When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in MSDN article Authentication-Level Constants (http://msdn.microsoft.com/library/aa373553.aspx).
On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 CA, this enhanced security setting is enabled by default.
What value does this change add?
The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read.
Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.
The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server® 2003, Windows Server® 2003 R2, Windows Server® 2008, or Windows Server 2008 R2 certification authorities are:
certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
Restart the certification authority
net stop certsvc
net start certsvc
If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:
- Upgrade the Windows XP clients to a newer operating system.
- Lower the security of the CA by running the following commands:
To lower CA security for compatibility with Windows XP clientscertutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc
net start certsvc
What works differently?
Windows XP clients will not be compatible with this higher security setting enabled by default on a Windows Server 2012 CA. If necessary, you can lower the security setting as previously described.
Further details:
Authentication-Level Constants
http://msdn.microsoft.com/library/aa373553.aspx