June 14 2017

Create certificate from CSR on a Microsoft Certificate Authority using command line

Do you have a Certificate Signing Request (CSR) from a device for which you need to create a certificate from a Microsoft Windows Certificate Authority?  This is actually pretty straightforward.  On a domain machine, launch a command prompt and save the CSR into a file on that machine (CSR.req in the example below).  Then just use the command:

certreq -submit -attrib "CertificateTemplate:WebServer" CSR.req cert.cer

You’ll get a prompt to select the issuing CA you want to use.  Substitute WebServer for whichever template you need to use.  You then have your certificate – cert.cer.
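An unattended variant of the same steps, as an added example that is not part of the original post: it dumps the CSR so the requested subject and names can be reviewed before signing, names the CA with -config instead of using the prompt, and checks the chain of the issued certificate. The CA config string `ca01.example.local\Example-Issuing-CA` and the file names are placeholders.

```powershell
# Added example. Placeholders (assumptions): CA config string and file names.
param(
    [string]$CsrPath  = '.\CSR.req',
    [string]$CertPath = '.\cert.cer',
    [string]$Template = 'WebServer',
    [string]$CaConfig = 'ca01.example.local\Example-Issuing-CA'   # "host\CA name"
)

if (-not (Test-Path -LiteralPath $CsrPath)) { throw "CSR not found: $CsrPath" }
if (Test-Path -LiteralPath $CertPath)       { throw "Refusing to overwrite $CertPath" }

# 1. Review what the device is asking for before the CA signs it.
$dump = certutil -dump $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $CsrPath" }
$dump | Select-String -Pattern 'Subject:', 'DNS Name=', 'IP Address=', 'Public Key Length' -Context 0, 1 | Out-Host
if ((Read-Host 'Submit this request? (y/n)') -ne 'y') { return }

# 2. Submit to a named CA; -config replaces the interactive CA picker.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0) { throw "certreq exited with code $LASTEXITCODE" }

# If the template needs CA manager approval, the request stays pending and
# no certificate file is written (collect it later with certreq -retrieve).
if (-not (Test-Path -LiteralPath $CertPath)) {
    Write-Warning 'No certificate was written; check the request ID printed above.'
    return
}

# 3. Confirm the chain builds and revocation information is reachable.
certutil -verify -urlfetch $CertPath
if ($LASTEXITCODE -ne 0) { Write-Warning 'Chain or revocation check failed.' }

# 4. Record what was issued.
$full = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
$cert | Select-Object Subject, Issuer, NotAfter, Thumbprint
```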

 

 

April 22 2015

How to find an internal/local Certificate Authority

Many times when I’m new to an organisation I’ll need to do a discovery within the environment to see what technology exists – including local Microsoft Windows Certificate Authorities. A very quick and easy way to do this is to use the certutil command with the following syntax:

certutil -config - -ping

If there is a Certificate Authority published in Active Directory then you will get a popup box with a list of them. If not, you’ll see something like this:

[Screenshot: certutil output]

The command is also useful for testing the responsiveness of a Certificate Authority – if you select an existing Certificate Authority from the popup box, certutil will ping it.
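For an inventory that can be saved rather than read from a popup, the same information can be pulled from the directory and each CA pinged by name. This is an added example, not part of the original post; it assumes a domain-joined machine and reads the Enrollment Services container where enterprise CAs are published.

```powershell
# Added example: inventory the enterprise CAs published in Active Directory.
# Run as a domain user on a domain-joined machine.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$base = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = '(objectClass=pKIEnrollmentService)'
foreach ($p in 'cn', 'dnshostname', 'certificatetemplates') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$cas = foreach ($entry in $searcher.FindAll()) {
    $name   = [string]$entry.Properties['cn'][0]
    $server = [string]$entry.Properties['dnshostname'][0]

    # Same check the popup performs, but against a named CA and without the GUI.
    certutil -config "$server\$name" -ping | Out-Null

    [pscustomobject]@{
        CA         = $name
        Server     = $server
        Responsive = ($LASTEXITCODE -eq 0)
        Templates  = @($entry.Properties['certificatetemplates']) -join ', '
    }
}

if (-not $cas) { Write-Warning 'No enterprise CA is published in this forest.' }
$cas | Sort-Object Server | Format-Table -AutoSize -Wrap
```

Standalone CAs that are not published to Active Directory will not appear in this list.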

July 11 2014

Free public SSL certificates

I recently needed to do some testing and needed to have a valid public SSL certificate and since it was only for testing, I preferred if there was no cost for this.
I came across StartCom – https://www.startssl.com/ – who offer FREE Class 1 SSL certificates.

These free certificates are Class 1 – meaning that minimal validation is done when they are requested and issued – however this is fine for testing but not really recommended for commercial use. From my testing, it appears that the issuing CA was automatically trusted by Internet Explorer and Chrome. These certs are perfect for testing over SSL.

For more info see the StartCom website – https://www.startssl.com/?app=40

September 25 2012

Defining multifactor authentication

I was recently having a discussion about the definition of multifactor authentication and what actually constitutes one, two or three factor authentication.  There seems to be confusion around these definitions, so I am posting some industry accepted definitions for all to see or reference.  Authentication methodologies involve three basic “factors”:

  1. Something the user knows (eg. password, personal identification number, personally identifiable information)
  2. Something the user has (eg. smartcard, security token, telephone, signed digital certificate)
  3. Something the user is (eg. fingerprint, voice, retinal pattern, DNA)

 

According to the Federal Financial Institutions Examination Council’s Authentication in an Internet Banking Environment, August 15, 2006, two-factor authentication (aka multifactor authentication) is described as:

 

“By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category would not constitute multifactor authentication.”

 

Therefore, two factor (aka multifactor) authentication is a combination of any two of these factors. For example – a fingerprint scan and a password is two factor authentication; a password and a signed computer digital certificate is two factor authentication.  However if you use a password, a signed computer digital certificate, a PIN and a number generated from your RSA SecurID token then you are still using two factor authentication as the identifiers only come from two of the three categories listed above.

There is a great article here (http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/) which discusses this in detail, and it is also worth checking out the PCI Security Standards Council Quick Reference Guide, especially section 8.3 (https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf), FFIEC’s Authentication Guidance whitepaper (http://www.ffiec.gov/pdf/authentication_guidance.pdf) and Australia’s DSD security advice article (http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm).

 

 

December 9 2011

Microsoft Certificate Expiration Alerting tool

I came across this very useful free tool for alerting when a certificate that has been issued by an internal Microsoft Certificate Authority is going to expire (SCOM can do this too but this is a good alternative). In the words of the developer:

The Certificate Expiration Alerter helps IT departments monitor the expiration status of all their certificates which are issued from an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends a notification email with information about the certificate. This allows IT administrator to be proactive and take action by renewing the certificates before they expire and prevent possible service downtimes.

For more info, see these 2 websites – http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx and http://sourceforge.net/projects/certexpalerter.
 
 

October 7 2011

Extend the validity period of a Certificate Authority certificate

During a new deployment of Certificate Services, I needed to increase the validity period of the CA certificate issued from the root (and offline) CA to the issuing CA (online and domain joined). By default this is only valid for 1 year. After unsuccessful hunting around the GUI options, I realised that this is going to be a registry change:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration
Find ValidityPeriod. Set the value to one of the following – Days, Weeks, Months or Years.
Find ValidityPeriodUnits and set this to the numeric value that you want.
Then restart the Certificate Services NT service.

I made this change on both the root CA and issuing CA because I wanted to increase the validity period of not just the CA certificate that is issued from the root CA, but also any certificates that are issued from the issuing CA. Be aware that validity period may also be set in the certificate template and templates supported by Windows 2000 and Windows Server 2003 Standard Edition cannot be modified. Templates supported by Windows Server Enterprise Edition (Version 2 templates) do support modification.

There is a bit more detail here if required – http://support.microsoft.com/kb/254632.
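The same change scripted, as an added example that is not part of the original post. It also compares the requested lifetime with the CA certificate's own expiry, because a CA does not issue certificates that outlive its CA certificate. The default of 5 Years and the temporary file name are example values.

```powershell
# Added example, not from the original post. Run elevated on the CA itself.
param(
    [ValidateSet('Days', 'Weeks', 'Months', 'Years')]
    [string]$Period = 'Years',
    [int]$Units = 5                      # example value
)

# The two values live in a subkey of Configuration named after the CA;
# the "Active" value on the parent key holds that CA name.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$caKey  = Join-Path $cfg $caName
$old    = Get-ItemProperty -LiteralPath $caKey
Write-Host "Before: $($old.ValidityPeriodUnits) $($old.ValidityPeriod) on '$caName'"

# Export the CA certificate and compare its expiry with the requested lifetime.
$caCerFile = Join-Path $env:TEMP 'ca-cert-check.cer'   # temporary file (assumed name)
Remove-Item -LiteralPath $caCerFile -ErrorAction SilentlyContinue
certutil -ca.cert $caCerFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not export the CA certificate.' }
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCerFile

$now = Get-Date
$requestedEnd = switch ($Period) {
    'Days'   { $now.AddDays($Units) }
    'Weeks'  { $now.AddDays(7 * $Units) }
    'Months' { $now.AddMonths($Units) }
    'Years'  { $now.AddYears($Units) }
}
if ($requestedEnd -gt $caCert.NotAfter) {
    Write-Warning "CA certificate expires $($caCert.NotAfter); issued certificates will be cut short to that date."
}

# "CA\" makes certutil resolve the active CA's configuration subkey.
certutil -setreg CA\ValidityPeriod $Period | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting ValidityPeriod failed.' }
certutil -setreg CA\ValidityPeriodUnits $Units | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Setting ValidityPeriodUnits failed.' }

# The CA reads these values at service start.
Restart-Service -Name CertSvc

$new = Get-ItemProperty -LiteralPath $caKey
Write-Host "After:  $($new.ValidityPeriodUnits) $($new.ValidityPeriod)"
```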