Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Certificates’ Category

(2019-05-28) Windows Hello For Business – Certificate Template For DCs

Posted by Jorge on 2019-05-28


When implementing Windows Hello for Business (WH4B), whether with the “Hybrid AAD Joined Certificate Trust” method or the “Hybrid AAD Joined Key Trust” method, a PKI infrastructure is needed at the very least to implement a certificate template for DCs that supports WH4B. If you already have a (Microsoft) PKI infrastructure, you may already have a certificate template for DCs whose provider and algorithm (Cryptography tab) are configured as, or similar to, what is displayed below.


Figure 1: Existing Cryptography Settings In Legacy DC Certificate Template

When deploying WH4B, the following cryptography settings are required. You can only configure them when, on the Compatibility tab, the certification authority is set to at least Windows Server 2012.


Figure 2: Cryptography Settings In New DC Certificate Template Required By WH4B

Now a question may be: what is the impact on DCs when configuring a new certificate template and deploying that to the DCs to replace the existing certificate template?

A good question, might I say!

It is important that autoenrollment is configured, and configured correctly, for this to succeed: at least the highlighted settings below must be set and targeted at the DCs in AD.

You may also want to read: Troubleshooting Autoenrollment and Configuring Autoenrollment


Figure 3: Autoenrollment Settings

In addition, make sure the newest certificate template supersedes the old certificate templates, as displayed below.

With regards to PKI, the WH4B documentation says the following:

By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.


Figure 4: Superseded Settings

From what I understand, the new template changes the key storage from a CSP to a KSP and keeps the RSA algorithm. After doing this myself in multiple environments and asking around for others' experiences, the answer to the “impact” question is:

No negative impact anticipated or experienced

Nevertheless, make sure to test in your representative test environment!
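To verify on a DC that the new template actually took effect after autoenrollment, the following PowerShell (an added example, not code from the original post) lists every machine certificate with the template it was issued from and whether its private key lives in a legacy CSP or a KSP; the Kerberos Authentication certificate should show a KSP afterwards. It assumes .NET Framework 4.6 or later (for RSACertificateExtensions) and that it is run elevated on the DC.

```powershell
# Added example: inventory LocalMachine\My and report key storage (CSP vs KSP) per certificate.
# Template OIDs: 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates),
#                1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
$templateOids = @("1.3.6.1.4.1.311.21.7", "1.3.6.1.4.1.311.20.2")

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Template information as stamped by the issuing CA (empty for certificates not issued from a template)
    $templateExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    $template = if ($templateExt) { $templateExt.Format($false) } else { "(no template extension)" }

    $keyStorage = "(no private key)"
    if ($cert.HasPrivateKey) {
        try {
            # Returns RSACng for a CNG (KSP) key and RSACryptoServiceProvider for a CAPI (CSP) key; $null for non-RSA keys
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $keyStorage = "(non-RSA key)"
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $keyStorage = "KSP: " + $rsa.Key.Provider.Provider     # e.g. Microsoft Software Key Storage Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $keyStorage = "CSP: " + $rsa.CspKeyContainerInfo.ProviderName   # legacy CryptoAPI provider
            } else {
                $keyStorage = "(unknown RSA implementation: " + $rsa.GetType().Name + ")"
            }
        } catch {
            # Typically an access problem (not elevated) or a key on hardware that refuses to open
            $keyStorage = "(key not accessible: " + $_.Exception.Message + ")"
        }
    }

    [PSCustomObject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Template   = $template
        KeyStorage = $keyStorage
    }
} | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

A DC still holding only a "CSP:" certificate from the old template after the autoenrollment interval has passed is the first thing to check before assuming the supersede and autoenrollment settings are correct.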

Enjoy and have fun!,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Posted in Active Directory Certificate Services (ADCS), Active Directory Domain Services (ADDS), Certificate Templates, Certificates, WH4B, Windows Client | Leave a Comment »

(2013-12-14) SHA1 Deprecation Policy

Posted by Jorge on 2013-12-14


This is an important message for anyone still using SHA1 certificates.

Read more here.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Certificate Services (ADCS), Certificates, SHA1 | Leave a Comment »

(2013-10-22) Searching For Certificates Matching A Specific DNS Name Or WildCard Name

Posted by Jorge on 2013-10-22


If your computer has lots of certificates in the local computer store and you need to find out whether one or more certificates match a specific name in the subject or subject alternative name (SAN), or whether a certificate matches the first-level wildcard of that name, you can use the following PowerShell code:

# Searching For A Certificate With A Specific Name In The Subject Name Or Subject Alternate Name (SAN)
# Searching For A Certificate With A WildCard Name In The Subject Name Or Subject Alternate Name (SAN) Matching The Specific Name

# Define The Specific DNS Name
$dnsName = "<FQDN>"

# Determine The First Level WildCard Name (e.g. fs.adcorp.lab -> *.adcorp.lab); a single-label name has no wildcard form
$wildCardName = If ($dnsName.Contains(".")) { "*" + $dnsName.Substring($dnsName.IndexOf(".")) } Else { $null }

# Case-insensitive check: does $name equal the FQDN or its first level wildcard?
Function Test-NameMatch ($name) {
    If ([string]::IsNullOrEmpty($name)) { Return $false }
    Return ($name -ieq $dnsName) -or ($wildCardName -ne $null -and $name -ieq $wildCardName)
}

# Keyed on thumbprint so a certificate that matches on both subject and SAN is listed only once
$certs = @{}
$certsInLocalMachine = DIR cert:\LocalMachine\My
$certsInLocalMachine | ForEach-Object {
    $certificate = $_
    $certThumbprint = $certificate.Thumbprint

    # Extract the CN value from the subject (a subject is usually "CN=name, OU=..., O=...", not just "CN=name")
    $certSubject = $null
    If ($certificate.Subject -match '(?i)(?:^|,\s*)CN=([^,]+)') { $certSubject = $Matches[1].Trim() }
    If (Test-NameMatch $certSubject) { $certs[$certThumbprint] = $certificate }

    # Decode the SAN extension (if present) with the CertEnroll COM decoder
    $sanCertExtension = $certificate.Extensions | Where-Object { $_.Oid.FriendlyName.ToLower() -eq "subject alternative name" }
    If ($sanCertExtension -ne $null) {
        $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        $altNamesStr = [System.Convert]::ToBase64String($sanCertExtension.RawData)
        $sanObjs.InitializeDecode(1, $altNamesStr)   # 1 = XCN_CRYPT_STRING_BASE64
        ForEach ($SAN in $sanObjs.AlternativeNames) {
            # Only DNS names (type 3 = XCN_CERT_ALT_NAME_DNS_NAME) are relevant; strValue is not defined for e.g. IP addresses
            If ($SAN.Type -ne 3) { Continue }
            If (Test-NameMatch $SAN.strValue) { $certs[$certThumbprint] = $certificate }
        }
    }
}
$certs.Values | FL

If the DNS name is "FS.ADCORP.LAB", the output on my demo machine is:


Figure 1: Looking For Certificates That Could Support The DNS Name "FS.ADCORP.LAB" (Example)

You might also want to look at the following article, which shows you how to list the subject alternative names in a specific certificate:

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Certificates, PowerShell, Tooling/Scripting | 2 Comments »
