Is there any way on standard Windows Server (such as with certutil?) to decrypted a pkcs8 pem encrypted private key?
i.e. What is the equivalent on windows of:
openssl pkcs8 -in key.enc -out key.pem
I tried looking through certutil doc for ages and cannot figure out any way to do it.
I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command
CertUtil -downloadOcsp .\certs .\ocsp_responses downloadonce
A single p7b certificate is in the certs directory. I read the log of my openssl 1.1.1f OCSP responder in real-time, and I can see that
the connection is made. And the output from certutil looks like it downloads the response. But certutil reports an error, and no ocsp response is saved in .\ocsp_responses
The output from certutil is:
7/6/2021 2:43 PM 14.488s :: Check certificate files in directory <certs>
7/6/2021 2:43 PM 14.488s :: Open OCSP subject certificate file -- saratoga.candy-land.name_exchange_20210630145440_exchange.p7b
7/6/2021 2:43 PM 14.498s :: Add OCSP response file -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>
7/6/2021 2:43 PM 14.498s :: Waiting for 1 download OCSP reponses to complete
==== Downloaded OCSP Responses ====
7/6/2021 2:43 PM 14.498s :: Error => Pending OCSP response download -- <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>
Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2
CertUtil: -downloadOcsp command completed successfully.
I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f
What might the problem be, and How can I correct it?
I have a CA setup on Server 2012 R2, the person who ran the server left the company and I have setup a new CA server.
I am trying to figure out what systems / URL's the certs are for.
In the List of Issued Certificated is the following:
Request ID: 71
Requester Name: DOMAIN\UserName
Certificate Template: Basic EFS (EFS)
Serial Number: 5f00000047c60993f6dff61ddb000000000047
Certificate Effective Date: 11/05/2015 8:46
Certificate Expiration Date: 11/04/2016 8:46
Issued Country/Region:
Issued Organization:
Issued Organization Unit: Org Users Employees
Issued Common Name: Employee Name <-- Acutal Name of Employee
Issued City:
Issued State:
Issued Email Address:
When I ask the employee why they requested the certificate they don't remember why or what system it was for.
I am looking for a way to see all requested certs and what machines they are tied to:
Things I have tried/Googled:
A command similar to Netstat that could tell me any listening or established connection to the server on 443, I may be way off base on my logic and thinking.
I have looked through the event viewer looking at the "Certificate Effective Date: 11/05/2015 8:46" time stamp and cannot find any logs that show me anything.
I tried to look at the database using certutil command however I have to stop the service before I can view the database, looking over the schema it looks like a lot of the information I am looking for might be in there.
If i stop the service will SSL certs still be ok or will the end user get that SSL warning?
If I take a backup of the database can i move the file to a differnet PC and be able to read it.
Does anyone know if I will be able to find what servers / URL's are using the certs on my CA?
Is there a different better way I can find the information?
I am searching for another way to manage my CA.
I wrote a powershell script, which allows me to show all my certificates for a specified requester name or request id and to revoke those certificates.
Is it possible to do this in certutil?
I can't find any information about the request id or the requester name
I've recently installed AD Certification Authority on one of our DCs. It acts as a subordinate enterprise CA, the Root CA is a standalone offline root CA and there is no connection between those two CAs. I've requested a Certificate for the Subordinate Enterprise CA and successfully installed it. The CA on the DC seems to work (i can request certificates etc.).
No I wanted to install Network Device Enrollment Service, I went through the configuration Wizard, created a User, Added it to IIS_IUSERS etc but in the end I got an Error saying that the configuration was not successful. No details, no error code. I wanted to re-do the configuration but now NDES is greyed out, as shown here:
I realized, that IIS had a problem and the Certsrv Application did not start. After I assigned CertSrv to a different Application Pool the application started and runs now but even after a restart the configuration of NDES is greyed out.
Can someone please tell me what went wrong or how to fix it? (Windows Server 2012 Standard, Forest and Domain level 2008 R2)