Questions tagged as ['certificate-authority']

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates.
Score: 0
Traveling Merchant avatar
Windows Firewall Connection Security Rule setup certificate authentication using thumbprint

Unable to set up thumbprint because once I configure to Validation only, the client machine gets an error. Here are the sample screenshots of my Connection Security Rule setup.

  1. Selection Setup

  2. Validation Setup

The client certificate I made is my reference thumbprint because I want to ensure that the client certificate should be in pfx format with ...

Score: 0
stackprotector avatar
How can I set the ACL of a CA programmatically?

When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at:

CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

When I view it in the ADSI editor, the modified ACL entries are not inherited, but dire ...

Score: 0
Would SCCM require a second SubCA when using HTTPS with 2 domains?

I have a domain called one.local. It already has its own Windows Root CA and SubCA.

There is a second domain called two.local that is using SCCM. The team that is managing two.local wants to manage select machines located on one.local using SCCM. Two.local has its own Root CA and SubCA. The two.local team is requesting I build a new SubCA on one.local so that they can manage the machines with S ...

Score: 0
jrd1989 avatar
Domain Member Servers - Accessing Certificate Revocation List (CRL)

In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited.

The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.

If I open a certificate I create - select ...

Score: 0
Amal Jesudas avatar
Generate CA signed ECDSA certificate

I need a CA signed ECDSA certificate for testing purposes.
I am able to generate an ECDSA certificate and key but I have never signed one.
I use OpenSSL in a Windows environment to generate certificates.
Is there any way to generate a free CA signed ECDSA certificate?
If not, can someone provide the steps (openssl) to sign my generated certificates?

Score: 0
jrd1989 avatar
Windows Certificate Authority - Adding Additional Attributes

In AD Certificate Templates the templates have an option to build from AD information and includes Email, DNS, UPN, etc.

When creating a CSR using PowerShell, OpenSSL and the certificate MMC snap-in I know it's possible to add additional attributes like State, City, Organization, Organization Unit, Locality and others. Is it possible to have this type of information pulled from AD so when servers are set ...

Score: 0
DenCowboy avatar
NET::ERR_CERT_AUTHORITY_INVALID error in Chrome but not in Firefox

I'm using AWS and I have requested an ACM certificate. I used DNS validation to make it a valid cert. Now I've attached it to a private ALB.

The URL is private.

When I connect with my VPN, I can perform the following command:

curl -vvI 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'


..*  SSL certificate verify ok.
.. ...

Score: 0
RBT avatar
The certificate request was submitted to the online authority, but was not issued. The request was denied

I have a Hyper-V lab with a few VMs. I'm trying to renew an expired server certificate for one of my virtual machines which is running Windows Server 2019 (version 1809). I'm trying to renew the certificate from IIS:

The certificate authority resides on a domain controller which is running Windows Server 2016 (version 1607). When I go through the certificate renewal wizard via IIS Manager it gives the error below:

Score: 0
How does OCSP handle deleted certificates?

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via an MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web browser (on Android) that requires a client certificate.

We are installing a separate Windows Server 2019 instance with the Microsoft OCSP Responder rol ...

Score: 2
GPO to add a purpose to root certificate

The root certificate of the DFN-PKI "T-TeleSec GlobalRoot Class 2" is not activated in the Windows certificate store for the certificate purpose "code signing".

I can activate it with certmgr.msc in [Trusted Root Certificates Authorities] > [Certificates] > RMB on "T-TeleSec GlobalRoot Class 2" > [Select role code-signing].

I have some 50+ PCs where this setting is required. In Group Pol ...

Score: 0
Odysseus avatar
Non-working Windows server 2003 Enterprise CA removal

Amongst a bunch of servers, I have a Windows 2003 server (domain controller, Enterprise CA installed) that cannot start the CA service, because "a required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file". Backing up the CA and checking issued certificates from the console do not work.

I have Windows 2012R2 server, domain controll ...

Score: 0
Renewing domain CA SSL/SSTP Certificate from non-domain Clients

I have a VPN setup using RRAS/SSTP to authenticate clients. However, some of the clients are connecting via personal computers which are not joined to the domain. Initial setup was done by manually remoting in to every client via TeamViewer and installing the necessary certificates. However, now the client cert is expiring and I'd like to find a way to streamline the renewal process so that I don't have ...

Score: 1
How do I sign my own SSL certificates so that they cover www and non-www domain names?

When using a commercial Certificate Authority, generating a csr for the common name and sending it to them will result in a certificate being issued that works for both and

The signing request is a single name request- just, so nothing special happens at the csr level:

openssl genrsa -des3 -out 4096

openssl req -new -key mysite ...

Score: 0
Jeff avatar
Is it necessary to include a CA file reference in my Apache vhost config block?

I'm upgrading my Apache web server and wondering if I even need to declare a CA file in the vhost config?

My vhost setup is

SSLEngine on
SSLCertificateFile /home/user/ssl/${SITE}-cert.pem
SSLCertificateKeyFile /home/user/ssl/${SITE}-key.pem
SSLCertificateChainFile /home/user/ssl/${SITE}-ca.pem
#SSLCACertificateFile /home/user/ssl/${SITE}-ca.pem

By default Apache ships with just the SSLCertificateFi ...

Score: 0
Jasper avatar
Laptop asking for "action needed" on NPS Computer auth WiFi connect, despite valid Server Thumbprint

I have configured computer authentication on WiFi connect to the company network, using the Microsoft NPS server, Group Policy certificate auto-enrollment and Group Policy WiFi config. It has been working just fine for several years.

Recently my laptop started showing this prompt upon each reboot/reconnect: "Continue connecting? If you expect to find X in this location, go ahead and connect"

So I checked t ...

Score: 0
Parent Domain Certificate Authority For Child Domains

I have a parent domain and 2 child domains of that parent. All servers are Windows Server 2019. I am working on deploying security software and I need to obtain a valid certificate from the Certificate Authority. The Certificate Authority is on a server on the Parent Domain.

When I go to obtain a computer certificate on a Child Domain machine the computer shows no templates or locations to pull t ...

Score: 0
curl: (60) server certificate verification failed CRLfile: none

I'm slowly transitioning from an exclusive developer role and into more of a hybrid DevOps role at my company. Which means I'm new to a lot of this, please go easy on me... :-p

My client's server is running Ubuntu 16.04, with PHP 5.6.4 and there is a function in their site's administrative portal that runs a curl command (essentially) back to itself for some sort of file syncing. And it's been failing ...

Score: 0
jrd1989 avatar
How to Properly Migrate Active Directory Certificate Services

I have Active Directory Certificate Services installed on a Windows 2016 domain controller. We plan on spinning up Windows 2019 instances to replace our 2016 domain controllers. We have one DC with ADCS services installed, specifically it has the certificate authority role and is set as an Enterprise CA (not stand-alone).

What is the best process for migrating the AD CS services to this new 2019 s ...

Score: 1
What does the "crt" abbreviation mean in certificates?

I can find what all the other abbreviations mean like PEM and CSR as is mentioned here:

but what does CRT stand for?

Score: 3
Domain Controller autoenrollment - changing issuing CA

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):

  • Kerberos Authentication
  • Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
  • Domain Controller (we know this is sup ...

Score: 0
FreeRadius with mixed CAs

Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA?

Our current setup in /etc/raddb/mods-enabled/eap looks a bit like that:

tls-config tls-common {
  certificate_file = ${certdir}/server.pem  # certificate only from CA ONE
  ca_file = ${cadir}/ca.pem                 # comp ...

Score: 0
aws client vpn - choice of certificate authority

I am tasked with researching how to use the AWS Client VPN service. After some reading I am a bit confused by the choice of certificate. It seems that to use the client VPN, we will need to use the AWS private CA instead of a public CA, because the public one is for domains. But the pricing of the private CA is somewhat of a surprise: $400 for one CA per month plus any additional applicable.

Please correct me if it's not priva ...

Score: 1
jrd1989 avatar
Replace Self Signed RDP Cert with CA Signed Cert

A few servers are getting picked up by security scans with the following message:

The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority. | Subject : CN=serverabc.local | Issuer : CN=serverabc.local

The port referenced in the scan is port 3389 (RDP). The default RDP certs on each server (in the Remote Desktop c ...

Score: 0
How long are certificates available in ADCS Web Enrollment page after issued

I have a Windows 2008 Enterprise ADCS server with web enrollment. I want to know/configure how long issued certificates last on the page before a user has to submit another request.

While researching this question, this seems to be different from's "nPendingTimoutDays" since this controls pending requests, not already issued certificates.

Score: 1
lepe avatar
NET::ERR_CERT_AUTHORITY_INVALID with self-signed CA in Windows

I created a (self-signed) root certificate and signed a web server certificate using a system I developed in Java (the web certificate is used in Apache 2.4.41).

The certificates work without issues in Linux and Mac (tested in different Webkit browsers and Firefox). The certificate and the server setup scores A+ using

The CA certificate is correctly installed without any warning, but n ...

Score: 0
2fast2cee avatar
Created a new offline root CA. All of the certs that are based off of this CA cert root fail when used on non-Microsoft systems

The reason it is failing is because I used a Microsoft example as the policy.inf file. I edited the file to match my data but I left in the line: AlternateSignatureAlgorithm=1

How do I fix this without rebuilding a whole new CA?

The root CA cert has to be re-issued based off of a new capolicy.inf file and then all of the certs that are based off of the old root cert need to be re-issued.

I have cha ...

Score: 0
Submitting CSR to Microsoft CA from linux bash best practice

Similar questions:

The link above presents an answer but it is far too complicated for me.

Below is an example that would work if our CA public and private key are in the same directory, on a Linux machine. Let's assume our .cnf is set up correctly and the CA has been created. These commands do not work, but close enou ...

Score: 0
ikhvjs avatar
How networking secures the connection between Certificate Authority and Client?

I know HTTPS is based on the Certificate Authority (CA). If a client tries to send a request to a server (Assuming there is a Certificate), is it possible that a middleman can take the certificate from client and get the public key from the CA? At the same time, the middleman gives a fake Certificate to the Client and when the client sends a Certificate to CA, the middleman again intercepts it and give  ...

Score: 0
Steps to update certificate in edge servers

On-prem mailbox servers are on Exchange 2013 and edge servers are in the DMZ. Can someone please share the steps to renew a third-party cert on the edge servers? I am unable to find an MS article. Please help.

Score: 0
How does XCEP policy (XML) define SubjectType for User or Computer constraint?

We've developed our own implementation of an XCEP/CES WCF service that uses a combination of our certificate management solution and the Microsoft CA to issue the certificates. The standard XCEP XML definition is used (same as the standard Microsoft XCEP/CES WCF service). We use the same WSDL for the WCF service. This works fine for CEP and CES.

Now, we extended the software to use a different Cer ...