Category Archives: PKI

Publish a CRL created with Openssl into Active Directory

When you sign a CRL with OpenSSL you don't get the attribute "Published CRL Locations", which tells where the revocation lists are or should be published. Without this attribute there is no way for certutil to know where to save …


Recover an archived certificate from a Microsoft CA

Prerequisites: Your KRA certificate must be installed in your certificate store on your machine. Find the serial number of the certificate you want to recover.

certutil -getkey [serial number] [outfile]
Ex. certutil -getkey 45137316467 d:key.file

certutil -recoverkey [infile] [outfile_pfx]
Ex. certutil …


Write a CSR to a CA with OpenSSL

If you order e.g. a wildcard certificate you don't want to generate the keys on a web server, because you can't export them without special tools. Instead you can use OpenSSL to make the CSR. 1. First we create a …


Add third party CA in Active Directory to enable smart card logon

If you want to be able to use a smart card issued by a third party CA to log on to your Active Directory there are a few steps you have to do. You have to tell Active Directory to trust the …


How to issue a new revocation list without the CA online

The CA certificate must be installed in the computer's certificate store.

Re-sign CRL: InFile OutFile ValidityPeriod (Days:Hours)
certutil -v -f -sign "PKI LAB ISSUING CA.crl" "PKI LAB ISSUING CA2.crl" 90:00


Working with OpenSSL and PKCS#12 files

Extract the private key without password (encryption) from your PKCS#12 file:
openssl pkcs12 -in keyexport.pfx -nocerts -nodes -out keyexport.prv
Enter the password used to create your PKCS#12 (.pfx) file.

Extract the private key with password (encryption) from your PKCS#12 file:
openssl pkcs12 -in keyexport.pfx …


How to delete certificates on a .NET smart card

Card information:
certutil -scinfo

Remove certificate:
certutil -delkey -csp "Microsoft Base Smartcard Crypto Provider" [Container GUID]
