Comments on: Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/
Last updated: Wed, 06 Sep 2017 05:11:30 +0000

By: Romain Serre (Wed, 15 Jul 2015 06:38:33 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-137

Hi,

Then you have to copy the CRL to a machine member of the Active Directory and run the certutil cmd from this server 🙂

By: Brucev (Tue, 07 Jul 2015 19:54:19 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-134

“The first time, you have to connect with an enterprise admin account to publish certificate and CRL in Active Directory.”

How do I do this on a server that is not a member of the domain?

By: Romain Serre (Mon, 03 Nov 2014 19:24:50 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-50

In fact VMPKI02 is not a Domain Controller. You can run the certutil command on a RDS server if the command is present on the server 🙂

By: Long (Mon, 03 Nov 2014 19:00:35 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-49

Yes, indeed, you did help me! Thank you. Perhaps it may be a good idea to have a paragraph in the section to indicate that the commands need to be run on VMPKI02, which is the DC of the lab… Thank you for your prompt response.

By: Romain Serre (Sun, 02 Nov 2014 09:42:48 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-47

Hi,

Thanks for your comment 🙂
Because the Root CA should be offline, it is not integrated into Active Directory. So you can’t publish AIA and CRL from the Root CA.
So you have to generate the CRL from the Root CA and copy this CRL and the Root CA certificate to another server like the Sub CA.
Once you have copied these two files, you can run the certutil command twice to publish the CRL and the certificate in the Active Directory.
In this way, clients could use Active Directory to download CRL and AIA information.
Hope I have helped you 🙂

Romain

By: Long (Sun, 02 Nov 2014 00:13:00 +0000)
//www.tech-coffee.net/public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services/#comment-46

I like this a lot and I intend to set up my own lab using your excellent instructions. In the meantime, I am a bit stumped at the “Publish Root CA CRL and AIA to Active Directory” section, in that I do not know if the commands should be issued on the Root CA or the Subordinate server. I am leaning against the latter since the former is a stand-alone and therefore it should not be associated with AD, right?
