Certificate Authority Quagmire

IT Discussion
17 Posts 4 Posters 1.5k Views
    • Grey

      [screenshot: r901Hdi.jpg]

      So I have a weird situation, as you can see. I have 5 entries in my AD integrated cert database for discovery. One of them, number 1 in the list, is my 'primary' DC -- DC001, and it has the wrong name.

      • How do I change the cert name?

      I found an article from https://mssec.wordpress.com/2013/03/19/manually-remove-old-ca-references-in-active-directory/ that seems like it covers all of the needs I have over removing the old entries from AD so that there's only the 2 I will need (dc001 and a new one I'll create on dc002).

      • Has anyone done this? What are the risks and/or things you encountered when doing this?
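      An added example, not code from this thread or from the linked article: a PowerShell inventory of the CA references AD keeps in its configuration partition, so each entry can be tied to a live server and a valid certificate before any of them is pruned by hand. It assumes the RSAT ActiveDirectory module and read access to the forest; the container names follow the configuration-partition layout the linked article walks through.

```powershell
# Added example (not from the thread): list every CA reference AD holds and
# flag the ones that look stale, as a pre-check for manual clean-up.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Enrollment Services is what certutil enumerates for discovery; the other
# two containers hold copies of each CA certificate.
$containers = @(
    "CN=Enrollment Services,$pkiBase",
    "CN=Certification Authorities,$pkiBase",
    "CN=AIA,$pkiBase"
)

$report = foreach ($base in $containers) {
    $objs = Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * `
                -Properties cACertificate, dNSHostName
    foreach ($obj in $objs) {
        $blobs = $obj.cACertificate
        if ($blobs -is [byte[]]) { $blobs = ,$blobs }   # single value -> list
        foreach ($raw in $blobs) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            # Only pKIEnrollmentService objects name a host; a decommissioned
            # DC no longer has a computer account, which is the tell-tale.
            $hostMissing = $null
            if ($obj.dNSHostName) {
                $hostMissing = -not (Get-ADComputer -Filter "DNSHostName -eq '$($obj.dNSHostName)'")
            }
            [pscustomobject]@{
                Container   = (($base -split ',')[0] -replace '^CN=')
                Entry       = $obj.Name
                Host        = $obj.dNSHostName
                Subject     = $cert.Subject
                NotAfter    = $cert.NotAfter
                Thumbprint  = $cert.Thumbprint
                Expired     = ($cert.NotAfter -lt (Get-Date))
                HostMissing = $hostMissing
            }
        }
    }
}

# Entries flagged Expired or HostMissing are the candidates for the manual
# removal the linked article describes; everything else should stay put.
$report | Sort-Object Container, Entry | Format-Table -AutoSize
```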
      • JaredBusch

        Have not used an internal CA but once in like 2004. No clues on this one.

        • Obsolesce

          I used a procedure similar to the one in the URL you linked, in a production environment. The case I used it in was to completely remove a PKI and create a new one. I know it's a little different than in your case, but as long as you do not delete anything you need you will be fine.

          I have two questions to ask that will determine whether or not I can help you:

          1. What command did you use to get that output in PS?

          2. For what purposes are you using your PKI?

          ... and because I can't count
          3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to.

          • Grey @Obsolesce

            @Tim_G said in Certificate Authority Quagmire:

            1. What command did you use to get that output in PS?

            2. For what purposes are you using your PKI?

            ... and because I can't count
            3. Is it the subject name of the certificate that is not correct? Not sure I understand what you are referring to.

            • Certutil. Use it on any windows system that's connected to your domain.
            • Internal validation, especially on VDI and internal web servers.
            • Yes.
            • Obsolesce @Grey

              @Grey said in Certificate Authority Quagmire:

              • Certutil. Use it on any windows system that's connected to your domain.
              • Internal validation, especially on VDI and internal web servers.
              • Yes.

              You can't change the name on the certificate. You will need to request a new one from your DC which you can do via certlm.msc.

              How did the DC get a certificate with an incorrect name in the first place?

              • Grey @Obsolesce

                @Tim_G said in Certificate Authority Quagmire:

                You can't change the name on the certificate. You will need to request a new one from your DC which you can do via certlm.msc.

                How did the DC get a certificate with an incorrect name in the first place?

                Imported from an old DC.

                • Dashrender

                  That seems weird. Why would you import a certificate from another Active Directory server instead of making a new one or requesting a new one?

                  • Grey @Dashrender

                    @Dashrender said in Certificate Authority Quagmire:

                    That seems weird. Why would you import a certificate from another Active Directory server instead of making a new one or requesting a new one?

                    I can advise, suggest and document, but at the end of the day I still have to work with what I have and follow the business directive. Unfortunately, this is one of those times.

                    • Obsolesce

                      Have you had a chance to replace the certificate yet?

                      • Grey @Obsolesce

                        @Tim_G said in Certificate Authority Quagmire:

                        Have you had a chance to replace the certificate yet?

                        I have a new wildcard cert. I'm not sure I want to use that on the DC. Has anyone done that? I'm unsure if it's a best practice or not.

                        • Obsolesce

                          On the DC, can't you request another one from your CA via certlm.msc?

                          • Grey @Obsolesce

                            @Tim_G said in Certificate Authority Quagmire:

                            On the DC, can't you request another one from your CA via certlm.msc?

                            The DC is the CA.

                            • Obsolesce @Grey

                              @Grey said in Certificate Authority Quagmire:

                              The DC is the CA.

                              Not good... But I guess it is what it is. So let's just focus on fixing it.

                              Is starting over an option?

                              If not...
                              How is your PKI set up? How many tiers? From where did you import the wrongly named cert?

                              • Grey @Obsolesce

                                @Tim_G said in Certificate Authority Quagmire:

                                Not good... But I guess it is what it is. So let's just focus on fixing it.

                                Is starting over an option?

                                If not...
                                How is your PKI set up? How many tiers? From where did you import the wrongly named cert?

                                No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some Cisco products from complaining.

                                • Obsolesce @Grey

                                  @Grey said in Certificate Authority Quagmire:

                                  No. Unsure; I inherited this and I'm hazy on CAs. A previous DC was in use and is decommissioned, but the old cert was imported to keep some Cisco products from complaining.

                                  You still need to renew the certificate. You can do it in CA management.

                                  • Grey

                                    Is there an article for that on TechNet? I don't want to screw it up.

                                    • Obsolesce

                                      Do you have an offline root CA, or do you just have a single CA that does it all: certificate issuing, CDP, etc.?
