Introduction
After applying Microsoft KB5014754 update, already issued authentication certificates will not function if you do not update them accordingly. After applying the update to certification authority (CA) servers, a non-critical extension with Object Identifier (OID) 1.3.6.1.4.1.311.25.2 is added to all issued certificates with the user or device security identifier (SID) included. Domain controllers with the update installed will use this information to validate the certificate used for authentication and ensure that it matches the information in Active Directory.
This article will describe enhancements made to vSEC:CMS that can help you to identify those authentication certificates, issued through vSEC:CMS, that need to be updated.
Versasec is not responsible if your authentication fails when KB5014754 is enforced. The enhanced functionality provided and described here should be used as a tool to help you determine what credentials with authentication certificates need to be acted on. If you would like to engage with Versasec to assist you on using and determining what certificates need to be updated then contact our Professional Service team at info@versasec.com.
Identify Certificates
The first task is to identify the authentication certificates issued through vSEC:CMS that need to be acted upon. From version 6.8 we have added a support console task that can be used to identify those certificates.
It will be necessary to enable support console operations from the vSEC:CMS Admin application. This should be done on the server where vSEC:CMS is installed.
This can be done by setting a DWORD registry named app.behave.showsupport in [HKEY_CURRENT_USER\SOFTWARE\Versatile Security\vSEC_CMS_T] with a value of 1.
Only operators who have a role of System Administrator can and should perform the tasks described in this article.
Navigate to Help - Support Console and select Authentication certificates without SID.
Click Perform which will result in the dialog below opening. You will need to know the date when you performed the MS KB update so you can search before that date in order to retrieve the certificates issued without a SID value. Click the Browse button and select certificates (.cer file) within the range that you want to search for. Alternatively, you can click the Search button and enter a certificate serial number. In both cases the valid from field on the certificate is used to determine the date.
Click the Perform button to start. At the end of this operation you will see a summary dialog. You should save the output to a file. The content of the file will be filled with the details below.
| Parameter Name | Description |
| TMPLID_CA | This is the vSEC:CMS internal ID for the CA connection used when issuing the credential (from Options - Connections - Certificate Authorities). |
| CERTENROLLTEMPLATEID | This is the vSEC:CMS internal ID for the CA certificate template used when issuing the credential (from Templates - Credential Templates - Issue Credential). |
| CERTENROLLTEMPLATENAME | This is the actual name of the certificate template name from the CA. |
| CERT_HASH | This is the certificate hash or thumbprint. |
| CERT_SERIAL | This is the certificate serial number. |
| CERT_SUBJECT | This is the certificate subject details. |
| CERT_ISSUER | This is the certificate issuer details. |
| CERT_VALID_FROM | This is the valid from of the certificate. |
| CSN | This is the credential serial number. |
| USER_DN | This is the user DN from AD. |
| USER_GUID | This is the user GUID from AD. |
This file can then be used as the input file for further use cases.
Update Database
From the Update on credential section you can use the input file from the previous section to update records in vSEC:CMS. This will result in the certificate(s) identified in the input file being triggered to be updated like any credential update flow as currently is available in the product.
There are 3 options available:
1. Del: Using the input file you can delete any record(s) that you want to be removed from the database that have an Update needed flag.
2. Get: If you run this option you can get all records that have an Update needed flag set.
3. Set: Using the input file you can set record(s) with an Update needed flag.
You can cross reference whether a credential in the Repository - Credentials table has an Update needed flag set.
altSecurityIdentities Option
If you do not wish to re-issue all of the credential certificates that do not have the SID attribute issued in the certificate then you can use the altSecurityIdentities AD attribute. You will need to write the strong certificate mapping to the user attribute for all of users certificates you need to update. Domain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the users Object using for example Windows Powershell.
In the Generate altSecurityIdentities attribute values section select the input file from earlier. Then you can select which encoding type from the drop-down list.
Microsoft recommend that you use the certificate serial number when mapping the details to the user's altSecurityIdentities attribute value. Therefore we recommend you select Issuer and serial from the drop-down list.
The output can then be used by your domain admins to add the altSecurityIdentities values to the AD user objects. For example, the value that needs to be mapped to the attribute could look something like this:
X509:<I>DC=com,DC=lab,CN=lab-my-CA<SR>320A00000100791DBE5F28484B24320A00001A