Channel: Security forum
Viewing all 12072 articles

how to publish delta crl using certutil to AD store


Hi All,

Can you please tell me how to publish delta crl using certutil to AD

Regards,

Kamal
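Added example, not from the original post: regenerate the CA's base and delta CRL and publish both into the CA's CDP object in Active Directory with certutil, then read the object back to confirm. It assumes it runs on the issuing CA, that the CRL files sit in the default CertEnroll folder and are named after the CA (a CA name containing characters that certutil "sanitizes" gets a different file name), that the CDP object carries no key-index suffix such as "(1)" from an earlier key renewal, and that the account can write that object under CN=Public Key Services in the Configuration partition.

```powershell
# Added example (not from the original post): publish the CA's base and delta CRL
# to its CDP object in AD with certutil and verify. Assumptions: runs on the CA,
# default CertEnroll path, CRL file names equal the CA name, no "(1)" key index.

$caName   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$enroll   = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$baseCrl  = Join-Path $enroll "$caName.crl"
$deltaCrl = Join-Path $enroll "$caName+.crl"    # delta CRL files carry a trailing '+'

# 1. Have the CA write fresh base and delta CRLs. A delta is only produced when
#    CA\CRLDeltaPeriodUnits is non-zero.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 2. Publish each file into the CDP object. -f creates the object if needed and
#    overwrites a stale CRL already stored there.
foreach ($file in @($baseCrl, $deltaCrl)) {
    if (-not (Test-Path $file)) {
        Write-Warning "$file not found (delta CRLs disabled on this CA?)"
        continue
    }
    certutil -f -dspublish $file
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish $file failed with exit code $LASTEXITCODE" }
}

# 3. Verify by reading the CDP object: the base CRL is stored in the
#    certificateRevocationList attribute, the delta CRL in deltaRevocationList.
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$cdpDn      = "CN=$caName,CN=$env:COMPUTERNAME,CN=CDP,CN=Public Key Services,CN=Services,$configNC"
$cdp        = [ADSI]"LDAP://$cdpDn"
$baseBytes  = $cdp.Properties['certificateRevocationList'].Value
$deltaBytes = $cdp.Properties['deltaRevocationList'].Value
if ($baseBytes)  { "base CRL in AD:  $($baseBytes.Length) bytes" }  else { Write-Warning "no base CRL on $cdpDn" }
if ($deltaBytes) { "delta CRL in AD: $($deltaBytes.Length) bytes" } else { Write-Warning "no delta CRL on $cdpDn" }
```

Publishing to AD only matters to clients whose certificates carry an ldap:// URL in their CDP or Freshest CRL extension; pushing the file into the directory does not by itself change what is written into issued certificates.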


What and where a private key in the Microsoft CA?


I need a certificate to exchange data with a service provider. This provider suggests using OpenSSL, and they provide an example for every step to create a certificate:

1. Create new private key.
2. Create certificate request (CSR) based on the private key from Step 1.
3. Send them CSR and upon receiving new certificate, merge it with a key from Step 1.
4. Use the certificate with the key to sign data.

I tried to replicate these steps with Microsoft CA:

1. In the Certificates snap-in I created a manual certificate request (*.req, which I believe is the same as *.csr). There were no options to indicate which key to use.
2. I sent them the request and successfully received a certificate without a key.
3. When I imported the received certificate into my Personal store, a key was added automatically (to my surprise), but I have no idea what that key was.
4. Now I can export this certificate with a key (*.pfx) and am able to sign the data. However, the service provider reports an error ("signed by unknown certificate").

The question is: which key was used to create the CSR? Which key was merged? Where is the error in my steps?
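Added example, not from the original post: the equivalent of the provider's four OpenSSL steps done with certreq, where the private key is created explicitly in the Local Machine store and the issued certificate is then bound to that key. Subject, paths, the INF settings and the file name the provider returns (client.cer) are assumptions.

```powershell
# Added example (not from the original post): create the key and CSR explicitly with
# certreq, then bind the returned certificate to that key. Paths, subject and the
# returned file name client.cer are assumptions.
$dir = 'C:\pki'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$inf = @'
[NewRequest]
Subject = "CN=client.example.com, O=Example Ltd"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
; set Exportable = TRUE only if the key must later leave this machine as a PFX
Exportable = FALSE
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0
RequestType = PKCS10
'@
Set-Content -Path "$dir\client.inf" -Value $inf

# Steps 1 + 2: generate the key pair in the Local Machine store and the PKCS#10 CSR.
# Until the certificate comes back the pending key is visible under
# Cert:\LocalMachine\REQUEST (Certificate Enrollment Requests).
certreq -new "$dir\client.inf" "$dir\client.csr"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed: $LASTEXITCODE" }

# Step 3: once the provider returns client.cer, bind it to the key from step 1.
# certreq matches the certificate's public key against the pending requests, so a
# certificate issued for some other CSR is rejected rather than paired with a random key.
if (Test-Path "$dir\client.cer") {
    certreq -accept "$dir\client.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed: $LASTEXITCODE" }

    # Step 4 check: which key is the certificate bound to now?
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like 'CN=client.example.com*' -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    "{0}  provider={1}  key={2}  bits={3}" -f $cert.Thumbprint, $rsa.Key.Provider.Provider, $rsa.Key.UniqueName, $rsa.KeySize
}
```

A PFX exported afterwards contains exactly this key. Whether the remote party accepts a signature made with it depends on them trusting the certificate's issuer, which nothing in the key binding changes.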

File transfer. A technical solution for transferring files between two separate network zones.


Hi,

We need a secure way to have file transfer. A technical solution for transferring files between two separate network zones.

This might not be the right forum, but I hope someone can advise on anything or on how you do it in your environment.

We run an industrial system, so there are no office users. In this environment there is no internet, but you can connect with VPN for access. This system contains several smaller systems that several vendors have admin access to. So for example vendor A has local admin access on 10 Windows 2016 servers, and vendor B has the same on their system... all the systems are part of one domain.

One challenge is that the vendors often need to copy files over to update the systems. As of today the users just map their laptop drive when they do RDP, and copy the files over. We need to have more control over this, so we are looking for a system that can have the following possibilities...

- No public cloud filedrop since there is no internet connectivity

- Transfer files in a secure way

- Have the possibility to log, so we can see who, when and what has been uploaded

- OK to use 3rd-party tools

- Should also use the same tool inside the network, to copy files between machines, so no network mapping

Thanks for any answers.


/Regards Andreas

No Certification with CES\CEP


Hello Guys

I had CES and CEP installed on a server. I then changed the URL in the Application Settings. I then published the URL through the Web Application Gateway. From the client I can access the URL and log in. However, no certificate templates are displayed to me. What is the problem?

Access denied configuring ADCS Role Services


Hi, I am stepping through post deployment configuration on an enterprise issuing CA. 

After clicking "Next" on the Credentials page, I selected "Certification Authority" on the Role Services page and got the following error: ccertsrvsetup::InitializeDefaults:Access is denied. 0x80070005 (WIN32:5 ERROR_ACCESS_DENIED)

Lab Environment:

VMware VMs running Windows Server 2016

Two tier CA

HSM protecting the Root and Issuing CA private keys (KSP installed)

Please advise.

Thanks.


Separate Admin Account & Machine


I know it's best practice to separate your administrator account and your regular user account into two accounts. I also know it's best practice to separate your administrator computer from your regular computer. Question: is it OK if the administrator computer runs as a virtual machine on your regular computer? In other words, I would have my regular computer logged in with my regular (non-admin) account. When I need to do admin tasks, I would start my virtual admin computer on the same hardware as my regular physical computer. I would log into the virtual admin computer with my admin account, do my admin tasks, and then log off and shut off the virtual admin computer.

Is this approach OK, or does the virtual computer need to be hosted somewhere else besides my regular computer?

NDES trust relationship


Hello, I am going to configure an NDES server role within my domain.

I have an existing NPS server within the same domain.

My question is, will my NPS server automatically trust the EAP-TLS certificates issued by my new NDES server ?

If not, what do I have to do to ensure trust ?

Thank you kindly.

Extracting Certs from Server Cert Store?


Like how there's a way to extract certs from the root cert store, isn't there also a way to extract certs from the server cert store?  In my current situation I'm hard-coding the certificate into the ASIO SSL context for my app, but I want to know how to get them from the store in a loop.  I installed a new certificate just now and I want to use it, but I want to avoid having to hard-code it again if possible.

Also, if I do this, will I still have to hard-code the RSA Private Key?  There doesn't seem to be a way to install it anywhere after all.

Please note: this is not meant to be a question about Boost.  I want to know how to extract certs from a server cert store on Windows, so I think it's better to ask on a Windows forum.  


ADCS: Trouble backing up CA DB from command prompt


I'm attempting to take a full backup of the CA database from command line, and having no luck:

>certutil -backupdb c:\temp\cabackup
Full database backup for CAServer.contoso.com\Contoso Infrastructure Authority
Not a valid backup target directory: c:\temp\cabackup.
CertUtil: -backupDB command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.

Here's my situation:

- Role separation is enabled.
- I am running a console window as the CA Backup account.
- The CA Backup account has permissions to back up the CA.
- The CA Backup account has full permissions on the folder I'm specifying for the backup to be written
- I've tried pre-creating the "backup061719" subfolder
- I confirmed I can write to the directory as the CA Backup account by running break > c:\temp\cabackup\test.txt

I'm completely out of ideas. Any suggestions?
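Added example, not from the original post: a CA database backup into a fresh, empty, timestamped directory from an elevated console, with the backup privilege and the certutil exit code checked. certutil -backupdb requires the target directory to be empty or not yet exist, and the token needs SeBackupPrivilege, which UAC strips from a non-elevated console. With role separation enforced the account must also hold exactly one CA role: an account that is a CA administrator, certificate manager or auditor as well as backup operator is denied. The path is an assumption.

```powershell
# Added example (not from the original post): CA database backup into an empty,
# timestamped directory, with privilege and exit-code checks. Path is an assumption.
$root   = 'C:\temp\cabackup'
$target = Join-Path $root ('backup' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# SeBackupPrivilege must be in the token (Administrators and Backup Operators hold it)
# and the console must be elevated, otherwise UAC has filtered it out.
$privs = whoami /priv
if (-not ($privs | Select-String 'SeBackupPrivilege')) {
    throw 'token lacks SeBackupPrivilege; run an elevated console as a backup-capable account'
}

# -backupdb refuses a directory that already contains files, so always use a new one.
if (Test-Path $target) { throw "$target already exists; -backupdb wants an empty or non-existent directory" }
New-Item -ItemType Directory -Path $target | Out-Null

# Database and transaction logs land in <target>\DataBase. The CA key and certificate
# are a separate step (certutil -backupkey) because that needs a PFX password and
# the right to export the key.
certutil -backupdb $target
if ($LASTEXITCODE -ne 0) { throw ("certutil -backupdb failed: 0x{0:x8}" -f $LASTEXITCODE) }

# Sanity check on what was written
$edb  = Get-ChildItem "$target\DataBase" -Filter *.edb
$logs = Get-ChildItem "$target\DataBase" -Filter *.log
if (-not $edb -or -not $logs) { throw 'backup directory is missing the .edb or the log files' }
"backup ok: {0} ({1:n0} bytes), {2} log file(s)" -f $edb.Name, $edb.Length, @($logs).Count
```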

Unencrypted Remote Authentication Available - RPC


Hi,

I have run a vulnerability scan and one outcome is this. I have done some investigating but have not come up with any solution. What to do?

This RPC service allows cleartext or very weak authentication protocols without any encryption encapsulating login sessions.


RPC can be secured by wrapping the service in SSL. If you do not need this service to be running, however, disable/filter access to it.

Any suggestions how to handle this?


Zorky HPC

Renaming the domain Administrator account in Active Directory


Hi Technet,

I've been searching and reading up on renaming the Administrator account. We want to rename the domain Administrator account. I'm not talking about the local admin account on member servers and domain-joined workstations at this time.

I've seen some references to renaming the domain Administrator account via GPO and some references to just renaming it in Active Directory Users and Computers.

What is the correct way to go about it?

Thanks.
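Added example, not from the original post: rename the built-in domain Administrator account after finding it by its well-known RID (500) rather than by name, then confirm through the SID that the real account was renamed. It needs the ActiveDirectory module and Domain Admin rights; the new name is an assumption.

```powershell
# Added example (not from the original post): locate the domain Administrator by
# RID 500, rename it, verify. New name is an assumption.
Import-Module ActiveDirectory

$newName  = 'corp-brk-admin'
$domain   = Get-ADDomain
$adminSid = "$($domain.DomainSID)-500"     # RID 500 never changes, whatever the display name

$admin = Get-ADUser -Identity $adminSid -Properties SamAccountName, UserPrincipalName
"before: sAMAccountName={0} dn={1}" -f $admin.SamAccountName, $admin.DistinguishedName

# logon name and UPN
Set-ADUser -Identity $admin -SamAccountName $newName -UserPrincipalName "$newName@$($domain.DNSRoot)"
# object name (the CN shown in Active Directory Users and Computers)
Rename-ADObject -Identity $admin.DistinguishedName -NewName $newName

# verify through the SID again: same object, new names
$after = Get-ADUser -Identity $adminSid
if ($after.SamAccountName -ne $newName) { throw 'rename did not apply' }
"after:  sAMAccountName={0} dn={1}" -f $after.SamAccountName, $after.DistinguishedName
```

Renaming the object in AD, as above, is what changes the domain account. The security option "Accounts: Rename administrator account" renames the Administrator account of whichever computers the GPO applies to. Either way, anything that references the account by name (scripts, scheduled tasks, service logons, monitoring) breaks, which is why lookups by RID 500 are the robust way to find it afterwards.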

Trusted Root CA Certificate purposes are being changed on their own


Hi everyone!

I have a Windows 2012 Server where a Trusted Root CA certificate property is being changed on its own every day.

The Brazilian Root CA has been installed and all purposes were set. The certificate purpose is being changed every day to "Enable only the following purposes", as you can see in the image below.

There is no policy set. The server has Symantec Endpoint Protection. I don't know why those settings are being changed every day.

I've tried to search, but there is little information about this issue...

Any ideas?

Thanks!

Install Enterprise CA option is greyed out


I'm having issues with the "enterprise CA" option being grayed out during installation of the ADCS role for a 2008 R1 Enterprise Edition server (for a new Ent. Sub. CA).  The account I was using had Enterprise Admin rights in the root domain and Domain Admin rights for the child domain that the CA will be installed into (I don't need root domain admin since I have enterprise admin, right?).  The server is already joined to the domain.  I verified Enterprise Admins have full control for Public Key Policy container and all child containers.  I have not tried to re-create this as another CA (2003) is online within the same domain/forest - I would prefer not having to do this if at all possible.  I tried moving the capolicy.inf out of windir in case it was getting in the way.  I believe I have the firewall cleaned up - is there an official resource that documents how to configure the firewall for just the CA?  I'm not installing web services or anything else - this is a dedicated box.

Thanks in advance...

AutoEnrollment for certs with manually supplied SANs


We're trying to implement a solution that would allow us to have a separate cert for each website on an IIS server.  The initial cert request for each website will require a CA manager's approval and renewals will happen automatically without user input.

To do this we created a new version 4 template called WebServerAutoRenew base off of the WebServer template with the following relevant options.

Subject Name tab:

        Supply in the request.

                Use subject information from existing certificates for autoenrollment renewal requests.

Issuance Requirements tab:

        Require the following for enrollment:

                CA certificate manager approval.

        Require the following for reenrollment:

                Valid existing certificate

Compatibility tab:

        Compatibility Settings

                Certification Authority: Windows Server 2012 R2

                Certificate recipient: Windows 8 / Windows Server 2012

Security tab:

        Allow ServerA Read, Enroll and Autoenroll

 

 

The server ServerA is domain joined and has AutoEnrollment enabled via GPO. From our testing auto-renewal works fine with just 1 cert, but when there are 2 or more certs only the cert with the latest expiration date gets auto-renewed via Autoenrollment.

ServerA and the CA are Windows Server 2012 R2.

For example:

1. ServerA requests a cert for websiteA using the WebServerAutoRenew template

2. CA manager approves the request for websiteA on the CA

3. GPO refreshes on ServerA and the cert for websiteA gets installed

4. ServerA requests a cert for websiteB using the WebServerAutoRenew template

5. CA manager approves the request for websiteB on the CA

6. GPO refreshes on ServerA and the cert for websiteB gets installed

 

At this point both certs are in ServerA's personal cert store. Now when we get to within the renewal period and GPO refreshes and kicks off Autoenrollment, we only see the renewal request for the websiteB cert, and events in the "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" log state that the new websiteB cert replaced the websiteA and old websiteB certs.

 

Does anyone know if there is a way we can have both the websiteA and websiteB certs renew? Are we missing some configuration options?

 

It seems to us when using the same cert template, autoenrollment will only renew the latest issued cert.

TIA
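Added example, not from the original post: enrolling one per-site certificate with a manually supplied SAN against a "Supply in the request" template through certreq, then triggering autoenrollment on demand and reading the Lifecycle log, so you can see exactly which certificate the client chose to renew and which it archived. The template name WebServerAutoRenew is taken from the post; the CA config string, site name and paths are assumptions.

```powershell
# Added example (not from the original post): per-site cert with a supplied SAN via
# certreq, then an on-demand autoenrollment pulse and the Lifecycle events.
# CA config string, site name and paths are assumptions.
$site     = 'websiteA.example.com'
$caConfig = 'ca01.example.com\Example Issuing CA'
$dir      = 'C:\pki'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$inf = @"
[NewRequest]
Subject = "CN=$site"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServerAutoRenew
[Extensions]
; subjectAltName; additional DNS names are separated with &
2.5.29.17 = "{text}dns=$site&dns=www.$site"
"@
Set-Content -Path "$dir\$site.inf" -Value $inf

certreq -new "$dir\$site.inf" "$dir\$site.req"
# With "CA certificate manager approval" on the template this comes back pending;
# certreq prints the RequestId that the manager needs for the approval.
certreq -submit -config $caConfig "$dir\$site.req" "$dir\$site.cer"
# once approved:  certreq -retrieve -config $caConfig <RequestId> "$dir\$site.cer"
#                 certreq -accept "$dir\$site.cer"

# Certificates from this template currently in the machine store, oldest expiry first.
$tmplOid = '1.3.6.1.4.1.311.21.7'   # v2 certificate template information extension
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    ($_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid } |
        ForEach-Object { $_.Format($false) }) -like '*WebServerAutoRenew*'
} | Sort-Object NotAfter | Select-Object Subject, NotAfter, Thumbprint

# Fire autoenrollment now instead of waiting for the GPO refresh, then read the
# Lifecycle log: the "replaced" events name the thumbprints that were superseded.
certutil -pulse
Start-Sleep -Seconds 15
Get-WinEvent -LogName 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```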

Unexpected DeltaCRL Location Seen


I installed the Root and Issuing CA, only specifying http locations for the CRLs. However, when I look at the Issuing CA, I see that it published a DeltaCRL Location #1 to LDAP. I did not expect this as I was trying to only have http locations. Below is the script I used for Issuing CA Post installation. Is this normal or do I need to specify something else in the config file below?

::Issuing CA Post Installation Script
 
::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 2
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
 
::Apply the required CDP Extension URLs
::  flag 65 = 1 (publish base CRL to this location) + 64 (publish delta CRL to this location)
::  flag  6 = 2 (include in CDP extension of issued certs) + 4 (include in Freshest CRL extension)
::  %%3 = sanitized CA name, %%8 = CRL name suffix, %%9 = "+" for delta CRLs
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://pki.domain.com/CertEnroll/%%3%%8%%9.crl"
 
::Apply the required AIA Extension URLs
::  flag 1 = publish CA cert to this location, 2 = include in AIA extension of issued certs, 32 = include as OCSP URL in AIA
::  %%1 = server DNS name, %%3 = sanitized CA name, %%4 = certificate name suffix
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.domain.com/CertEnroll/%%1_%%3%%4.crt\n32:http://ocsp.domain.com/ocsp"
 
::Enable all auditing events for the Issuing CA
certutil -setreg CA\AuditFilter 127
 
::Set Maximum Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
 
::Restart Certificate Services
net stop certsvc & net start certsvc


MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003
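Added example, not part of the original post: decode the issuing CA's configured CRL publication URLs and their flag bits straight from the CA's registry, then remove any LDAP location with the ADCSAdministration cmdlets. certutil -setreg replaces the whole multi-string value, so after the post's script only the file and http entries should show up here. It assumes it runs on the CA and that the ADCSAdministration module (Windows Server 2012 and later) is available for the removal step.

```powershell
# Added example (not part of the original post): list CRL publication URLs with
# decoded flags, remove ldap:// entries, re-issue the CRLs. Runs on the CA.
$flagNames = [ordered]@{
    1   = 'PublishToServer'       # CA writes the base CRL to this location
    2   = 'AddToCertificateCdp'   # URL goes into the CDP extension of issued certs
    4   = 'AddToFreshestCrl'      # URL goes into the Freshest CRL (delta) extension
    8   = 'AddToCrlCdp'           # URL goes into the CDP extension of CRLs
    64  = 'PublishDeltaToServer'  # CA writes the delta CRL to this location
    128 = 'AddToCrlIdp'           # URL goes into the IDP extension of CRLs
}

function Get-CdpConfig {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $ca  = (Get-ItemProperty $cfg).Active
    foreach ($entry in (Get-ItemProperty "$cfg\$ca").CRLPublicationURLs) {
        $num, $url = $entry -split ':', 2          # "65:C:\...\x.crl" -> 65 and C:\...\x.crl
        $bits = [int]$num
        $set  = foreach ($k in $flagNames.Keys) { if ($bits -band $k) { $flagNames[$k] } }
        [pscustomobject]@{ Flags = $bits; Url = $url; Meaning = ($set -join ', ') }
    }
}

Get-CdpConfig | Format-Table -AutoSize

# Remove every ldap:// location (this stops both base and delta publication to AD),
# then restart the service and re-issue the CRLs so the change is live.
Import-Module ADCSAdministration
$ldap = Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'ldap://*' }
foreach ($cdp in $ldap) {
    Remove-CACrlDistributionPoint -Uri $cdp.Uri -Force
    "removed $($cdp.Uri)"
}
if ($ldap) {
    Restart-Service certsvc
    certutil -CRL
}
Get-CdpConfig | Format-Table -AutoSize
```

Against the post's script the decoder prints 65 as PublishToServer, PublishDeltaToServer for the CertEnroll file path and 6 as AddToCertificateCdp, AddToFreshestCrl for the http URL, which is the intended split: the CA writes base and delta files locally, and only the http URL is stamped into certificates and into the Freshest CRL pointer.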


WS2016 - Windows Defender service won't start - 0x80070003


Hello.

I have a WS2016 server where I cannot start the defender service. I found out about the issue when Windows Update couldn't install Defender updates/signatures (but other WU work fine).

When i attempt to start the WinDefend service manually, it returns "Error 0x80070003: The system cannot find the path specified".

In the event log (Microsoft-Windows-Windows Defender/WHC) there are two events signalling the attempted service start:

"Windows Defender state updated to 10." and "Windows Defender state updated to 2." (in the same second).

Microsoft-Windows-Windows Defender/Operational has this error logged (in the same second of the attempted service start):

Windows Defender Real-Time Protection feature has encountered an error and failed.
 Feature: On Access
 Error Code: 0x8007007e
 Error description: The specified module could not be found. 
 Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.

I have tried:

 - installing latest WU

 - sfc /scannow - no problems/corruptions found

 - dism /online /cleanup-image /restorehealth - no problems found

 - removing the Defender feature, rebooting, (deleting the C:\ProgramData\Microsoft\Windows Defender folder), reinstalling (Install-WindowsFeature -Name Windows-Defender-Features -IncludeAllSubFeature)

None of the above helped.

Any ideas (other than reinstall/refresh/reset Windows) are welcome.

Windows Defender in Server 2016 slowed sequential writes to a crawl


We have an application which automates Excel with data from our application reports. To speed things up when the volume of the report is relatively high, we write a sequential CSV file and then import it into the spreadsheet.

This file write process takes a few seconds on Windows Server 2012R2 - but when we upgraded to Server 2016 it was running over 5 minutes and slowed to a crawl.

On a guess we disabled Windows Defender on both Windows Server Standard 2016 systems - and the speed returned to a few seconds.

What is going on here? I wouldn't expect the AV to slow things down by a factor of 100 or more.



Glenn Barber

New Certificate Template to issue Cannot find certificate template.


I have created a new certificate template.

But I cannot find it under Enable Certificate Templates.

The certificate template Compatibility Settings are Windows Server 2012 R2 and Windows 7/Server 2008 R2.

What should I do?

Change Event log path location, empty folder


I'm trying to change the event log location for my servers. I made the change in the GPO and I can see the policy is applied, and in the event log properties the location is changed to the new location, but the folder is empty!




SE.Mohammed

New template options


In the process of renewing some internal certs for some web servers I noticed that the current template we utilize is using the Legacy cryptographic service provider and a 1024-bit key size. Can I create a new template and select the newer KSP and a key size of 2048?

Also what is the process for these certs to get automatically renewed? 

Our Root CA is using the Microsoft Software KSP and SHA256.
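Added example, not from the original post: an inventory of the certificates with private keys in the machine store that flags RSA keys below 2048 bits or keys held by a legacy CSP rather than a CNG key storage provider, with the template each certificate came from, so the servers still on the old template can be found before the new one is rolled out. Store path and minimum key size are parameters with assumed defaults.

```powershell
# Added example (not from the original post): flag machine certs with RSA keys under
# 2048 bits or held by a legacy CSP instead of a CNG KSP, and show their template.
function Get-WeakMachineCerts {
    param([string]$Store = 'Cert:\LocalMachine\My', [int]$MinBits = 2048)
    foreach ($cert in Get-ChildItem $Store | Where-Object HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }    # e.g. no read access to the key container
        if (-not $rsa) { continue } # ECDSA or inaccessible keys are not rated here

        # RSACng means a CNG key storage provider; RSACryptoServiceProvider means a legacy CSP
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider; $isKsp = $true
        } else {
            $provider = $rsa.CspKeyContainerInfo.ProviderName; $isKsp = $false
        }

        # template name from the v2 (21.7) or v1 (20.2) template extension, when present
        $tmplExt = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            Select-Object -First 1
        $template = if ($tmplExt) { $tmplExt.Format($false) } else { '' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyBits    = $rsa.KeySize
            Provider   = $provider
            Template   = $template
            Weak       = ($rsa.KeySize -lt $MinBits) -or (-not $isKsp)
        }
    }
}

Get-WeakMachineCerts | Sort-Object Weak -Descending | Format-Table -AutoSize
```

Certificates already issued keep their old key and provider until they are re-enrolled. To move the web servers over, publish the new template, give them Read, Enroll and Autoenroll on it, and list the old template under Superseded Templates on the new one so that autoenrollment replaces the existing certificates rather than renewing them on the old settings.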
