Certificate Chain and verification
Thursday, January 17, 2013 10:31 PM
A while back we re-issued certificates in our Forest/domains with a 1024 key. We were at 512. We are now having a problem with an application trying to use SLDAP and allow the user to change passwords. Others are saying the DCs are not using the new 1024 key.
1. Is there a way to verify this?
2. If the DCs are using the 512 bit key, then how do we get the DCs to utilize them instead?
One person has mentioned re-enrollment, but I can't find anything on the net about doing that manually for the DCs. Note: This first came up because of the bulletin 2661254.
Lastly, our Forest has 3 domains underneath it.
Any help would be greatly appreciated!
All Replies
Thursday, January 24, 2013 2:42 AM
Hi,
You can verify that LDAPS is working with ldp.exe or from the command line with: openssl.exe s_client -connect serverip:636
OpenSSL would also show you the certificate in base64 encoded form. Just copy everything from -----BEGIN CERT----- to -----END CERT-----, including those two lines, into a text file and rename it to .crt. Open it with a double-click and you have a human-readable format.
Anyway, I recommend cleaning out the old certificates; they did their job a long time ago.
Regards,
Lutz
- Proposed As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Thursday, January 24, 2013 4:25 AM
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Friday, January 25, 2013 5:33 AM
Thursday, January 24, 2013 8:31 AM
You can easily check certificate status and manage DC certificates using certutil (run as an Enterprise Admin in an Admin command prompt).
1) What certs are deployed to the DCs
certutil -dcinfo
This reports the trusted root CAs and KDC cert for each DC in the environment. It does not report the key length; you would have to dig a bit more or use the method suggested by Lutz to view the cert.
2) For reenrollment and to get rid of all previous KDC certs (probably best for your scenario)
certutil -dcinfo deleteall
This deletes all previous KDC certs and requests a new one. Have the Domain Controller Authentication or Kerberos Authentication template published and ready to go.
Brian
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Friday, January 25, 2013 5:33 AM
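Added example, not part of either reply above: a PowerShell function that connects to each DC on port 636, as in the openssl check, and reports the key size of the certificate actually served, which certutil -dcinfo does not show. The function name and the host names in the usage comment are hypothetical placeholders, the 1024-bit default threshold comes from the question, and RSA keys are assumed.

```powershell
# Added example: report the key size of the certificate each DC presents on LDAPS.
function Get-LdapsCertKeySize {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$Port = 636,
        [int]$MinimumBits = 1024   # threshold from the question; adjust as needed
    )
    foreach ($dc in $ComputerName) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($dc, $Port)
            # Accept whatever certificate is offered: the goal is to inspect it,
            # not to trust it. Do not reuse this callback for real LDAPS traffic.
            $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
            $ssl.AuthenticateAsClient($dc)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $bits = $cert.PublicKey.Key.KeySize   # assumes an RSA (or DSA) public key
            [pscustomobject]@{
                Server       = $dc
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                NotAfter     = $cert.NotAfter
                KeyBits      = $bits
                BelowMinimum = ($bits -lt $MinimumBits)
                Error        = $null
            }
        }
        catch {
            # A failed handshake is itself a finding: the client may be refusing
            # the key, or no certificate is bound to LDAPS on this DC.
            [pscustomobject]@{
                Server = $dc; Subject = $null; Thumbprint = $null; NotAfter = $null
                KeyBits = $null; BelowMinimum = $null; Error = $_.Exception.Message
            }
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
    }
}

# Usage (placeholder host names, one or more DCs per domain in the forest):
# Get-LdapsCertKeySize -ComputerName dc01.example.test, dc02.child.example.test |
#     Format-Table Server, KeyBits, BelowMinimum, NotAfter, Error -AutoSize
```

Run it before and after the re-enrollment step to confirm that the thumbprint and key size served on 636 have actually changed.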

