Private key protection 编辑

Introduction

Certificates are stored in an embedded database on the FAS server. The associated private keys are stored by means of the Network Service account of the FAS server and marked as non-exportable by default.

There are two types of private keys:

  • The private key associated with the registration authority certificate, from the Citrix_RegistrationAuthority certificate template.
  • The private keys associated with the user certificates, from the Citrix_SmartcardLogon certificate template.

There are actually two registration authority certificates: Citrix_RegistrationAuthority_ManualAuthorization (valid for 24 hours by default) and Citrix_RegistrationAuthority (valid for two years by default).

During step 3 of the Initial Setup tab in the Federated Authentication Service (FAS) administration console, when you click Authorize the FAS server generates a keypair and sends a certificate signing request to the certificate authority for the Citrix_RegistrationAuthority_ManualAuthorization certificate. This is a temporary certificate, valid for 24 hours by default. The certificate authority does not automatically issue this certificate; its issuance must be manually authorised on the certificate authority by an administrator. Once the certificate is issued to the FAS server, FAS uses the Citrix_RegistrationAuthority_ManualAuthorization certificate to automatically obtain the Citrix_RegistrationAuthority certificate (valid for two years by default). The FAS server deletes the certificate and key for Citrix_RegistrationAuthority_ManualAuthorization as soon as it obtains the Citrix_RegistrationAuthority certificate.

The private key associated with the registration authority certificate is particularly sensitive, because the registration authority certificate policy allows whoever possesses the private key to issue certificate requests for the set of users configured in the template. As a consequence, whoever controls this key can connect to the environment as any of the users in the set.

You can configure the FAS server to protect private keys in a way that fits your organization’s security requirements, using one of the following:

  • Microsoft Enhanced RSA and AES Cryptographic Provider or Microsoft Software Key Storage Provider for both the registration authority certificate and the user certificates’ private keys.
  • Microsoft Platform Key Storage Provider with a Trusted Platform Module (TPM) chip for the registration authority certificate’s private key, and Microsoft Enhanced RSA and AES Cryptographic Provider or Microsoft Software Key Storage Provider for the user certificates’ private keys.
  • A Hardware Security Module (HSM) vendor’s Cryptographic Service or Key Storage Provider with the HSM device for both the registration authority certificate and the user certificates’ private keys.

Private key configuration settings

Configure FAS to use one of the three options. Use a text editor to edit the Citrix.Authentication.FederatedAuthenticationService.exe.config file. The default location of the file is in the Program Files\Citrix\Federated Authentication Service folder on the FAS server.

localized image

FAS reads the config file only when the service starts. If any values are changed, FAS must be restarted before it reflects the new settings.

Set the relevant values in the Citrix.Authentication.FederatedAuthenticationService.exe.config file as follows:

Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderLegacyCsp (switch between CAPI and CNG APIs)

ValueComment
trueUse CAPI APIs
false (default)Use CNG APIs

Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName (name of the provider to use)

ValueComment
Microsoft Enhanced RSA and AES Cryptographic ProviderDefault CAPI provider
Microsoft Software Key Storage ProviderDefault CNG Provider
Microsoft Platform Key Storage ProviderDefault TPM provider. Note that TPM is not recommended for user keys. Use TPM for the registration authority key only. If you plan to run your FAS server in a virtualized environment, check with your TPM and hypervisor vendor whether virtualization is supported.
HSM_Vendor CSP/Key Storage ProviderSupplied by HSM vendor. The value differs between vendors. If you plan to run your FAS server in a virtualized environment, check with your HSM vendor whether virtualization is supported.

Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderType (Required only in case of CAPI API)

ValueComment
24Default. Refers to Microsoft KeyContainerPermissionAccessEntry.ProviderType Property PROV_RSA_AES 24. Should always be 24 unless you are using an HSM with CAPI and the HSM vendor specifies otherwise.

Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.KeyProtection (When FAS needs to perform a private key operation, it uses the value specified here) Controls the “exportable” flag of private keys. Allows the use of TPM key storage, if supported by the hardware.

ValueComment
NoProtectionPrivate key can be exported.
GenerateNonExportableKeyDefault. Private key cannot be exported.
GenerateTPMProtectedKeyPrivate key will be managed using the TPM. Private key is stored via the ProviderName you specified in ProviderName (for example, Microsoft Platform Key Storage Provider)

Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.KeyLength (Specify size of private key in bits)

ValueComment
2048Default. 1024 or 4096 can also be used.

The config file settings are represented graphically as follows (installation defaults are shown in red):

localized image

Configuration scenario examples

Example 1

This example covers the registration authority certificate private key and user certificates’ private keys stored using the Microsoft Software Key Storage Provider

This is the default post-install configuration. No additional private key configuration is required.

Example 2

This example shows the registration authority certificate private key stored in the FAS server motherboard’s hardware TPM via the Microsoft Platform Key Storage Provider, and user certificates’ private keys stored using the Microsoft Software Key Storage Provider.

This scenario assumes that the TPM on your FAS server motherboard has been enabled in the BIOS according to the TPM manufacturer’s documentation and then initialized in Windows; see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749022(v=ws.10).

Using the FAS administration console

The FAS administration console cannot perform offline certificate signing request, so using it is not recommended unless your organization allows online certificate signing request for registration authority certificates.

When performing initial FAS setup, after deploying certificate templates and setting up the certificate authority, but before authorizing the service (step 3 in the configuration sequence):

Step 1: Edit the config file by changing the following line as follows:

localized image

The file should now appear as follows:

localized image

Some TPMs restrict key length. The default key length is 2048 bits. Ensure that you specify a key length supported by your hardware.

Step 2: Restart the Citrix Federated Authentication Service to read the values from the config file.

Step 3: Authorize the service.

Step 4: Manually issue the pending certificate request from the certificate authority server. After the registration authority certificate is obtained, step 3 in the setup sequence in the administration console will be green. At this point, the registration authority certificate’s private key will have generated in the TPM. The certificate will be valid for 2 years by default.

To confirm that the registration authority certificate’s private key is correctly being stored in the TPM, use the following PowerShell commands. The PrivateKeyProvider field will be set to Microsoft Platform Crypto Provider if the registration authority certificate’s private key is stored in the TPM:

Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
Get-FasAuthorizationCertificate -FullCertInfo -Address localhost
<!--NeedCopy-->

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:87 次

字数:10729

最后编辑:6 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文