How can I get the certificate into a specific store/container automatically?

We have a Windows Server 2012 R2 with the Certification Authority role installed.
There we have certificate templates.
I want to get a certificate of a specific template from this server into a specific container automatically by autoenrollment.
Now I automatically get a certificate into the Personal store by group policy and autoenrollment.
But I want to get the certificate into a specific store (for example, the custom SCCM or SMS store) automatically by autoenrollment.

Related

ADCS intermediate CA unable to check revocation status of its own certificate

We have a root certificate authority made with OpenSSL. It's file-based, runs on RHEL, uses "serial" and "index.txt" etc.
Now in a lab environment we have added an intermediate standalone certificate authority using Active Directory Certificate Services, standalone (i.e. not an AD or domain member), running on Windows Server 2012 (all latest updates applied). We signed the intermediate CA with our root and ADCS is up and running successfully. But what we're finding is that we actually cannot issue any certs from this intermediate CA.
When we use the management console and attempt to issue a requested cert, the cert ends up in "Failed Requests" with the message:
Active Directory Certificate Services denied request 4 because The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK).
The request was for CN=obelisk.sand.idfconnect.lan, OU=IDFC, O="IDF Connect, Inc.", L=Wilmington, S=Delaware, C=US. Additional information: Error Constructing or Publishing Certificate Resubmitted by OBELISK\Administrator
If I look at the request, I can see the CRL distribution point is defined as:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=file:////obelisk.sand.idfconnect.lan/CertEnroll/Obelisk Intermediate CA.crl
If I use IE to browse that file:// url, it pops open Windows Explorer, where I see the files I'd expect, i.e.
nsrev_Obelisk Intermediate CA.asp
Obelisk Intermediate CA.crl
Obelisk Intermediate CA+.crl
obelisk.sand.idfconnect.lan_Obelisk Intermediate CA.crt
Lastly, when I view the properties of the intermediate CA from the MMC, and look at its certificate, at the bottom of the details it says: "Extended Error Information: Revocation Status : The revocation function was unable to check revocation for the certificate."
Any advice to get this intermediate CA working greatly appreciated!
Add the public root certificate to the machine store's (certlm.msc) Trusted Root Certification Authorities.
Add the public root certificate's CRL to the machine store's (certlm.msc) Trusted Root Certification Authorities.
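The two steps in the answer above, scripted as an added example (not part of the original answer), together with the check that tells you whether the CA can now build and revocation-check its own chain. File names (root.crt, root.crl exported from the OpenSSL root, intermediate.crt for the ADCS CA's own certificate) are assumptions; run it in an elevated session on the ADCS server.

```powershell
# Added example, not from the original answer.
# Import the external root and its CRL into the machine Trusted Root store,
# then verify the intermediate CA certificate the way the CA service does.

$rootCert     = '.\root.crt'         # assumption: PEM/DER export of the OpenSSL root certificate
$rootCrl      = '.\root.crl'         # assumption: CRL signed by that root
$intermediate = '.\intermediate.crt' # assumption: the ADCS intermediate CA's own certificate

foreach ($f in $rootCert, $rootCrl, $intermediate) {
    if (-not (Test-Path $f)) { throw "Missing input file: $f" }
}

# -addstore takes certificates and CRLs alike; -f overwrites an older copy of the CRL.
certutil -addstore -f Root $rootCert
certutil -addstore -f Root $rootCrl

# -urlfetch forces every AIA/CDP URL in the chain to be retrieved and reports
# the per-URL result, so a failing CDP (e.g. the file:// UNC path above) shows
# up here rather than only as CRYPT_E_NO_REVOCATION_CHECK in the CA log.
certutil -verify -urlfetch $intermediate

# Confirm the root's CRL actually landed and note its NextUpdate: the CA will
# start failing requests again once that date passes unless a fresh CRL is imported.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Subject, NotAfter, Thumbprint
certutil -store Root | Select-String -Pattern 'CRL', 'NextUpdate'
```

An OpenSSL root has no CDP that Windows can reach on its own, so the only way the intermediate's own revocation status can be checked is a CRL already present in the local store; that is why the CRL has to be re-imported before each NextUpdate.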

Trusted user not recognized by PowerShell

The following setup is given:
We are a fairly small branch of a big enterprise sitting at the bottom of a complex Windows Server 2012 R2 AD. Therefore we are somewhat restricted in our policies.
Our development department has three PowerShell developers who want to use their scripts securely.
We implemented an AD CS to sign our scripts with our own root certificate authority.
The technical steps to implement our certificates are the following:
Create a private key with a public certificate using openssl.
Sign the certificate with our certificate authority.
Import the signed certificate into an AD user's account, along with the public certificate of the CA into the trusted CAs.
The certificate user "ScriptUser" is not an AD user, therefore we import his certificate into the Trusted Users area.
Signing and testing:
On the client system (Windows 7 or Windows 10) we tested signing a PowerShell script, which went OK.
When running the script locally we get an error message that the certificate owner is not trustworthy. After confirming, the script runs.
We expected the script to run without any dialogue.
What are we doing wrong?
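As an added example (not from the post above, and no answer is given on the page), here is the sign-and-verify cycle written out so the trust decision can be inspected instead of clicked through. The "untrusted publisher" dialog is raised by the AllSigned/RemoteSigned policies when the signature chains to a trusted root but the signer's certificate is not in the Trusted Publishers store, which is a separate store from Trusted Root Certification Authorities and from the per-user Trusted People store. Script path and the subject filter are assumptions; Export-Certificate/Import-Certificate are PKI-module cmdlets (Windows 8 / Server 2012 and later), on Windows 7 use certutil -addstore TrustedPublisher instead.

```powershell
# Added example, not from the original post.
# Sign a script, check the signature status, and put the signer into the store
# that the publisher prompt keys on (Trusted Publishers, machine-wide).

$script = 'C:\scripts\deploy.ps1'   # assumption

# -CodeSigningCert returns only certificates carrying the Code Signing EKU; a
# certificate made from a CSR without that EKU signs fine but verifies as invalid.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -like 'CN=ScriptUser*' } |   # assumption: subject of the signing cert
        Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate for ScriptUser in CurrentUser\My' }

Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

$sig = Get-AuthenticodeSignature -FilePath $script
'{0}: {1}' -f $sig.Status, $sig.StatusMessage
# Valid      -> chain trusted; if the prompt still appears, the publisher store is the gap
# UnknownError / NotTrusted -> the CA is not in Trusted Root on this machine, fix that first

$trustedPublisher = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
                    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trustedPublisher) {
    # Export the public part only (never the key) and import it machine-wide.
    # Needs an elevated session; for a domain-wide rollout publish the same .cer
    # through a GPO under Public Key Policies > Trusted Publishers instead.
    $cer = Join-Path $env:TEMP 'scriptuser.cer'
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
    Remove-Item $cer
    'Signer added to Trusted Publishers; re-run the script with the AllSigned policy.'
}
```

Keep the Trusted Publishers list deliberately short: every certificate in it can run code without a prompt on that machine, so it should hold the signing certificate only, not the CA.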

Can I request a client certificate from Active Directory CA with Powershell?

I'd like to automate the task of requesting client certificates from the CA attached to our Active Directory. Currently, I use certmgr and click "Request New Certificate" from the menu and make several other selections, including selecting an appropriate policy.
Surely PowerShell can help me with this, as I already use it to get rid of old certificates. Is there a module which can be used for this, or does PowerShell 3 cover this out of the box?
I think certreq could be what you are looking for.
Certreq can be used to request certificates from a certification authority (CA), to retrieve a response to a previous request from a CA, to create a new request from an .inf file, to accept and install a response to a request, to construct a cross-certification or qualified subordination request from an existing CA certificate or request, and to sign a cross-certification or qualified subordination request.
Then there is another useful utility when dealing with certificates in Windows: certutil.
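The certreq flow the answer above describes, written out end to end as an added example (not part of the original answer), followed by the PKI-module cmdlet that does the same against an enterprise CA. The CA config string, template name and subject are assumptions; the .inf keys are the documented certreq ones.

```powershell
# Added example, not from the original answer.
# 1) certreq: build a request from an .inf, submit it to the CA, install the response.
# 2) Get-Certificate: the PowerShell-native equivalent (PKI module, Win8/2012 and later).

$caConfig = 'ca01.corp.example\Corp Issuing CA 1'   # assumption; "<host>\<CA name>", see: certutil -dump
$template = 'WebServer'                             # assumption: template common name
$subject  = 'CN=web01.corp.example'                 # assumption

# Single-quoted here-string so "$Windows NT$" is not expanded.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "SUBJECT_PLACEHOLDER"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE          ; keep the private key non-exportable
MachineKeySet = TRUE        ; machine store; FALSE puts it in the requesting user's store
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xa0             ; digitalSignature + keyEncipherment

[RequestAttributes]
CertificateTemplate = TEMPLATE_PLACEHOLDER
'@
$inf = $inf.Replace('SUBJECT_PLACEHOLDER', $subject).Replace('TEMPLATE_PLACEHOLDER', $template)
Set-Content -Path .\web01.inf -Value $inf -Encoding Ascii

certreq -new .\web01.inf .\web01.req                      # key pair is generated here, in the machine store
certreq -submit -config $caConfig .\web01.req .\web01.cer
# If the template requires CA manager approval the CA answers "pending" with a
# request id; fetch it later with:  certreq -retrieve -config $caConfig <RequestId> .\web01.cer
certreq -accept .\web01.cer                               # binds the issued cert to the pending key
Remove-Item .\web01.inf, .\web01.req -ErrorAction SilentlyContinue

# 2) Same thing without the .inf: the CA is located through AD, the key is built
#    from the template's settings and the cert lands directly in the given store.
$result = Get-Certificate -Template $template -DnsName 'web01.corp.example' `
                          -CertStoreLocation Cert:\LocalMachine\My
$result.Status                      # Issued, Pending or Denied
$result.Certificate.Thumbprint      # populated when Status is Issued
```

Both routes need the requester to have Enroll permission on the template; a Denied status or an "access denied" from certreq -submit is almost always that ACL, not the request syntax.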

File system location of AD FS's token-signing certificate

On Windows Server 2012, where does ADFS store the automatically generated Token-Decrypting certificate?
I manually checked the usual places and could not find it:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
I was able to identify the Service-Communications cert and Token-Signing certificate.
On our boxes (WID / automatic rollover), they are stored in a container in AD under:
Program Data / Microsoft / ADFS
ADFS was configured to run under a specific account; the certificate was located under that account's roaming profile. This path is only applicable to certificates that are automatically generated when ADFS is first configured. Once they expire, I recommend installing a new cert in the LocalMachine store instead.
C:\Users\<AccountNameRunningADFS>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
Self-signed certificates are stored in the SQL / WID database, not the Certificates MMC
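Rather than searching the file system, the federation service can be asked which store each certificate sits in. The following is an added example (not from any of the answers above) to be run in an elevated session on the AD FS server; it assumes the ADFS module (on Server 2012 the same cmdlet comes from the Microsoft.Adfs.PowerShell snap-in).

```powershell
# Added example, not from the original answers.
# List the certificates AD FS is configured with, where each lives, and whether
# the current session can actually open it.

Import-Module ADFS -ErrorAction SilentlyContinue
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop   # Server 2012
}

foreach ($c in Get-AdfsCertificate) {
    # StoreLocation/StoreName are reported relative to the AD FS service account:
    # "CurrentUser" here means that account's profile, not the admin running this.
    $path = 'Cert:\{0}\{1}\{2}' -f $c.StoreLocation, $c.StoreName, $c.Thumbprint
    $item = Get-Item $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Type           = $c.CertificateType          # Token-Signing, Token-Decrypting, Service-Communications
        Primary        = $c.IsPrimary
        Store          = "$($c.StoreLocation)\$($c.StoreName)"
        Thumbprint     = $c.Thumbprint
        NotAfter       = $c.Certificate.NotAfter
        VisibleHere    = [bool]$item
        HasPrivateKey  = if ($item) { $item.HasPrivateKey } else { $null }
    }
}
```

A Token-Decrypting or Token-Signing entry that reports CurrentUser and is not visible from the admin's session is the auto-generated case the answers describe; only a session running as the service account (or a machine-store certificate set with Set-AdfsCertificate) will show the private key.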

Grant access to SYSTEM account for RSA container on Windows Server 2003

I have a need to access an RSA private key from a Windows service running under the NT AUTHORITY\SYSTEM account. I'm able to install the private key on the server, and then make use of that key when running as the user that installed the key. However, the key does not seem to be available from the Windows service. Do I need a machine-level key here (which I understand increases the risk of compromise), or is there a way I can install a key specifically intended for use by the SYSTEM account?
You can do Start > Run > mmc, load the Certificates snap-in and then choose "Service account" to manage the certificates for a specific service. I am not sure if you can do this for the SYSTEM account. Is this a requirement, or are you able to run your service as a custom least-privilege account?
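The reason a key installed as one user is invisible to a service running as SYSTEM is that per-user CAPI key containers live in that user's profile; only machine key containers are shared, and access to them is governed by the ACL on the container file. The following added example (not from the question or the answer above) checks which kind of key a LocalMachine certificate has and grants SYSTEM read access to the container file, which is the minimum a service needs to sign or decrypt with it. It assumes a legacy CSP (CAPI) RSA key, as on Server 2003; for CNG keys the PrivateKey property is null and the file sits under Crypto\Keys instead. The thumbprint is an assumption.

```powershell
# Added example, not from the original thread.
# Grant NT AUTHORITY\SYSTEM read access to the machine key container behind a certificate.

param([Parameter(Mandatory = $true)][string]$Thumbprint)   # assumption: supplied by the caller

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in LocalMachine\My" }

# CAPI RSA keys surface as RSACryptoServiceProvider; anything else (CNG, DSA) is out of scope here.
$rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if (-not $rsa) { throw 'Not a CAPI RSA key; this script does not handle CNG key storage' }

$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyStore) {
    throw 'Key is a per-user container; a service running as SYSTEM cannot open it. Re-import with the machine key set.'
}

# CommonApplicationData resolves to "Documents and Settings\All Users\Application Data"
# on Server 2003 and to ProgramData on later versions, so the path works on both.
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# Read access is enough to use the key; avoid Full Control so the service
# cannot delete or re-ACL the container.
icacls $keyFile /grant 'NT AUTHORITY\SYSTEM:(R)'
icacls $keyFile    # print the resulting ACL for review
```

If the service can run as a dedicated account instead of SYSTEM, grant that account the same read right on the container and nothing else; a machine key readable by SYSTEM is readable by anything that gains SYSTEM, which is the compromise risk the question alludes to.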