Channel: Security forum
Viewing all 12072 articles

Migration to MS CA from a Third-party CA


Hi, we have an OpenCA in use with several certificates generated and revoked and also a periodically generated CRL.

We want to migrate to MS CA (2008 R2 preferably, Standalone or Enterprise) without revoking and re-creating all the certs.

Is there any way to move from OpenCA to MS CA?

Thanks and Best regards

Sergio



Revoked certificate is still valid in the browser


I set up a two-tier AD CS with a standalone Root CA and an online issuing CA, which is also my DC and IIS server.  I configured a certificate template, auto-enrollment and Root CA certificate group policy, and generated an SSL certificate for the IIS server; this all worked fine when I tried from my Windows 10 client's IE browser.

When I revoked the SSL certificate, I expected the IE browser would pick up the status from the CRL, but it still shows the certificate status as valid.  Here is what I've done:

(1) Configured to use IIS as the CDP

(2) Verified I can download CRL from client machine

(3) Published CRL from CA MMC.

(4) Manually copied CRL files from default location to the path hosted on IIS.

(5) Checked the SSL certificate has the correct URL for CDP property.

I am running out of ideas why the revocation is not working, did I miss anything?  Appreciate any help!
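The checklist above covers publishing the CRL, but not what the client does with it: Windows CryptoAPI caches a fetched CRL and keeps using that copy until its NextUpdate time passes, so a newer CRL copied to the CDP is not consulted until then. The script below is an added example written for this page, not code from the thread. It is stdlib-only Python that parses a DER CRL (the RFC 5280 CertificateList structure) and reports whether a given serial is listed and whether the CRL is still inside its validity window. The CRL bytes, the issuer name "Sample Issuing CA" and the serial numbers are constructed in the script, with a dummy signature, so it runs offline; point `parse_crl` at the file downloaded from the CDP URL in the revoked certificate to see whether the revocation actually reached the published CRL.

```python
"""Inspect a DER CRL without third-party libraries (added example, stdlib only)."""
import datetime as dt

UTC = dt.timezone.utc

# ---- minimal DER encoder, used only to build the constructed sample CRL ----
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8                 # long-form length
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value

def _int(n):                                       # positive INTEGER, sign-safe
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _utc(t):                                       # UTCTime YYMMDDhhmmssZ
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(this_update, next_update, revoked):
    """Constructed CertificateList with a dummy signatureValue (not verifiable)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                            + _tlv(0x0C, b"Sample Issuing CA"))))
    entries = b"".join(_tlv(0x30, _int(s) + _utc(d)) for s, d in revoked)
    tbs = _tlv(0x30, _int(1) + sha256_rsa + issuer + _utc(this_update) + _utc(next_update)
               + (_tlv(0x30, entries) if entries else b""))
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 33))

# ---- DER reader and CRL parser ----
def _read(buf, pos):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read(value, pos)
        out.append((tag, v))
    return out

def _time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                                # UTCTime: RFC 5280 pivots the year at 50
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_crl(der):
    """Return (thisUpdate, nextUpdate, {serial: revocationDate}) from a DER CRL."""
    fields = _children(_children(_read(der, 0)[1])[0][1])   # members of tbsCertList
    i = 1 if fields[0][0] == 0x02 else 0                     # optional version
    i += 2                                                   # signature, issuer
    this_update = _time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:             # revokedCertificates
        for _, entry in _children(fields[i][1]):
            (_, serial), (dtag, draw) = _children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = _time(dtag, draw)
    return this_update, next_update, revoked

def check_serial(der, serial, now):
    """Is the serial listed, and is the served CRL still within its validity window?
    A client keeps its cached CRL until nextUpdate, so a fresh CRL on the CDP is
    only picked up once the cached copy expires (or the cache is cleared)."""
    this_update, next_update, revoked = parse_crl(der)
    return {"listed": serial in revoked,
            "expired": next_update is not None and now > next_update,
            "this_update": this_update, "next_update": next_update}

if __name__ == "__main__":
    sample = build_sample_crl(dt.datetime(2016, 2, 28, tzinfo=UTC), dt.datetime(2016, 3, 6, tzinfo=UTC),
                              [(0x1234ABCD, dt.datetime(2016, 2, 27, 9, 30, tzinfo=UTC))])
    print(check_serial(sample, 0x1234ABCD, dt.datetime.now(UTC)))
```

On the client, `certutil -verify -urlfetch server.cer` shows which CRL the chain engine actually fetched and used, and `certutil -urlcache crl delete` discards the cached copies so the next check goes back to the CDP. If `listed` is true for the CRL downloaded from the CDP URL but the browser still reports the certificate as valid, the client is working from a cached CRL whose NextUpdate has not yet passed; if `listed` is false, the file on IIS is not the CRL the CA published after the revocation.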

TeslaCrypt - OneDrive Security


Hi guys,
I have one simple question about the TeslaCrypt virus and cloud applications like OneDrive, Dropbox, etc.

How is it possible to protect your data in the cloud if your computer is infected with the TeslaCrypt virus? As we know, if you have enabled automatic file and folder sync, the data is encrypted in cloud storage too.

Does Microsoft perhaps have an answer for this case?

Thanks and best regards


Ninja 4 IT

Subordinate CA - Install Certificate failing


Hi,

I support a large organisation's PKI and it's time for Issuing CA renewal against an offline Root CA.  I manage the PKI but do not have Enterprise Admins nor have we delegated control of the Public Key Services container within the forest Configuration partition.

I performed the usual renewal steps, selecting re-use keys (as we're confident of the current and future integrity, and wanted to ensure full compatibility), and generated a CSR (with suffix xxxx(1).req) which I duly presented to our offline CA, and received a signed certificate.  Let me point out at this stage that the offline Root CA is stored in a high security vault and is not that simple to just "get it out of the cupboard."  I really don't want to go around this loop again, if I can avoid it.

When attempting to install the certificate on the Issuing CA, I get:

"The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate:
C:\****-CA(1).req The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"

I checked out the version identifier in the CSR and the certificate and it is indeed the same as the original:

    CA Version
        V0.0

I just assumed it would be the same as it's the same private key.

I guessed (and then read in another post) that this may be related to permissions so, today, we tried with Enterprise Admins permissions and still no go.

My question is this:

Can we manually deploy the CA certificate to the Configuration partition, the local CA store and then update the registry?

  • certificateAuthority object, located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootDomain>
  • certificationAuthority object, located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootDomain>
  • If necessary, pKIEnrollmentService object, located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootDomain>
  • If necessary, CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootDomain>
  • Add the new CA cert into the Trusted Intermediaries store on the CA itself
  • Thumbprint value into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"Name of your Certificate Authority"\CACertHash

Am I missing something?

I will raise a PSS call tomorrow under our Enterprise Agreement but I just wondered if anyone had solved this the hard way?

TIA

Dave

GIGABYTE S-series GA-M78SM-S2H: error during installation, x-install-cps create process error

x-install-cps create process error

CAPI2 Error - Access Denied


I am seeing tons of errors regarding CAPI2 Access Denied. I have Windows Server 2008 R2 SP1.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
    <EventID Qualifiers="0">4110</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-18T10:12:12.316910600Z" />
    <EventRecordID>2516754</EventRecordID>
    <Correlation />
    <Execution ProcessID="992" ThreadID="15340" />
    <Channel>Application</Channel>
    <Computer>Server name removed</Computer>
    <Security />
  </System>
  <EventData>
    <Data />
    <Data>Access is denied.</Data>
  </EventData>
</Event>

Any Suggestions ?

Thanks

2012 R2 Offline Root CA / Online Issuing Subordinate CA


The subject describes our current configuration. We're running into an issue where apparently whoever implemented these servers went with SHA1 and we have a requirement for some SHA2 certificates. I can increase the key length to 4096, but I am unable to select SHA256.

What can we do to enable support for SHA2 and what is the impact on current certificates?

The remote host has KB2677070 or KB2813430, but the disallowed CTL has not been updated.


Systems are offline. I have imported the "Disallowed cert" into the untrusted certs, but it seems I have to sync somehow. Every single thing I read says that "iexpress" packages can be used, but they simply do not exist for non-connected machines.

We can't enable auto update, as many pages suggest, because we are in a closed environment.

I know I have the needed KBs installed, as I receive this message, but I can't get past this point with an ACAS scan to save my life:

The remote host has KB2677070 or KB2813430, but the disallowed
CTL has not been updated.

Any ideas that might help out there?

Thank you very much!


creating new certificate request iis 7 in distant server


Hi Guys;

I have the request.inf to execute on the local server with the certreq -new command, and I have to create a .bat or a script that will be easy to run by another team in my company who do not have full rights on the server.

My question is whether there is a way to run the command, or another way to do it, without logging in to the server?

Thank you

Installing Entrust SSL on Windows server 2012 Core


Hi,

We have about 8 domain controllers in our environment. 

We have obtained a wildcard SSL certificate with all the DC's FQDN's included in SDN.

The servers are installed with Windows Core 2012 R2.

Now I need to install the certificate in both the machine local store and the NTDS\Personal store.

Can I install this certificate remotely via MMC? Will it create any issues while exporting the personal certificate with the private key to import into NTDS?

The wildcard certificate, root and intermediate chain are given in .txt file format.

Please advise.


Regards,
Rafic

If you found this post helpful, please give it a "Helpful" vote.
If it answered your question, remember to mark it as an "Answer".
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

KB 3011780 - not required on domain controller?


I came across this article today and in it, it mentions kb 3011780 (came out in 11/2014) and how it needs to be applied to your domain controllers. I opened SCCM and checked this update against my DCs and they reported back that it was not required? I also checked kb 2919355 thinking maybe this replaced it and it also came back as not required.

Does this mean I don't need to worry about installing the patch or do I still need to apply this manually to each of my DCs to clean up the vulnerability? Everything I am reading is leading me to think this is the case. If so, then why is SCCM giving me the everything is OK sign?

Event ID 4625 logged every second


Hello,

First time in this forum and I hope to finally get an answer to this. I have been researching this issue to no end. I haven't been able to find an exact replication of the info we get for this error. I have checked similar cases and explored options such as the loopback check, time/date issues, etc. Here is the event info on a 2008 R2 Datacenter, although we see this on every server in our care.  I'm aware of the different logon types. I've seen everything from scripts and task schedulers to brute force attacks. Any ideas from someone who has solved this issue? I can't take being sent to a Microsoft link explaining the difference between the logon types again. My major issue is that I can't find a similar event to ours. They either have a null Security ID or another calling process. All the servers are DCs. Any help would be appreciated. Thanks in advance!

An account failed to log on.

Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: Administrator
    Account Domain: FXNB

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: FXNB
    Source Network Address: x.xxx.xxx.xxx
    Source Port: 51537

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service,


Does having certificate "Enroll certificates automatically" policy enabled in GPO cause unnecessary traffic to certification authority?


Hi,

I have what I hope are two quick questions. I've recently come to the conclusion, based on my testing, that Active Directory Certificate Services (ADCS) Certification Authority (CA) certificates in the AIA and Trusted CA containers in Active Directory (AD) will only get downloaded and populated on domain member systems that are subject to a GPO with the Public Key Policies -> Autoenrollment Settings -> "Enroll certificates automatically" policy enabled. This is regardless of whether these member systems require an auto-enrolled certificate or not.

Can someone please confirm that:

  1. member systems need the "Enroll certificates automatically" policy applied to them in order to download and import ADCS CA certificates from AD?
  2. If question #1 is "yes", then does having this "Enroll certificates automatically" policy create unnecessary and unwanted traffic to the CA system because all member systems with this policy will try to auto-enroll for a certificate even if they don't have "auto-enroll" rights on any certificate template available on the CA?

Thanks in advance!

Marcus


Diffie-Hellman 2048-bit support


Hi all,

So the scenario is that 'an application' is serving web or service content using SCHANNEL and Diffie-Hellman key exchange.  Thanks to various updates the minimum key length has been automatically set to 1024 bits.  My question is how one can go about setting SCHANNEL to use a minimum key length of 2048 bits?  Suggestions seem to be setting a HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman\ClientMinKeyBitLength DWORD value to 800?

A few forums suggest that the maximum possible length Windows Server supports is 1024 bits?  Is this right, as the alternative would suggest disabling DHE and using a different protocol?

Thanks in advance.

Solved - Certificate enrollment for Local system failed to enroll for a KerberosAuthentication certificate


On a newly-added 2008 R2 replica domain controller, certificate enrollment as well as autoenrollment works, except for the Kerberos Authentication certificate.  An enrollment or autoenrollment request made for this certificate fails, generating Events 6 and 13 in the Application log.  The failure reason given in the event text is "the RPC server is unavailable"

The CA receives the request; it appears in the failed request folder.  The Request Status Code is "The RPC server is unavailable".  The Request Disposition Message is "Denied by Policy Module".

I created a duplicate template based on the Kerberos Authentication certificate template, with all settings the same, except on the Subject name tab, Supply in the request is selected instead of Build from this Active Directory information.  When the request is made, the Subject Alternative name is manually populated with the same information as in a standard Kerberos Authentication Certificate (DNS Name=DCName.DomainName.com, DNS Name=DomainName.com, and DNS Name=NetBIOSDomainName).  This certificate request succeeds.  This makes me think the information built from Active Directory is missing something.

On the PDC role holder, which also has the CA role, enrollment for a Kerberos Authentication certificate succeeds.

How to correct this?

Thanks.

Event 4776 Error Code: 0xC0000234 but account not actually locked out


I am coming across several instances where a user will get the error code 0xC0000234 for event 4776 and Failure Reason: Account Locked Out for event 4625 but the account never actually locks out. I cannot find a corresponding event 644 (windows 2003) or 4740 (Server 2008 and up) on any of our AD servers.

Any idea why this would register as an account being locked out, but not actually lock the account out?

Thanks!
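This post and the "Event ID 4625 logged every second" question earlier on the page both come down to reading the NTSTATUS values in the event text: the Status/Sub Status pair in 4625, the Error Code in 4776. The script below is an added example written for this page, not code from either thread. It is stdlib-only Python that parses the event message text as Event Viewer shows it, decodes the codes from the documented NTSTATUS values, and counts failures per target account and source so repeated failures from one source stand out. The four 4625 events and the single 4776 event are constructed samples modelled on the event in the 4625 post, with TEST-NET addresses, the account name "jdoe" and the workstation "WS01" standing in for real values.

```python
"""Offline triage of Windows 4625 / 4776 failures (added example, stdlib only)."""
import re
from collections import Counter

# Documented NTSTATUS values seen in 4625 Status / Sub Status and 4776 Error Code.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",        # unknown user name or bad password
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
}

# One "Key: value" line of the message body; 4625 and 4776 field names are both listed.
FIELD_RE = re.compile(
    r"^\s*(Security ID|Account Name|Account Domain|Logon Type|Status|Sub Status|"
    r"Workstation Name|Source Network Address|Source Port|Authentication Package|"
    r"Logon Account|Source Workstation|Error Code)\s*:[ \t]*(.*?)[ \t]*$",
    re.M,
)

def decode_status(code):
    """Map an NTSTATUS string such as '0xc000006a' to its symbolic name."""
    return NTSTATUS.get(int(code, 16), "UNKNOWN_" + code.upper())

def parse_event(text):
    """Flatten one event message into a dict. In 4625 the Subject block and the
    'Account For Which Logon Failed' block reuse the same field names; the later
    occurrence (the target account) overwrites the earlier one, which is the one to alert on."""
    f = dict(FIELD_RE.findall(text))
    if "Error Code" in f:                                      # 4776 layout
        return {"event_id": 4776, "account": f.get("Logon Account", "-"),
                "source": f.get("Source Workstation", "-"), "logon_type": "-",
                "package": f.get("Authentication Package", "-"),
                "status": decode_status(f["Error Code"]), "sub_status": "-"}
    return {"event_id": 4625,                                  # 4625 layout
            "account": f.get("Account Domain", "-") + "\\" + f.get("Account Name", "-"),
            "source": f.get("Source Network Address", "-"),
            "logon_type": f.get("Logon Type", "-"),
            "package": f.get("Authentication Package", "-"),
            "status": decode_status(f["Status"]),
            "sub_status": decode_status(f["Sub Status"])}

def summarize(texts, threshold=3):
    """Count failures per (account, source, reason) and return the groups that reach
    the threshold; the reason is the Sub Status for 4625 and the Error Code for 4776."""
    counts = Counter()
    for text in texts:
        ev = parse_event(text)
        reason = ev["sub_status"] if ev["event_id"] == 4625 else ev["status"]
        counts[(ev["account"], ev["source"], reason)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed samples modelled on the 4625 text in the earlier post (TEST-NET addresses).
_4625 = """An account failed to log on.
Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
Logon Type: 3
Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: Administrator
    Account Domain: FXNB
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a
Network Information:
    Workstation Name: FXNB
    Source Network Address: {src}
    Source Port: {port}
Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
"""
SAMPLE_4625 = [_4625.format(src="203.0.113.7", port=p) for p in (51537, 51538, 51539)] \
            + [_4625.format(src="198.51.100.20", port=40001)]
SAMPLE_4776 = """The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: jdoe
Source Workstation: WS01
Error Code: 0xC0000234
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_4625 + [SAMPLE_4776]).items():
        print(n, key)
```

Fed the constructed samples, `summarize` reports three STATUS_WRONG_PASSWORD failures for FXNB\Administrator from 203.0.113.7 and nothing for the single failure from the second address, which is the shape to look for when one source account for a steady stream of 4625s. For the 0xC0000234 case, the code in 4776 or 4625 records what the authenticating DC believed at that moment; the lockout itself is recorded as 4740 on the PDC emulator, so a 0xC0000234 with no 4740 anywhere points at the authenticating DC's view of the account rather than at a lockout that was applied.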

AD Certificate Services - Autoenroll Cert With CA Manager Approval and Reenroll Without CA Manager Approval


Hello,

I am trying to figure out how to configure a Web Server certificate template to autoenroll but have the template require CA manager approval. Once the certificate attempts to reenroll, I'd like it to not require approval again.

On the "Subject Name" tab, I selected "Supply in the request" and checked "Use subject information from existing certificates for autoenrollment renewal requests".

On the "Issuance Requirements" tab, I checked "CA certificate manager approval" and selected "Valid existing certificate" under the "Require the following for reenrollment" section.

On the "Security" tab, I granted a web server the ability to read, enroll, and autoenroll.

Now after enrolling for a certificate using that template from a web server, it goes to a pending mode, waiting for CA manager approval as expected. Once the certificate nears expiration and tries to renew, it ends up going to a pending mode again, waiting for CA manager approval which is not desired.

What am I missing in my configuration to make this work?

Thank you for all of your help.

Digital Certificates installation with private key


I am installing digital certificates on three servers, all of them with Windows Server 2012 R2 Standard, but on only one of them does the private key information remain available after the installation. The purpose of those servers is to keep the communication with the SQL Server instance installed on each server secure.

Hotfix rollup KB2775511 installation not completing in Windows 2008R2 SP1


Hi All,

  Hotfix rollup KB2775511 installation is not completing in Windows 2008 R2 SP1. I don't know if there is any known issue, but in my environment this hotfix rollup is the biggest issue for my Windows 2008 R2 SP1 servers. We are supposed to fix this vulnerability for those servers by installing this update, but every time we install this update it takes 3 days to complete the installation (trying to install the patch manually by installing the .msu). So Microsoft suggested installing this using the CAB file format. Today, for my new build servers, this too is not working out. The CAB file is installed using DISM. It completes 100%, but the update is not shown in the update history.

Any body please help me on this.

Is it a Problem in Windows Server?


Hello.

I installed Snort on my Windows server, but when I want to run it, it shows me the error below:

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "C:\snort\etc\snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 1942 2231 2301 2381 2578 2809 2980 3029 3037 3057 3128 3443 3702 4000 4343 4848 5000 5117 5250 5600 5814 6080 6173 6988 7000:7001 7005 7071 7144:7145 7510 7770 7777:7779 8000:8001 8008 8014:8015 8020 8028 8040 8080:8082 8085 8088 8090 8118 8123 8180:8182 8222 8243 8280 8300 8333 8344 8400 8443 8500 8509 8787 8800 8888 8899 8983 9000 9002 9060 9080 9090:9091 9111 9290 9443 9447 9710 9788 9999:10000 11371 12601 13014 15489 19980 29991 33300 34412 34443:34444 40007 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
ERROR: C:\snort\etc\snort.conf(246) Missing/incorrect dynamic engine lib specifier.
Fatal Error, Quitting..

Any idea?

