Tom Werner's questions

I am having to generate a CSR for a private RPC interface that is secured using certificates. As part of the requirements, it is specified that the only compatiable suite is:

SSL_RSA_EXPORT_WITH_RC4_40_MD5

My knowledge is rather limited but I have tried:

openssl genrsa -out mykey.private -des3 512

Then extract the public key via

openssl rsa -in mykey.private -pubout -out mykey.public

Then convert into a CSR via

openssl req -new ???

The unknown part is what parts of the cipher suites match to the parts if the CSR request, I have been told that it is a 512 bit key, however, I don't understand the relevance of the RC4 or the MD5 part!

Before people ask why I don't submit and see what happens, we get charged per CSR signing process failed or successful.

Regards,

Tom

Hopefully a very simple question, if I wanted several servers providing the same service to hold a certificate (e.g interface.internal.org) would the procedure be;

• Generate Public/Private Pair on one web server
• Generate CSR and receive Certificate
• Copy Private/Public Key Pair and Certificate to each server

Although there is the potential to place certificates at the load balancing layer, I wanted to investigate other ways - plus the servers have SSL accelerators so performance isn't really a factor.

Regards,

Tom

I have got stumped on a privileges issue on a Windows AD Domain.

I have a Windows Server 2008 Server (with Several Windows Server 2003 vms) which are all members of a domain (but in no way backup controllers etc - this is dealt with via another server). Some of these servers need administering by people who normally have just Domain USer rights, so I created a new group (VMAdmins) added them to it and started to build a specific GPO to be applied to the machines.

The VMs are in their own OU for Group Policy and Tidyness reasons and I have created a GPO linked to that specific OU.

I have assigned various privileges to test the theory under Computer Configuration>Windows Settings>Security Settings>Local Policies>USer Rights Assignment to the group mentioned above.

I have gpupdate /force and bounced the servers and run rsop.msc to determine the applied policy. The tool correctly shows the GPO that is being applied under 'Source GPO' and the group is listed as having that privilege.

However, the crux of the problem;

whoami /priv is inconsistent with what rsop.msc says, for example rsop says that the user has the Shutdown privilege, yet under whoami it says 'Disabled'.

Can anyone shed some light onto why this might be happening?

Many thanks,

Tom

After playing with some Group Policy settings and breaking privileges for System accounts, I have learnt the hard lesson to have a proper configuration management policy in place. So that will cover the future, but the current messup, can I either;

Restore the Group Policy files ontop of the SYSVOL folder from a recent tape backup?

or

Piece together the old policy - I have looked at a previous backup and found the GptTmpl.ini file under MACHINE\Microsoft\Windows NT\SecEdit, with what appears to be all the settings to be applied, however, most of the Users/Groups have been converted to their SID equivelants which I don't know what users/groups they equate to. I found the whoami tool, but I couldn't see an option to specify a user to show details!

Tips / warnings would be greatly appreciated,

Regards,

Tom