Questions tagged [pki]

Public Key Infrastructure is a cryptography system based on X.509 digital certificates, commonly used for encrypted communication and authentication.

OpenSSL and Windows Certificate Authorities are two commonly-used software certification authorities.

228 questions
0 votes, 1 answer

Publish Root CA CRL to network drive

I am currently "prototyping" a Windows PKI with AD CS Role. I have two-tier hierarchy (Root Offline CA -> Enterprise Sub-CA -> Digital Certs). Furthermore, I am trying to publish the CRL of my Root CA to a network drive. Let me explain my setup: I…
0 votes, 0 answers

2 Issuing CAs are Affected by Subnet Region

We are working to set up a 2-tier pki with 2 issuing CAs in different regions/subnets. We were able to get everything looking right on pkiview.msc. We are still having trouble though with the second issuing CA, it doesn't seem to be communicating…
0 votes, 1 answer

Having trouble issuing the 2nd enterprise CA on the same offline Root CA as the 1st. Windows Server 2016

I am running into an issue and hoping someone can help me. We were asked to set up a new Root CA and 2 subordinate (issuing) CAs under it (the request includes using Azure and placing each VM in a different region for redundancy). We issued the…
0 votes, 0 answers

Is it possible to generate a new self-signed certificate from an existing private key with powershell?

New-SelfSignedCertificate -ExistingKey "c:\cts_privkey.pem" -Container localhost -Provider "Microsoft Enhanced RSA and AES cryptographic Provider" -DnsName "example.com" -CertStoreLocation "cert:\LocalMachine\My" I get the error: I think I am…
0 votes, 0 answers

1 ICA and CRL serving 2 different domains

I have 1 ICA and 1 CRL and I would like it to serve 2 different domains in my setup. Is that possible? I'm running Windows Server 2019. Note, I'm not able to set a trust relationship between the 2 domains. I was told that the host in the other domain…
tosei
0 votes, 1 answer

Windows doesn't create/assign "Key Container" when adding cert tied to Cavium (AWS CloudHSMv2)

I've got two Windows systems tied to the AWS CloudHSM v2 (the Cavium HSM). On one, I generated the CSR, and accepted/added the cert purchased with that CSR. I can sign and the private key is pulled properly from the HSM via the Key Container. The…
Peter Kahn
0 votes, 1 answer

CDP container in Active Directory required if not part of AD?

We have a Microsoft Active Directory Certificate Services Enterprise CA. After installing the service, an AD container is created within CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com Our CDP is http-only. There…
Daniel
0 votes, 1 answer

Target specific Enterprise CA for auto-enrollment?

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled. CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth. CA2 is…
Daniel
0 votes, 2 answers

Auto-Enrollment with manager approval, but auto-approval for re-enrollment

I have a certificate template (auto-enrolled) that must require manager approval. To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab. The computer does auto-enroll and the certificate is placed…
Daniel
0 votes, 1 answer

Create new SubCA certificate fails with NTE_PROV_TYPE_NOT_DEF

I am trying to manually create a key and CSR for a new Windows AD CS Enterprise Subordinate CA (Windows Server 2019). I'd like to store the key in the modern Microsoft Software Key Storage Provider. It fails with Provider type not defined.…
Daniel
0 votes, 1 answer

Microsoft ADCS: change Subject in existing CSR

Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England". Is there any way to recover from that? I tried: using policy.inf to resign the…
StanTastic
0 votes, 1 answer

Ldap service not running on Windows Server 2019

I have 2 Windows Server 2019 machines, e.g. server1 and server2. server1 is the domain controller. server1 has the below roles installed: ADDS, ADCS, DNS, FILE STORAGE, IIS. server2 is connected to that domain controller. server1 has the below roles installed: ADCS,…
Ghansham
0 votes, 1 answer

PKI trust in Active Directory

Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and…
0 votes, 2 answers

Retire internal Windows root CA

A former colleague created an internal root CA named CA1 with Server 2008. During migration to a newer OS version a server CA2 was created and CA1 turned off. Now my problem is, all systems still think they have to ask CA1 to get new certificates. So…
0 votes, 1 answer

Where is the data about the certificate stored when I run dspublish on a domain-joined computer?

When I run the command certutil -f -dspublish "CA01_Fabrikam Root CA.crt" RootCA the output is ldap:///CN=Fabrikam Root CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=fabrikam,DC=com?cACertificate Certificate…