Channel: Security forum

Unable to download (Error Message) in LDAP Location

Hi Team

I have published my CRL in the AD store using the DSpublish command. I also got a confirmation saying that the publishing is successful. Now when I see the status in PKIview.msc it says that the CRL is "UNABLE TO DOWNLOAD" in the LDAP location. The same CRL is working fine with the http location. Please advise me on this.

Shriram.R



Delete Old Root Certificates - How?

Hi folks;

I'm running '08 R2 with Certificate Services. The problem is that I have two root certificates, one that is no longer used from a previous install and one that is valid, so both are being distributed as valid root certs even though one is no longer needed.

Does anyone know how I can remove the extraneous one so that I no longer see it?

Thanks!

Is it possible to deploy certificate with private key through GPO

I was under the assumption that you can deploy a certificate with its private key through GPO to client computers. I cannot seem to make it work, though. I created a thread in the GPO forum but they told me that it's probably a better question for the Security forum (https://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/8ffa738a-89d7-43ef-9d45-2dd6f8d4bf23/).

I imported the key into the GPO with the private key and it's in fact deployed to client computers; the UI even shows that I have the private key, yet it's actually missing from the certificate.

CA templates full control and autoenrollment

Hi,

I have several CA templates published in my domain. I want the PKI managers to have full control on the templates to manage access rights for other groups. My problem is that as soon as I tick "full control", the "autoenrollment" checkbox gets ticked too. Now all the CA managers get autoenrolled for certificates and popups appear on their clients to add a subject name (subject name --> supply in request is configured in some templates). Is there a way to avoid that behaviour?

Cheers

Arno

CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx.

Hi fellows,

I am currently trying to re-sign a certificate on a Windows Server 2008 R2 (fully patched) system (ADCS CA):

certutil -sign <oldfile> <newfile>

Signing keys are in software (Microsoft Software Key Storage Provider); the cert was issued by this CA, is a CA itself (sub) and is not revoked.

Command output:

301.3561.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFF33864
CertUtil: -sign command FAILED: 0xc0000005 (-1073741819)
CertUtil: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
301.3792.0:<2015/11/26, 10:0:3>: 0xc0000005 (-1073741819)

certutil.log

========================================================================
402.511.948: Begin: 11/26/2015 10:09 AM 53.224s
402.516.0: certutil
402.520.0: GMT + 1.00
301.3888.0: certcli.dll: 6.1:7601.18833 retail
301.3888.0: certutil.exe: 6.1:7601.18151 retail
301.3788.465:<2015/11/26, 10:9:53>: Command Line: CertUtil -sign \temp\sub\sub.cer \temp\sub\new.cer
301.3561.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819): 0x0 @ 0x00000000FFFC3864
301.3792.0:<2015/11/26, 10:9:53>: 0xc0000005 (-1073741819)
301.3807.509:<2015/11/26, 10:9:53>: Command Status: The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xc0000005 (-1073741819)
402.377.949: End: 11/26/2015 10:09 AM 53.255s

certutil verify

Verified Issuance Policies: None
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Nothing interesting in the CAPI2 log, certsrv.log, etc. I can sign with the key, as I can publish a new CRL.

Installed KB2615174. (Actually the sub CA is v1.1 and I want to re-sign it to v2.1 manually.)

Does anyone have an idea? :)


Removing the Basic EFS template from legacy CA

I have a question relating to the Basic EFS cert template. We are decommissioning our 2003 legacy estate and part of our plan is to hide the Basic EFS template as it's not a feature we plan to support on the new environment. In addition, it's not a feature we've ever advertised to our users and it's unlikely any of them have used it. It was also poorly implemented to begin with and not maintained afterwards: 3 of our 4 domains have DRA certs that expired back in 2009 or earlier, whereas our 4th domain has no DRA cert being deployed at all.

I understand that preventing users from renewing their Basic EFS cert would only prevent them continuing to encrypt files, and that any files that they may have historically encrypted could still be decrypted using the expired cert key.

My question relates to those users whose Basic certs are being automatically renewed upon expiry – it appears there are a number of these, and I’m not sure whether this is because the Basic EFS template was once set to auto-enrol (it isn’t now) or if another setting was in play.

I just need to confirm: when a user’s Basic EFS cert expires and the Basic EFS template is no longer available to allow a renewal, will they actively get any kind of on-screen error advising this (periodically, upon logging in etc), or will this only be apparent to the user if they then try to encrypt a file? (I’m not concerned if users get an error if they try to encrypt a file, as we’ve never really advertised this feature and it isn’t currently working in 3 of the 4 domains anyway thanks to the expired DRA certs.)

Sorry if this is an obvious answer – my assumption would be that the user would be completely unaware of the expired cert unless they actively try to encrypt a file, but just want to be certain. Thanks in advance.

An unexpected error has occurred: The Certification Authority Service has not been started (and missing templates)

Hi,

If I am logged into my WS08 R2 PKI server and connect to my https://pki/certsrv server and try to "Download a CA certificate, certificate chain, or CRL",

I get this error message: An unexpected error has occurred: The Certification Authority Service has not been started.

Also, if I try an 'Advanced Certificate Request' I see only the 'User' and 'Basic EFS' templates.

However, if I am logged into any other machine on my network and then connect to https://pki/certsrv, the "Download a CA certificate, certificate chain, or CRL" works correctly and the 'Advanced Certificate Request' page shows all the default certificate templates.

Any ideas?

Root CA not migrating to SHA2

Hi Team,

I have a 3-tier PKI infrastructure, and we are planning to migrate to SHA2. I have plans only to migrate my issuing CA to SHA2. If this is the case, can you please suggest the vulnerabilities I face if I am not moving my Root and Intermediate CA to SHA2? It would be great if you could give me any links which describe this. :)

Thanks in Advance

Shriram



Impact of SHA1 Deprecation on Windows Server and Windows Desktops in Jan 2016

Hi. I have read up on the issue of SHA deprecation and want to confirm that I have covered all the bases with regard to our network (around 1200 PCs, Windows 7, with AD 2012 non-R2 and a mixture of Windows 2012 R2, Windows 2012, 2008 and some older 2003 servers).

a) We have a GlobalSign SSL wildcard certificate used for securing various Windows / Linux websites including webmail for Exchange 2010 - this certificate expires in Feb 2014, so replace it with one that is SHA2 compliant.

b) We have an older Windows 2003 non-AD-integrated standalone root CA used for some older servers internally - get rid of this and replace it, if needed, with a new Windows 2012 R2 CA.

c) Windows 7 client PCs are all 32 bit and we don't patch automatically. We should patch them with the Microsoft update that provides SHA2 compliance.

But what about device drivers and other software that is code signed with SHA1 and is installed on all my desktops and servers? Is this all going to stop working?


Issuing CA migration to sha256 - old CRLs

Hi,

I've just migrated my issuing CA over to sha256; before doing so I published a new CRL with a 1 month lifetime. Usually when you renew a CA cert, the CA will continue to issue CRLs for the old and new cert. The CA still has the old sha1 cert installed and it's valid, but I've added a sha256 cert and configured my CA for sha256, so it no longer issues sha1 certs.

Given that CRLs are signed by the private key of the corresponding CA certificate, once my old sha1 CRL expires, will my CA be able to renew the old CRL?

If not, do I need to renew all old sha1 certs in my environment now (as opposed to allowing them to expire)?

Thanks

O


Does every Windows Server (as Web Server) instance have a login account hard coded in the DLLs, known by Microsoft personnel only?

Otherwise I cannot explain what is happening: files disappear; I do secure FTP only, accept the server's encryption certificate, and use a strong 20-character password that is two weeks old.

The Microsoft account password could have leaked out.

I trust my datacenter completely.

Disable encryption through GPO to protect against cryptolocker

Hello,

One of our clients was recently infected by cryptolocker. I was wondering if a safeguard against cryptolocker would be to disable encryption through a GPO?

Security permission - Event ID 40960 logged

Hi all,

I am trying to give security permission to a user on a folder. When I try to search for the user I get the error "Security compromised". I checked and event ID 40960 is getting logged on the server which has the folder.

I tried Google but am not getting any resolution.

If someone has a solution, please advise.

I read on Google that TCP & UDP 88 should be opened on the firewall. I tried to telnet from source to destination on 88 and it works fine, but for the UDP port I have no idea how to test.

e.g. telnet dc1 88 - works fine

I tried gpupdate /force but it is still the same issue - cannot add the user.

Your inputs appreciated.


tfernandes

How to specify OCSP URL in AIA extension of already issued enterprise subordinate CA certificates ?

I have built a brand new PKI infrastructure consisting of 1 standalone offline root CA and 2 enterprise subordinate CAs.

I now want to create an OCSP online responder that must be used for revocation checking of:

1) All certificates issued by the 2 new enterprise subordinate CAs :- This does not pose an issue. I can update the AIA extension of the 2 subordinate CAs with the OCSP location, and all certificates issued by these 2 CAs moving forward will contain the OCSP location in their AIA field.

2) The 2 subordinate CA certificates issued by the root CA :- Since the subordinate CA certificates were already issued by the root CA before I created the online responder, the sub CAs don't have the OCSP URL in their AIA extension. I'm assuming what will happen here is that clients will use OCSP when validating any certs issued by the subordinate CAs, but when validating the subordinate CA certs themselves, CRLs will be used.

I would prefer that OCSP be used by clients for validating the subordinate CA certs as well. I'm thinking that this must be a common situation when folks introduce OCSP at a later date into an active PKI infrastructure. What options do I have?

Thanks in advance for your help, and please let me know if I'm missing something obvious :)

Thanks,

Mario

TLS Fallback Issue

Hi all,

We need to configure our servers so that they will be able to support all TLS versions (1.0, 1.1, 1.2) - they run Windows Server 2012 R2.

When we send a request, the Security Layer of our request is SSL, TLS - it means the TLS version is 1.0 maximum, and since the receiver of the message supports more advanced TLS protocols (1.1 and 1.2) our request fails.

From one PC which is Windows 7 we see all versions of Security Protocols (TLS, TLS1.1, TLS1.2), but from the Server which is Windows Server 2012 R2 we ran 2 tests:

• Console application – all Security Protocol were supported

• Website application – Only SSL, TLS are supported

The only solution we found on the internet (MSDN and Stack Overflow) is asking the developers to define it explicitly in the code, since that is the only supported method available with .NET 4.0 and above. We would like to have better handling from configuration instead of changing the code. We tried to change the registry and some other techniques we found, but it did not solve our issue. In addition, since we would like to have support for all types of Security Protocols, what will be the right configuration?

Thanks,

Nir.


Access Server 2012 without logon details?

Hello, so I have an interesting situation.

I have taken on a client that has a workgroup setup with a single 2012 Server in place. The person who knew where their IT information was has since left, and their previous IT provider has not kept any records or documentation either.

So what I now need to do is find a way to gain access to the server. I am familiar with the option to use the recovery media to reset the administrator password but I am hoping to find a method that doesn't involve restarting the server as I have no way of assessing the impact a restart could cause.

If it comes down to it I will bite the bullet and perform the restart outside of their office hours. But I wanted to check first if there's a method that would avoid this?

Thanks,

James

SHA1 to SHA2 Migration

Hi!

I have two questions before starting the SHA1 to SHA256 migration; please clarify my queries:

1) Regarding the timeline, will the Microsoft Enterprise issuing CA stop issuing new certificates automatically after 1st January 2016?

2) I am running a two-tier architecture with multiple issuing CAs. We have thousands of applications, servers, workstations, users, network devices and mobile devices using SHA1 certificates internally. So some entities that do not support SHA256 exist in the network, and we have a few unknown components as well. So is there any possibility to use the same issuing CA to issue SHA1 and SHA2 after migration?

Thanks in advance!

//Bala R

Delta CRL is not getting published on time

Hi

I have an issuing CA which issues Delta CRLs at an interval of 24 hours. Now I see that the delta CRL is not published on time, resulting in an outage. When I checked the event log I got the error message {0xc800042d (ESE: -1069)}. It tells me to restart the CA service. I have restarted the CA service and I was able to publish a new delta CRL manually. The issue got resolved, but I need the root cause of the issue since it is hindering production.

Here is the Error Message: "Active Directory Certificate Services could not create a certificate revocation list. Error 0xc800042d (ESE: -1069).  This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services."

Thanks in Advance

Shriram.R


Audit Trail Reports

I need to check which users logged into the server and what applications they accessed, whether they made any changes to an application, or even changed data in the SQL DB. Is there a way to do this from Event Viewer?

Thanks

Kind Regards


Zakaria Khan

User logging in to console receiving "Access Denied"

My environment has a very strange issue going on that is occurring with servers.

-  A server will need to be rebooted for any reason; could be patch Tuesday, could be just because an admin wanted to reboot it...

-  The server will boot normally, absolutely no issues whatsoever.

-  On attempting to log in, an "Access Denied" message is displayed.

It doesn't matter what account is used, domain admin, local admin; every attempt is given "access denied".

The workaround, thus far, has been to reboot the machine again and enter safe mode, then log in with no problems, then reboot again, this time normally. The login attempt then succeeds and all goes back to normal before it happens again. This has been the ONLY way to get around this thus far.

There are HUNDREDS of articles online that deal with the 'access denied' issue in relation to RDP, this however is occurring when logging on to the local console session and is not related.

Nothing is logged in the event viewer.  Services, Registry, remote shutdown...all are accessible from another server when the troubled server is in this 'access denied' state. 

Any insight or experience with this issue is appreciated.

