Backup AD CS

Hi guys,

With the following steps you can back up a CA.

  • Export the CA configuration from the registry with the following command line:

reg export "HKLM\System\CurrentControlSet\Services\CertSvc\Configuration" c:\CaConfig\backup\configuration.reg /y

  • Open the AD CS MMC and start a backup by choosing Backup CA. These are the steps:

When the wizard appears, click Next.

Select all check boxes and enter the path where the backup will be saved.

Enter a passphrase and click Next.

Click Finish.

In the folder where you have saved the backup you will find the CA Certificate and the database files.

Regards!
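
The backup steps above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes Windows Server 2012 R2 or later with the ADCSAdministration module, and the timestamped subfolder and hash file names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes Windows Server 2012 R2 or later
# (ADCSAdministration module, PowerShell 4.0) and that it runs on the CA itself.
Import-Module ADCSAdministration -ErrorAction Stop

$BackupRoot = 'C:\CaConfig\backup'   # folder used by the reg export command in the post
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'   # hypothetical naming scheme
$Target     = Join-Path $BackupRoot $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 1. Database and private key, into the still-empty folder. The password is
#    prompted for so it never appears in the script or in command-line logs.
$Password = Read-Host -AsSecureString -Prompt 'Password for the CA key backup'
Backup-CARoleService -Path $Target -Password $Password -ErrorAction Stop

# 2. Registry configuration, same key as the reg export command in the post.
$RegKey  = 'HKLM\System\CurrentControlSet\Services\CertSvc\Configuration'
$RegFile = Join-Path $Target 'configuration.reg'
& reg.exe export $RegKey $RegFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# 3. Verify the pieces a restore needs are really there.
$P12 = Get-ChildItem -Path $Target -Filter '*.p12'
$Edb = Get-ChildItem -Path (Join-Path $Target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $P12) { throw 'No .p12 file: CA certificate and private key are missing.' }
if (-not $Edb) { throw 'No .edb file: certificate database is missing.' }
if ((Get-Item $RegFile).Length -eq 0) { throw 'configuration.reg is empty.' }

# 4. The .p12 contains the CA private key: drop inherited ACEs and allow only
#    Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18). SIDs avoid localized names.
& icacls.exe $Target /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 5. Record SHA-256 hashes so corruption or tampering can be detected before a restore.
Get-ChildItem -Path $Target -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $BackupRoot "$Stamp-hashes.csv") -NoTypeInformation

Write-Output "CA backup written to $Target"
```

The backup folder holds the CA private key, so move it to offline or access-controlled storage and keep the password separate from it.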

Prevent users from installing certificates on a desktop computer

Hi!

Below is how to prevent a user from installing certificates on a desktop computer.

Regards!

In a new GPO, under User Configuration, configure the following settings to prevent a user from installing certificates with Internet Explorer or from using the Certificates snap-in:

The next step is to use GPP to prevent a user from installing a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System

There we add the following files:

%SystemRoot%\system32\certutil.exe

%SystemRoot%\system32\CertEnrollCtrl.exe

%SystemRoot%\system32\certmgr.msc

%SystemRoot%\system32\certreq.exe

%SystemRoot%\system32\cryptext.dll

Then add a new user group and deny it permissions.

When the user double-clicks a certificate, a message appears.

Regards

Warning in Win XP when accessing HTTPS websites

Hello!

Today an end user told me that when she goes to a secure website (HTTPS) it shows a warning message like this:

The problem is that she is using Windows XP and needs a fix to solve it; she can't access any website with HTTPS. The issue is interesting because it affects all certificates with keys of less than 1024 bits. Here are the links to the KB.

http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx

http://support.microsoft.com/kb/2661254/en-us

Regards!

How to know if a CA is Enterprise or Standalone

Hi there!

I'm going to migrate a CA from Windows 2003 (x86) to 2008 R2, and to know whether the CA is Standalone or Enterprise I need to do one of the following:

  • Type the command: certutil -getreg ca\catype
  • Open the CertSrv.msc console and locate the Certificate Templates node. This node exists on Enterprise CAs only.
  • In Sites and Services, select Show Services Node in the view pane. Go to Services, Public Key Services, Enrollment Services. If the CA name appears there as an object, your CA is an Enterprise CA; if not, it is a Standalone CA.

Regards!