certificates

VPN Introduction

I have been doing some work with VPNs lately, having set up a PPTP(Point to Point Tunneling Protocol) VPN for some Android network analysis that I have been doing lately.  It is easy to set up on a server and a mobile device, but PPTP generally isn’t secure unless you are using (P)EAP.  I wanted to try out something that overlaps with something that I’m pretty knowledgeable about, TLS/SSL, with something I have never had to actually set up, an SSL VPN.  Most people who use a VPN to connect into work use an SSL VPN.  Probably either from someone like Cisco or Juniper.  They are pretty easy to set up on the router side of things, and relatively easy for client device to get set up.  Other advantages are that they can be run over port 443, so they won’t be blocked by most firewalls, and that they use the verification properties inherent to TLS/SSL rather than some sort of challenge-response handshake.  Using TLS/SSL allows them to also be flexible about key sizes and cipher suites used and upgrade them as the future requires.
Read Full Article

PKI vs. CA

First we need to get a few terms straight.  I have heard the terms public key infrastructure(PKI) and certificate authority(CA) sometimes used in conversation interchangeably.  The difference is that a CA by itself doesn’t perform all of the functions of a PKI.  PKIs contain CAs, but they also have other components like certificate revocation lists(CRLs), online certificate status protocol(OCSP) responders that allow clients a higher degree of certainty when assessing whether or not a certificate is valid, even things like policy, which allows you to specify what kinds of certificates or what attributes can be signed by CAs within the PKI.

What is AD CS?

Active Directory Certificate Services(AD CS) is made by Microsoft and it is what a lot of companies use for their PKI needs.  It works well, gives you nice ways to interact with it and runs on Windows Server.  You can request certificates through a (somewhat ugly) web interface, you can also request/issue certificates through a Microsoft Management Console(MMC),  you can request/issue certificates at the command-line with certutil/certreq.  AD CS even handles things like CRL publishing over FTP or SMB and running an OCSP responder, in concert with IIS.  Even though certificate revocation is utterly broken in the consumer world, many PKI uses in the enterprise, e.g. EAP-TLS, generally require revocation to be ‘working’.
Read Full Article