PKI Blog

CSS recently discovered and published information on a potential privilege escalation attack in SCEP-based Certificate Issuance Systems. After this discovery, CSS created the SCEP Validation Service, which aims to close this attack by validating the certificate contents before the Certificate Authority sends it to the requestor. CSS’ patent-pending solution ships today with our Mobile Certificate Management System (mCMS) v 1.1 software. CSS’ SCEP Validation Service is architected as a set of components that can also be integrated into 3^rd-party Mobile Device Management (MDM) products.

Topics: consumerization of IT, Mobile Device Management, bring your own device, Certificate Management System (CMS), mCMS, Microsoft IT Security, MDM, SCEP, iOS management services, iOS management certificates, iOS, Blog, Simple Certificate Enrollment Protocol, VSCEP, BYOD, Validated SCEP

Topics: digital certificate, Mobile Device Management, bring your own device, Provisioning, Public Key Infrastructure, Certificate Management System (CMS), mCMS, MDM, SCEP, Identity and Access Management, iOS, US-CERT, Blog, Simple Certificate Enrollment Protocol, Active Directory, BYOD

It’s been in the works for quite some time, but we are finally able to publicly announce a problem that we’ve encountered, related to the use of the Simple Certificate Enrollment Protocol, or SCEP, in conjunction with mobile devices. We’ve been working for months behind the scenes with the folks at the United States Computer Emergency Readiness Team (US-CERT) and CERT/CC at Carnegie Mellon our customers, and a number of vendors as well, to help raise awareness of the issue. The CERT report can be found here, and we have a whitepaper and video overview on our website to provide more information.

It should be noted that not all MDM usage of SCEP is equally vulnerable. The scenarios that cause the most concern to us are those that involve the use of SCEP to issue authentication certificates to enterprise systems such as ActiveSync, WiFi, and VPN. In some cases it may be possible to use alternative configurations that reduce or eliminate these risks; in others, it may be more difficult. CSS is willing to help customers assess their specific usage of SCEP and PKI to determine their degree of exposure.

Topics: digital certificate, consumerization of IT, IT Security, Microsoft Security Partner, Mobile Device Management, bring your own device, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, mCMS, MDM, SCEP, Certificate Reporting Tool (CRT), PKI, certification and remediation, mobile certificate, Microsoft-centric infrastructure, Blog, Simple Certificate Enrollment Protocol, CERT Coordination Center, BYOD, ActiveSync, Got PKI?

Certified Security Solutions sent a team to the 2012 RSA Security Conference in San Francisco where one of the underlying themes was mobile security. Located in the Microsoft Pavilion, team CSS boasted a 'Got PKI?' theme centered around PKI best practices and the power of digital certificates on mobile devices. Booth conversations included PKI as a service in addition to leveraging CSS' own software solution, the Certificate Management System (CMS) for digital certificate management and enrollment in a Microsoft PKI. Visitors to the booth were genuinely excited to see a mobile security solution from a company that "gets" PKI. CSS' CTO, Ted Shorter, and Director of Business Development, Uri Lichtenfeld, presented a theater session titled 'Do's and Don’ts of PKI and Certificate Management for Mobile Devices.' Check out the photos below:

Topics: digital certificate, Fulfillment and governance tools for IAM, consumerization of IT, apple, iPhone, digital pki, digital certificate management, Public Key Infrastructure, Certificate Management System (CMS), mCMS, certificate remediation, Microsoft Public Key Infrastructure, iPad, Certificate Reporting Tool (CRT), PKI, Microsoft PKI, iOS management certificates, Microsoft-centric infrastructure, iOS, Blog, expanded compliance and forensic issues, mobile certificates, BYOD, Got PKI?

Recently, while working on a Microsoft Network Device Enrollment Services (NDES) deployment, a client asked a simple-enough question about the thumbprint for the Certificate Authority (CA) certificate that was displayed on the NDES admin enrollment GUI, “What is that hash? And why doesn’t it match any of the CA certificate thumbprint hashes in my chain-of-authority?”

Topics: digital certificate, microsoft ca, IT Security, Microsoft Security Partner, NDES, Public Key Infrastructure, Certificate Management System (CMS), Infrastructure Management, mCMS, SCEP, Microsoft Checksum Integrity Verifier, MD5 hash, Blog, FCIV, SHA-1, Simple Certificate Enrollment Protocol, Microsoft Network Device Enrollment Services (NDES, Microsoft Certificate Authority

Topics: digital certificate, Microsoft Active Directory AD, certificates, apple, iOS 5, iPhone, IT Security, Microsoft Security Partner, digital pki, Certificate Reporting Tool, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, mCMS, Microsoft Public Key Infrastructure, Active Directory Certificate Services, iPad, PKI, Microsoft PKI, iOS management certificates, Microsoft and Apple, iOS, Blog, Active Directory, mobile certificates, BYOD, AD, Got PKI?

Topics: digital certificate, iPad security, apple, iOS 5, iPhone, IT Security, consumerization, Microsoft Security Partner, Certificate Reporting Tool, Certificate Management System (CMS), Industry Trends, mCMS, Software Products, Microsoft Public Key Infrastructure, iPad, SCEP, mobile security, Microsoft, Microsoft PKI, CRT, iOS management certificates, mobile certificate, Microsoft and Apple, iOS, Blog, iPhone security, secure enrollment, BYOD, Got PKI?

Topics: digital certificate, consumerization of IT, apple, iOS 5, iPhone, IT Security, consumerization, Microsoft Security Partner, authentication, Certificate Reporting Tool, cert downtime, Certificate Management System (CMS), Industry Trends, mCMS, Software Products, Certificate revocation list, iPad, CRT, iOS management services, expired certs, mobile certificate, iOS, Blog, digital certificates expire, BYOD, expired digital certificates, Got PKI?

Part 2 of Apple’s iOS Devices and Certificate Lifecycle Planning blog.

Topics: digital certificate, apple, iPhone, Microsoft Security Partner, Certificate Reporting Tool, Certificate Management System (CMS), mCMS, iPad, SCEP, CRT, iOS management certificates, mobile certificate, iOS, Blog, BYOD, Got PKI?

Topics: digital certificate, apple, iPhone, consumerization, Microsoft Security Partner, digital pki, Certificate Reporting Tool, Public Key Infrastructure, Certificate Management System (CMS), mCMS, Microsoft Public Key Infrastructure, iPad, iOS management certificates, mobile certificate, iOS, Blog, Simple Certificate Enrollment Protocol, BYOD, Got PKI?