Category Archives: PKI

Autoenrollment is not working.

Problem: Group Policy says that autoenrollment is switched on, but the autoenrollment function is not working. None of your Root, Issuing or Machine certificates are enrolled. If you try to trigger the autoenrollment process you get an error.
certutil -pulse
CertUtil: …

Posted in PKI, Windows

Base64 encoding with certutil

Encode:
certutil -encode inputFileName encodedOutputFileName
Decode:
certutil -decode encodedInputFileName OutputFileName

Posted in PKI

Smartcard – Force reading all certificates on smartcard

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"ForceReadingAllCertificates"=dword:00000001

Posted in PKI, Windows

Write CSR with SAN-attributes

openssl.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MyProvince
localityName = Locality Name (eg, city)
localityName_default = Mycity
0.organizationName …

Posted in OpenSSL, PKI

Verify certificate and private key with Openssl

OpenSSL can be used to verify whether a private key and a certificate match. Enter these commands and analyze the output:
openssl x509 -noout -text -in server.crt
openssl rsa -noout -text -in server.key
Compare the two sections …

Posted in OpenSSL, PKI

Smartcard logon problems

You are able to log on to Windows, but once logged on you cannot use "Run as another user".
Error message: A specified logon session does not exist. It may already have been terminated.
Reason: Certificates on the smart card are …

Posted in Active Directory, PKI

OpenSSL Error Codes

TXT_DB error number 2
This happens when you try to sign a certificate that shares the same common data as another certificate already in the CA database. You cannot have two certificates that look the same.
Solution: Either remove them by hand from the database, …

Posted in OpenSSL, PKI

Publish a CRL created with Openssl into Active Directory

When you sign a CRL with OpenSSL it does not carry the attribute "Published CRL Locations", which tells where the revocation lists are or should be published. Without this attribute there is no way for certutil to know where to save …

Posted in Active Directory, PKI

Recover an archived certificate from a Microsoft CA

Prerequisites: Your KRA certificate must be installed in the certificate store on your machine. Find the serial number of the certificate you want to recover.
certutil -getkey [serial number] [outfile]
Ex. certutil -getkey 45137316467 d:key.file
certutil -recoverkey [infile] [outfile_pfx]
Ex. certutil …

Posted in PKI

Write a CSR to a CA with Openssl

If you order, for example, a wildcard certificate, you don't want to generate the keys on a web server, because you can't simply export them without special tools. Instead you can use OpenSSL to create the CSR.
1. First we create a …

Posted in PKI