Setting up Linux to use Active Directory Certificate Services
-
I am attempting to switch our internal web services over to https and have it centrally managed and trusted. I had opted to use ADCS for this since we are running AD.
Have any of you done this? If so, what documentation did you use? I'm using https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/, but I haven't been able to get the CSR to complete.
It appears that communication between the test server and the CA is fine, and the CA is issuing certificates. Here are the errors I'm getting:
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
sscep: illegal size of payload
Any thoughts or questions?
-
@kelly said in Setting up Linux to use Active Directory Certificate Services:
sscep: pkistatus: FAILURE
This is step 4 where you get this?
In a two tier hierarchy, the command will pull down four certificate files
contosoCA.crt-0 The certificate for the issuing subordinate CA root Registration Authority (RA)
contosoCA.crt-1 The certificate for the subordinate CA root CEP Encryption (CE)
contosoCA.crt-2 The certificate for the CA root.
contosoCA.crt-3 The certificate for the issuing subordinate CA root.
-
What is it that's causing problems? Importing and using the correct certificate formats after exporting them from Windows?
-
Here are my notes on doing the conversion:
# key (still encrypted) plus certs, straight out of the PFX
openssl pkcs12 -in wildcard_cert.pfx -out wild-encrypted.key
# leaf certificate only, no key
openssl pkcs12 -in wildcard_cert.pfx -clcerts -nokeys -out wild-certificate.crt
# strip the passphrase from the private key
openssl rsa -in wild-encrypted.key -out wild-decrypted.key
# CA certificates only
openssl pkcs12 -in wildcard_cert.pfx -out domain-ca.crt -nodes -nokeys -cacerts
# leaf followed by the chain, the order most web servers want
cat wild-certificate.crt domain-ca.crt > full_cert.crt
=== Certificate convert PFX to PEM ===
(converts .pfx certificate file to .PEM with non encrypted private key)
openssl pkcs12 -in key.pfx -out key.pem -nodes
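As an added example (not code from the thread), here is the same PFX to PEM conversion wrapped in a script that also checks the result before anything is deployed: that the decrypted key actually pairs with the leaf certificate, and that the leaf verifies against the CA certificates pulled out of the PFX. It needs only the openssl CLI. Everything else is constructed for the example: it generates its own root CA, issuing CA and server certificate and packs them into a PFX the way a Windows export would, and the file names, subjects and the password "changeit" are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes only the openssl CLI.
# All key and certificate material, names and the password are constructed here.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"   # assumed export password for the constructed PFX
cd "$WORK"

# Build a throwaway root CA -> issuing CA -> server cert and pack them into a
# PFX the way a Windows export does (leaf + private key + CA chain).
make_test_pfx() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'subjectAltName=DNS:web.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.crt >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
    -subj "/CN=Constructed Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out issuing.crt >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=web.example.test" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out server.crt >/dev/null 2>&1
  cat issuing.crt root.crt > chain.crt
  openssl pkcs12 -export -in server.crt -inkey server.key -certfile chain.crt \
    -out wildcard_cert.pfx -passout "pass:$PFX_PASS"
}

# The conversion from the notes, with -nocerts so the key file holds only the
# key, and the password passed explicitly so it runs unattended.
convert_pfx() {
  pfx="$1"; pass="$2"
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out wild-certificate.crt
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" -out domain-ca.crt
  # the decrypted key is written with mode 0600; the subshell keeps the umask local
  (umask 077; openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" -out wild-decrypted.key)
  cat wild-certificate.crt domain-ca.crt > full_cert.crt
}

# Does the private key pair with the leaf? Compare the SPKI from both sides.
key_matches_cert() {
  c=$(openssl x509 -in wild-certificate.crt -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in wild-decrypted.key -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Does the leaf chain to the CA certificates that came out of the PFX?
chain_verifies() {
  openssl verify -CAfile domain-ca.crt wild-certificate.crt >/dev/null 2>&1
}

# How many CA certificates were extracted (2 for a two-tier hierarchy)?
count_ca_certs() {
  grep -c 'BEGIN CERTIFICATE' domain-ca.crt
}

make_test_pfx
convert_pfx wildcard_cert.pfx "$PFX_PASS"
if key_matches_cert && chain_verifies; then
  echo "full_cert.crt and wild-decrypted.key are ready in $WORK ($(count_ca_certs) CA certs in chain)"
else
  echo "conversion check failed in $WORK" >&2
  exit 1
fi
```

With a real export you would skip make_test_pfx and point convert_pfx at the PFX from the Windows side; the two checks are the ones worth keeping, since a key that does not match its certificate or a chain file missing the issuing CA are the usual reasons a converted PFX "works" in openssl but fails in the browser.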
-
@tim_g said in Setting up Linux to use Active Directory Certificate Services:
What is it that's causing problems? Importing and using the correct certificate formats after exporting them from Windows?
I'm trying to automate using sscep, but I may fall back on doing it manually just to get this done. This is failing during enrollment. I've generated the certreq and several of the steps are succeeding, so I know that the communication is working.
-
@momurda said in Setting up Linux to use Active Directory Certificate Services:
@kelly said in Setting up Linux to use Active Directory Certificate Services:
sscep: pkistatus: FAILURE
This is step 4 where you get this?
In a two tier hierarchy, the command will pull down four certificate files
contosoCA.crt-0 The certificate for the issuing subordinate CA root Registration Authority (RA)
contosoCA.crt-1 The certificate for the subordinate CA root CEP Encryption (CE)
contosoCA.crt-2 The certificate for the CA root.
contosoCA.crt-3 The certificate for the issuing subordinate CA root.
It is after the fourth PKCS7 block. I do have all four of the cert files, but the command in the linked article only has me reference two of them.
-
@kelly said in Setting up Linux to use Active Directory Certificate Services:
I am attempting to switch our internal web services over to https and have it centrally managed and trusted. I had opted to use ADCS for this since we are running AD.
Have any of you done this? If so, what documentation did you use? I'm using https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/, but I haven't been able to get the CSR to complete.
It appears that communication between the test server and the CA is fine, and the CA is issuing certificates. Here are the errors I'm getting:
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
sscep: illegal size of payload
Any thoughts or questions?
I've only done the CSR part, sorry. I gave the wildcard CSR to one of the Windows admins and they gave me the cert back. I just grabbed the CA cert from a site and pushed it out to our nix boxes. I didn't have anything to do with the signing.
-
Have you gone to
http://yourCA.domain.com/certsrv/mscep_admin
If so is it showing a page like in the walkthrough?
Have you tried without enrollment challenge password requirement?
-
@momurda said in Setting up Linux to use Active Directory Certificate Services:
Have you gone to
http://yourCA.domain.com/certsrv/mscep_admin
If so is it showing a page like in the walkthrough?
Have you tried without enrollment challenge password requirement?
Yes to the first. I used the information there to run the mkrequest.
I haven't tried without a password.
-
@kelly said in Setting up Linux to use Active Directory Certificate Services:
@momurda said in Setting up Linux to use Active Directory Certificate Services:
Have you gone to
http://yourCA.domain.com/certsrv/mscep_admin
If so is it showing a page like in the walkthrough?
Have you tried without enrollment challenge password requirement?
Yes to the first. I used the information there to run the mkrequest.
I haven't tried without a password.
Same error when no password is used in the mkrequest command.