With any luck, impact will be minimal


Kurt Buff

Oct 30, 2025, 2:47:30 PM (11 days ago) Oct 30
to ntsys...@googlegroups.com
But I'm not holding my breath:

Chrome is restricting how certs in its root store can be used. Among other things, this will affect mTLS, and we'll probably start to see more public PKIs to handle the changes.

Here's a take from MSFT and how it affects Teams:

Quote:
"Session Border Controllers (SBCs) acting as TLS clients towards Microsoft Teams infrastructure: Due to recent changes in Google’s Chrome root program, many public Certificate Authorities (CAs) will stop issuing certificates with the clientAuth Extended Key Usage (EKU). If they continue to issue such certificates, those CAs will be distrusted by browsers like Chrome and Mozilla. However, some public CAs are expected to continue issuing certificates that include clientAuth. While these certificates may not be trusted by Chrome and Mozilla, operating systems such as Windows, macOS, and potentially Linux will continue to trust certificates from these CAs natively. At some point, SBC certificates will likely need to be issued by one of these CAs, ensuring they include the clientAuth EKU. A list of these CAs will be provided when available. Customers may need to collaborate with their CAs to continue obtaining these certificates. For instance, DigiCert is expected to have such a CA (DigiCert G1) and can issue the necessary certificates."

Kurt

Michael B. Smith

Oct 30, 2025, 2:59:19 PM (11 days ago) Oct 30
to ntsys...@googlegroups.com

This will be painful.

For example, if you have internal sites that use internal CAs and those CAs do other things too (e.g., create DC certs), you are going to need one CA hierarchy for TLS only and one CA hierarchy for “everything else”.

Last time I checked, there are 33 EKUs common on Windows – not just PKIX_KP_CLIENT_AUTH and PKIX_KP_SERVER_AUTH.

    # OID -> Microsoft symbolic name (the szOID_*/XCN_OID_* constants from wincrypt.h).
    # Note: NT5_CRYPTO is 1.3.6.1.4.1.311.10.3.6 and OEM_WHQL_CRYPTO is 1.3.6.1.4.1.311.10.3.7;
    # the two are distinct, and a duplicate key would make the hash literal fail to parse.
    $EKU_OIDName = @{
        '1.3.6.1.4.1.311.10.12.1' = 'ANY_APPLICATION_POLICY';
        '1.3.6.1.4.1.311.20.1' = 'AUTO_ENROLL_CTL_USAGE';
        '1.3.6.1.4.1.311.10.5.1' = 'DRM';
        '1.3.6.1.4.1.311.21.19' = 'DS_EMAIL_REPLICATION';
        '1.3.6.1.4.1.311.10.3.4.1' = 'EFS_RECOVERY';
        '1.3.6.1.4.1.311.10.3.8' = 'EMBEDDED_NT_CRYPTO';
        '1.3.6.1.4.1.311.20.2.1' = 'ENROLLMENT_AGENT';
        '1.3.6.1.5.5.8.2.2' = 'IPSEC_KP_IKE_INTERMEDIATE';
        '1.3.6.1.4.1.311.21.5' = 'KP_CA_EXCHANGE';
        '1.3.6.1.4.1.311.10.3.1' = 'KP_CTL_USAGE_SIGNING';
        '1.3.6.1.4.1.311.10.3.12' = 'KP_DOCUMENT_SIGNING';
        '1.3.6.1.4.1.311.10.3.4' = 'KP_EFS';
        '1.3.6.1.4.1.311.10.3.11' = 'KP_KEY_RECOVERY';
        '1.3.6.1.4.1.311.21.6' = 'KP_KEY_RECOVERY_AGENT';
        '1.3.6.1.4.1.311.10.3.13' = 'KP_LIFETIME_SIGNING';
        '1.3.6.1.4.1.311.10.3.10' = 'KP_QUALIFIED_SUBORDINATION';
        '1.3.6.1.4.1.311.20.2.2' = 'KP_SMARTCARD_LOGON';
        '1.3.6.1.4.1.311.10.3.2' = 'KP_TIME_STAMP_SIGNING';
        '1.3.6.1.4.1.311.10.6.2' = 'LICENSE_SERVER';
        '1.3.6.1.4.1.311.10.6.1' = 'LICENSES';
        '1.3.6.1.4.1.311.10.3.6' = 'NT5_CRYPTO';
        '1.3.6.1.4.1.311.10.3.7' = 'OEM_WHQL_CRYPTO';
        '1.3.6.1.5.5.7.3.2' = 'PKIX_KP_CLIENT_AUTH';
        '1.3.6.1.5.5.7.3.3' = 'PKIX_KP_CODE_SIGNING';
        '1.3.6.1.5.5.7.3.4' = 'PKIX_KP_EMAIL_PROTECTION';
        '1.3.6.1.5.5.7.3.5' = 'PKIX_KP_IPSEC_END_SYSTEM';
        '1.3.6.1.5.5.7.3.6' = 'PKIX_KP_IPSEC_TUNNEL';
        '1.3.6.1.5.5.7.3.7' = 'PKIX_KP_IPSEC_USER';
        '1.3.6.1.5.5.7.3.9' = 'PKIX_KP_OCSP_SIGNING';
        '1.3.6.1.5.5.7.3.1' = 'PKIX_KP_SERVER_AUTH';
        '1.3.6.1.5.5.7.3.8' = 'PKIX_KP_TIMESTAMP_SIGNING';
        '1.3.6.1.4.1.311.10.3.9' = 'ROOT_LIST_SIGNER';
        '1.3.6.1.4.1.311.10.3.5' = 'WHQL_CRYPTO';
    }

    # OID -> description (wording follows Microsoft's XCN_OID documentation).
    $EKU_OIDDesc = @{
        '1.3.6.1.4.1.311.10.12.1' = 'The applications that can use the certificate are not restricted.';
        '1.3.6.1.4.1.311.20.1' = 'The certificate can be used to sign a request for automatic enrollment in a certificate trust list (CTL).';
        '1.3.6.1.4.1.311.10.5.1' = 'The certificate can be used for digital rights management applications.';
        '1.3.6.1.4.1.311.21.19' = 'The certificate can be used for Directory Service email replication.';
        '1.3.6.1.4.1.311.10.3.4.1' = 'The certificate can be used for recovery of documents protected by using Encrypting File System (EFS).';
        '1.3.6.1.4.1.311.10.3.8' = 'The certificate can be used for Windows NT Embedded cryptography.';
        '1.3.6.1.4.1.311.20.2.1' = 'The certificate can be used by an enrollment agent.';
        '1.3.6.1.5.5.8.2.2' = 'The certificate can be used for Internet Key Exchange (IKE).';
        '1.3.6.1.4.1.311.21.5' = 'The certificate can be used for archiving a private key on a certification authority.';
        '1.3.6.1.4.1.311.10.3.1' = 'The certificate can be used to sign a CTL.';
        '1.3.6.1.4.1.311.10.3.12' = 'The certificate can be used for signing documents.';
        '1.3.6.1.4.1.311.10.3.4' = 'The certificate can be used to encrypt files by using the Encrypting File System.';
        '1.3.6.1.4.1.311.10.3.11' = 'The certificate can be used to encrypt and recover escrowed keys.';
        '1.3.6.1.4.1.311.21.6' = 'The certificate is used to identify a key recovery agent.';
        '1.3.6.1.4.1.311.10.3.13' = 'Limits the validity period of a signature to the validity period of the certificate. This restriction is typically used with the XCN_OID_PKIX_KP_CODE_SIGNING OID value to indicate that new time stamp semantics should be used.';
        '1.3.6.1.4.1.311.10.3.10' = 'The certificate can be used to sign cross certificate and subordinate certification authority certificate requests. Qualified subordination is implemented by applying basic constraints, certificate policies, and application policies. Cross certification typically requires policy mapping.';
        '1.3.6.1.4.1.311.20.2.2' = 'The certificate enables an individual to log on to a computer by using a smart card.';
        '1.3.6.1.4.1.311.10.3.2' = 'The certificate can be used to sign a time stamp to be added to a document. Time stamp signing is typically part of a time stamping service.';
        '1.3.6.1.4.1.311.10.6.2' = 'The certificate can be used by a license server when transacting with Microsoft to receive licenses for Terminal Services clients.';
        '1.3.6.1.4.1.311.10.6.1' = 'The certificate can be used for key pack licenses.';
        '1.3.6.1.4.1.311.10.3.6' = 'The certificate can be used for Windows Server 2003, Windows XP, and Windows 2000 cryptography.';
        '1.3.6.1.4.1.311.10.3.7' = 'The certificate can be used for Original Equipment Manufacturers (OEM) Windows Hardware Quality Labs (WHQL) cryptography.';
        '1.3.6.1.5.5.7.3.2' = 'The certificate can be used for authenticating a client.';
        '1.3.6.1.5.5.7.3.3' = 'The certificate can be used for signing code.';
        '1.3.6.1.5.5.7.3.4' = 'The certificate can be used to encrypt email messages.';
        '1.3.6.1.5.5.7.3.5' = 'The certificate can be used for signing end-to-end Internet Protocol Security (IPSEC) communication.';
        '1.3.6.1.5.5.7.3.6' = 'The certificate can be used for signing IPSEC communication in tunnel mode.';
        '1.3.6.1.5.5.7.3.7' = 'The certificate can be used for an IPSEC user.';
        '1.3.6.1.5.5.7.3.9' = 'The certificate can be used for Online Certificate Status Protocol (OCSP) signing.';
        '1.3.6.1.5.5.7.3.1' = 'The certificate can be used for authenticating a server.';
        '1.3.6.1.5.5.7.3.8' = 'The certificate can be used for signing public key infrastructure timestamps.';
        '1.3.6.1.4.1.311.10.3.9' = 'The certificate can be used to sign a certificate root list.';
        '1.3.6.1.4.1.311.10.3.5' = 'The certificate can be used for Windows Hardware Quality Labs (WHQL) cryptography.';
    }

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce4c-S0DU%3DqWC%3DYyx02x7P0-jv9oGVcjKcCoRmLG7D4fCw%40mail.gmail.com.

Michael B. Smith

Oct 30, 2025, 3:04:02 PM (11 days ago) Oct 30
to ntsys...@googlegroups.com

Eh, I’ll take a step back. Since this only affects the roots included in the store BY DEFAULT – on-prem CA hierarchies are not impacted. Sorry for not reading the entire document before responding.

But still the concept applies – for example CAs that also issue code signing certs or IPSEC certs.
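An added example, not code from the thread or from any of its posters, showing the inventory a practitioner would run after reading the two posts above: it walks the Local Machine "My" store, decodes each certificate's EKU OIDs, and flags (1) clientAuth certificates that chain to a public root, which is the population the Chrome Root Program change touches, and (2) certificates that mix TLS EKUs with non-TLS ones such as code signing or IPsec, the "one hierarchy for everything" pattern. Assumptions that are mine: Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated; "public root" is approximated as "present in the AuthRoot store" (the roots distributed by the Microsoft Trusted Root Program), which is a heuristic, not a definitive test; the function and variable names are made up for this example.

```powershell
# Added example (not from the thread). Inventory Cert:\LocalMachine\My and flag
# clientAuth certs chaining to a public root, plus certs that mix TLS and non-TLS EKUs.
# Assumptions: Windows, elevated session, AuthRoot store used as the "public root" set.

$ClientAuth = '1.3.6.1.5.5.7.3.2'
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$TlsEkus    = @($ClientAuth, $ServerAuth)

# Small OID -> name map for readable output; unknown OIDs are printed as-is.
$EkuName = @{
    '1.3.6.1.5.5.7.3.1'       = 'serverAuth'
    '1.3.6.1.5.5.7.3.2'       = 'clientAuth'
    '1.3.6.1.5.5.7.3.3'       = 'codeSigning'
    '1.3.6.1.5.5.7.3.4'       = 'emailProtection'
    '1.3.6.1.5.5.8.2.2'       = 'ikeIntermediate'
    '1.3.6.1.4.1.311.20.2.2'  = 'smartcardLogon'
    '1.3.6.1.4.1.311.10.12.1' = 'anyApplicationPolicy'
}

# Thumbprints of roots shipped via the Microsoft root program (heuristic for "public").
$PublicRoots = @(Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object Thumbprint)

function Get-EkuOid {
    # Returns the certificate's EKU OIDs. An empty array means "no EKU extension",
    # which most Windows consumers treat as unrestricted, so it is NOT flagged here.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object Value)
}

function Get-RootThumbprint {
    # Builds the chain as CryptoAPI would and returns the top element's thumbprint.
    # Revocation is skipped and unknown roots are allowed: this is inventory, not validation.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.Build($Cert)
    $n = $chain.ChainElements.Count
    if ($n -eq 0) { return $null }
    return $chain.ChainElements[$n - 1].Certificate.Thumbprint
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekus   = Get-EkuOid -Cert $cert
    $root   = Get-RootThumbprint -Cert $cert
    $tls    = @($ekus | Where-Object { $TlsEkus -contains $_ })
    $nonTls = @($ekus | Where-Object { $TlsEkus -notcontains $_ })
    [pscustomobject]@{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        EKU              = ($ekus | ForEach-Object { if ($EkuName.ContainsKey($_)) { $EkuName[$_] } else { $_ } }) -join ', '
        HasClientAuth    = [bool]($ekus -contains $ClientAuth)
        ChainsToPublic   = [bool]($root -and ($PublicRoots -contains $root))
        MixesTlsAndOther = [bool]($tls.Count -gt 0 -and $nonTls.Count -gt 0)
    }
}

"== clientAuth certificates chaining to a public root (check these against your CA's plans) =="
$report | Where-Object { $_.HasClientAuth -and $_.ChainsToPublic } |
    Format-Table Subject, Issuer, NotAfter, EKU -AutoSize

"== certificates mixing TLS and non-TLS EKUs (candidates for a separate hierarchy) =="
$report | Where-Object { $_.MixesTlsAndOther } |
    Format-Table Subject, Issuer, EKU -AutoSize
```

Two caveats when reading the output. A certificate with no EKU extension is accepted for client authentication by Windows but is not reported in the first table, so grep the EKU column for blanks as well. And an enterprise root that an admin pushed into the Root store will not appear in AuthRoot, which is exactly why on-prem hierarchies fall outside the first check, matching the correction in the post above; swap in your own root thumbprints if your environment publishes public roots differently.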
