Attention Entrust Customers,
As Entrust announced in our initial Customer Notice on Dec. 30, 2022, Microsoft is addressing the vulnerabilities documented in CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923. They are implementing a set of updates in their Active Directory (AD) Certificate Services and Windows Domain Controllers (DCs) that service certificate-based authentication.
On Feb. 11, 2025 (previously, Nov. 14, 2023), Microsoft will enact a “Full Enforcement” mode in their AD/DC devices.
- For newly issued certificates, Full Enforcement mode requires checking the Object Identifier (OID) (1.3.6.1.4.1.311.25.2) extension against the corresponding user account SID (Security Identifier) in AD/DC.
- For legacy certificates (certificates issued without the SID/OID), Full Enforcement mode requires strong attribute mappings between the authentication certificates and the user account objects.
For details, see: KB5014754: Certificate-based authentication changes on Windows domain controllers – Microsoft Support.
- Entrust has been working diligently on product enhancements to meet the Microsoft recommendations. These include:
- Enabling issuance of authentication certificates with the SID/OID (1.3.6.1.4.1.311.25.2) extension
Tools for adding strong mapping attributes in AD for legacy certificates
Please follow the corrective actions for each of the affected products.
Need help?
If you have any questions about the instructions, or you need assistance, contact us at: https://www.rjrinnovations.com/contact/
You can download the product software enhancement patches, mapping tools, written procedures, and product documentation from the Entrust TrustedCare site at: https://trustedcare.entrust.com.
Who is affected?
Entrust customers who issue certificates to their users and devices for authentication in their Microsoft AD/DC environment.
Customer corrective actions
The table lists Entrust products affected by Microsoft’s Full Enforcement mode for issuing certificates with the SID attribute and the adoption of AD/DC strong authentication attribute mapping. Please follow the corrective action appropriate for your product.
Entrust Product Name |
Corrective Action |
Entrust Identity Enterprise |
- For issuing new certificates that include the SID attribute, upgrade your Identity Enterprise product to the following patches:
- Identity Enterprise R13.0 Server patch# 452877
- Identity Enterprise R13.0 Self-Service Module patch# 452879
- For legacy certificates, go to TrustedCare > Related Products and download the “Legacy Certificate Remediation tool.” Follow the instructions to update Active Directory accounts with Microsoft recommended “strong attribute” (X509IssuerSerialNumber) value mapping.
Notes:
- Enhancement patches have not been implemented for earlier IdentityGuard end-of-support product releases
- The Legacy Certificate Remediation tool and procedures should be used for legacy certificates issued without the OID/SID attribute
|
Entrust Security Manager |
- For issuing new certificates that include the SID attribute, no product update is needed. The SID extension in certificates is supported through Cert Type variables, but the value should be supplied as DER encoded. Alternatively, upgrade to Entrust Security Manager 10.0.30 (recommended) that helps supplying the SID value in clear text using the Entrust Security Manager Administration.
- For legacy certificates, go to TrustedCare > Related Products and download the “Entrust PKI altSecurityIdentities Mapping Tool.” Follow the instructions to update Active Directory accounts with the recommended “strong” attribute (X509IssuerSerialNumber) value mapping. We recommend running the mapping tool periodically (e.g., daily with log events filter range set to the last 24 hours) to capture the list of users who authenticate with certificates without the SID extension or strong authentication mapping in AD.
|
Entrust Security Manager Administration |
- Upgrade to Entrust Security Manager Administration 10.0.30 (recommended) which allows entering SID value in clear text. If you’re using previous versions of Entrust Security Manager Administration 10.0.x, you must enter the SID value in DER encoded format.
|
Entrust Administration Service |
- Upgrade to Entrust Administration Services 10.2.1 (recommended) for CSR-ES and WNES to support including SID in the CSR.
- UMS and URS will prompt for SID if the Cert Type variable is used. The Entrust Administration Services 10.2.1 patch will accept the SID value in plain text and encode it appropriately.
- MDMWS will accept the SID value if clients send the value as part of the request in encoded format.
- MDM-SCEP will accept the SID value if SCEP clients send the value as part of the request.
- CSR-SCEP will accept the SID value if SCEP clients send the value as part of the request.
- AES will retrieve the SID from AD and include it in the certificate.
|
Entrust Certificate Enrollment Gateway |
- Upgrade to Entrust Certificate Enrollment Gateway 1.6.1 (recommended) for WSTEP to support including SID in the CSR.
|
Entrust Certificate Agent for Windows |
- No corrective patches are available. Certificate Agent customers who want to have SIDs automatically added to certificates during enrollment or renewal must use AS-AES. AS-AES is the Certificate Agent administrative service that handles retrieving the user’s SID from Active Directory and passing it to Entrust Security Manager for inclusion in the requested certificate.
|
Entrust Certificate Agent for macOS |
- No corrective patches are available. Certificate Agent customers who want to have SIDs automatically added to certificates during enrollment or renewal must use AS-AES. AS-AES is the Certificate Agent administrative service that handles retrieving the user’s SID from Active Directory and passing it to Entrust Security Manager for inclusion in the requested certificate.
|
KeyOne CA |
- No corrective patches are available. Go to TrustedCare > Related Products and download the “Entrust PKI altSecurityIdentities Mapping Tool.” Follow the instructions to update Active Directory accounts with the recommended “strong” attribute (X509IssuerSerialNumber) value mapping.
|
DCMS |
- Upgrade to DCMS 3.0 (recommended) which allows users to add the SID value.
|
PKIaaS |
- No product updates are needed. For other on-premises Entrust products, follow the appropriate product updates.
|
CA Gateway |
- No product updates are needed.
|