Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

1 vote
0 answers
23 views

keytool error: java.security.cert.CertificateParsingException: signed fields invalid

I have an X509 certificate pem file I got from Mongo Atlas. I'm trying to import it into the keystore like so: keytool -importcert -file X509-cert.pem -alias myalias -keystore mykeystore.p12 -storetype ...
asked by ritratt
1 vote
1 answer
146 views

What determines the CRL expiration date and validity in PKI?

I'm working with Microsoft's Public Key Infrastructure (PKI) and I'm interested to know more about how the expiration date of a CRL is determined and how it can be adjusted in a Microsoft PKI ...
asked by kambm
0 votes
1 answer
47 views

Attributes Windows CA templates

Windows Enterprise CA. I have been asked that the following attributes appear in the certificates: OU, C (country) and O (organization). I have seen that in the certificate template in the "...
asked by Santyuste
0 votes
0 answers
28 views

NPS Certificate

I am changing a CA in the domain to a new one. The old CA will be deactivated. I have an NPS server configured with the certificate of the old CA in "Network Policies -> Policy1 -> ...
asked by Santyuste
0 votes
1 answer
73 views

CA Offline Standard publish Active Directory

I have a hierarchy of one offline CA (standard) and 2 subCAs (enterprise). The offline CA is not published in Active Directory and the 2 SubCa's are published in AD. Can the offline CA be modified to ...
asked by Santyuste
0 votes
0 answers
19 views

CA template Windows

In a Windows CA, I have mistakenly removed permissions from a template and now I can't modify it. How do I modify or delete this template to create it again? Thanks
asked by Santyuste
0 votes
0 answers
33 views

Request Certificate CA

I have a Windows server configured as a Certificate Authority (CA). When requesting a certificate via https://server/certServ and choosing the template to request (Request Certificate->Advance ...
asked by Santyuste
0 votes
1 answer
39 views

Best Practices for Setting Up Multiple OpenVPN Instances for Different Clients

I'm working on a project where I need to set up OpenVPN instances to connect IoT devices from various customers to a central server. Each client should have its own isolated VPN connection. I'm ...
asked by Mat
0 votes
1 answer
245 views

How to force Domain Controller to get new certificate from PKI Server

I bluntly created a PKI Server (AD CS) that sits inside the Domain. My Domain Controllers got a DomainController Certificate from it. After that I thought that it would be better, to create a Root CA ...
asked by SimonS
0 votes
1 answer
39 views

CA: Certificate User for VPN

From a subordinate Enterprise CA I want to generate a user certificate that serves as an authentication method for VPN connections. I want to install this certificate with autoenroll on the domain ...
asked by Santyuste
1 vote
1 answer
71 views

SubCA certificate of trust

I have deployed a PKI infrastructure with a Stand-Alone Root CA (which will be kept off) and 4 Enterprise SubCA's which depend on this Root CA. To make the computers trust the Root CA, I am going to ...
asked by Santyuste
0 votes
0 answers
21 views

How to integrate .Net application to ADCS using API

We have to integrate our own app into the MS ADCS environment for autoenrollment of digital certificates. Is there any guide to integrating our app with the MS Certificate Authority using an API?
asked by Ivan Diniz
1 vote
1 answer
50 views

Is it possible to specify Active Directory PKI key size through CSR

When I request a certificate from Letsencrypt and put the key and fullchain.cer in the nginx config, everything works fine. The same for Active Directory is not working. -I generate a key (tried rsa 2048 or 4096 ...
asked by Oleg Gritsak
1 vote
1 answer
68 views

Highly available PKI related questions with regards to CA/OCSP and NDES

I have some specific questions with regard to a highly available PKI based on ADCS. The questions are as follows. Please see the detailed info below for more info on the case. -------------------------...
asked by MyPkiProblems
0 votes
2 answers
80 views

Change certificate issuer

Is it possible to change the "issuer" value in a CA so that when a new certificate is issued, the new "issuer" value appears? In the case of having several SubCa, is it possible to ...
asked by Santyuste
0 votes
1 answer
257 views

PKI hierarchy. Root CA and subordinate

I have to deploy a new PKI hierarchy. I have one domain and several subdomains. I had thought about having a Root CA and a Sub CA. What are the advantages of this option over having a root CA only? Do ...
asked by Santyuste
0 votes
0 answers
36 views

CA root and CA subordinate administrator

I want to deploy a new PKI infrastructure on a domain that has several subdomains and trusted domains. I would like to be able to delegate the administration between several administrators ...
asked by Santyuste
0 votes
1 answer
135 views

Windows Server 2019 ADCS. CA subordinate

I have a "CA1" server with Windows 2019 that has the CA root Enterprise service. Additionally I have another server "CA-Subordinate" with Windows 2019 with the CA subordinate ...
asked by Santyuste
0 votes
2 answers
100 views

How to get a google issued certificate for my service behind l4 load balancer

I am running a mqtt broker behind gke LoadBalancer type service. The lb type service is a l4 load balancer and I need to handle the tls termination at my service/broker level. I have associated an A ...
asked by java_doctor_101
1 vote
1 answer
498 views

Windows AD cert renewal implementation vs cert copying

Windows PKI policy has a setting for what I think is automated renewal of AD template issued certificates when they expire. It must be also enabled on the certificate authority (CA) side. Question - ...
asked by Seva Alekseyev
0 votes
1 answer
383 views

Trouble setting up CES and CEP PKI in a trusted forest scenario

I have two AD domains with a two-way forest trust. I want computer accounts in DomainB to enroll for computer client auth certificates from the two-tier Windows CA in DomainA. I configured a ...
asked by corndog
1 vote
0 answers
181 views

Fedora Server 37 CA certificate store most equivalent to LocalMachine\root

Fedora Server 37 CA certificate store most equivalent to LocalMachine\root in a Windows environment? Background notes: I have plenty of experience in the Windows area for certificate management, but ...
asked by jcolebrand
0 votes
1 answer
686 views

Publish Root CA CRL to network drive

I am currently "prototyping" a Windows PKI with AD CS Role. I have two-tier hierarchy (Root Offline CA -> Enterprise Sub-CA -> Digital Certs). Furthermore, I am trying to publish the ...
asked by isuckatservers69
0 votes
0 answers
29 views

2 Issuing CAs are Affected by Subnet Region

We are working to set up a 2-tier pki with 2 issuing CAs in different regions/subnets. We were able to get everything looking right on pkiview.msc. We are still having trouble though with the second ...
asked by Woogi
0 votes
1 answer
853 views

Having trouble issuing the 2nd enterprise CA on the same offline Root CA as the 1st. Windows Server 2016

I am running into an issue and hoping someone can help me. We were asked to set up a new Root CA and 2 subordinate (issuing) CAs under it (the request includes using Azure and placing each VM in a ...
asked by Woogi
2 votes
1 answer
138 views

Changing the OU for a Windows Subordinate CA

We have a Subordinate CA that is servicing our AD domain. For reasons of tidiness, we want to change the OU that the Sub CA is in. I know that you can't do things like change the name of the Sub CA or ...
asked by northshorefiend
2 votes
1 answer
1k views

openssl - cross sign certificate

I want to cross-sign a third-party root ca (third-party-ca) with my own root ca (r1). (Background: restricting usage) To do this, I use openssl x509 -in third-party-ca.crt -CA /etc/pki/r1/ca.crt -CAkey ...
asked by Zulakis
0 votes
0 answers
118 views

1 ICA and CRL serving 2 different domain

I have 1 ICA and 1 CRL and I would like it to serve 2 different domains in my setup. Is that possible? I'm running Windows Server 2019. Note, I'm not able to set a trust relationship between the 2 ...
asked by tosei
0 votes
1 answer
616 views

Windows doesn't create/assign "Key Container" when adding cert tied to Cavium (AWS CloudHSMv2)

I've got two Windows systems tied to the AWS CloudHSM v2 (the Cavium HSM). On one, I generated the CSR, and accepted/added the cert purchased with that CSR. I can sign and the private key is pulled ...
asked by Peter Kahn
0 votes
1 answer
520 views

CDP container in Active Directory required if not part of AD?

We have a Microsoft Active Directory Certificate Services Enterprise CA. After installing the service, an AD container is created within CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=...
asked by Daniel
1 vote
1 answer
1k views

FreeRadius with mixed CAs

Is it possible to run FreeRadius (version 3.0.13) with two different CAs? So that I have a server certificate from one CA and the client certificates come from a different CA? Our current setup in /...
asked by Thomas
0 votes
1 answer
471 views

Target specific Enterprise CA for auto-enrollment?

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled. CA1 is responsible for issuing certificates to workstations and ...
asked by Daniel
0 votes
2 answers
1k views

Auto-Enrollment with manager approval, but auto-approval for re-enrollment

I have a certificate template (auto-enrolled) that must require manager approval. To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab. The ...
asked by Daniel
1 vote
1 answer
410 views

How to import a CSR on a root CA into the Pending Requests queue and viewing the applied policy on the command line?

I have a standalone root CA based on Windows Server 2019 Core. I know that with certutil.exe -dump certificate.req I can inspect the CSR, but the root CA's policies may override the requested extension ...
asked by Daniel
1 vote
1 answer
589 views

Standalone Root CA does not enforce KeyUsage settings from CAPolicy.inf when issuing certificates

I have a standalone root CA (RootCA) and an enterprise subordinate CA (SubCA). Both Windows Server 2019. The RootCA seems to ignore the CAPolicy.inf file configuration settings, when attempting to ...
asked by Daniel
0 votes
1 answer
1k views

Create new SubCA certificate fails with NTE_PROV_TYPE_NOT_DEF

I am trying to manually create a key and CSR for a new Windows AD CS Enterprise Subordinate CA (Windows Server 2019). I'd like to store the key in the modern Microsoft Software Key Storage Provider. ...
asked by Daniel
0 votes
1 answer
487 views

Microsoft ADCS: change Subject in existing CSR

Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England". Is there any way to ...
asked by StanTastic
1 vote
1 answer
4k views

hashicorp vault - load pre-existing CA certificate into PKI engine

I'm looking to migrate a process that generates client certificates from a custom root CA into hashicorp vault. The root is already trusted by a lot of applications, so I'd like to import it (or an ...
asked by André Fernandes
0 votes
1 answer
992 views

Ldap service not running on Windows Server 2019

I have 2 Windows Server 2019 machines, e.g. server1 and server2. server1 is the domain controller. server1 has the below roles installed: ADDS, ADCS, DNS, FILE STORAGE, IIS. server2 is connected to that domain ...
asked by Ghansham
3 votes
1 answer
2k views

Do I need Active Directory Certificate Services

I have an AD setup that apparently has a vulnerability related to the Certificate Services feature. Thinking back through the MS Server courses I've sat, I don't remember anything on it, so I dug ...
asked by The ITea Guy
0 votes
1 answer
367 views

PKI trust in Active Directory

Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to ...
asked by 5y5tem5
0 votes
2 answers
2k views

Retire internal Windows root CA

A former colleague created an internal root CA named CA1 with server2008. During migration to a newer OS version a Server CA2 was created and CA1 turned off. Now my problem is, all systems still think ...
asked by 404_username_not_found
2 votes
1 answer
2k views

Finding out if a certificate is due for renewal without triggering the actual renewal with Certbot

I am trying to use Certbot to allow for semi-automated certificate updates. I don't want fully-automated updates to avoid automatic certificate replacements that could interrupt business and ensure ...
asked by aef
0 votes
1 answer
514 views

Where is the data about the certificate stored when I run dspublish on a domain joined computer?

When I run the command certutil -f -dspublish "CA01_Fabrikam Root CA.crt" RootCA, the output is ldap:///CN=Fabrikam Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=...
asked by cypherphage
0 votes
1 answer
588 views

Root CA certificate missing from chain but only in IE, Chrome is fine

Does anyone have any idea why the root CA certificate is completely absent (not just present but untrusted) from the HTTPS chain but only in Internet Explorer? The certificate is installed as a ...
asked by mythofechelon
0 votes
1 answer
1k views

RDP and GPO setting Server Authentication certificate template (Microsoft Windows Server 2016)

We want to force Remote Desktop to use a certificate based on a particular named template rather than using a self-signed certificate. This works in forests with a Certificate Authority server, but ...
asked by Jon Pennycook
1 vote
0 answers
2k views

Enabling SSL on Tomcat 9

There are a few questions I have regarding setting up SSL on Tomcat 9 as some of the things I've read have some inconsistencies and I'm also new to PKI. Ultimately, there are two things I'm trying to ...
asked by stripies
0 votes
2 answers
334 views

Windows Certificate Templates CSP certificate with Exportable Private Key

I recently created a certificate for a developer using a certificate template. The template was based on an existing one which I believe is based on CNG. I was able to export the private key, but the ...
asked by RLBChrisBriant
1 vote
0 answers
92 views

How to get the issuing certificate authority from an apple push notification certificate

I want to import the Apple push notification certificate into AWS ACM. So first, I had to convert it to pem. Using openssl pkcs12, I was able to get the Certificate and the Private Key. But when ...
asked by Moadh
0 votes
1 answer
552 views

What is the best method for adding RSA Key Fingerprints to known_hosts upon provisioning each server?

This question was inspired by this thread. The hypothetical scenario, for context, is as follows: SSH servers, whether they be routers, firewalls etc., are all firstly provisioned within a private + ...
asked by Inquisitive