Comments (3)
On Tuesday, August 27th, 2019, Microsoft released an update to the Microsoft Trusted Root Certificate Program. In this release, Microsoft marked the Swisscom Root CA 2 (77474FC630E40F4C47643F84BAB8C6954A8A41EC) with a NotBefore-property.
According to Microsoft:
Windows 10 allows us to stop trusting roots or EKU's using the "NotBefore" or "Disable" properties, both of which allow us to remove certain capabilities of the root certificate without complete removal. These features are not available on versions prior to Windows 10. Earlier versions of Windows will be unaffected by this change.
Please note that this is a Microsoft Windows related problem. According to Swisscom, the Swisscom Root CA 2 certificate is still trustworthy and the certificate has NOT been revoked by Swisscom. This "Swisscom Root CA 2" Root CA certificate remains valid at least until late 2024, from Swisscom's point of view.
Note that Swisscom will introduce a new certificate chain in 2022 with the Swisscom Root CA 4 certificate (Root Certificate) and Swisscom Rubin CA 4 (Intermediate Certificate). Nevertheless, the Swisscom Root CA 2 is still being used by the MobileID service at least until late 2024.
Therefore, we need a solution or a workaround to solve the problem with the Microsoft Trusted Root Certificate Program, as Microsoft marked the Swisscom Root CA 2 in August 2019 with the NotBefore-property (in an up-to-date Windows Root CA-Truststore).
from mobileid-enabler-adfs.
Find below some first thoughts and ideas. They have not been tested by Swisscom yet, please use at your own risk. Some of them may not work or may not be compliant with your security requirements. The instructions below are given without any guarantee and with the exclusion of any legal liability.
- Turn off Automatic Root Certificates Update
  On a Windows System that is not up-to-date (older than August 2019) the Swisscom Root CA 2 is still considered valid. To prevent an automatic root certificate update, the following policy may be enabled with the Local Group Policy Editor. This will keep the Swisscom Root CA 2 considered trustworthy.
  Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update
- Use the Root-CA-Truststore of the user (instead of the Computer's Root-CA-Truststore)
  Windows will look up certificates in the user's trust store first, before it looks up certificates in the Computer's trust store. It MAY work if the Swisscom Root CA 2 is imported in the Root-CA-Truststore of the technical user of the ADFS service.
- Disable the validation of the MobileID user certificate in the ADFS configuration
  Set the configuration parameter DisableSignatureCertValidation to actually disable the validation of the certificate chain. This should work, but obviously security will suffer.
- Include the Swisscom Root CA 2 in the MID/ADFS application
  In the MID/ADFS method Service::WebClientImpl::_isValidSignture(string, byte[]) you can find the call signedCms.CheckSignature(...) (line 1152), which is responsible for the signature validation. According to the dotnet documentation of CheckSignature, you can specify your own/additional certificates (such as the Swisscom Root CA 2) used for the validation of the certificate chain. The Swisscom Root CA 2 needs to be included in the MID/ADFS Installer. It may (or may not) be required to delete the Swisscom Root CA 2 from the Computer's Root-CA-Truststore. This would definitely be the best solution.
from mobileid-enabler-adfs.
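An added example (not code from mobileid-enabler-adfs) of what the fourth option above looks like when validation stays strict: the signature is checked cryptographically with CheckSignature(true), then the chain is built with the Swisscom Root CA 2 supplied as an extra-store certificate and pinned by the thumbprint given in the first comment. It assumes a .NET Framework 4.6+ ADFS plugin and that the caller loads the root from a file shipped with the installer; PinnedCmsVerifier and its parameter names are hypothetical, and since the issue does not settle which status flag Windows reports for the NotBefore property, the diagnostics string surfaces whatever flag comes back rather than guessing.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Added example, not project code: verify a CMS/PKCS#7 signature and pin the
// chain to an explicitly supplied root instead of switching validation off.
public static class PinnedCmsVerifier
{
    // Thumbprint of Swisscom Root CA 2 as stated in the issue.
    private const string ExpectedRootThumbprint = "77474FC630E40F4C47643F84BAB8C6954A8A41EC";

    // cmsBytes:   the DER-encoded SignedData blob received from the MobileID service.
    // pinnedRoot: the Swisscom Root CA 2 loaded from a file shipped with the installer (assumed).
    public static bool Verify(byte[] cmsBytes, X509Certificate2 pinnedRoot, out string diagnostics)
    {
        var cms = new SignedCms();
        cms.Decode(cmsBytes);

        // Step 1: cryptographic check of the signature only; chain trust is decided below.
        try { cms.CheckSignature(verifySignatureOnly: true); }
        catch (CryptographicException ex) { diagnostics = "signature invalid: " + ex.Message; return false; }

        X509Certificate2 signer = cms.SignerInfos[0].Certificate;
        if (signer == null) { diagnostics = "no signer certificate in SignedData"; return false; }

        // Step 2: build the chain with the pinned root as extra store and evaluate the
        // result here rather than relying on what the machine root store currently trusts.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.Build(signer);

            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            { diagnostics = "chain ends in unexpected root " + root.Thumbprint; return false; }

            // UntrustedRoot is expected when the root lives only in the extra store. Any other
            // flag (expired, revoked, explicit distrust, ...) is reported verbatim and fails.
            foreach (X509ChainStatus st in chain.ChainStatus)
            {
                if (st.Status != X509ChainStatusFlags.UntrustedRoot)
                { diagnostics = "chain error: " + st.Status + " " + st.StatusInformation; return false; }
            }
        }
        diagnostics = "ok";
        return true;
    }
}
```

Logging the diagnostics string on failure is what tells an operator whether the Windows chain engine still applies the NotBefore property to the pinned root, which the comment above leaves untested.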
Please note, this issue appears on newer Windows Server versions. On Windows Server 2012 R2 the "NotBefore"-property seems not to be supported and the Swisscom Root CA 2 remains valid.
from mobileid-enabler-adfs.