate will be present in the Personal store, ready for use with Internet Information Services (IIS) and EmpowerID.
13. Using the Certificates snap-in, export the certificate (including the private key) and import the resultant .pfx into any other EmpowerID servers as needed.
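For servers that are built unattended, the same enrollment can be scripted with certreq and an INF file, then exported to a .pfx for the other front ends. The script below is an added example and is not part of the EmpowerID guide. It assumes the template's internal name is EmpowerIDWebServer (the Certificate Templates console derives it from the display name with spaces removed; check the Template name field on the General tab if enrollment fails), that the host names and CA configuration string are placeholders to be replaced, that it runs elevated on the EmpowerID front end server, and that the PKI module (Export-PfxCertificate, Windows Server 2012 or later) is available.

```powershell
# Added example, not from the EmpowerID guide. Scripted equivalent of the enrollment
# steps above: request from the EmpowerID Web Server template with the required
# provider, key usage and SAN entries, accept the issued certificate, export a .pfx.
# Placeholders (assumptions): host names, template name, CA configuration string.
$subject  = 'CN=sso.company.com'
$dnsNames = 'sso.company.com', 'server1.company.com', 'server2.company.com'
$template = 'EmpowerIDWebServer'                     # internal template name, not the display name
$caConfig = 'ca01.company.com\Company Issuing CA'    # "<CA host>\<CA common name>"
$workDir  = Join-Path $env:TEMP 'empowerid-cert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Subject Alternative Name (OID 2.5.29.17) in certreq's {text} syntax: every dns=
# entry except the last ends with "&".
$sanLines = for ($i = 0; $i -lt $dnsNames.Count; $i++) {
    $suffix = if ($i -lt $dnsNames.Count - 1) { '&' } else { '' }
    '_continue_ = "dns={0}{1}"' -f $dnsNames[$i], $suffix
}

# KeyUsage 0xA0 = Digital Signature (0x80) + Key Encipherment (0x20).
# ProviderType 24 = PROV_RSA_AES, the Microsoft Enhanced RSA and AES Cryptographic Provider.
# KeySpec 1 = AT_KEYEXCHANGE, matching the "key encipherment" setting in the template.
$inf = @"
[NewRequest]
Subject = "$subject"
FriendlyName = "EmpowerID Web Server"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
HashAlgorithm = SHA256

[RequestAttributes]
CertificateTemplate = $template

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@

$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'
$cerPath = Join-Path $workDir 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

& certreq -new $infPath $reqPath                      # generates the key pair in the Local Computer store
& certreq -submit -config $caConfig $reqPath $cerPath  # submits to the CA; template must be issuable and the
                                                       # computer account needs Enroll permission on it
& certreq -accept $cerPath                             # binds the issued certificate to its private key

# Locate the newly installed certificate and export it, with private key, for the other front ends.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPath  = Join-Path $workDir 'empowerid.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null
'Issued {0}, signed with {1}; exported to {2}' -f $cert.Thumbprint, $cert.SignatureAlgorithm.FriendlyName, $pfxPath

# On each additional EmpowerID server (same password), as an elevated session:
#   Import-PfxCertificate -FilePath .\empowerid.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $password
```

The HashAlgorithm line in the INF only governs the signature on the PKCS #10 request itself. The signature algorithm of the issued certificate is decided by the CA's own hash setting (the CNGHashAlgorithm value discussed under Configuring the Certificate Template), which is why the script prints it after enrollment. Remove the .pfx from the work directory once it has been imported everywhere it is needed.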
NOTE: If you wish to sign a SAML response with SHA-256 please ensure you have enabled SHA-256 XML signing support in EmpowerID.
Please feel free to contact us by e-mail at support@empowerid.com or by phone at (877) 996-4276 (Option 2) if you have any questions or concerns regarding this guide.