PKI – Certificates – Certutil -restrict or how to dump CA database

Certutil view restrict description: http://blogs.technet.com/b/pki/archive/2008/10/03/disposition-values-for-certutil-view-restrict-and-some-creative-samples.aspx

Disposition values for requests in the queue:

Disposition   Description
8             request is being processed
9             request is taken under submission
12            certificate is an archived foreign certificate
15            certificate is a CA certificate
16            parent CA certificates of the CA certificate
17            certificate is a key recovery agent certificate

Disposition

PKI – Certificates – Troubleshooting certificate enrollment RPC server is unavailable

Web references:
http://www.networksteve.com/forum/topic.php/CCertRequest::Submit:_The_RPC_server_is_unavailable._0x800706ba/?TopicId=54320&Posts=3
http://blogs.technet.com/b/askds/archive/2007/11/06/how-to-troubleshoot-certificate-enrollment-in-the-mmc-certificate-snap-in.aspx
https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3de8600-cf4e-4a39-a42e-7f929e1b8d6d/certificate-enrollment-the-rpc-server-is-unavailable
http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Symptoms: Trying to enroll a web server certificate (or a computer or user certificate) fails with the error "The RPC server is unavailable". This CA has also issued certificates in the past for computers and web servers.

certutil -ping -config server.domain.com\domain-server-ca
Connecting to server.domain.com\domain-server-ca …
Server could not be reached:

AD CS (PKI) – Multiple PKI on a same forest?

Is it possible for an old PKI hierarchy and a new PKI to coexist in the same forest? “Yes, you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects representing those CAs are named and stored, you couldn’t possibly experience a conflict

AD CS (PKI) Choosing a Hash and Encryption Algorithm for a new PKI?

Reference: http://blogs.technet.com/b/askpfeplat/archive/2013/04/22/choosing-a-hash-and-encryption-algorithm-for-a-new-pki.aspx

“If you absolutely must support legacy applications that don’t understand CNG algorithms, and are building out a new public key infrastructure, my advice today is to build two hierarchies. The first hierarchy – a legacy hierarchy if you will – would have a lower key lifetime aimed at a documented point at

AD CS (PKI) Resources (and Migration to 2012 R2)

Here are resources and comments about ADCS migration to 2012 R2:
https://windorks.wordpress.com/2014/08/12/migrating-a-microsoft-pki/
http://blog.datacenterfromhell.net/2014/12/migrating-two-tier-microsoft-pki-from.html

Is it possible for an old PKI hierarchy and a new PKI to coexist in the same forest? “Yes, you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects are

AD CS 2008 R2 Two-tier Install Procedure

2013: Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy: http://technet.microsoft.com/en-us/library/hh831348.aspx
Certificate Services Concepts: http://technet.microsoft.com/en-us/library/cc778992(WS.10).aspx
Certificate Services Best practices: http://technet.microsoft.com/en-us/library/cc738786(WS.10).aspx

This step-by-step guide explains how to install and configure a public key infrastructure, based on:
Windows 2008 R2 Server Core – offline Root CA
Windows 2008 R2 domain controller
Windows 2008 R2 Enterprise Edition –

AD CS (PKI) – how to configure SAN (subject alternative names)

If you want to use Subject Alternative Names on internal SSL certificates issued by Active Directory Certificate Services, you have to configure the CA (Certificate Authority) to accept the SAN attribute from a certificate request. By default (for security reasons) the AD CS CA does not issue certificates with the SAN attribute. Ability to connect without certificate issues