The Benefits Of Two-Level Certificate Authority Hierarchy

Friday, August 16, 2013

A common question arises during the planning stage of a two-level certificate authority hierarchy: what are the advantages of the two-level model? To summarize, there are five main advantages:
1. Performance, scalability and redundancy. Using multiple Subordinate/Intermediate CAs allows the organization to split the load of PKI processing tasks across multiple servers. Multiple Subordinate/Intermediate CAs also let the organization handle common scenarios such as:
a. Failure of one (or more) Subordinate/Intermediate CA servers would not reduce the availability of the PKI service in the...

How to renew User/Computer certificate without require to do application side changes

Saturday, April 21, 2012

Renewing a user/computer certificate requires, in most cases, changes on the application side (e.g. IIS, Outlook). As a workaround for this limitation, the renewal of the user/computer certificate can be set to reuse the existing certificate key. However, reusing the existing key may reduce the system's security level, which may lead to system/certificate compromise. Warning: to reduce the security risk of implementing changes in the Enterprise PKI (Public Key Infrastructure), it is highly recommended to test these changes in a lab before making changes in the production environment. To...

Monitoring Workgroup computers by using SCE 2010

Friday, October 7, 2011

Microsoft SCE 2010 (System Center Essentials) is a light edition of the Microsoft System Center product line. Monitoring workgroup computers with SCE 2010 is covered by the following Microsoft post: How to Prepare the Essentials Management Server to Manage Workgroup-Joined Computers. However, you may find that it gives no information on the correct process for creating a server certificate (the one used for mutual authentication). The following Microsoft post covers how to create that server certificate: When you try to install a System Center Operations Manager 2007 agent on a workgroup computer without using a gateway...

How to resolve Exchange 2010 error message: The Certificate Status could not be determined because the revocation check failed

Tuesday, September 20, 2011

The following errors may appear in the Exchange 2010 Management Console: “Exchange 2010 Certificate Revocation Checks and Proxy Settings” or “The Certificate Status could not be determined because the revocation check failed”.
Cause:
1. You may be using a proxy server that blocks access to the CRL.
2. The CRL is not available.
How to debug this issue: obtain any current certificate issued by the Certificate Authority and run the following command: certutil -verify -urlfetch C:\CertificateName.cer > Log.txt
Usually you will find issues such as error messages about an expired CRL or an offline CA.
Resolutions:
1. Review the proxy settings by using “netsh winhttp show...

How to Publish Root Certificate and Intermediate Root Certificate in Active Directory

Wednesday, September 14, 2011

To publish a Root Certificate and an Intermediate Root Certificate in Active Directory, use the following commands:
Root certificate: certutil -dspublish -f RootCACertificate.crt RootCA
Intermediate certificate: certutil -dspublish -f SubCACertificate.crt SubCA
To publish the certificate(s) to the NTAuth store, review the following knowledgebase article: How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store
Note: the NTAuth store points to: CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com

How to add Root Certificate and Intermediate Certificate to a Windows Operating System

Tuesday, September 13, 2011

If you are using a PKI (Public Key Infrastructure), you may find that the Root Certificate and Intermediate Certificate need to be installed manually on workgroup computers. Also, if you do not use Active Directory (e.g. GPO) to publish the Root Certificate and Intermediate Certificate, you may need to add these certificates manually. To accomplish this task, use the following commands:
Installing the Root Certificate: Certutil -addstore -f Root MyRootCACertificate.crt
Installing the Intermediate Certificate: Certutil -addstore -f CA MySubCACertificate.crt
You can use the following commands...

Finding DSConfigDN and DSDomainDN values by using Certutil

Thursday, September 1, 2011

DSConfigDN and DSDomainDN are two settings that should be taken care of when designing a PKI implementation (especially when using a Stand-Alone Root CA and an Enterprise Sub CA). The following output shows how to obtain the required values from your Certificate Authority:
C:\Users\administrator>certutil -getreg ca\DSConfigDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncdomain-SRV5-CA\DSConfigDN:
  DSConfigDN REG_SZ = CN=Configuration,DC=lyncdomain,DC=local
CertUtil: -getreg command completed successfully.
C:\Users\administrator>certutil -getreg ca\DSDomainDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\lyncdomain-SRV5-CA\DSDomainDN:
  DSDomainDN REG_SZ = DC=lyncdomain,DC=local
CertUtil: -getreg command...