SHA256 certificate with Signature Algorithm as RSASSA-PSS not supported in FireFox but it is the only option available

  • Question

  • I have just built a new PKI infrastructure for issuing SHA2 certificates. When I duplicate a template and set it up to use KSP instead of CSP to enable SHA2 signing, the only provider I have available is the Microsoft Software Key Storage Provider which translates into RSASSA-PSS. I am also allowing the Private Key to be exported due to the fact that the cert and Key need to be placed on multiple servers such as in a cluster.

    I am finding that FireFox does not support certificates which use RSASSA-PSS and have tracked it to a few Bugzilla reports. IE and Chrome appear to not have any problem with this.

    I want to change the provider to something that FireFox supports while still being able to issue SHA2 certs. I am finding that if I unmark the "Allow Key to be Exported" on the template when I build it, other options for providers appear.

    I need to be able to support the big 3 browsers: IE, Firefox, and Chrome while still allowing the key to be exported. I used AlternateSignatureAlgorithms=1 for the capolicy.inf file on both the offline root and Intermediate CAs. I read a post somewhere that changing the Root to AlternateSignatureAlgorithms=0 and renewing the Intermediate CA certificate could solve the problem but I do not understand how I can obtain a SHA2 certificate for the Intermediate if that is not enabled.

    I could use some assistance with this if someone knows how to make this work. Many thanks.

    Brian B.

    Monday, March 9, 2015 9:44 PM

All replies

  • Brian,

    There is no correlation at all between the AlternateSignatureAlgorithms=1 or 0 line and the use of SHA256. In my book, it is recommended when you get into the weirder combinations (Elliptical curve versions, etc.)

    If you do as you plan (using AlternateSignatureAlgorithms=0), then the CA certificates will show Sha256RSA as the signature algorithm, and be universally accepted.

    As you stated... 

    1) Change the capolicy.inf on the root CA and renew the root CA certificate.

    2) Change the CAPolicy.inf on the issuing CA and renew the issuing CA certificate

    Now start issuing the KSP certificates, they will be usable on Firefox

    Brian 

    Monday, March 9, 2015 11:50 PM
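    To confirm what the two renewals above actually produced, here is an added PowerShell check (not code from the thread): it reads the local machine Root, CA and My stores, maps each certificate's signature OID to the name Windows shows, and flags anything still signed with RSASSA-PSS, which Firefox rejected at the time of the thread. The store list and the OID table are assumptions stated in the comments.

```powershell
# Added example (not from the thread). Inspect the local machine Root, CA and My
# stores and flag certificates signed with RSASSA-PSS. Run from an elevated prompt.

# Signature algorithm OIDs discussed in the thread
$SigAlgNames = @{
    '1.2.840.113549.1.1.10' = 'RSASSA-PSS'  # what AlternateSignatureAlgorithms=1 produces
    '1.2.840.113549.1.1.11' = 'sha256RSA'   # what AlternateSignatureAlgorithms=0 produces
    '1.2.840.113549.1.1.5'  = 'sha1RSA'     # legacy; should not appear in a new SHA-2 PKI
}
$PssOid = '1.2.840.113549.1.1.10'

function Get-SignatureAlgorithmReport {
    param(
        # Root and CA hold the chain, My holds certificates issued to this machine
        [string[]] $StorePath = @('Cert:\LocalMachine\Root',
                                  'Cert:\LocalMachine\CA',
                                  'Cert:\LocalMachine\My')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $oid  = $cert.SignatureAlgorithm.Value
            $name = $cert.SignatureAlgorithm.FriendlyName
            if ($SigAlgNames.ContainsKey($oid)) { $name = $SigAlgNames[$oid] }
            [pscustomobject]@{
                Store        = $path
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                SerialNumber = $cert.SerialNumber
                NotAfter     = $cert.NotAfter
                SigAlg       = $name
                SigAlgOid    = $oid
                # Firefox rejected PSS-signed certificates at the time of the thread
                FirefoxOk    = ($oid -ne $PssOid)
            }
        }
    }
}

$report = Get-SignatureAlgorithmReport
$report | Sort-Object Store, Subject |
    Format-Table Store, Subject, SigAlg, NotAfter, FirefoxOk -AutoSize

# Anything still PSS-signed after the CA renewals has to be reissued
$report | Where-Object { -not $_.FirefoxOk } | ForEach-Object {
    Write-Warning ("RSASSA-PSS signature: {0} (serial {1}) in {2}" -f $_.Subject, $_.SerialNumber, $_.Store)
}
```

    Run it on the CA and on a server holding an issued certificate; any entry still flagged after both renewals was signed by the old chain and needs to be reissued.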
  • Brian,

    Thanks for responding so quickly. That worked. 

    I still have one other minor problem. I want to remove the old CA certificates that were generated on the CAs from all clients' Trusted Root and Intermediate certification authorities stores. (I have not issued any certs from the CAs to anyone yet and just want to clean things up in AD and on the clients.)

    I renewed the Root CA cert and published to AD.

    I renewed the Intermediate CA cert with different keys.

    I cleaned up AD by deleting ADObjects in the Configuration Partition under Services > Public Key Infra. except for the new published certs. 

    I deleted the old cert out of NTAuth and ran gpupdate /force at the admin cmd prompt.

    I still have the old CA certs persisting on the clients. What did I miss?

    Brian B.

    • Marked as answer by WBrianBritt Monday, March 16, 2015 8:46 PM
    • Unmarked as answer by WBrianBritt Monday, March 16, 2015 8:46 PM
    Tuesday, March 10, 2015 7:15 PM
  • Patience. It should reverse itself.

    If not, run a batch file in an admin cmd prompt that runs certutil -delstore root SerialNumberofRootCACert and certutil -delstore ca SerialNumberofIssuingCACert

    For the NTAuth store, run certutil -delstore -enterprise ntauth SerialNumberofIssuingCACert 

    The serial number must be delimited with quotes """

    Brian

    Tuesday, March 10, 2015 9:44 PM
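    The cleanup described above, scripted as an added PowerShell example (not from the thread): it checks whether the superseded root and issuing CA certificates are still present in the local Root and CA stores and in the enterprise NTAuth store, removes them with certutil -delstore, and re-checks. The two serial numbers are placeholders to replace with the old certificates' serials.

```powershell
# Added example (not from the thread). Remove superseded CA certificates from the
# local Root and CA stores and from the enterprise NTAuth store, verifying
# presence first. Run from an elevated prompt; serial numbers are placeholders.
$OldRootSerial    = '<SERIAL-OF-OLD-ROOT-CA-CERT>'     # placeholder, see: certutil -store root
$OldIssuingSerial = '<SERIAL-OF-OLD-ISSUING-CA-CERT>'  # placeholder, see: certutil -store ca

function Test-CaCertPresent {
    param([string] $Store, [string] $Serial, [switch] $Enterprise)
    $Serial = $Serial -replace '\s', ''            # certutil shows serials without spaces
    if ($Enterprise) {
        # NTAuth is an AD store with no Cert: drive, so read certutil's text dump
        $dump = & certutil.exe -store -enterprise $Store 2>$null
        return [bool]($dump | Select-String -Pattern "Serial Number:\s*$Serial" -Quiet)
    }
    $hit = Get-ChildItem "Cert:\LocalMachine\$Store" |
           Where-Object { $_.SerialNumber -ieq $Serial }
    return [bool]$hit
}

function Remove-OldCaCert {
    param([string] $Store, [string] $Serial, [switch] $Enterprise)
    $Serial = $Serial -replace '\s', ''
    $cmdArgs = @('-delstore')
    if ($Enterprise) { $cmdArgs += '-enterprise' }
    $cmdArgs += @($Store, $Serial)
    # PowerShell quotes each argument, which is what the """ advice achieves in cmd.exe
    & certutil.exe @cmdArgs | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$targets = @(
    @{ Store = 'Root';   Serial = $OldRootSerial;    Enterprise = $false }
    @{ Store = 'CA';     Serial = $OldIssuingSerial; Enterprise = $false }
    @{ Store = 'NTAuth'; Serial = $OldIssuingSerial; Enterprise = $true  }
)
foreach ($t in $targets) {
    if (-not (Test-CaCertPresent @t)) {
        Write-Host ("{0}: serial {1} not present, nothing to do" -f $t.Store, $t.Serial)
        continue
    }
    $removed = Remove-OldCaCert @t
    # Re-check so a failed certutil call is not mistaken for a clean store
    $still = Test-CaCertPresent @t
    Write-Host ("{0}: serial {1} removed={2} stillPresent={3}" -f $t.Store, $t.Serial, $removed, $still)
}
```

    Clients re-download whatever is published in the AD containers, so the old objects have to be gone from AD (as the poster did) or the local stores will be repopulated on the next policy refresh.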
  • Brian,

    As always, great advice. I was able to clean up everything and all is well. I do have one other question that is unrelated to the original topic. I want to be able to document all of my certificate templates. I was hoping Posh or certutil would be able to give me all of the settings as defined on the certificate templates that I have created. Unfortunately I cannot figure out how to get what I want. I ran the command certutil -view -restrict "certificate template= OID value" but that gives me the schema and a lot of information that I do not need. I just want to be able to recreate a template in the event that we need to deploy again in a new forest or in multiple forests. Documenting these settings by hand can be time consuming. Is there a way to do this via command line option?

    BrianB

    Monday, March 16, 2015 4:08 PM
  • Hi BrianB,

    First, please mark my previous two answers as answered <G>

    As for the certificate template dumps, just use

    certutil.exe -template -v "WebServer"

    certutil.exe -template -v "TemplatenamewithNoSpaces"

    Brian

    • Marked as answer by WBrianBritt Monday, March 16, 2015 8:53 PM
    Monday, March 16, 2015 6:24 PM
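    The template documentation the question asks for, as an added PowerShell example rather than a command from the thread: it enumerates every template object in the Configuration partition and writes one certutil -template -v dump per template. It assumes the ActiveDirectory RSAT module is installed and uses a placeholder output folder.

```powershell
# Added example (not from the thread). Write one "certutil -template -v" dump per
# template found in the Configuration partition, so templates can be re-created
# in another forest. Requires the ActiveDirectory (RSAT) module; the output
# folder is a placeholder.
Import-Module ActiveDirectory

$OutDir = 'C:\PKI-Docs\Templates'   # placeholder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Templates are forest-wide objects under Public Key Services, not per-domain
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Export-CertTemplateDump {
    param([string] $Name, [string] $Folder)
    # certutil -template takes the template's CN (no spaces), not its display name
    $dump = & certutil.exe -template -v $Name 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -template failed for '$Name'"
        return $null
    }
    $file = Join-Path $Folder "$Name.txt"
    $dump | Set-Content -Path $file -Encoding UTF8
    return $file
}

$templates = Get-ADObject -SearchBase $templateDN `
                          -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                          -Properties displayName, 'msPKI-Template-Schema-Version', revision |
             Sort-Object Name

$results = foreach ($t in $templates) {
    [pscustomobject]@{
        Template      = $t.Name
        DisplayName   = $t.displayName
        SchemaVersion = $t.'msPKI-Template-Schema-Version'
        Revision      = $t.revision
        DumpFile      = Export-CertTemplateDump -Name $t.Name -Folder $OutDir
    }
}
# The summary table plus the per-template dumps are the documentation set
$results | Format-Table -AutoSize
```

    Keeping the dumps under version control shows template changes over time, which is the record you want when rebuilding the PKI in a new forest.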
  • Brian,

    Thanks again. That worked. I was obviously using the wrong method.

    BrianB

    Monday, March 16, 2015 8:54 PM
  • Hi Brian.

    The above has been very helpful in my environment, but I'm having a bit of an issue.  Regarding the NTAuth Store, I am testing the removal of a certificate from this store, and executed the command above "certutil -delstore -enterprise NTAuth <serial number>" and it appears to work fine.  When I then execute "certutil -viewstore -enterprise NTAuth" the certificate is no longer listed (often after a gpupdate).  That said, when I then launch PKIView, and look under Manage AD Containers, the certificate is still listed under NTAuth.  I am wondering if this is just a cache issue, or if the certificate really isn't being removed from NTAuth?

    I also looked under the Configuration of adsiedit, and have a suspicion that it is also listed there. The reason being that I did remove the certificate via pkiview (after removing it via the certutil command), and then there was one less certificate in adsiedit.

    This is on a Windows Server 2012 R2 DC.  The certificates being added are not from a Microsoft CA, nor is there a Microsoft CA in the Domain.

    Thoughts?  Thanks in advance.

    JT

    Wednesday, April 20, 2016 7:16 PM
  • If you are using PKIView, you can just clean up the objects that way with the Manage AD Containers which you have already found. The -delstore command makes it harder to do the cleanup as you have to manually define each container and each serial number. PKIView has the same net effect but you can examine object by object and decide what you want to remove in PKIView.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Friday, April 22, 2016 2:41 PM