Channel: Security forum

disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption & disable MD5 and 96-bit MAC algorithms - Windows 2008 Std SP2


Friends,

We have received a vulnerability scan report for our WS_FTP server, and the actions below were suggested.

1. SSH Server CBC Mode Ciphers Enabled - Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc

2. SSH Weak MAC Algorithms Enabled - Disable MD5 and 96-bit MAC algorithms

The following client-to-server Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96

No proper steps or instructions are available on the Internet regarding these two points; could you please suggest some...

Regards,

SH,



MCP, MCTS
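To see what the WS_FTP server actually offers, before and after the change, here is an added PowerShell script (not part of the post and not WS_FTP's own tooling) that reads the server's SSH_MSG_KEXINIT and flags exactly the algorithms the scanner listed. The host name is a placeholder; the packet layout follows RFC 4253.

```powershell
# Added example, not from the post: read an SSH server's SSH_MSG_KEXINIT
# (RFC 4253, section 7.1) and report the ciphers and MACs it offers, flagging
# what the scanner objects to: any *-cbc cipher, hmac-md5* and *-96 MACs.
# The host name is a placeholder; point it at the WS_FTP server.
param(
    [string]$SshHost = 'wsftp.example.internal',
    [int]$Port = 22
)

function ConvertTo-UInt32BE([byte[]]$Data, [int]$Offset) {
    # SSH encodes integers as 32-bit big-endian.
    return ([int64]($Data[$Offset]) * 16777216) + ([int64]($Data[$Offset + 1]) * 65536) +
           ([int64]($Data[$Offset + 2]) * 256) + [int64]($Data[$Offset + 3])
}

function Read-Exact([System.IO.Stream]$Stream, [int]$Count) {
    # NetworkStream.Read may return fewer bytes than requested; loop until full.
    $buf = New-Object byte[] $Count
    $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw "connection closed after $got of $Count bytes" }
        $got += $n
    }
    return ,$buf
}

function Read-NameList([byte[]]$Data, [ref]$Pos) {
    # name-list = uint32 length followed by comma-separated US-ASCII names.
    $len  = [int](ConvertTo-UInt32BE $Data $Pos.Value)
    $text = [System.Text.Encoding]::ASCII.GetString($Data, $Pos.Value + 4, $len)
    $Pos.Value += 4 + $len
    if ($text -eq '') { return @() }
    return $text.Split(',')
}

$client = New-Object System.Net.Sockets.TcpClient($SshHost, $Port)
$stream = $client.GetStream()
$stream.ReadTimeout = 10000
try {
    # Server identification: other lines may precede it; the real one starts with "SSH-".
    do {
        $line = ''
        while (-not $line.EndsWith("`n")) {
            $b = Read-Exact $stream 1
            $line += [char]$b[0]
        }
    } until ($line.StartsWith('SSH-'))
    $banner = $line.Trim()

    # Send our identification; the server's KEXINIT is the first binary packet.
    $hello = [System.Text.Encoding]::ASCII.GetBytes("SSH-2.0-KexAudit`r`n")
    $stream.Write($hello, 0, $hello.Length)

    # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
    $pktLen  = [int](ConvertTo-UInt32BE (Read-Exact $stream 4) 0)
    $pkt     = Read-Exact $stream $pktLen
    $padLen  = [int]$pkt[0]
    $payload = [byte[]]$pkt[1..($pktLen - $padLen - 1)]
    if ($payload[0] -ne 20) { throw "expected SSH_MSG_KEXINIT (20), got $($payload[0])" }

    # Payload: byte 20, 16-byte cookie, then ten name-lists in RFC order.
    $pos   = 17
    $lists = @{}
    foreach ($n in 'kex', 'hostkey', 'enc_c2s', 'enc_s2c', 'mac_c2s', 'mac_s2c',
                   'comp_c2s', 'comp_s2c', 'lang_c2s', 'lang_s2c') {
        $lists[$n] = Read-NameList $payload ([ref]$pos)
    }
}
finally { $client.Close() }

"Server: $banner"
$report = @()
foreach ($dir in 'c2s', 's2c') {
    foreach ($c in $lists["enc_$dir"]) {
        $report += New-Object PSObject -Property @{
            Direction = $dir; Type = 'cipher'; Name = $c; Weak = ($c -like '*-cbc') }
    }
    foreach ($m in $lists["mac_$dir"]) {
        $report += New-Object PSObject -Property @{
            Direction = $dir; Type = 'mac'; Name = $m
            Weak = (($m -like 'hmac-md5*') -or ($m -like '*-96')) }
    }
}
$report | Sort-Object Weak -Descending | Format-Table Direction, Type, Name, Weak -AutoSize
```

The scanner's "client-to-server" and "server-to-client" lists correspond to the enc_c2s/mac_c2s and enc_s2c/mac_s2c name-lists the server advertises, so the Weak column should be empty once the CBC ciphers and the MD5/96-bit MACs have been removed from the WS_FTP SSH listener's configuration. The script only reads the server's offer; it does not change any WS_FTP setting.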


Does Windows 2012 R2 Legacy mode OS support TPM 2.0?


The OS used is Windows 2012 R2 in "Legacy mode". My TPM 2.0 chip is displayed as "The TPM is ready for use with reduced functionality" in the Windows TPM management console (tpm.msc). I have tried to clear the TPM and go back to the OS again, but this issue still exists.

Moreover, when I tried to prepare the TPM, it displayed "The TPM security hardware on this computer is ready for use, with reduced functionality (consistent with previous OS versions)".

After that, I tried to install Windows 2012 R2 in "UEFI mode", and it seems to work without problems ("The TPM is ready for use" is displayed in the Windows TPM management console).

Is TPM 2.0 supported by Windows 2012 R2 in "Legacy" mode?


Albert Tseng

2 Subordinate CAs - Fault tolerance for enrolment / renewal


We are in the process of deploying an internal PKI with - 

  • 1 standalone offline root CA
  • 2 subordinate online Enterprise CAs

For the subordinate CAs, we don't want to run them in a Windows failover cluster for various internal reasons. However, the plan is to have both subordinate CAs online with the same certificate templates published on both of them to achieve some level of fault tolerance for issuing certificates if one of the issuing CAs is down.

I had a few questions regarding this:

1) Certificate issuance - If both subordinate CAs publish the same templates, how do clients determine which of the 2 CAs to contact to issue the certificate?

2) Autoenrollment - I remember reading on one of these TechNet forum threads that if both CAs publish the same template with autoenrollment enabled, then clients will receive 2 copies of the certificate - one from each CA. Can someone please confirm if this is the way it works with autoenrollment?

3) Certificate renewal - If the CA that originally issued a certificate is down, can the 2nd CA fulfill a request for certificate renewal (NOT enrollment) from a client? (Or can renewal requests only be fulfilled by the original CA that issued the certificate?)

4) Design - I'm new to PKI, and I was wondering if a similar design (multiple subordinate CAs with same templates) was fairly common, or if you would not recommend it for any reason.

I wanted to add - I understand that having 2 subordinate CAs will not provide for fault tolerance for the CRL of a CA, if the CRL expires when the CA is down. These questions are more directed towards fault tolerance of issuing / renewing certificates.

Thanks in advance for your help !

Regards,

Mario

[Certificate Authority] How to modify subject name and omit parts of the name


Hello everyone,

We have a two-tier PKI (Win 2012 R2) and we issue certificates based on the Web Server template. Even though we implemented a CP and a FAQ and hints in the ticketing tool, people are submitting CSR files with funny names not according to the requirements. Also, due to internal policies, some sections of the subject name such as S (State) should not be submitted, or if submitted should be emptied.

I implemented the following command in order to allow modifying the subject name:

certutil -setreg CA\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

My administrators then use certreq -submit -attrib to specify the template against which we are enrolling, and then modify the subject:

certutil -setattributes attributeID "CommonName:server.contoso.com\nOrganizationalUnit:Contoso IT\nOrganization:Contoso\nState:London\nLocality:London\nCountry:UK\nEmail:it@contoso.com"

The problem comes when the original request has a value in the "S" (State) field but we need it to be empty.

How do I empty a value in the above command without typing spaces? (Spaces are not respected, and the certificate is issued with the original State even though all the rest is modified.)

I found that some admins are "temporarily" removing the State field in the CA\SubjectTemplate section for this specific request, but I want something easier and permanent.

Any advice will be welcomed. 



Advanced Threat Analytics Center : Minimum requirements


Hello,

I'm working on Microsoft Advanced Threat Analytics. For the minimum requirements, in this link (precisely the "Minimum requirements" section): https://technet.microsoft.com/fr-fr/dn707709

It says:

"If you want to install ATA in a lab with a few VMs, it is recommended that you have at least 2 cores, 4 GB of RAM and 100GB of storage to allow you to interact with the ATA Console without support for production deployment."

I don't understand this sentence very well. Does it mean that you need at least 2 cores, 4 GB of RAM and 100GB of storage per ATA Center VM?

Thanks

Best regards,

Mike


DC Lowest Shutdown Permission Available To Grant


https://technet.microsoft.com/en-us/library/Cc756898(v=WS.10).aspx

I've reviewed the above article, but it's not quite clear, or I have not found what I'm looking for. I need to grant a domain user just enough permission to access the domain controller and shut the server down. Is this possible without granting them complete access?

Enroll certificate on behalf of for 2003


Hi Guys,

I have had to build a Windows 2003 certificate server and I have it set up and working.

I would like to enable an enrollment agent to enroll User (Exchange) certificates for users. I can do this in 2008-2012 but cannot seem to find how to get it working for 2003.

I have created the enrollment agent template and created the enrollment agent certificate. Yet I cannot find how to create a certificate on behalf of a user. certsrv seems to only show the smart card option. The Certificates MMC only allows you to request a certificate, unlike 2008.

Anyone have any idea how to complete this? It may be an option to auto-enroll user certificates and then just export each user certificate. Thanks for your help on this.

PS: As a side note, if you leave Basic authentication enabled on ActiveSync, will users require both a certificate and Basic authentication? Can you not set it up for one or the other?

Craig

Certificate Server Migration

I have a root CA and an issuing CA running on Windows Server 2008 R2. However, the datacenter in which the issuing CA is located needs to be decommissioned, hence I need to migrate the issuing CA to the new datacenter, and so the name and IP address of the issuing CA will change. Can I migrate the issuing CA from Windows Server 2008 R2 to Windows Server 2012 and also change the name of the issuing CA? The HTTP location of the certificates and CRL files is on a different server which will not be migrated. What would be the steps involved in this migration?

Windows2008 Web Server edition and TLS


I changed the Security Policy so that FIPS is enabled, but when I open IE there is no option related to TLS 1.1 or 1.2, just 1.0.

I looked into the registry and did not come up with any keys for TLS.

How do I enable TLS 1.1 and/or 1.2 for 2008 Web Server?


TechNet
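The Schannel protocol keys are not created by Windows; they only take effect once you create them yourself, which is why a registry search turns up nothing. Below is an added PowerShell example (not from the post) that creates the server- and client-side keys for TLS 1.1 and 1.2 and prints the resulting state. One caveat that the post does not mention: Windows Server 2008 SP2 (the pre-R2 release) only gained TLS 1.1/1.2 support through a later update (KB4019276, released in 2017); without it these registry values are ignored, and IE on that platform keeps showing TLS 1.0 only.

```powershell
# Added example, not from the post: create the Schannel protocol keys that
# turn on TLS 1.1 and TLS 1.2. The keys do not exist until you create them,
# which is why a registry search finds nothing. On Windows Server 2008 SP2
# (pre-R2) Schannel only supports TLS 1.1/1.2 after the 2017 update
# KB4019276 is installed; without it the values below are ignored.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,                            # e.g. 'TLS 1.2'
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Side,
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 switches the protocol on; DisabledByDefault=0 lets Schannel offer
    # it even when the application does not request it explicitly.
    $on  = if ($Enabled) { 1 } else { 0 }
    $off = if ($Enabled) { 0 } else { 1 }
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value $on  -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value $off -Force | Out-Null
}

foreach ($p in 'TLS 1.1', 'TLS 1.2') {
    Set-SchannelProtocol -Protocol $p -Side Server -Enabled $true
    Set-SchannelProtocol -Protocol $p -Side Client -Enabled $true
}
# Once TLS 1.2 is confirmed working, retire SSL 3.0 in a second step so it can
# be rolled back independently if an old client breaks.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Side Server -Enabled $false

# Show the resulting state for every protocol key.
Get-ChildItem -Path $base -Recurse | ForEach-Object {
    $v = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Key               = ($_.PSPath -split 'Protocols\\')[-1]
        Enabled           = $v.Enabled
        DisabledByDefault = $v.DisabledByDefault
    }
} | Format-Table Key, Enabled, DisabledByDefault -AutoSize
# Schannel reads these values at boot: reboot, then test from another host with
# e.g. "openssl s_client -connect <server>:443 -tls1_2".
```

Schannel reads these values at boot, so reboot before testing. The IE Advanced-tab checkboxes govern the client side (the Client subkeys); what the web server negotiates is governed by the Server subkeys, so test with an external client rather than with IE on the server itself.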

Port opening!


Hi,

I've got a Windows 7 server and I opened port 25 in Windows Firewall, but I can see that this port is not open, and when I check it in cmd with netstat -a it is not showing that port. Please tell me what I can do in this case, and also please let me know what the problem might be and whether it can be fixed using cmd.

Thank you.

Error on Update the settings of the SharePoint security token service (STS) identity provider


Hi,

Does anyone know why I have this error?

PS C:\Windows\system32>> $pfxPath = "C:\certificates\******.pfx"
$pfxPass = "*******"
$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pfxPath, $pfxPass, 20
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate
certutil -addstore -enterprise -f -v root $stsCertificate
iisreset
net stop SPTimerV4
net start SPTimerV4
root "Trusted Root Certification Authorities"
DecodeFile returned The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
CertUtil: -addstore command FAILED: 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
CertUtil: The system cannot find the path specified

I followed the tutorial at https://technet.microsoft.com/en-us/us/library/dn197169.aspx

If anyone has done this, please help me.

Regards
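The failing line is the certutil call: certutil -addstore expects a path to a certificate file, but the script hands it the $stsCertificate object. PowerShell converts that object to its string form (a multi-line dump of the certificate) when passing it to a native command, so certutil tries to open a file by that name and reports ERROR_PATH_NOT_FOUND. Here is an added PowerShell example (not from the post or the TechNet article) of the same sequence with the public certificate exported to a .cer file first; paths and the password prompt are placeholders.

```powershell
# Added example, not from the post: the STS signing-certificate import with the
# root-store step corrected. certutil -addstore takes a *file path*; passing the
# X509Certificate2 object makes PowerShell stringify it, and certutil then fails
# with ERROR_PATH_NOT_FOUND. Export the public part to a .cer file and pass that.
# File paths are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$pfxPath = 'C:\certificates\sts.pfx'
$cerPath = 'C:\certificates\sts-public.cer'
$pfxPass = Read-Host -AsSecureString 'PFX password'

# The post's flag value 20 = Exportable (4) + PersistKeySet (16); spelled out here.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::Exportable -bor $ksf::PersistKeySet
$stsCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($pfxPath, $pfxPass, $flags)

# Write only the public certificate (DER); the private key stays in the PFX.
$der = $stsCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCertificate

# Publish the public certificate to the enterprise Trusted Root store by file path.
certutil -addstore -enterprise -f -v root $cerPath
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

iisreset
net stop SPTimerV4
net start SPTimerV4
```

Checking $LASTEXITCODE after certutil matters here: the original script carried on to iisreset and the timer-service restart even though the store update had failed, so the error only shows up in the scrollback.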

Port is not showing Listening


Hi,

I am facing an issue with one application that runs on port "1423". Currently the application is not working, and we found that other member servers are not able to connect to the application server on port "1423". I added inbound and outbound rules in Windows Firewall for port "1423", but still we are not able to connect to the application server; also the opened port is not showing in "netstat -ano", and we are not able to telnet to the server on that port from other servers.

Now the questions..

1. Why is netstat not showing the opened port "1423" even after we added the rule?

2. If the port is opened, why is telnet not working from the other server?

3. Why is telnet not working locally on the application server where the port is opened?

As per my understanding the application for which we added the port should take control of that port and only after that the port will be showing as Listening.

Need expert suggestion on this.

Regards,

SGH.


MCP, MCTS
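Both this post and the port 25 post above rest on the same point, which the poster of this one has right: a firewall rule only permits traffic, while netstat shows a port as LISTENING only while some process has bound it, and telnet only connects in that state. Here is an added PowerShell script (not from either post) that makes the difference visible by starting a throwaway listener on a test port and running the netstat and connect checks before and after; the port number is a placeholder.

```powershell
# Added example, not from the posts: a firewall rule only *permits* traffic;
# netstat shows a port as LISTENING only while a process has it bound, and
# telnet only connects in that state. The script starts a throwaway listener
# on a test port and runs both checks before and after. The port number is a
# placeholder; use the application's real port.
param([int]$Port = 1423)

function Test-LocalListener([int]$Port) {
    # What "telnet localhost <port>" does, with a 2-second timeout.
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect('127.0.0.1', $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne(2000)) { return $false }
        $c.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $c.Close()
    }
}

function Get-NetstatListener([int]$Port) {
    # The poster's netstat check, with the port anchored so 1423 does not match 14230.
    netstat -ano | Select-String -Pattern ":$Port\s+\S+\s+LISTENING"
}

function Show-FirewallRulesForPort([int]$Port) {
    # Get-NetFirewallRule does not exist on Windows 7 / 2008; netsh is everywhere.
    netsh advfirewall firewall show rule name=all |
        Select-String -Pattern "LocalPort:\s+$Port\b" -Context 8,0
}

"--- before: no process has bound port $Port ---"
"netstat shows LISTENING : $([bool](Get-NetstatListener $Port))"
"TCP connect succeeds    : $(Test-LocalListener $Port)"

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Any, $Port)
$listener.Start()
try {
    "--- after: this process is bound to port $Port ---"
    "netstat shows LISTENING : $([bool](Get-NetstatListener $Port))"
    "TCP connect succeeds    : $(Test-LocalListener $Port)"
} finally {
    $listener.Stop()
}

"--- firewall rules that mention port $Port (independent of the above) ---"
Show-FirewallRulesForPort $Port
```

If the "after" lines show LISTENING and a successful connect while the application itself does not, the firewall rule is not the problem: the application is not binding the port (wrong bind address, wrong port, or it is failing at startup), and the application's own logs are the next place to look. Run the script while the application is stopped, since TcpListener.Start() throws if the port is already bound.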

Can't install certificate from standalone-offline CA to enterprise sub CA


Hello All,

I'm trying to install MS ADCS CA as an Enterprise Subordinate CA. I had no problems installing my offline root CA or my Enterprise Subordinate CA. The farthest I get is to successfully generate my subordinate CA request (req.req) and then process it with my Root CA to get a certificate (cer.cer). When I go to install my certificate, I get the following error message:

"An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: z:\tmp\req(1).req The data is invalid. 0x8007000d (WIN32: 13)".

I've tried reinstalling my Subordinate CA; I've purged and reinstalled Windows Server and reinstalled Certificate Services on my Sub CA, still no luck. Can anyone help?

I've logged into my sub CA as a member of the Enterprise Admins group, as the Administrator of the domain (the Administrator account is in the Enterprise Admins group).

Here are my req.req files and the generated certificate:

CERTUTIL -DUMP REQ.REQ:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Sub-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    0000  30 81 89 02 81 81 00 bc  86 43 be 1a bf b5 d6 0d
    0010  ff 85 a0 62 25 e5 a0 bd  e4 2d 97 c6 da 26 55 3e
    0020  21 63 63 de 4f 30 60 e3  74 3d 02 75 f2 e7 e7 98
    0030  19 9d f7 8d 43 37 01 ec  b2 f9 66 a8 f5 37 a8 25
    0040  e0 9f 34 fc 8f de f0 64  10 c5 47 1b 23 e4 3b f7
    0050  80 83 b4 06 ee 9c 76 c6  ad 04 04 89 11 e2 76 6d
    0060  e0 a2 44 4b 76 9d 32 38  85 e2 58 70 89 d4 f1 b5
    0070  16 84 77 33 6e 2b 40 95  b0 8b f3 36 8b 5c 47 b1
    0080  b4 1e 64 1f aa 98 67 02  03 01 00 01
Request Attributes: 2
  2 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
        6.1.7600.2.

  Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[1][0]:
    Unknown Attribute type
Certificate Extensions: 6
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f

    2.5.29.32: Flags = 0, Length = ba
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=9.9.9.9.9.9
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Verification niveau rudimentaire
             [1,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ldap://anco:389/CN=principes_gestion,OU=ou,O=org,ST=QC,c=CA

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name (Certificate Type)
        SubCA

    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  40 3c 3e a6 ea 46 e0 d2  30 79 6d e3 67 b1 c2 d5
    0010  34 44 1a bf 1f e3 c9 6b  e0 56 48 2b 21 28 d8 36
    0020  c2 eb 75 b2 f1 00 d9 49  00 f9 31 d6 61 fc 9f ab
    0030  54 24 32 9b f9 ef af 5e  d2 fd 3c 7c 20 58 19 8d
    0040  66 93 32 10 0d ef 36 58  c0 bb 07 73 27 95 c7 b1
    0050  fc 63 33 39 58 b2 d4 10  72 95 3b e8 fe 18 a0 c2
    0060  42 6f 43 d1 f8 3f f5 92  27 04 88 2f e2 98 e2 99
    0070  d4 05 62 52 77 c4 d2 49  f3 28 93 e3 cc f6 36 43
Signature matches Public Key
Key Id Hash(rfc-sha1): ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
Key Id Hash(sha1): 61 b1 5a d5 9c 84 74 ec 94 34 9b 01 1f cb 8b 9e 0f 61 12 df
CertUtil: -dump command completed successfully.

CERTUTIL -DUMP CER.CER

PKCS7 Message:
  CMSG_SIGNED(2)
  CMSG_SIGNED_DATA_PKCS_1_5_VERSION(1)
  Content Type: 1.2.840.113549.1.7.1 PKCS 7 Data

No PKCS7 Message Content

No Signer
No Recipient

Certificates:
================ Begin Nesting Level 1 ================
Element 0:
X509 Certificate:
Version: 3
Serial Number: 6065699c031f26a541da1dc9a6190298
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA

 NotBefore: 1/26/2011 5:32 PM
 NotAfter: 1/26/2031 5:42 PM

Subject:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 a7 c3 0c 03 a7 70 2a
    0010  99 df b7 89 bd 8d 18 d6  0d cb 9c 88 3c 7c 82 ba
    0020  60 f8 02 22 9d a4 2b a9  12 f7 0d 61 b8 19 89 3a
    0030  1b 49 6d 5e 5f 9e a9 10  f2 d1 ae c3 87 58 33 12
    0040  e6 5a 7e f3 9b df 50 8d  19 22 6c cb b0 3d 79 a3
    0050  9c b8 6b 3d 2b c8 a6 00  2b 08 89 0e 51 a0 e0 11
    0060  1a 45 c2 08 42 49 24 63  09 79 db ed 9f 97 35 51
    0070  1e 35 75 26 2d da bb 13  7e f0 fc 76 56 b1 3b 20
    0080  3e e5 ee 15 57 5f b2 04  f8 0f 54 f5 5c 2d cf b1
    0090  59 1a 40 ce 91 7c 50 b9  16 dc cc 42 a8 61 aa 81
    00a0  47 48 84 64 09 5d c0 33  06 c5 3d 9b 6f 8f d9 2c
    00b0  c5 15 8b 6b 1a 08 57 d7  05 a3 0d a3 47 47 3a 0d
    00c0  5c 65 bf 30 76 5c 02 78  fe c4 85 9c b0 22 00 fe
    00d0  a3 ca 7a 07 45 06 f4 bf  af b6 91 f3 4c 90 a6 a3
    00e0  0a 5d dc cb 4f b3 f5 f2  38 d2 03 7a 7e 89 d6 1e
    00f0  63 6a 56 55 91 86 6e 7d  34 12 30 8b 7d 26 28 32
    0100  92 e4 67 ad 62 e9 77 10  fb 02 03 01 00 01
Certificate Extensions: 4
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce

    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  42 27 b2 09 cc 11 c2 e4  96 81 0c 91 da 84 c8 78
    0010  d8 3f 7a 1e df 10 d8 90  9a c6 cd fc 57 1d bd 8e
    0020  18 1a a6 ea 58 60 9d ea  6c c9 dd e4 9b 18 d6 49
    0030  3f c6 25 a2 28 5e 7f fa  2b 2a b0 81 cf bc 03 7f
    0040  b1 e2 c4 19 ce 2e c4 6e  a5 a3 2a 84 e6 a8 44 ab
    0050  df e9 74 20 e8 c7 1d 4d  3b 7f f0 8e 11 78 27 59
    0060  d2 15 44 c9 63 a2 f7 ce  f5 d0 10 f1 88 2d 32 c5
    0070  0f 1e 83 da 72 76 cf 45  3d 84 2c 80 59 54 df 19
    0080  df 2b c4 fe 90 0f f6 de  13 99 1a ee 50 32 4d 4e
    0090  63 35 ce 14 69 ab 3c 47  39 a0 10 d0 b4 01 9b 40
    00a0  b1 ba ea 60 79 49 d0 bf  32 cd 84 ce d7 03 75 36
    00b0  35 dc ab f1 2f c1 07 69  d7 66 f0 d2 c1 9c ba 78
    00c0  36 f3 23 28 8c 18 6b bc  8c cc 0a f9 04 a9 d5 d0
    00d0  63 3f bd 96 a5 9b 22 e8  c8 7f 74 60 13 bc 40 0f
    00e0  ef 47 73 6d bf 81 53 c3  7e 51 b8 9d 7c a2 ab b5
    00f0  fc b3 b8 d8 6b 89 60 f8  f0 f3 db d5 0a ac 4b 78
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce
Key Id Hash(sha1): 78 a7 77 63 34 4a 24 14 fa ec dd c1 97 7c 8d d0 41 5a b4 5b
Cert Hash(md5): ff 26 5a cc 14 b8 c2 50 09 0a 0b 7e de c9 02 36
Cert Hash(sha1): 03 7d 11 b9 1c 4b 62 58 9f 48 5f 6b 95 c8 38 53 5a de 4d 4d
----------------  End Nesting Level 1  ----------------
================ Begin Nesting Level 1 ================
Element 1:
X509 Certificate:
Version: 3
Serial Number: 10a9a3a9000000000011
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA

 NotBefore: 3/10/2011 3:40 PM
 NotAfter: 3/10/2021 3:50 PM

Subject:
    CN=Sub-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    0000  30 81 89 02 81 81 00 bc  86 43 be 1a bf b5 d6 0d
    0010  ff 85 a0 62 25 e5 a0 bd  e4 2d 97 c6 da 26 55 3e
    0020  21 63 63 de 4f 30 60 e3  74 3d 02 75 f2 e7 e7 98
    0030  19 9d f7 8d 43 37 01 ec  b2 f9 66 a8 f5 37 a8 25
    0040  e0 9f 34 fc 8f de f0 64  10 c5 47 1b 23 e4 3b f7
    0050  80 83 b4 06 ee 9c 76 c6  ad 04 04 89 11 e2 76 6d
    0060  e0 a2 44 4b 76 9d 32 38  85 e2 58 70 89 d4 f1 b5
    0070  16 84 77 33 6e 2b 40 95  b0 8b f3 36 8b 5c 47 b1
    0080  b4 1e 64 1f aa 98 67 02  03 01 00 01
Certificate Extensions: 9
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f

    2.5.29.32: Flags = 0, Length = ba
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=9.9.9.9.9.9
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Verification niveau rudimentaire
             [1,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ldap://anco:389/CN=principes_gestion,OU=OrgU,O=Org,ST=QC,c=CA

    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name (Certificate Type)
        SubCA

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None

    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce

    2.5.29.31: Flags = 0, Length = 10c
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://www.org.com/certificat/rootca.crl
                       URL=ldap:///CN=RootCA-CA,CN=RootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Domain,DC=Org,DC=QC,DC=CA?certificateRevocationList?base?objectClass=cRLDistributionPoint

    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 101
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://www.org.com/certificat/rootca.cer
        [2]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=ldap:///CN=SubCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Domain,DC=Org,DC=QC,DC=CA?cACertificate?base?objectClass=certificationAuthority

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  71 6d 37 85 92 f8 a7 c9  fc d5 e5 37 97 cf 1f ca
    0010  5f ca 93 9e c0 b2 fb 3e  4e 20 0c 68 1e 09 3b 4b
    0020  ba cb 31 93 8e ec 7d f4  52 4a 78 2d 0f dc 9a bd
    0030  e8 08 23 4d 01 90 a2 ff  f9 14 64 b4 8f 12 42 86
    0040  1e 3b 20 a2 fb b3 47 f1  38 02 be 49 04 5f 42 e2
    0050  4e 43 8f 8f 01 73 2a 83  9f d9 73 79 47 cf 4f a2
    0060  eb 5c 79 97 5b ab 1b 0b  a7 33 6e b8 50 39 5d a6
    0070  98 a1 3c ae a8 8a 1a 57  9a ba 44 64 f6 99 72 92
    0080  2e 74 d9 56 9e 9c bf 0d  2d 7b 6f e1 cd a5 1e 3b
    0090  88 70 4f cc 86 be 5b 9b  f3 12 39 86 76 35 25 69
    00a0  3c 91 03 71 e4 7b 75 d3  f1 e8 cd a0 c2 df 39 00
    00b0  0a 76 71 bf 09 e2 6a c5  4d 54 2a 63 d8 fa 1e 93
    00c0  d4 d2 c0 6c 53 cf 29 c1  61 1a 35 28 5f 6d 1f 9f
    00d0  fa 29 22 98 4f d8 b0 34  a0 f6 6b 32 5a 21 91 10
    00e0  93 c8 24 2d 86 dc 1a e8  b4 e4 82 76 3d 8e 00 29
    00f0  cd de ca 59 ae 0c a3 20  35 4e 3b 82 a4 32 45 4c
Non-root Certificate
Key Id Hash(rfc-sha1): ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
Key Id Hash(sha1): 61 b1 5a d5 9c 84 74 ec 94 34 9b 01 1f cb 8b 9e 0f 61 12 df
Cert Hash(md5): fd 26 e5 47 8c 5e ba 84 51 6c b5 3b 09 f8 ce 70
Cert Hash(sha1): 13 3b c1 bc a7 0d 7f 54 92 2e 42 34 5d 32 6d 61 16 9c 6b ca
----------------  End Nesting Level 1  ----------------
No CRLs
CertUtil: -dump command completed successfully.

Domain Controller Certificates


I opened the local certificate store on my domain controller to renew the DC certs. I renewed them successfully, but then right-clicked "Personal - Certificates" and selected "All Tasks - Request New Certificate" to make sure I had all the ones I needed. Under the options I saw:

  • Domain Controller
  • Domain Controller Authentication
  • Directory Email Replication
  • Kerberos Authentication

Because the certs I already had installed didn't have the same titles under "intended purposes" I selected them all and now I have duplicates and am wary to remove them. What should I do to remove the duplicates and are there any implications?

Thanks

LAPS - Find-AdmPwdExtendedRights - Incomplete Results


For our OUs, the lion's share of the results of the cmdlet are:

{NT AUTHORITY\SYSTEM, DOMAIN\Domain Admins}

But upon closer inspection (via ADUC MMC), the ACLs show many other groups given Full Control (including All Extended rights). These groups seem to have been ignored by the cmdlet, maybe because the rights are inherited from above?

In any case, the results seem to be incomplete, and I wonder if anyone else has noticed this...
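A way to check the suspicion about inheritance is to read the ACLs directly, including inherited ACEs, and compare the principals that come out with what Find-AdmPwdExtendedRights reports. Below is an added PowerShell example (not from the post and not part of LAPS) that lists every Allow ACE on an OU and on the computer objects under it that would let its holder read ms-Mcs-AdmPwd. The OU path is a placeholder.

```powershell
# Added example, not from the post: enumerate every Allow ACE, inherited or
# not, on an OU and on the computer objects beneath it that would let its
# holder read ms-Mcs-AdmPwd, for comparison with Find-AdmPwdExtendedRights.
# Reading a confidential attribute needs CONTROL_ACCESS on it, granted by any
# of: GenericAll, ExtendedRight with an empty object type ("all extended
# rights"), or ExtendedRight scoped to the attribute's schemaIDGUID.
# The OU path is a placeholder.
param([string]$OU = 'OU=Workstations,DC=example,DC=com')
Import-Module ActiveDirectory

# Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attr       = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
$guidBytes  = [byte[]]$attr.schemaIDGUID
$admPwdGuid = New-Object System.Guid -ArgumentList (,$guidBytes)

function Get-AdmPwdReaders([string]$DistinguishedName) {
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        $grants = ($rights -match 'GenericAll') -or
                  (($rights -match 'ExtendedRight') -and
                   ($ace.ObjectType -eq [System.Guid]::Empty -or $ace.ObjectType -eq $admPwdGuid))
        if ($grants) {
            New-Object PSObject -Property @{
                Object    = $DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The OU itself (what the cmdlet reports) plus every computer object under it,
# where inherited ACEs actually take effect.
$targets = @($OU) + @(Get-ADComputer -SearchBase $OU -Filter * | ForEach-Object { $_.DistinguishedName })
$targets | ForEach-Object { Get-AdmPwdReaders $_ } |
    Sort-Object Identity, Object -Unique |
    Format-Table Identity, Inherited, Rights, Object -AutoSize
```

This is a raw ACL view rather than an effective-permissions calculation: group nesting is not expanded and Deny ACEs are not subtracted. Any principal that appears here with Inherited = True but is missing from the cmdlet's output is a candidate for the gap the post describes, and a candidate for removal from the parent container's ACL if it should not be reading local administrator passwords.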


Any brand of smartcard that currently uses ECDSA


Can someone tell me a brand of smartcard that currently uses ECDSA_P256, generates the private/public key pair on the card, and will do smartcard logon and email signing on Windows 2008 R2 or Windows 7?

Migrating AD CS from 2008 to 2012 R2

Hello,

I'm in the process of researching the best way to migrate our AD CS onto a new Server and I've read a few conflicting articles on the web, specifically to do with naming. So I'm looking to get some advice on the best way to do this.

The CS role is currently sitting on a 2008 DC that will be demoted as we'll be upgrading the DFL and FFL to 2012 R2 on new DCs. I'd ideally (I think) like to move the CS role to a member Server with a new name, not new CA name, obviously, but new Server name. I've read some articles that say this will be ok but others that advise to the contrary. Can anyone clarify this?

If I can't rename it I'd still like to move it to a member server, but I'd need to demote the DC after removing the CS role. Presumably I'd then match the new server name with that of the old server before adding it to the domain, installing the CS role and recovering the config from the old CA backup. Does that sound right? Would it be easier keeping the CS role on a new DC? Any other general help or advice would be appreciated.

Hope that all makes sense.

Cheers
Neil

Revocation Server Offline Error (0x80092013)


Here is our infrastructure:

Offline root - Server 2012 Standard
Intermediate CA that issues certificates - Server 2012 Standard
PKI server (CDP and AIA over http url) - Server 2012 Standard

Here is the URL configuration for CDP and AIA:

CDP: http://pki.domain.org/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA: http://pki.domain.org/<ServerDNSName>_<CaName><CertificateName>.crt

The CRL has a 180-day validity period and is generally renewed every 5 months from the offline root CA.

I am trying to set up Hyper-V replication over HTTPS, so I published a certificate and everything seems fine up to the point where I hit the Apply button in the Hyper-V console and it comes up with the error in the following image (thumbprint removed).

Not sure if this is relevant but I am running Hyper-V Server 2012 but also recreated this issue on Server 2012 R2 Datacenter. I have run the tests described in the following paragraph on both servers and both had the same results.

I might add that If I choose a cert from a previously set up 2008 R2 Standard CA Root/issuing server (remnants from previous admin) that is used for Client and Server Authentication, I do not receive this error although I am not familiar with how that previous setup was accomplished except that it is a standalone.

I have gone back and forth with different certutil commands (such as urlfetch, user urlfetch, and url retrieval tool) and the results are always successful and always says that leaf certificate revocation check passed. I have even run this as SYSTEM and NETWORKSERVICE accounts and always seem to have successful results. I do not want to use the workaround of bypassing the CRL check for fear that there is a greater underlying problem. I have recently created a new CRL from the offline root and copied to the CDP and AIA directory so the CRL should not be expired (nor were expiration errors reported). I will admit that I'm novice at certificate authority management so please excuse my ignorance. Please let me know if there is any more information needed or correct me if I misspoke in any part. Thank you in advance for your time!


Key Usage Extensions greyed out?


I'm in the process of trying to set up an HTTPS proxy for doing deep packet inspection. I'm following the guide given by our firewall vendor for getting the CSR that their firewall creates signed by our CA. Their guide suggests using the Subordinate Certification Authority template when using a Windows CA. Their guide also states that the extensions should be as follows:

  • Basic Constraints - [Subject Type = CA]
  • Key Usage - [Digital Signature, Key Encipherment, and Certificate Signing]
  • Extended Key Usage - [Null]

With this template I seem to be able to get all of the extensions listed above except Key Encipherment.  When I duplicate the template to create a new one labeled for my purposes, I am unable to select the Key Encipherment settings when editing the  Extensions.

I would like to know if someone knows how to make those settings editable or if someone could point me to the documentation on how to make those settings editable?


JM

Domain Admin account entered at elevated privilege prompt authenticates with expired password.


A user brought an issue to my attention and I was hoping to get some clarification on it.

On our Server 2008 R2 domain, a user with a domain admin account with an expired password is able to pass authentication while running elevated commands on remote servers.

He logs onto the remote server first with a separate service account. Then, while logged on with the service account, attempts to run a service as an administrator.  He enters his domain admin account **which has an expired password** and passes authentication.

Does anyone have an explanation as to why this is possible?  Is this a normal function on windows servers?

I would expect a user with an expired password would need to change their password before being able to pass authentication at a UAC prompt.

Thanks!


