Archive

Posts Tagged ‘Certifikat’

The Nerd Herd – Avsnitt 44 – PKI

May 22nd, 2013 Comments off

I en bunker långt under Normalms gator finns “The Nerd Herd” studion, där produceras det varje vecka tunga teknikprogram med erkända experter!

Tillsammans med Johan Persson, Michael Anderberg och Fredrik ”DXter” Jonsson försöker vi under detta avsnitt ge våra synpunkter och tankar om och kring PKI i och PKI relaterade frågor och funderingar…

Avsnittet kan laddas ner här… (Du kan även prenumerera på showen i iTunes och gPodder – ge gärna en positiv review också, så att fler kan hitta showen, tack!)

Du kan givetvis följa The Nerd Herd på http://thenerdherdse.wordpress.com, DXter på hans blogg http://poweradmin.se

/Hasain

Categories: ADCS, certificate, certifikat, PKI Tags: , ,

Certificate Selection & Certificate Friendly Name Tool

November 4th, 2011 Comments off

The certificate selection user interface in Windows supports filtering logic to provide a simplified user experience when an application presents multiple certificates. But some applications are not designed to use filtering logic (developers not aware of functionality…) or uses filters that does not provide efficient reduction of the number of certificates presented to the user making it almost impossible for a user to know witch certificate to choose unless opening the certificate and looking at the details of template name, EKU, etc.

This is particularly true when all certificates has been automatically enrolled using the same user DN/CN attribute based on the users Active Directory user object attributes. In addition to that, Autoenrollment does not support variations in certificate subject name unless using some third party policy module installed on the Active Directory Certificates Services.

Knowing that the certificate selection UI supports certificate friendly names. Setting the certificate friendly name to include information about the certificate template can simplify the users task to select the correct certificate.

Friendly names are properties in the X.509 certificate store in Windows that can be set at any time after the certificate has been created/installed in the store.

One way to set the friendly name is through the certificate MMC SnapIn. Alternatively certutil.exe can be used in the following way:

Create a text file containing the following information:

[Version]
Signature = “$Windows NT$”
[Properties]
11 = “{text}My Friendly Name”

Save the file as friendlyname.inf

Determine the serialnumber of the certificate where the friendly name should be changed.

Run the following command at a command-line:
certutil –repairstore –user my {SerialNumber} FriendlyName.inf

Automating the friendly name can be achieved by either automating/scripting the steps above alternatively by creating a tool that enumerates all certificates in the personal store and assign the friendly name.

A proof of concept CertFN.exe tool was created to automate the above. The tool receives a parameter for the template name to use when filtering the user store, it then sets the friendly name based on the schema “Template Name – Certificate Subject Name”

  CertFN - Certificate Friendly Name Tool download:(39.3 KiB, 4,325)

  CertFN - Certificate Friendly Name Tool - The Powershell Edition download:(1.1 KiB, 5,551)

Categories: ADCS, certificate, certifikat, certutil.exe, GUI tool, PKI, säkerhet, Security, Tool Tags: , , , , , , , ,

IPSec StrongCRLCheck does not work on Windows Server 2008 R2-based RRAS

September 15th, 2011 Comments off

SYMPTOMS:

  • You install the Routing and Remote Access Service (RRAS) role on a server that is running Windows Server 2008 R2.
  • You configure the server to accept Layer Two Tunneling Protocol with IPsec (L2TP/IPsec) connections.
  • You run the Netsh ipsec dynamic set config property=strongcrlcheck value=2 command to configure the StrongCRLCheck setting on the server.
  • You revoke a certificate on a client computer. The certificate is used to make L2TP/IPsec connections to the RRAS server.
  • You establish an L2TP/IPsec connection from the client computer to the server.
  • The connection to the RRAS server is successful. However, you expect that the client computer cannot connect to the server.
The issue occurs because the Remote Access Service (RAS) ignores the StrongCRLCheck setting!
To correct this you need a hot fix and a new registry key as instructed by KB2351254 http://support.microsoft.com/kb/2351254
Categories: certificate, certifikat, CRL check, L2TP/IPSec, Revocation, säkerhet, Security Tags: , , , , , ,

FIM CM 2010 links from Microsoft Donwloads

July 13th, 2011 Comments off

Some interesting FIM CM 2010 links from Microsoft Donwloads:

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Smart Card Centralized Registration

Demonstrating FIM CM using a centralized smart card registration model in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management User Smart Card Self-Service

Demonstrating User Smart Card Self-Service using FIM CM in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Delegated Smart Card Registration

Delegated smart card registration with FIM CM in a test lab.

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management User Certificate Self-Service

Demonstrate using FIM CM for Self-Service certificate management.

Test Lab Guide: Installing Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM 2010 Integration

Install FIM CM with Constrained Delegation, Update 1, and FIM 2010 in a test lab.

 

Categories: ADCS, certificate, certifikat, FIM 2010, säkerhet, Security, Smart Card, smartkort Tags: , , , , , ,