Yuval Sinay : PKI

How to renew User/Computer certificate without require to do application side changes

yuval14 — Sat, 21 Apr 2012 23:58:02 GMT

The renewal process of user/computer certificate require (in the most of the cases) to implemented changes in the application side (e.g. IIS,Outlook etc.),

As a workaround for this “limitation”, the renewal process of the User/computer certificate can be set to use exiting certificate key.

However, using exiting certificate key may reduce the system security level, and this may lead to system/certificate compromise.

Warring: To reduce the security risk of implementing changes in the Enterprise PKI (Public Key Infrastructure), its highly recommended to test this changes in a lab - before making changes in the production environment.

To renew the certificate by using exiting certificate key, please use the following instructions:

A. PKI Prerequisites:

1. Depending on the certificate template type/settings, the Certificate Authority security settings should allow the user that renew the certificate to have the following privilege: “Request Certificates”.

2. Depending on the certificate template type/settings, the user that renew the certificate may require the following privilege on the relevant Certificate Template: “Enroll” and/or “Autoenroll”.

B. The renewal process:

1. Logon to the computer.

2. Navigate to “Start” –> “Run” and type “mmc” and click “OK” to launch the Management Console

3. Navigate to “File” > “Add/Remove” Snap In… , select “Certificates” and click “Add”.

4. Select “Computer Account” (or “User Account”) and click “Next”. Then", click “Finish”. Once back on the Snap In screen, click “OK”.

5. Expand “Certificates” > “Personal” and click on “Certificates”.

6. Right-click on the required certificate and select “All Tasks” > “Advanced Operations” > “Renew This Certificate with the Same Key”.

7. Click “Next”, and then “Enroll”. Once complete, click “Finish”.

Monitoring Workgroup computers by using SCE 2010

yuval14 — Fri, 07 Oct 2011 05:35:29 GMT

Microsoft SCE 2010 is a light edition of Microsoft System Center products line. Monitoring Workgroup computers by using SCE 2010 is cover by the following Microsoft post:

How to Prepare the Essentials Management Server to Manage Workgroup-Joined Computers

However, you may found out that no information is available on the correct process to create a server certificate (that used for mutual authentication).

The following Microsoft post cover the process how to create a server certificate.

When you try to install a System Center Operations Manager 2007 agent on a workgroup computer without using a gateway server, Operations Manager 2007 cannot see the workgroup computer

Note1: The SCE 2010 Agent Installation wizard should be used for importing the following certificates:

1. Trusted Root Certificate Authority.

2. WSUS certificates.

3. Server certificate of the workgroup computer.

Note2:To assign exiting certificate to the SCE 2010 agent, please use the utility: “MOMCertImport” (from SCE 2010/SCOM 2007/2007 R2 media) – after completing the Agent installation.

How to resolve Exchange 2010 error message: The Certificate Status could not be determined because the revocation check failed

yuval14 — Tue, 20 Sep 2011 21:31:31 GMT

The following error/s may appear in the Exchange 2010 Management Console:

“Exchange 2010 Certificate Revocation Checks and Proxy Settings” or “The Certificate Status could not be determined because the revocation check failed”

Cause:

1. You may use a Proxy server that block access to the CRL.

2. The CRL isn't available.

How to Debug this issue:

Obtain any (current) certificate from the Certificate Authority and run the following command:

“certutil –verify –urlfetch C:\CertificateName.cer >Log.txt”

Usually you may find out issues like errors messages on expired CRL or Offline CA.

Resolutions:

1. Review Proxy settings by using “netsh winhttp show proxy”

You can reset the proxy settings by using the commands:

“netsh winhttp reset proxy”
”netsh winhttp reset tracing”

Note: You can also add Proxy exceptions (e.g. The CRL location) by using the following commands:

“netsh winhttp import proxy ie”

“netsh winhttp set proxy proxy-server=http://192.168.1.1:80 bypass-list="crlserver.DomainName.local"

“netsh winhttp set proxy proxy-server=http://192.168.1.1:443 bypass-list="crlserver.DomainName.local"

2. Review the current CRL settings in the Active Directory by using:

Quick Check on ADCS Health Using Enterprise PKI Tool (PKIVIEW)

Usually, if you are using a Offline CA (Root CA for example), you may find out that the current CRL was expired.

Usually its recommended to change the CRL expire date in the relevant CA and then re-publish the CRL.

Then, import the CRL into the Active Directory by using the command:

“certutil -f -dspublish CRLFileName.crl”

3. If the CRL is published to a File Share and/or Web Server (HTTP/s), please verify that the URL paths exits and aren't blocked by third party system (e.g. Firewall, Antivirus, IPS etc.) Its also recommended to verify that no NTFS/Share permissions blocked access to the CRL.

4. Reset urlcache by using the following power shell commands:

“certutil -urlcache ocsp delete”
”certutil -urlcache crl delete”

5. Reset the Exchange Internet Web Proxy to null by using the following power shell command:

“Set-ExchangeServer -InternetWebProxy $NULL”

6. Delete MMC cache files from:

“C:\Users\%username%\AppData\Roaming\Microsoft\MMC”

7. Verify that CRL for Root & SubCA URL’s/Paths are current. Also,

8. Verify that the Root CA Certificate was added to the computer Trusted Root CA Store.

Also, verify that the SubCA Certificate was added to the computer Intermediate CA Store.

9. As a temporary workaround, you can enable the required certificate by using Exchange Power Shell command: Enable-ExchangeCertificate

However, this workaround wouldn’t resolved the error message, but would enable you to assign the certificate to the Exchange services.

For farther information, please review: Certificate Revocation and Status Checking

How to Publish Root Certificate and Intermediate Root Certificate in Active Directory

yuval14 — Wed, 14 Sep 2011 04:10:17 GMT

To Publish Root Certificate and Intermediate Root Certificate in Active Directory, please use the following commands:

Root certificate: certutil -dspublish -f RootCACertificate.crt RootCA

Intermediate certificate: certutil -dspublish -f SubCACertificate.crt SubCA

To publish the certificate/s to NTAuth store, please review the following knowledgebase:

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

Note: NTAuth store point to: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com

How to add Root Certificate and Intermediate Certificate to a Windows Operating System

yuval14 — Wed, 14 Sep 2011 03:46:04 GMT

If you are using a PKI (Public Key Infrastructure), you may found out that Root Certificate and Intermediate Certificate may need be installed manually for Workgroup computers.

Also, in case that you don’t use Active Directory (e.g. GPO etc.) to publish the Root Certificate and Intermediate Certificate details, you may need to add this certificates manually.

To accomplish this task, please use the following commands:

Installing Root Certificate: “Certutil -addstore -f Root MyRootCACertificate.crt”

Installing Intermediate Certificate: “Certutil -addstore -f CA MySubCACertificate.crt”

You can use the following commands to review the result of the previous commands:

“certutil -v –store my > LocalCertStore.txt“ or “certutil –verifystore root” / “certutil –verifystore CA”

Finding DSConfigDN and DSDomainDN values by using Certutil

yuval14 — Thu, 01 Sep 2011 05:55:03 GMT

DSConfigDN and DSDomainDN are two objects that should be taken care while designing PKI implementation (specially in case of using a Stand Alone Root CA and a Enterprise Sub CA).

The following output provides you instructions how to obtain the required values from your Certificate Authority:

C:\Users\administrator>certutil -getreg ca\DSConfigDN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncd
omain-SRV5-CA\DSConfigDN:

DSConfigDN REG_SZ = CN=Configuration,DC=lyncdomain,DC=local

CertUtil: -getreg command completed successfully.

C:\Users\administrator>certutil -getreg ca\DSDomainDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncd
omain-SRV5-CA\DSDomainDN:

DSDomainDN REG_SZ = DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.

Note: A Stand Alone Root CA / Stand Alone Sub CA details (e.g. Certificate, CRL, AIA etc.) could be published into the Active Directory by using the following commands:

“CertUtil -dsPublish -f RootCACertificate.cer RootCA “

“CertUtil -dsPublish -f SubCACertificate.cer SubCA “

To publish CRL into the Active Directory you should use the following command:

“certutil -dspublish-f MyCRLFile.Crl “

Reference:

Configure an offline root certification authority to support certificate revocation with Active Directory

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

Windows 2008 R2 Certification Authority installation guide

yuval14 — Fri, 12 Aug 2011 03:18:47 GMT

Mr. Eyal Estrin wrote an excellent guide on “Windows 2008 R2 Certification Authority installation guide”.

This guide provides a step by step guide how to install a Offline Root Certificate Authority and then setup a Enterprise Subordinate Certificate Authority.

The guide can be obtain from the following link.

Error “Page Cannot be Displayed” may appear after replacing Exchange 2010 Certificate

yuval14 — Mon, 04 Jul 2011 00:19:53 GMT

Symptoms:

After replacing Exchange 2010 Certificate , the following error may appear during accessing Exchange 2010 OWA (Outlook Web Access): “Page Cannot be Displayed”.

Reason:

The imported certificate may not contain a “Private key”.

Solution:

During certificate export process, verify that “Export Private Key” checkbox has been marked. After completing the new certificate, import it the Exchange 2010 server and assigned it to the relevant services.