Channel: Security forum
Viewing all 12072 articles

Exporting certificate from computer personal store using certutil

Hi all,

I'm trying to install an Entrust SSL certificate on my Microsoft Active Directory LDAP server for LDAPS.

I need to do this on a Windows Server 2012 R2 Core, so I have no option to do it graphically. I need to use the certutil command to perform the functions.

Now I have already completed importing the SSL certificate to the local computer personal store using certutil. I have also installed the associated root and intermediate root certificates using the certutil command line.

Now I need to export the SSL certificate in .pfx format with the private key to import it under the NTDS\Personal store.

I need to achieve the graphical options below. Could you please let me know the certutil syntax to achieve that?

I tried the command below, but it is not working:

certutil -privatekey -p Password -exportpfx 1.pfx


Regards,
Rafic

If you found this post helpful, please give it a "Helpful" vote.
If it answered your question, remember to mark it as an "Answer".
This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
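The syntax certutil wants for an export is `-exportPFX <StoreName> <CertId> <OutputFile>`; the command in the post omits both the store name and the certificate identifier, which is why it fails. The following is an added example, not from the original post, of the whole procedure on Server Core: locate the certificate by thumbprint, export it with its key, and import it into the NTDS service store. The thumbprint, paths and password are placeholders. The `-service` option with `NTDS\My` as the store name is how I understand certutil addresses a service's certificate store; confirm it against `certutil -?` on your build. The password is passed to certutil in clear text on the command line, so run this interactively and delete the PFX afterwards.

```powershell
# Added example (not the original poster's code). Placeholders: thumbprint, path, password.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: SHA1 hash of the LDAPS cert
$PfxPath    = 'C:\temp\ldaps.pfx'                          # placeholder
$PfxPass    = Read-Host -Prompt 'PFX password'

# 1. Find the certificate in LocalMachine\My and make sure a private key is attached.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    # Typical when the cert was imported with -addstore instead of -importPFX.
    throw "Certificate has no private key attached; try: certutil -repairstore My $Thumbprint"
}

# 2. Export. Store name (My) and CertId (thumbprint) are required.
#    NoRoot keeps the root CA out of the PFX; the intermediate still travels with it.
& certutil -p $PfxPass -exportPFX My $Thumbprint $PfxPath NoRoot
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE); was the key imported as exportable?" }

# 3. Import into the NTDS service store (assumption: -service + NTDS\My addresses that store).
& certutil -service -p $PfxPass -importPFX NTDS\My $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX into NTDS\My failed ($LASTEXITCODE)" }

# 4. Verify it landed, then remove the PFX (it contains the private key).
& certutil -service -store NTDS\My $Thumbprint
Remove-Item $PfxPath -Force

# 5. Test from another host: ldp.exe -> Connection -> Connect, port 636, SSL ticked,
#    or: certutil -verify -urlfetch <exported .cer>  to confirm the chain and revocation URLs.
```

If step 2 fails with an "not exportable" style error, the key was imported with the NoExport modifier and the PFX has to be re-imported from the original file; there is no way to make an unexportable software key exportable afterwards.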


Certificate for local system with Thumbprint...is about to expire...

I tried the steps found at: http://technet.microsoft.com/en-us/library/cc774595(v=WS.10).aspx

I get to the list of certificates. The list doesn't have thumbprints, so I'm not sure which is the certificate that is producing the warning. I select a certificate that has expired. I try Renew with Same Key.

I get:

Enrollment Error: The requested certificate template is not supported by this CA.

Where do I go from here?

Account Locked - Event 4771 Failure Code 0x18

Can someone help me with this? Over the last few weeks, a user's account is constantly getting locked out, without them trying to log on.

I wanted to begin to find out where the login attempts are originating. In the event I see Network Information:

Client Address: ::ffff:192.168.x.x

Client Port: 4889

Well, this address happens to be one of our domain controllers. Can anyone help me understand if this domain controller (which is a backup DC, with no FSMO roles) is taking part in the lockout? The user's password has not been changed in a few weeks.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/23/2011 9:58:35 AM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
Description:
Kerberos pre-authentication failed.
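Failure code 0x18 in a 4771 is KDC_ERR_PREAUTH_FAILED: the KDC received an AS-REQ whose pre-authentication timestamp was encrypted with the wrong password for that account. A client address that is itself a domain controller means the bad credential is being presented from that machine, so the next place to look is what runs on that DC as the user (services, scheduled tasks, `cmdkey /list` in any logged-on session). Because each DC only logs what it received, the query has to run against every DC. The script below is an added example, not from the original post; it needs the ActiveDirectory module and Event Log Readers rights on the DCs, and the account name is a placeholder.

```powershell
# Added example: collect 4771 events for one account from all DCs, decode the Kerberos
# error code and tally client addresses so the lockout source stands out.
$User  = 'jdoe'                        # placeholder: the locked-out account
$Since = (Get-Date).AddHours(-24)

# Kerberos AS-REQ error codes as they appear in the 4771 Status field.
$KrbStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (unknown user)'
    '0xc'  = 'KDC_ERR_POLICY (logon hours / workstation restriction)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $Since
        }
    } catch { Write-Warning "$dc : $($_.Exception.Message)" }   # includes "no events found"
}

$rows = foreach ($e in $events) {
    # EventData is easiest to read from the XML rendering of the record.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -ne $User) { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        DC     = $e.MachineName
        Client = ($d.IpAddress -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
        Port   = $d.IpPort
        Status = $d.Status
        Reason = $KrbStatus[$d.Status]
    }
}

# The lockout source is whatever repeats; group by client and failure code.
$rows | Group-Object Client, Status | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Reason'; e = { $_.Group[0].Reason } },
        @{ n = 'Last';   e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

If the top row is the DC address from the post with Status 0x18, the account's lockout threshold is being consumed by something on that DC rather than by the user, and the 4740 (account locked out) events on the PDC emulator will name the same caller computer.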

 

Network folder permission question

I have a user who is a member of a Global Security group that has full control to a network share and all sub-folders within the share.

A check of the Effective permissions shows the user with Full Control on the folder and all sub-folders, the user is also the owner of all the folders and sub-folders.

This user needs to be able to change permissions on folders they create within the share.  However, when the user attempts to apply a change they get an access denied error.  Any ideas as to what is causing the access denied error?

The user is accessing the share from a drive mapping rather than logging into the server via RDP.

Is it possible I need to give some permissions on the server as well? 
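The Effective Permissions tab evaluates NTFS permissions only. When the folder is reached through a share, the share permission is combined with it, and changing an ACL through SMB needs Full Control on the share; a share granting only Change produces exactly this Access Denied on permission edits even for the folder owner. The script below is an added example, not from the original post, to put the two sides next to each other on the file server (SmbShare module, Windows Server 2012 and later); the share name is a placeholder.

```powershell
# Added example: compare share-level and NTFS permissions for a share and warn when the
# share side cannot carry an ACL change. Placeholder: share name.
$ShareName = 'Projects'

$share       = Get-SmbShare -Name $ShareName
$shareAccess = Get-SmbShareAccess -Name $ShareName

"Share '$ShareName' -> $($share.Path)"
$shareAccess | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# Share side: an Allow/Full entry is required for WRITE_DAC to pass through SMB.
$full = $shareAccess | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full' }
if (-not $full) {
    Write-Warning "No Allow/Full entry on the share: ACL changes over the mapped drive will be denied regardless of NTFS rights."
}

# NTFS side: who holds ChangePermissions (WRITE_DAC) or FullControl on the folder.
$acl = Get-Acl -Path $share.Path
$acl.Access |
    Where-Object { $_.FileSystemRights -match 'FullControl|ChangePermissions' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Fix for the share side (principal is a placeholder):
# Grant-SmbShareAccess -Name $ShareName -AccountName 'CONTOSO\ProjectsAdmins' -AccessRight Full -Force
```

Granting Full Control on the share is not a widening of rights in itself: NTFS still decides who may do what, the share permission only stops masking it.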

Online Responder gives internal server error intermittently

Hi,

I have configured Online Responders in load balancing mode controlled through an external load balancer. One of the Online Responders intermittently gives Internal Server Error for some OCSP requests. The behaviour is random and I am not able to find out the pattern. Is there any way to troubleshoot this issue? Not much information on troubleshooting is available on TechNet. Any help in figuring out the cause is highly appreciated.

1. Is there a way to find out the responses given out from the web proxy?

2. Can I find out the number of cached responses?

3. Is there any other way to identify if the cache limit has been reached?

4. Is configuring 20k cache entries a good idea?



Kris

Publish CRL/AIA to LDAP-only for CertSrv web enrollment site and WSUS cert?

Any reason to not use LDAP-only for these types of servers?

I could revoke them and request new certificates with http locations, but I can't think of any reason machines not joined to our domain would need to do a CRL lookup for those specific certificates.

Subordinate CA - Install Certificate failing

Hi,

I support a large organisation's PKI and it's time for Issuing CA renewal against an offline Root CA.  I manage the PKI but do not have Enterprise Admins nor have we delegated control of the Public Key Services container within the forest Configuration partition.

I performed the usual renewal steps, selecting re-use keys (as we're confident of the current and future integrity, and wanted to ensure full compatibility), and generated a CSR (with suffix xxxx(1).req) which I duly presented to our offline CA, and received a signed certificate.  Let me point out at this stage that the offline Root CA is stored in a high security vault and is not that simple to just "get it out of the cupboard."  I really don't want to go around this loop again, if I can avoid it.

When attempting to install the certificate on the Issuing CA, I get:

"The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect.The most recently generated request file should be used to obtain the new certificate:
C:\****-CA(1).req The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)"

I checked out the version identifier in the CSR and the certificate and it is indeed the same as the original:

    CA Version
        V0.0

I just assumed it would be the same as it's the same private key.

I guessed (and then read in another post) that this may be related to permissions so, today, we tried with Enterprise Admins permissions and still no go.

My question is this:

Can we manually deploy the CA certificate to the Configuration partition, the local CA store and then update the registry?

  • certificateAuthority object, located in CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain
  • certificationAuthority object, located in CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain
  • If necessary, pKIEnrollmentService object, located in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain
  • If necessary, CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain
  • Add the new CA cert into the Trusted Intermediaries store on the CA itself
  • Thumbprint value into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"Name of your Certificate Authority"\CACertHash

Am I missing something?

I will raise a PSS call tomorrow under our Enterprise Agreement but I just wondered if anyone had solved this the hard way?

TIA

Dave

User version 1 template missing from web enrollment after CA migration

I have migrated my development CA (it's a root, but it issues certs) from Server 2008 to Server 2012 R2. The DB, registry and CA cert all migrated as expected and I can see the full set of templates in the manager or if requesting a cert via the MMC snap-in on a client. However, web enroll shows no User or any other V1 template. Publishing and permissions look OK (the MMC snap-in works), and if I duplicate a V1 the duplicate IS available in web enroll. Has anyone come across this? AFAIK V1 templates should work in 2012.


Windows Server 2012 R2 protection - Antivirus / Active protection suggestions

Hello

Since the number of our clients has increased and all clients have some type of antivirus protection, I've been looking for some antivirus protection for the server.

I found a few, but they're all quite pricey.

Looking for some simple and possibly free solution. 

Thanks in advance.

AD self-signed certificates to be removed

We initially had self-signed certs when Exchange was installed (they are still there, as the expiration will be in the next decade). The DC server that initially hosted or acted as CA is no longer available, hence I'm getting all sorts of Event ID 13.

Since the original DC server that had this has been out of commission for months now, from an Exchange point of view, will it be safe to delete all this PKI, self-signed certificates, and such?

I really don't know how to word what's needed, but basically I'm trying to get rid of Event ID 13 always appearing (as well as Event ID 29).
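Two of the posts above come down to the same question: what exactly is in the forest's Public Key Services container. For Dave's Issuing CA renewal, that is the set of objects he would have to touch by hand; for the Event ID 13 problem, Event ID 13 from CertificateServicesClient-AutoEnrollment is what domain members log when they try to enroll from an enterprise CA that is still registered in CN=Enrollment Services but no longer answers, and the Exchange self-signed certificates live on the Exchange server, not in that container, so they are not the cause. The script below is an added example, not from either post: a read-only inventory of those containers that needs the ActiveDirectory module and deletes nothing.

```powershell
# Added example: list the objects in CN=Public Key Services and the certificates they carry.
$config = (Get-ADRootDSE).configurationNamingContext
$pks    = "CN=Public Key Services,CN=Services,$config"

function ConvertTo-X509 {
    # cACertificate is multi-valued DER; turn each value into an X509Certificate2.
    param($Values)
    foreach ($v in @($Values)) {
        if ($v) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
            $c.Import([byte[]]$v)
            $c
        }
    }
}

foreach ($name in 'AIA', 'Certification Authorities', 'Enrollment Services') {
    "`n== CN=$name =="
    Get-ADObject -SearchBase "CN=$name,$pks" -SearchScope OneLevel -Filter * `
        -Properties dNSHostName, cACertificate, whenChanged |
    ForEach-Object {
        $obj   = $_
        $certs = @(ConvertTo-X509 $obj.cACertificate)
        [pscustomobject]@{
            Name      = $obj.Name
            Class     = $obj.ObjectClass
            Host      = $obj.dNSHostName        # only pKIEnrollmentService objects carry this
            Resolves  = if ($obj.dNSHostName) { [bool](Resolve-DnsName $obj.dNSHostName -ErrorAction SilentlyContinue) } else { $null }
            Changed   = $obj.whenChanged
            CertCount = $certs.Count
            Latest    = ($certs | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
        }
    } | Format-Table -AutoSize
}

# NTAuthCertificates is a single object holding the CA certs trusted to issue logon certs.
$ntauth = Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate
"`n== NTAuthCertificates =="
ConvertTo-X509 $ntauth.cACertificate |
    ForEach-Object { '{0}  {1}  expires {2:yyyy-MM-dd}' -f $_.Thumbprint, $_.Subject, $_.NotAfter }
```

An Enrollment Services entry whose Host column no longer resolves is the stale CA that autoenrollment keeps trying to reach; it can be removed with pkiview.msc (Manage AD Containers), which also shows the AIA and CDP entries for the same CA. Removing the old CA's certificates from NTAuthCertificates is a separate decision, since certificates it issued stop being accepted for domain logon once it is gone from there.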

No change

Hi

I cannot change Administrative Template settings > Computer Configuration > Group Policy (gpedit.msc)

in Windows Server 2008 R2 Enterprise edition.

I want to change "enable" to "no config" for Windows Update (reset Windows Update settings to default).

How to find the OCSP logs

Dear All,

I have configured a Windows Server 2012 R2 Standard server to run a Certificate Authority and an Online Responder to use OCSP to check the validity of the issued certificates (a ClearPass appliance is being used to check the certificates). From what I can see, the Online Responder is working and giving OCSP responses that the appliance is interpreting correctly when the certificate is valid, but if I revoke a certificate, OCSP persists in giving them the OK. To troubleshoot this I would like to see event logs of the operation of the Online Responder, including each of the responses it gives and why.

My questions are:

1) How do I enable the Online Responder logs?

2) Once enabled, where can I find these logs in Event Viewer? And if they are in an existing Event Log, which IDs do I use to filter them?

3) Is there a cache, time-out, or similar process which is delaying the Online Responder noticing the revoked certificates?

Hoping to hear from you soon.

Yours,

FD
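For both OCSP posts above (Kris's intermittent Internal Server Error behind a load balancer, and FD's responder that keeps answering "good" after a revocation) the same three facts matter. Revoking a certificate only changes the CA database; the responder's revocation configuration answers from the CRL it last fetched, so until a new CRL is published (and the responder's cached copy expires) it has no way of knowing. The responder logs to the Application log, and its Audit tab (Online Responder properties, with Object Access auditing on) adds per-request records to the Security log. Windows clients cache OCSP and CRL results as well, so a stale "good" can come from the client rather than the responder. The script below is an added example, not from either post; steps 1 and 2 run on the CA or responder, steps 3 and 4 on any client, and the serial number and path are placeholders.

```powershell
# Added example: make a revocation visible to the Online Responder and check what it answers.
$SerialNumber = '1a2b3c4d5e6f'            # placeholder: serial of the revoked cert
$TestCert     = 'C:\temp\revoked.cer'     # placeholder: that certificate exported as .cer

# 1. Revoke (reason 1 = KeyCompromise; 4 = Superseded, 0 = Unspecified) and publish a new
#    base + delta CRL. The responder's revocation provider reads the CRL, not the CA database.
& certutil -revoke $SerialNumber 1
& certutil -crl
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed ($LASTEXITCODE); check the CDP locations" }

# 2. Responder-side events. Assumption: the provider name contains "OnlineResponder";
#    widen the filter if your build names it differently.
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.ProviderName -like '*OnlineResponder*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

# 3. Client side: drop cached OCSP/CRL results so a stale "good" does not mask the change.
& certutil -urlcache * delete

# 4. Fetch every AIA/CDP/OCSP URL in the certificate and print the per-URL result; the
#    final chain status reports the certificate as revoked once the responder (or a fresh
#    CRL) says so. This also exercises each responder individually if you point the OCSP
#    URL at a node rather than the load balancer VIP in a hosts-file override.
& certutil -verify -urlfetch $TestCert
```

For the intermittent 500s behind a load balancer, running step 4 against each responder node directly (bypassing the VIP) separates a sick node from a caching or health-probe problem on the balancer; the responder event log on the node that fails will carry the matching error.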

Automated compliance monitoring for password policy compliance

I am in IT Audit and I work with a big FI in N.A.

Currently engaged on an audit assignment related to automated controls for monitoring compliance to password policy for local accounts on Windows and Unix servers.

My client has deployed the BladeLogic Server Automation tool to monitor password compliance for local users across the Windows and Unix platforms. My client is currently monitoring Maximum Password Age through the BSA tool. (The BSA tool is an agent-based tool) and jobs are created to pull relevant files from individual servers and feed into an analytics tool.

Issue: My client is not currently monitoring all other elements of password policy (MinAge, PassLength, Complexity, PwdHistory, LockThreshold and LockoutDuration). When I brought this observation to my client's attention, the response was that the password elements left out cannot be monitored at the local user level. Is this correct?

Is there a file on Windows and Unix servers that contains all this information? If there is such a file, I would think that what they need to do is let the BSA job pull the content of the file and send that to the analytics software.

What is the name of the file on Unix/Windows servers that contains local user password policy information?

Thanks
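All of the settings listed in the post are readable without an agent-specific trick. On Windows, `secedit /export` writes the effective local security policy (including whatever Group Policy applied) to an INI-style file whose [System Access] section carries MinimumPasswordAge, MaximumPasswordAge, MinimumPasswordLength, PasswordComplexity, PasswordHistorySize, LockoutBadCount, ResetLockoutCount and LockoutDuration; `net accounts` shows the same values. On Linux the equivalents are split across /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE), /etc/security/pwquality.conf or the pam_pwquality / pam_cracklib lines in /etc/pam.d, and pam_faillock or pam_tally2 for lockout, with per-account ageing in /etc/shadow. The script below is an added example, not from the original post: it extracts the Windows side and compares it with a baseline, which is the job the BSA collector would feed to the analytics tool. The baseline values are placeholders; it must run elevated.

```powershell
# Added example: read the local password/lockout policy via secedit and grade it against a baseline.
$Baseline = @{                    # placeholder values; set to the client's standard
    MinimumPasswordAge    = 1     # days
    MaximumPasswordAge    = 90    # days (0 or -1 in secedit output = never expires)
    MinimumPasswordLength = 14
    PasswordComplexity    = 1     # 1 = enabled
    PasswordHistorySize   = 24
    LockoutBadCount       = 5     # 0 = lockout disabled
    ResetLockoutCount     = 15    # minutes
    LockoutDuration       = 15    # minutes
}

function Get-LocalPasswordPolicy {
    # Returns the [System Access] settings as a hashtable name -> int.
    $tmp = Join-Path $env:TEMP "secpol-$PID.inf"
    & secedit /export /cfg $tmp /areas SECURITYPOLICY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE); run elevated" }
    $policy = @{}
    $inSection = $false
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item $tmp -Force
    return $policy
}

function Test-PasswordPolicy([hashtable]$Policy, [hashtable]$Baseline) {
    foreach ($k in ($Baseline.Keys | Sort-Object)) {
        $actual = $Policy[$k]
        # Age and threshold are "at most" checks and must be enabled; everything else is "at least".
        $ok = switch ($k) {
            'MaximumPasswordAge' { $actual -gt 0 -and $actual -le $Baseline[$k] }
            'LockoutBadCount'    { $actual -gt 0 -and $actual -le $Baseline[$k] }
            default              { $null -ne $actual -and $actual -ge $Baseline[$k] }
        }
        [pscustomobject]@{ Setting = $k; Required = $Baseline[$k]; Actual = $actual; Compliant = [bool]$ok }
    }
}

Test-PasswordPolicy (Get-LocalPasswordPolicy) $Baseline | Format-Table -AutoSize
```

Because the export reflects the policy as applied, a domain GPO that sets these values shows up here too; a server that drifts from the baseline is then visible without reading the SAM or any per-user data.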

2012 R2 Offline Root CA / Online Issuing Subordinate CA

The subject describes our current configuration. We're running into an issue where apparently whoever implemented these servers went with SHA1 and we have a requirement for some SHA2 certificates. I can increase the key length to 4096, but I am unable to select SHA256.

What can we do to enable support for SHA2 and what is the impact on current certificates?
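The hash an ADCS CA signs with is a registry setting, but it can only be changed to a SHA-2 algorithm when the CA's private key lives in a CNG key storage provider; a CA whose key sits in a legacy CSP (for example "Microsoft Strong Cryptographic Provider") has to have its key migrated to a KSP first, which is a backup, re-create-key-container, restore procedure of its own. Nothing already issued is affected: existing certificates stay valid, only new signatures (issued certificates and CRLs) use SHA-256, and the CA's own certificate keeps its SHA-1 signature until it is renewed by its parent. The following is an added example, not from the original post, of the check and the change on one CA; run it on the offline root as well if future sub-CA certificates should be SHA-2.

```powershell
# Added example: switch an ADCS CA from SHA-1 to SHA-256 for new signatures.

# 1. Which provider holds the key, and what is configured now?
& certutil -getreg ca\csp\Provider
& certutil -getreg ca\csp\CNGHashAlgorithm
& certutil -getreg ca\csp\HashAlgorithm      # legacy CSP setting; irrelevant once the key is in a KSP

$provider = (& certutil -getreg ca\csp\Provider) -join "`n"
if ($provider -notmatch 'Key Storage Provider') {
    throw 'CA key is in a legacy CSP, not a KSP. Migrate the key to a KSP before changing the hash.'
}

# 2. Set SHA-256 and restart the service so the setting is read.
& certutil -setreg ca\csp\CNGHashAlgorithm SHA256
if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
& net stop certsvc
& net start certsvc

# 3. Verify: publish a CRL and confirm its signature algorithm is sha256RSA.
& certutil -crl
$crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
       Sort-Object LastWriteTime | Select-Object -Last 1
& certutil -dump $crl.FullName | Select-String 'Signature Algorithm' -Context 0,1
```

The "Signature Algorithm" line of the fresh CRL reading sha256RSA is the proof the change took; the next certificate the CA issues will carry the same algorithm. The 4096-bit key length mentioned in the post is a property of the CA key itself and is only changed by renewing the CA certificate with a new key.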

Event 4625 - Failed Logon for Guest

I have just setup some monitoring for my company's server event logs, and noticed these logon failures appearing for a particular server. The user in question had both an RDP session, and explorer session running (via his local PC \\SERVER\C$\). I would like to know why these logon failures are occurring, and I can't work it out.

  • These events are occurring quite often (sometimes 10-20 times within 10 minutes).
  • The guest account is disabled on both the local desktop, and the server.
  • The user in question (User.Name) is a domain admin.
  • The server is NOT a domain controller, it's a simple IIS web server
An account failed to log on.

Subject:
	Security ID:		S-1-5-###########################-1114
	Account Name:		User.Name
	Account Domain:		DOMAIN
	Logon ID:		0x##########

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		S-1-0-0
	Account Name:		Guest
	Account Domain:		SERVER1

Failure Information:
	Failure Reason:		%%2310
	Status:			0xc000006e
	Sub Status:		0xc0000072

Process Information:
	Caller Process ID:	0x2ac0
	Caller Process Name:	C:\Windows\explorer.exe

Network Information:
	Workstation Name:	SERVER1
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		Advapi
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
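Reading the event in the post: Status 0xC000006E is STATUS_ACCOUNT_RESTRICTION, and the sub-status 0xC0000072 narrows it to STATUS_ACCOUNT_DISABLED, so something in User.Name's session (caller process explorer.exe, logon process Advapi, i.e. a LogonUser call rather than a network request) is trying to authenticate as the local Guest account, and the attempt is refused because Guest is disabled, as intended. The disabled account is doing its job; the open question is what in that session keeps asking. The script below is an added example, not from the original post: it decodes the status pair for every 4625 on the server and groups them by subject, target and process so a single session or program stands out.

```powershell
# Added example: decode 4625 status/sub-status codes and summarise failed logons on this server.
$NtStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or password)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION (see sub-status)'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertFrom-Event4625 {
    param([Parameter(ValueFromPipeline = $true)]$Event)   # EventLogRecord from Get-WinEvent
    process {
        $d = @{}
        foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $status = "$($d.Status)".ToLower()
        $sub    = "$($d.SubStatus)".ToLower()
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Process   = $d.ProcessName
            Source    = $d.IpAddress
            Status    = if ($NtStatus[$status]) { $NtStatus[$status] } else { $status }
            SubStatus = if ($NtStatus[$sub])    { $NtStatus[$sub] }    else { $sub }
        }
    }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
    ConvertFrom-Event4625 |
    Group-Object Subject, Target, Process, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize -Wrap
```

If every row is the same subject, Guest target and explorer.exe, the thing to inspect is that user's profile on SERVER1: saved credentials (`cmdkey /list` in the session), mapped drives or shortcuts that reference Guest, and shell extensions loaded by Explorer. The bursts of 10 to 20 in a few minutes are consistent with Explorer retrying a connection each time a folder view refreshes.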


KB3063858 for Windows Server 2012 Fails

Hi there,

I am trying to install the update

https://download.microsoft.com/download/9/E/E/9EEB707E-2896-4890-8082-2D9FB930C615/Windows8-RT-KB3063858-x64.msu

I get the error saying that the update is not applicable for the machine.

I just noticed that the update file for 2012 and the update file for Win 8 systems are the same.

Is that the reason this is happening?

Can you please confirm.

How Does A Root CA Certificate Get Distributed To Domain Clients?

Just set up a 2012 R2 Root CA in a lab. I have a few Windows 2012 R2 member servers in the lab forest and noticed that they do not have the CA Root Cert in their Trusted Root Certification Authorities store. I thought this happened automagically in Active Directory. Do I need to create a Group Policy to deploy it?

Orange County District Attorney
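The automatic part is real, but it has two halves: an Enterprise root CA publishes its certificate to the forest's Certification Authorities container when it is installed, and domain members copy what is in that container into their Trusted Root store during Group Policy refresh (the "Certificate Services Client - Auto-Enrollment" machinery, enabled by default). A standalone root, or a lab root whose publication failed, has no AD object and so nothing is distributed. The script below is an added example, not from the original post: it publishes the root certificate with `certutil -dspublish`, then verifies on a member server; the certificate path is a placeholder and the publication step needs Enterprise Admins rights.

```powershell
# Added example: publish a root CA cert to AD and verify that a member picked it up.
$RootCer = 'C:\temp\LabRootCA.cer'      # placeholder: the root CA certificate (DER or Base64)

# 1. Publish. The RootCA keyword targets the Certification Authorities container; -f overwrites.
& certutil -dspublish -f $RootCer RootCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed ($LASTEXITCODE); Enterprise Admins required" }

# 2. On a member server: refresh policy and look for the root by thumbprint.
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer).Thumbprint
& gpupdate /target:computer /force | Out-Null

$found = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb
if ($found) {
    "Root CA present in LocalMachine\Root: $($found.Subject) (expires $($found.NotAfter))"
} else {
    Write-Warning 'Not present yet. Check the Application log, source CertificateServicesClient-AutoEnrollment, for errors, and confirm the machine can reach a DC over LDAP.'
}
```

The alternative that does not touch AD's PKI containers is a GPO: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, Import. That route is also the one to use for a root that non-ADCS clients must trust, since the AD container only reaches domain members.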

No HTTP CDP Location in pkiview

Hello All,

I have a 2-tier hierarchy with an offline standalone CA and a standard SubCA. I have http://servername.domain.local/CertEnroll/subca.crl added in the extension of the SubCA under CDP location. However, this doesn't show up in pkiview. I can see the LDAP URL in pkiview but no HTTP.


Chitresh Pandit
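A CDP URL can live in two different places, and pkiview reads only one of them. The CDP locations pkiview shows for a CA come from that CA's own certificate, and those were written by the parent (here the offline root) from the root's CRLPublicationURLs setting at the time it signed the SubCA certificate. The CDP extension configured on the SubCA only goes into certificates the SubCA issues. So an HTTP URL added on the SubCA appears in its issued certificates but not in pkiview for the SubCA itself until the SubCA certificate is renewed by a root whose own CDP configuration carries that HTTP location. The commands below are an added example, not from the original post, that make the two places visible side by side; the certificate path is a placeholder.

```powershell
# Added example: show where each CDP URL lives for a subordinate CA.
$SubCaCert = 'C:\Windows\System32\CertSrv\CertEnroll\SubCA.crt'   # placeholder: the SubCA's own certificate

# 1. What the SubCA certificate carries (this is what pkiview displays for the SubCA).
& certutil -dump $SubCaCert |
    Select-String -Pattern 'CRL Distribution Point', 'Authority Information Access', 'URL='

# 2. What the SubCA writes into the certificates it issues (flag 2 = include in issued certs).
& certutil -getreg ca\CRLPublicationURLs
& certutil -getreg ca\CACertPublicationURLs

# 3. Fetch every URL in the SubCA certificate and report per URL; the http CDP is absent
#    here if the root never put it in the certificate, and fails here if it is present but
#    the web server does not serve the CRL.
& certutil -verify -urlfetch $SubCaCert
```

The fix is on the root: add the HTTP location to the root's CRLPublicationURLs (with the "include in CDP extension of issued certificates" flag), then renew the SubCA certificate so the new extension is stamped in; the root's own CRL must of course also be published to that HTTP path.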

Located Secret pinhole camera in my room

Hello, I have detected a wireless pinhole camera and microphone filming my room at college. It is connected through the Wi-Fi, but I do not know where it is physically; it would be a great relief if I could block this device from the Wi-Fi.

How do I block the device? I have control over the router; will this help me?

Is there anything that the Windows 10 system can do to help me on this?

Thanks
