Certificate Validation

The certificates offered during the negotiation of a secure connection must be validated before protected communication can begin. For secure wireless authentication using EAP-TLS, the IAS server must validate the certificate offered by the Windows wireless client. For secure wireless authentication using either EAP-TLS or PEAP-MS-CHAP v2, the Windows wireless client must validate the certificate offered by the IAS server (with PEAP-MS-CHAP v2 only the server presents a certificate, so only the client performs certificate validation).

Certificate Validation by the IAS Server

In order for the IAS server to validate the certificate of the wireless client, the following must be true for each certificate in the certification path (also known as a certificate chain) sent by the wireless client:

  • The current date is within the validity dates of the certificate

    When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.

  • The certificate has not been revoked

    By default, the IAS server checks every certificate in the wireless client's certificate chain (the series of certificates from the wireless client certificate up to the root CA) for revocation. If any certificate in the chain has been revoked, certificate validation fails. This behavior can be modified with registry settings described in Chapter 16.

    Revocation checking is only as effective as the CRL publishing and distribution system behind it. If the CRL referenced by a certificate's CRL distribution point is published infrequently, or the IAS server cannot retrieve a fresh copy, a certificate that has already been revoked can still be accepted as valid because the CRL the IAS server is checking is out of date.

  • The certificate has a valid digital signature

    CAs digitally sign the certificates they issue. The IAS server verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically validating the digital signature. The root CA certificate is self-signed; it is trusted because it is present in the Trusted Root Certification Authorities store (see below), not because its signature has been verified against another CA.

The wireless client certificate must also have the Client Authentication Enhanced Key Usage (EKU), object identifier (OID) 1.3.6.1.5.5.7.3.2, and its Subject Alternative Name field must contain either the user principal name (UPN) of a valid user account or the fully qualified domain name (FQDN) of a valid computer account.

To view the EKU for a certificate, obtain properties of the certificate, click the Details tab, and then click the Enhanced Key Usage field. The Enhanced Key Usage field of a computer certificate is shown in Figure 6-4.

Figure 6-4. The Enhanced Key Usage field for a computer certificate.

To view the Subject Alternative Name field for a certificate, obtain properties of the certificate, click the Details tab, and then click the Subject Alternative Name field. The Subject Alternative Name field of a computer certificate is shown in Figure 6-5.

Figure 6-5. The Subject Alternative Name field for a computer certificate.

Finally, to trust the certificate chain offered by the wireless client, the IAS server must have the root CA certificate of the issuing CA of the wireless client certificate installed in its Trusted Root Certification Authorities Local Computer store.

Certificate Validation by the Windows Wireless Client

In order for the wireless client to validate the certificate of the IAS server for either EAP-TLS or PEAP-MS-CHAP v2 authentication, the following must be true for each certificate in the certificate chain sent by the IAS server:

  • The current date must be within the validity dates of the certificate.

  • The certificate must have a valid digital signature.

    The wireless client verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically validating the digital signature.

Additionally, the IAS server computer certificate must have the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).

Finally, to trust the certificate chain offered by the IAS server, the wireless client must have the root CA certificate of the issuing CA of the IAS server certificate installed in its Trusted Root Certification Authorities Local Computer store.

Notice that the wireless client does not perform certificate revocation checking for the certificates in the certificate chain of the IAS server's computer certificate. The assumption is that the wireless client does not yet have network connectivity when it validates the server certificate (the access point passes only authentication traffic until the client has been authenticated), so it cannot reach a CRL distribution point, Web page, or other resource to check for certificate revocation. The practical consequence is that a revoked IAS server certificate remains acceptable to wireless clients until it expires.
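The two sets of rules above are close enough that one routine can exercise both. The following PowerShell function is an added example, not code from the book or from IAS: run with -Role Client it approximates the IAS server's checks on a wireless client certificate (validity period, chain signatures and trusted root, revocation of the chain, Client Authentication EKU, UPN or DNS FQDN in the Subject Alternative Name); run with -Role Server it approximates the wireless client's checks on the IAS server certificate (the same, but with the Server Authentication EKU and no revocation check). It relies on the .NET X509Chain class, which uses the Windows chain engine and the Trusted Root Certification Authorities stores. The function name, the role labels and the thumbprint placeholder in the usage comment are assumptions for this example, and the SAN text matching assumes the English-locale output of the Windows certificate formatter.

```powershell
# Added example (not from the book): approximates the certificate checks described above.
#   -Role Client : validate a wireless client certificate as the IAS server does
#                  (validity, chain signatures, revocation of the chain, Client Authentication EKU, UPN/FQDN in SAN)
#   -Role Server : validate the IAS server certificate as the wireless client does
#                  (validity, chain signatures, Server Authentication EKU, no revocation check)
# The function name and role labels are assumptions made for this example.
function Test-EapCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Client', 'Server')]
        [string]$Role
    )

    $problems = New-Object 'System.Collections.Generic.List[string]'

    # EKU OIDs from the text: Client Authentication vs. Server Authentication
    $requiredEku = if ($Role -eq 'Client') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }

    # 1. The current date must lie within the certificate's validity period.
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems.Add("Not valid at $now (valid from $($Certificate.NotBefore) to $($Certificate.NotAfter))")
    }

    # 2. Build and verify the chain. X509Chain verifies each signature below the root and
    #    requires the root to be present in a Trusted Root Certification Authorities store.
    #    Only the IAS-server role checks revocation; the self-signed root has no CRL of its own,
    #    so it is excluded from the revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($Role -eq 'Client') { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if (-not $chain.Build($Certificate)) {
        foreach ($status in $chain.ChainStatus) {
            $problems.Add("Chain: $($status.Status) $($status.StatusInformation.Trim())")
        }
    }

    # 3. The required Enhanced Key Usage OID must be present.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekuOids -notcontains $requiredEku) {
        $problems.Add("Missing required EKU $requiredEku (present: $($ekuOids -join ', '))")
    }

    # 4. A client certificate must carry a UPN (user account) or a DNS FQDN (computer account)
    #    in its Subject Alternative Name (OID 2.5.29.17). Format($true) gives the Windows
    #    formatter's English text, e.g. "Principal Name=user@contoso.com" or
    #    "DNS Name=host.contoso.com" (locale assumption).
    if ($Role -eq 'Client') {
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        if (-not $sanExt) {
            $problems.Add('No Subject Alternative Name extension')
        }
        else {
            $sanText = $sanExt.Format($true)
            if ($sanText -notmatch 'Principal Name=' -and $sanText -notmatch 'DNS Name=') {
                $problems.Add("SAN contains neither a UPN nor a DNS name: $($sanText.Trim())")
            }
        }
    }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Role     = $Role
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (the thumbprint is a placeholder, not a value from the book):
#   $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
#   Test-EapCertificate -Certificate $cert -Role Server   # the IAS server's own certificate, as a client sees it
#   Test-EapCertificate -Certificate $cert -Role Client   # a wireless client certificate, as IAS sees it
```

Running the Server role against an IAS computer certificate on a machine that does not trust the issuing root reproduces the failure a wireless client would see (a chain status of UntrustedRoot), while switching to the Client role on the same certificate reports the missing Client Authentication EKU and, if the SAN lacks a UPN or DNS name, that as well. Because RevocationMode is NoCheck for the Server role, a revoked server certificate passes this check exactly as the text says it does on the client.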



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
