certificate authority « rakhesh.com

Certificate stuff (as a note to myself)

Posted: August 21st, 2017 | Tags: certificate authority, certificates | Category: Infrastructure | §

Helping out a bit with the CA at work, so just putting these down here so I don’t forget later.

For managing user certificates: certmgr.msc.

For managing computer certificates: certlm.msc.

Using CA Web enrollment pages and SAN attributes requires EDITF_ATTRIBUTESUBJECTALTNAME2 to be enabled on your CA.

Enable it thus:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc

net start certsvc

When making a request, in the attributes field enter the following for the SANs: san:dns=corpdc1.fabrikam.com&dns=ldap.fabrikam.com.

Certificates, Subject Alternative Names, etc.

Posted: May 23rd, 2017 | Tags: certificate authority, certificates, subject alternative names | Category: Infrastructure, Windows | §

I had encountered this in my testlab but never bothered much coz it was just my testlab after all. But now I am dabbling with certificates at work and hit upon the same issue.

The issue is that if I create a certificate for mymachine.fqdn but I visit the machine at just mymachine, then I get an error. So how can I tell the certificate that the shorter name (and any other aliases I may have) are also valid? Turns out you need to use the Subject Alternative Name (SAN) field for that!

You can’t add a SAN field to an existing certificate. Got to create a new one. In my case I had simply requested a domain certificate from my IIS server and that doesn’t give any option to specify the SAN.

Instructions for creating a new certificate with SAN field are here and here. The latter has screenshots, so check that out first. In my case, at the step where I select “Web Server” I wasn’t getting “Web Server” as an option. I was only getting “Computer”. Looking into this, I realized it’s coz of the permissions difference. The “Web Server” template only has Domain Admins and Enterprise Admins in its ACLs, while the “Computer” template had Domain Computers too with “Enrol” rights. The fix is simple – go the Manage Templates and change the ACL of “Web Server” accordingly. (You could also use ADSI Edit and edit the ACL in the Configuration section).

[Aside] Useful CA/ Certificates info

Posted: May 18th, 2017 | Tags: CA, certificate authority, certificates | Category: Asides, Infrastructure, Windows | §

Obtaining a certificate on Windows Server without IIS
CA Web Enrollment
Determining the type of CA (standalone or AD integrated)
- Another option is certutil -CAinfo – look for CAType.
Difference between Standalone and Enterprise (AD integrated) CA. In case of Enterprise CA:
- Cert is automatically pushed out to all machines.
- Configuration is stored in AD: CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- CAs and their certs can be found via AD itself: CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain.
- Requesting a new cert is easy (IIS for instance has an option to request domain certificate). Plus renewal happens automatically.
- Can define templates, which are stored in AD itself, and can be used to create new certs.
- Can archive the private key in AD?

Creating an AD certificate for NetScaler 10.5

Posted: March 6th, 2017 | Tags: CA, certificate authority, certificate store, certificates, CSR, netscaler | Category: Citrix | §

This post is based on a post by someone else that I found while I had to do this today. I wanted to configure NetScaler 10.5 with Citrix Storefront 3.9 and found that post useful, but some of the screenshots were different in my case – so thought I’d write it down for my future self. This post is going to be less on writing and more of screenshots as I am feeling very lazy.

So without much further ado –

Login to the NetScaler and create an RSA Key

1-2-3 as below.

Fill in the following fields and click “Create”.

The file name and extension doesn’t matter but we will refer to it later.

Create a Certificate Signing Request (CSR) on the NetScaler

Again, the request file name does not matter. The key filename & password is same as what we used earlier. There’s few more fields to fill – obvious ones like the organization name etc, the mandatory ones have an asterisk – then click “Create”.

Open the CSR

Click the link to view. Then click the link to “save text to a file”.

Login to your AD Certification Authority and submit the request

I am going to use the command line as the CSR doesn’t contain info on what template the CA should use, and that gives an error on the GUI: “0x80094801 – the request contains no certificate template information”.

Using the command line is simple. Open the command prompt and type the following:

certreq -attrib "CertificateTemplate:WebServer"

1	certreq -attrib "CertificateTemplate:WebServer"

This will prompt you for the location of the CSR and also the CA to use etc.

If you get any error about missing templates here, it’s possible you haven’t added the “Web Server” template to your CA templates. You can via this menu –

The command will also prompt for a location to save the generated certificate at. Save it someplace, then go back to the NetScaler.

Login to the NetScaler and install this certificate

Click the Install button as above. Then fill in the details as below. The certificate-key pair name does not matter. The certificate file name is chosen by clicking on “Browse”, then “Local”, and selecting the certificate file that you previously saved. The key file name and password are same as what you typed in the initial screenshot.

Finally, click “Install”.

That’s it! The NetScaler now has a certificate issued by the AD CA.

rakhesh.com

Search

Contact

Subscribe via Email

Subscribe via RSS/JSON

Categories

Recent Posts

Archives

Elsewhere