Certificate Chain and verification

  • Thursday, January 17, 2013 10:31 PM

    A while back we re-issued certificates in our Forest/domains with a 1024-bit key. We were at 512. We are now having a problem with an application trying to use SLDAP and allow the user to change passwords. Others are saying the DCs are not using the new 1024-bit key.

    1. Is there a way to verify this?

    2. If the DCs are using the 512-bit key, then how do we get the DCs to utilize them instead?

    One person has mentioned re-enrollment, but I can't find anything on the net about doing that manually for the DCs. Note: This first came up because of the bulletin 2661254.

    Lastly, our Forest has 3 domains underneath it.

    Any help would be greatly appreciated!

All Replies

  • Thursday, January 24, 2013 2:42 AM (Answered)

    Hi,

    You can verify that LDAPS is working with ldp.exe or from the command line with: openssl.exe s_client -connect serverip:636

    OpenSSL would also show you the certificate, base64 encoded. Just copy everything from -----BEGIN CERT----- to -----END CERT-----, including those two lines, into a text file and rename it to .crt. Open it with a double-click and you have a human-readable format.

    Anyway, I recommend cleaning out the old certificates; they did their job a long time ago.

    Regards,

    Lutz

  • Thursday, January 24, 2013 8:31 AM (Answered)

    You can easily check certificate status and manage DC certificates using certutil (run as an Enterprise Admin in an Admin command prompt).

    1) What certs are deployed to the DCs

    certutil -dcinfo

    This reports the trusted root CAs and KDC cert for each DC in the environment. It does not report the key length; you would have to dig a bit more or use the method suggested by Lutz to view the cert.

    2) For re-enrollment and getting rid of all previous KDC certs (probably best for your scenario)

    certutil -dcinfo deleteall

    This deletes all previous KDC certs and requests a new one. Have the Domain Controller Authentication or Kerberos Authentication template published and ready to go.

    Brian
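Since certutil -dcinfo does not report the key length and Lutz's approach leaves you reading the certificate by hand, here is an added example (not from the thread or from Microsoft's tooling) that fetches the certificate a DC actually presents on port 636 and reports the RSA modulus size using only the Python standard library. It assumes the DC uses an RSA key; `dc_key_bits` is a hypothetical helper name, and `sample_cert_der` builds a constructed, certificate-shaped structure only so the parser can be exercised offline.

```python
import ssl

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def _children(buf, start, end):                     # TLVs inside a constructed value
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]

def rsa_key_bits(der):
    """Bit length of the RSA modulus in an X.509 certificate given as DER bytes."""
    _, cs, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)                       # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                        # optional [0] version
        fields = fields[1:]
    _, ss, se = fields[5]   # serial, signature, issuer, validity, subject, SPKI
    (_, _, _), (_, bs, _) = _children(der, ss, se)  # AlgorithmIdentifier, BIT STRING
    _, rs, _ = _tlv(der, bs + 1)                    # +1 skips the unused-bits byte
    _, ms, me = _tlv(der, rs)                       # RSAPublicKey.modulus INTEGER
    return int.from_bytes(der[ms:me], "big").bit_length()

def dc_key_bits(host, port=636):
    """Key size of the certificate a DC actually presents on LDAPS (hypothetical helper)."""
    pem = ssl.get_server_certificate((host, port))  # same PEM you see in s_client output
    return rsa_key_bits(ssl.PEM_cert_to_DER_cert(pem))

def _der(tag, content):                             # minimal DER encoder for the sample
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert_der(bits):
    """Constructed certificate-shaped DER with an RSA key of `bits` bits (not a real cert)."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + rsa_pub))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)        # sig, issuer, validity, subject stubbed
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A PEM file saved from s_client output can be checked the same way by passing it through `ssl.PEM_cert_to_DER_cert` and then `rsa_key_bits`; a result of 512 against a DC means that DC is still presenting the old key, regardless of what is enrolled.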