The last couple of days, I have been having lots of fun (that was sarcasm for those that are sarcasm challenged) working with some colleagues on some certificate issues.
Basically, the issue is that Lync Server 2013’s Front-End services will not start up properly if Intermediate Certification Authority certificates, or any other non-Root certificates, are put in the Trusted Root Certification Authorities certificate store. This issue is documented on TechNet.
The first part of the discussion was how to identify a Root CA certificate.
What is a Root Certificate Authority certificate? This is the actual issue. If you don’t know what a Root CA certificate is, it is hard to fix the problem. If you look at the certificates here, you will see that there is a column titled Issued To and another column titled Issued By. A Root CA issues its own cert. Basically, the Issued To and the Issued By need to be the same. Please note that, in this case, the following certs in this graphic are NOT Root CA certs:
- Symantec Class 3 DSA SSL CA
- Symantec Class 3 EV SSL CA – G2
- Symantec Class 3 EV SSL CA – G3
- Symantec Class 3 Secure Server CA – G4
- Symantec Class 3 SHA256 Code Signing CA
These should be moved to the Intermediate Certification Authorities container.
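The Issued To / Issued By test above is easy to script. The following is an added example, not code from the original post: it lists every certificate in the local machine’s Trusted Root Certification Authorities store whose Subject (Issued To) does not match its Issuer (Issued By), and with the `-Move` switch relocates those certs to the Intermediate Certification Authorities store. It assumes an elevated PowerShell session on the server being checked.

```powershell
# Added example (not from the original post). Report-only by default;
# pass -Move to relocate non-root certs from Root to Intermediate.
param(
    [switch]$Move
)

# "Issued To" in the certificate MMC is the Subject; "Issued By" is the Issuer.
# A Root CA certificate issues itself, so the two names must be identical.
$misplaced = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -ne $_.Issuer }

if (-not $misplaced) {
    Write-Output 'No non-root certificates found in Trusted Root Certification Authorities.'
    return
}

# Show the same two columns the MMC does, plus the thumbprint for tracking.
$misplaced | Select-Object Thumbprint,
    @{ Name = 'IssuedTo'; Expression = { $_.GetNameInfo('SimpleName', $false) } },
    @{ Name = 'IssuedBy'; Expression = { $_.GetNameInfo('SimpleName', $true) } } |
    Format-Table -AutoSize

if ($Move) {
    # Use X509Store objects so this also works on older PowerShell versions
    # where Remove-Item is not supported on the Cert: provider.
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
    $rootStore.Open('ReadWrite')
    $caStore.Open('ReadWrite')
    foreach ($cert in $misplaced) {
        # Add the copy to Intermediate first, then remove it from Root.
        $caStore.Add($cert)
        $rootStore.Remove($cert)
        Write-Output "Moved $($cert.Thumbprint) to Intermediate Certification Authorities."
    }
    $caStore.Close()
    $rootStore.Close()
}
```

Run it without `-Move` first and review the output; if the same certs reappear after a move, a Group Policy is putting them back and the policy itself has to be corrected, as the rest of this post describes.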
Certificate Authority Analogy – Also a bit of a Rant
I put together an analogy a few years ago, and I think it really helps explain the issue that we are discussing here.
Back in 2010, there was a huge Lacrosse tournament being held in the United Kingdom. The Iroquois Nationals lacrosse team was invited to this tournament. For those that don’t know, the Iroquois Nation (also known as the Haudenosaunee and the Six Nations) is a very powerful and influential Native American confederacy. The Iroquois Nation includes land that spans the border between the United States and Canada.
Anyway, the Iroquois were issued passports by their government officials. The passports were not recognized as being acceptable by the UK (nor would they have been found to be acceptable to the US) as they just are not recognized as a separate nation with an accepted passport issuing authority. Well, who says whether they should be allowed to create passports and that their passports should or should not be accepted? Who gets to make that decision?
Let me ask a different question: Who says that we should accept certificates issued by the Equifax Secure Certification Authority (I just picked one out of the air)? Really, who says we have to accept the certificates issued by their CA? The answer is, “We do.” We, as server administrators, can easily add or remove CAs from our list any time we want. The CAs in our certification stores are prepopulated in many cases by the operating system vendor, i.e. Microsoft, but we can change the list all we want. It is just like the US has refused to accept Cuban passports for political reasons for decades, while other nations accept Cuban passports without any issues. Who says the US does not have to accept Cuban passports? Well, the US government is fully allowed to accept or reject any passport document. They can also change their minds about it.
So what it comes down to is that a CA is only as valid as we decide. If Joe’s Seafood Emporium created its own CA and issued certificates, does that mean we have to accept them as a valid CA and thus accept all certs that it issues? Of course not.
To extend this analogy, if the Iroquois Nation was recognized as a valid passport issuing authority by the UK, then there wouldn’t have been any issues so long as the passports contained all of the proper passport authority security mechanisms. They would have been allowed into the UK for the tournament, and they might have won it all. However, they didn’t have valid passports according to the UK, as the UK didn’t recognize the Iroquois Nation as a proper passport issuing authority, and they were denied entry to the UK.
Back to the Topic
OK, back to my original rant. In my case, these Intermediate CA certs were being pushed into the Trusted Root Certification Authorities container by a Group Policy. Somebody in the company decided that they should go there, even though they don’t belong there. Removing them is easy, but if the Group Policy keeps putting them back, the only solution is to fix the Group Policy.
Thankfully, it was pretty easy to convince the right people that they needed to fix the Group Policy that was causing me heartache.