Certificate Authority Quagmire
-
I used a procedure similar to the one in the URL you linked, in a production environment. The case I used it in was to completely remove a PKI and create a new one. I know a little different than in your case, but as long as you do not delete anything you need you will be fine.
I have two questions to ask that will determine whether or not I can help you:
-
What command did you use to get that output in PS?
-
For what purposes are you using your PKI?
... and because I can't count
3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to. -
-
@Tim_G said in Certificate Authority Quagmire:
I used a procedure similar to the one in the URL you linked, in a production environment. The case I used it in was to completely remove a PKI and create a new one. I know a little different than in your case, but as long as you do not delete anything you need you will be fine.
I have two questions to ask that will determine whether or not I can help you:
-
What command did you use to get that output in PS?
-
For what purposes are you using your PKI?
... and because I can't count
3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to.- Certutil. Use it on any windows system that's connected to your domain.
- Internal validation, especially on VDI and internal web servers.
- Yes.
-
-
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
I used a procedure similar to the one in the URL you linked, in a production environment. The case I used it in was to completely remove a PKI and create a new one. I know a little different than in your case, but as long as you do not delete anything you need you will be fine.
I have two questions to ask that will determine whether or not I can help you:
-
What command did you use to get that output in PS?
-
For what purposes are you using your PKI?
... and because I can't count
3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to.- Certutil. Use it on any windows system that's connected to your domain.
- Internal validation, especially on VDI and internal web servers.
- Yes.
You can't change the name on the certificate. You will need to request a new one from your DC which you can do via certlm.msc.
How did the DC get a certificate with an incorrect name in the first place?
-
-
@Tim_G said in Certificate Authority Quagmire:
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
I used a procedure similar to the one in the URL you linked, in a production environment. The case I used it in was to completely remove a PKI and create a new one. I know a little different than in your case, but as long as you do not delete anything you need you will be fine.
I have two questions to ask that will determine whether or not I can help you:
-
What command did you use to get that output in PS?
-
For what purposes are you using your PKI?
... and because I can't count
3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to.- Certutil. Use it on any windows system that's connected to your domain.
- Internal validation, especially on VDI and internal web servers.
- Yes.
You can't change the name on the certificate. You will need to request a new one from your DC which you can do via certlm.msc.
How did the DC get a certificate with an incorrect name in the first place?
Imported from an old DC.
-
-
That seems weird why would you import a certificate from another active directory server instead of making a new one or requesting a new one
-
@Dashrender said in Certificate Authority Quagmire:
That seems weird why would you import a certificate from another active directory server instead of making a new one or requesting a new one
I can advise, suggest and document, but at the end of the day I still have to work with what I have and follow the business directive. Unfortunately, this is one of those times.
-
Have you had a chance to replace the certificate yet?
-
@Tim_G said in Certificate Authority Quagmire:
Have you had a chance to replace the certificate yet?
I have a new wildcard cert. I'm not sure I want to use that on the DC. Has anyone done that? I'm unsure if it's a best practice or not.
-
On the DC, can't you request another one from your CA via certlm.msc?
-
@Tim_G said in Certificate Authority Quagmire:
On the DC, can't you request another one from your CA via certlm.msc?
The DC is the CA.
-
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
On the DC, can't you request another one from your CA via certlm.msc?
The DC is the CA.
Not good... But I guess it is what it is. So let's just focus on fixing it.
Is starting over an option?
If not...
How is your pki set up? How many tiers? From where did you import the wrongly named cert? -
@Tim_G said in Certificate Authority Quagmire:
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
On the DC, can't you request another one from your CA via certlm.msc?
The DC is the CA.
Not good... But I guess it is what it is. So let's just focus on fixing it.
Is starting over an option?
If not...
How is your pki set up? How many tiers? From where did you import the wrongly named cert?No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some cisco products from complaining.
-
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
@Grey said in Certificate Authority Quagmire:
@Tim_G said in Certificate Authority Quagmire:
On the DC, can't you request another one from your CA via certlm.msc?
The DC is the CA.
Not good... But I guess it is what it is. So let's just focus on fixing it.
Is starting over an option?
If not...
How is your pki set up? How many tiers? From where did you import the wrongly named cert?No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some cisco products from complaining.
You still need to renew the certificate. You can do it in CA management.
-
Is there an article for that on technet? I don't want to screw it up.
-
Do you have an offline root CA or is do you just have a single CA that does it all: certificate issuing, CDP, etc.?