
Standalone CA

Status
Not open for further replies.

Teknoratti

Technical User
Aug 11, 2005
183
US
I'm having problems testing a new standalone CA and encrypting files using the certificates I just downloaded.

Scenario: I have a laptop which I've logged into locally. I built a standalone CA, not part of a domain. From the web browser on my local laptop I request a certificate from the CA. I issue the certificate from the server and download the cert on my laptop. When I attempt to encrypt a file it uses a cert already installed. At this point I went into my certificate store, deleted all the certificates except the one I wanted to use, then I went inside the registry and renamed the certificate hash entry so that it couldn't be used. The next time I tried to encrypt, a new cert was created in the certificate store and another certificate hash entry was made inside the registry.

My question is, how come the certificate I downloaded from the CA wasn't used, being as I deleted all the other certs? Why did it create a self-signed cert?

In a workgroup environment I could see this, as with no domain present the local laptop can't go out and find a CA, but I don't know why the cert I previously downloaded didn't work.
 
The most likely reason is that the issued certificate does not have the correct "Enhanced Key Usage" OID configured. The issued certificate should have the following OID configured: 1.3.6.1.4.1.311.10.3.4 (which is the OID for Encrypting File System).

More than likely, the certificate will also need specific settings in the subject and subject alternative name fields, but I would have to test.

Generally, you would use an Enterprise CA so that the machine would automatically acquire a template generated certificate. Since you don't have this available, you will have to get these settings configured by modifying the certificate request at the CA using the certutil command before issuing the certificate to the client.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
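The procedure the reply describes, worked through end to end as an added example (this is not code from the thread or from either poster). It differs from the reply in one respect: instead of editing the pending request on the CA with certutil, the Enhanced Key Usage is placed in the request itself via a certreq INF file, which a standalone CA (having no templates) copies into the issued certificate. The CA config string "CASERVER\Standalone-CA", the subject "CN=teknoratti", the file names and the RequestId value 7 are assumptions; substitute whatever certreq -submit prints for your CA. Steps 1, 2, 4, 5 and 6 run on the laptop as the user who will encrypt files; step 3 runs on the CA.

```powershell
# Added example, not from the original thread. Assumed: CA "CASERVER\Standalone-CA",
# subject CN=teknoratti, RequestId 7, and a scratch file .\secret.txt.

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Assumed subject; a standalone CA will also honour a Subject supplied here.
Subject       = "CN=teknoratti"
KeyLength     = 2048
; KeySpec 1 = AT_KEYEXCHANGE: EFS wraps the file encryption key with this key.
KeySpec       = 1
; 0x20 = CERT_KEY_ENCIPHERMENT_KEY_USAGE
KeyUsage      = 0x20
; Exportable so the key can be backed up later with cipher /x.
Exportable    = TRUE
; EFS certificates must live in the *user* store, not the machine store.
MachineKeySet = FALSE
ProviderName  = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType  = 1
RequestType   = PKCS10
FriendlyName  = "EFS - Standalone-CA"

[EnhancedKeyUsageExtension]
; Encrypting File System, the OID named in the reply.
OID = 1.3.6.1.4.1.311.10.3.4
'@
Set-Content -Path .\efs.inf -Value $inf -Encoding ASCII

# 1. Client: generate the key pair in CurrentUser\My and build the PKCS#10 request.
certreq -new .\efs.inf .\efs.req

# 2. Client: submit. With no template the standalone CA leaves it pending and
#    certreq prints "Taken Under Submission" plus the RequestId (assumed to be 7).
certreq -submit -config "CASERVER\Standalone-CA" .\efs.req .\efs.cer
$requestId = 7

# 3. CA (run on CASERVER as a CA administrator): issue the pending request.
certutil -config "CASERVER\Standalone-CA" -resubmit $requestId

# 4. Client: fetch the issued certificate and bind it to the private key from step 1.
certreq -retrieve -config "CASERVER\Standalone-CA" $requestId .\efs.cer
certreq -accept .\efs.cer

# 5. Client: confirm a usable EFS certificate exists *before* encrypting anything.
#    EFS only considers certificates in CurrentUser\My that carry the EFS EKU and
#    have a private key; if none qualifies it silently mints a self-signed one,
#    which is exactly the symptom described in the question.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$cands = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $efsOid)
}
if (-not $cands) {
    throw "No certificate with EKU $efsOid and a private key in CurrentUser\My; EFS would create a self-signed one."
}
$cands | Format-List Subject, Issuer, Thumbprint, NotAfter

# 6. Client: tell EFS which certificate to use by writing its SHA-1 thumbprint to the
#    CertificateHash value the question mentions (REG_BINARY), then encrypt and check.
#    Do NOT use "cipher /k" here: that command deliberately creates a new self-signed cert.
$thumb = ($cands | Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
$hashBytes = [byte[]](0..(($thumb.Length / 2) - 1) | ForEach-Object {
    [Convert]::ToByte($thumb.Substring($_ * 2, 2), 16)
})
$efsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
New-Item -Path $efsKey -Force | Out-Null
New-ItemProperty -Path $efsKey -Name CertificateHash -PropertyType Binary -Value $hashBytes -Force | Out-Null

Set-Content -Path .\secret.txt -Value 'constructed test data'
cipher /e .\secret.txt
# "cipher /c" lists the certificate thumbprint(s) that can decrypt the file; it should
# match $thumb, not a freshly generated self-signed certificate.
cipher /c .\secret.txt
```

If step 5 throws, check certutil -dump .\efs.cer for the "Enhanced Key Usage" block: a request that reached the CA without the EKU extension, or a certificate imported from the web enrollment pages into the wrong store (machine rather than user), both produce the "it created a self-signed cert" behaviour from the question.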
 
