Questions tagged as ['certificate-authority']
Unable to set up the thumbprint because once I configure it to Validation only, the client machine gets an error. Here are sample screenshots of my Connection Security Rule setup.
[screenshot: Selection Setup]
[screenshot: Validation Setup]
The client certificate I made is my reference thumbprint because I want to ensure that the client certificate should be in pfx format with ...
When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at:
CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
When I view it in the ADSI editor, the modified ACL entries are not inherited, but dire ...

I have a domain called one.local. It already has its own Windows Root CA and SubCA.
There is a second domain called two.local that is using SCCM. The team that is managing two.local wants to manage select machines located on one.local using SCCM. Two.local has its own Root CA and SubCA. The two.local team is requesting I build a new SubCA on one.local so that they can manage the machines with S ...
In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited.
The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.
If I open a certificate I create - select ...
I need a CA signed ECDSA certificate for testing purposes.
I am able to generate an ECDSA certificate and key but I have never signed one.
I use OpenSSL in a Windows environment to generate certificates.
Is there any way to generate a free CA signed ECDSA certificate?
If not, can someone provide the steps (openssl) to sign my generated certificates?
In AD Certificate Templates the templates have an option to build from AD information and includes Email, DNS, UPN, etc.
When creating a CSR using PowerShell, OpenSSL and the certificate MMC snap-in, I know it's possible to add additional attributes like State, City, Organization, Organizational Unit, Locality and others. Is it possible to have this type of information pulled from AD so when servers are set ...
I'm using AWS and I have requested an ACM certificate. I used DNS validation to make it a valid cert. Now I've attached it to a private ALB.
The URL is private.
When I connect with my VPN, I can perform the following command:
curl -vvI https://mystuff.domain.cloud 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
Output:
..* SSL certificate verify ok.
.. ...
I have a Hyper-V lab with a few VMs. I'm trying to renew the expired server certificate for one of my virtual machines, which is running Windows Server 2019 (version 1809). I'm trying to renew the certificate from IIS:
The certificate authority resides on a domain controller which is running Windows Server 2016 (version 1607). When I go through the certificate renewal wizard via IIS Manager it gives the error below:

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via a MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web browser (on Android) that requires a client certificate.
We are installing a separate Windows Server 2019 instance with the Microsoft OCSP Responder rol ...

The root certificate of the DFN-PKI "T-TeleSec GlobalRoot Class 2" is not activated in the Windows certificate store for the certificate purpose "code signing".
I can activate it with certmgr.msc in [Trusted Root Certification Authorities] > [Certificates] > RMB on "T-TeleSec GlobalRoot Class 2" > [Select role code-signing].
I have some 50+ PCs where this setting is required.
In Group Pol ...
Amongst a bunch of servers, I have a Windows 2003 server, domain controller, Enterprise CA installed, and I cannot start the CA service, because "a required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file". Backing up the CA and checking issued certificates from the console does not work.
I have Windows 2012R2 server, domain controll ...

I have a VPN setup using RRAS/SSTP to authenticate clients. However, some of the clients are connecting via personal computers which are not joined to the domain. Initial setup was done by manually remoting in to every client via TeamViewer and installing the necessary certificates. However, now the client cert is expiring and I'd like to find a way to streamline the renewal process so that I don't have ...

When using a commercial Certificate Authority, generating a csr for the common name www.mysite.com and sending it to them will result in a certificate being issued that works for both www.mysite.com and mysite.com.
The signing request is a single name request - just www.mysite.com, so nothing special happens at the csr level:
openssl genrsa -des3 -out mysite.com.key 4096
openssl req -new -key mysite ...
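The two OpenSSL questions above (signing an ECDSA certificate with a CA of your own, and where the bare-domain name on a commercial certificate actually comes from) share one answer: the CA, not the CSR, decides which names go into the certificate. The script below is an added example, not code from either post: it builds a throw-away ECDSA CA, creates a CSR whose SAN lists both www.mysite.com and mysite.com, has the CA read that SAN back out of the CSR and sign it, then verifies the result the way a TLS client would. The CA name, the mysite.com names and the scratch directory are hypothetical; it needs only the openssl command line (1.0.2 or newer; private keys are written unencrypted, which is fine for a test CA and wrong for a real one).

```shell
#!/bin/sh
# Added example: a disposable OpenSSL CA that signs an ECDSA server certificate
# for www.mysite.com with a SAN that also covers the bare domain.
# "Example Test CA" and "mysite.com" are hypothetical names.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSR and certs

# 1. The CA: a P-256 key and a self-signed root with CA:TRUE. A private
#    config file is used instead of the system openssl.cnf so the result is
#    the same on every OpenSSL version.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -key "$WORK/ca.key" -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.pem"
}

# 2. The leaf key (also ECDSA P-256) and a CSR whose SAN lists both names.
#    The CN stays www.mysite.com as in the original request; modern clients
#    ignore the CN and match only the SAN.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/mysite.com.key"
  cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[ dn ]
CN = www.mysite.com
[ req_ext ]
subjectAltName = DNS:www.mysite.com, DNS:mysite.com
EOF
  openssl req -new -key "$WORK/mysite.com.key" -sha256 \
    -config "$WORK/leaf.cnf" -out "$WORK/mysite.com.csr"
}

# 3. Signing. "openssl x509 -req" discards the CSR's requested extensions, so
#    the CA reads the SAN out of the CSR and restates it, with end-entity
#    constraints, in its own extension file. This is the step where a
#    commercial CA chooses to add the bare domain for you.
sign_csr() {
  san=$(openssl req -in "$WORK/mysite.com.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  [ -n "$san" ] || san="DNS:www.mysite.com"   # CSR carried no SAN: fall back to the CN
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -in "$WORK/mysite.com.csr" -days 365 -sha256 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/mysite.com.crt"
}

build_all() { make_ca; make_csr; sign_csr; }

# Chain validation plus hostname matching, which is what a TLS client checks.
verify_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/mysite.com.crt" >/dev/null 2>&1
}

# Prints the leaf's public key algorithm ("id-ecPublicKey" for an ECDSA key).
leaf_key_algorithm() {
  openssl x509 -in "$WORK/mysite.com.crt" -noout -text \
    | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

build_all
echo "leaf key algorithm: $(leaf_key_algorithm)"
for name in www.mysite.com mysite.com other.example; do
  if verify_host "$name"; then echo "ok:   $name"; else echo "fail: $name"; fi
done
```

The same three commands work for an RSA CSR; only the key generation line changes. To have the CA take the SAN straight from the CSR without the grep step, OpenSSL 3.x adds `-copy_extensions copy` to `openssl x509 -req`, but a real CA should still inspect and approve each requested name rather than copy it blindly.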
I'm upgrading my Apache web server and wondering if I even need to declare a CA file in the vhost config?
My vhost setup is
SSLEngine on
SSLCertificateFile /home/user/ssl/${SITE}-cert.pem
SSLCertificateKeyFile /home/user/ssl/${SITE}-key.pem
SSLCertificateChainFile /home/user/ssl/${SITE}-ca.pem
#SSLCACertificateFile /home/user/ssl/${SITE}-ca.pem
By default Apache ships with just the SSLCertificateFi ...
I have configured computer authentication for WiFi connections to the company network, using the Microsoft NPS server, group policy certificate auto-enrollment and group policy WiFi config. It has been working just fine for several years.
Recently my laptop started showing this prompt upon each reboot/reconnect: "Continue connecting? If you expect to find X in this location, go ahead and connect"
So I checked t ...

I have a parent domain and 2 child domains of that parent. All servers are Windows Server 2019. I am working on deploying security software and I need to obtain a valid certificate from the Certificate Authority. The Certificate Authority is on a server on the Parent Domain.
When I go to obtain a computer certificate on a Child Domain machine the computer shows no templates or locations to pull t ...

I'm slowly transitioning from an exclusive developer role and into more of a hybrid DevOps role at my company. Which means I'm new to a lot of this, please go easy on me... :-p
My client's server is running Ubuntu 16.04, with PHP 5.6.4 and there is a function in their site's administrative portal that runs a curl command (essentially) back to itself for some sort of file syncing. And it's been failing ...
I have Active Directory Certificate Services installed on a Windows 2016 domain controller. We plan on spinning up Windows 2019 instances to replace our 2016 domain controllers. We have one DC with ADCS services installed, specifically it has the certificate authority role and is set as an Enterprise CA (not stand-alone).
What is the best process for migrating the AD CS services to this new 2019 s ...

I can find what all the other abbreviations mean like PEM and CSR as is mentioned here:
but what does CRT stand for?

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):
- Kerberos Authentication
- Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
- Domain Controller (we know this is sup ...

Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA?
Our current setup in /etc/raddb/mods-enabled/eap looks a bit like that:
...
tls-config tls-common {
certificate_file = ${certdir}/server.pem # certificate only from CA ONE
ca_file = ${cadir}/ca.pem # comp ...

I am tasked to research how to use the AWS Client VPN service. After some reading I am a bit confused about the choice of certificate. It seems that to use the Client VPN, we will need to use an AWS private CA instead of a public CA, because the public one is for domains. But the pricing of the private CA is somewhat of a surprise: $400 for one CA per month plus any additional applicable charges.
Please correct me if it's not priva ...
A few servers are getting picked up by security scans with the following message:
The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local
The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop c ...

I have a Windows 2008 Enterprise ADCS server with web enrollment. I want to know/configure how long issued certificates last on the page before a user has to submit another request.
While researching this question, this seems to be different from certdat.inc's "nPendingTimoutDays" since this controls pending requests, not already issued certificates.
I created a (self-signed) root certificate and signed a web server certificate using a system I developed in Java (the web certificate is used in Apache 2.4.41).
The certificates work without issues in Linux and Mac (tested in different WebKit browsers and Firefox). The certificate and the server setup score A+ using testssl.sh.
The CA certificate is correctly installed without any warning, but n ...
The reason it is failing is because I used a Microsoft example as the policy.inf file. I edited the file to match my data but I left in the line: AlternateSignatureAlgorithm=1
How do I fix this without rebuilding a whole new ca?
The root ca cert has to be re-issued based off of a new capolicy.inf file and then all of the certs that are based off of the old root cert need to be re-issued.
I have cha ...

Similar questions: https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl
The link above presents an answer but it is far too complicated for me.
Below is an example that would work if our CA public and private key are in the same directory, on a Linux machine. Let's assume our .cnf is set up correctly and the CA has been created. These commands do not work, but close enou ...
I know HTTPS is based on the Certificate Authority (CA). If a client tries to send a request to a server (Assuming there is a Certificate), is it possible that a middleman can take the certificate from client and get the public key from the CA? At the same time, the middleman gives a fake Certificate to the Client and when the client sends a Certificate to CA, the middleman again intercepts it and give ...

On-prem mailbox servers are on Exchange 2013 and edge servers are in the DMZ. Can someone please share the steps to renew a third-party cert on the edge servers? I am unable to find an MS article. Please help.

We've developed our own implementation of an XCEP/CES WCF service that uses a combination of our certificate management solution and the Microsoft CA to issue the certificates. The standard XCEP XML definition is used (same as the standard Microsoft XCEP/CES WCF service). We use the same WSDL for the WCF service. This works fine for CEP and CES.
Now, we extended the software to use a different Cer ...