StanTastic's questions

Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".

Is there any way to recover from that?

I tried:

• using policy.inf to resign the certificate, but I can't find any way to change existing Subject
• editing request directly on CA, but since there's some forbidden stuff in the CSR, the request immediately fails, and using certutil -setattributes results in "CERTSRV_E_BAD_REQUESTSUBJECT" (kind of expected, but a bit weird since you can try to reissue a request that's in "Failed" list).

I don't think that "fixing" bad CSR is possible here, but perhaps I'm wrong?

I want to verify operation of Microsoft OCSP server from Linux. I tried using OpenSSL, but it always returns:

Error querying OCSP responder 140643157128320:error:27076072:OCSP routines:parse_http_line1:server response error:../crypto/ocsp/ocsp_ht.c:260:Code=405,Reason=Method Not Allowed

I checked on the server side and noticed that OpenSSL uses POST method, as opposed to GET method used by certutil (which works fine):

# certutil Request
2021-09-28 10:26:51 10.11.12.13 GET /ocsp/<OCSP request> - 80 - 10.11.12.14 Microsoft-CryptoAPI/10.0 - 200 0 0 4583
# OpenSSL Request
2021-09-28 10:26:51 10.11.12.13 POST / - 80 - 10.11.12.15 - - 405 0 1 5991

Seems that OpenSSL can't be forced to use GET instead of post, but perhaps there's some other utility?

Or conversely, is there a method to force MS OCSP responder to work with POST as well?

I need to update one of my Active Directory Certificate Services (ADCS) certificate templates from schema v2 to v3, to support KSP providers. It seems that I can only do this by cloning the template (only then I get an option to select KSP).

Is it possible to do it in situ? If so, how?

Here's the deal: the company's policy is to update Service Account passwords every 180 days. Problem is, I'm using those service accounts on about 20 servers, running various jobs - so every 180 days, I have to spend like 4 hours updating them all (if not for KeepassXC's autotype, would take me more like 2 days, gotta love RDP to DC half world away).

There has to be a better way, but what would it be?

We're talking about W2k12r2.

I have more and more cases (let's say, 5-10 per day) in my organization (100k+ PCs) where people suddenly can't connect to VPN, and the reason is because the private key of their certificate no longer exists. What's interesting, when you open the "Manage user certificates" plugin, it shows the padlock icon, but VPN software can't use the certificate. Running "certutil repair" against the certificate also results in failure, and the only way to help them is to get new certificate.

I am trying to find some reason for that for past 2 months, and I really don't know what's going on, and how to troubleshoot this further. I had been looking through Windows Event Log, but I can't find anything that would seem relevant to the certificate store. It's like one day they're working fine, the next day suddenly can't connect. The only legit reason for private key corruption that I know is forcibly changing user password, but this is not what's happening here.

How can I approach troubleshooting what happened?

In my AD environment, I deployed a template that provides RDP certificates for servers. It's set on autoenroll.

The problem is, most of the servers work as I would expect: the got the certificate and it's enough for them. However, few servers get a new certificate every 12 hours. I read the article https://social.technet.microsoft.com/wiki/contents/articles/38085.certificate-autoenrollment.aspx and I understand what is happening, but I don't get WHY this is happening - what triggers the server to request a new cert even though one already exists?

I don't want to publish the certs in AD, especially since only a few servers are showing this anomaly - others are fine. All the certificates generated this way are still valid, and the private key exists.

I'm not sure if it's even possible. Also, OpenSSL is one ugly motherlover of an utility :/

I need top upload certificate+private key as DER to ESET Security Management Center (ESMC), at least according to their technical support.

I use XCA for this small deployment, and there's no option to export public+private as DER, only PEM (or a few other formats). So the question is: how to convert PEM private+public to DER?

I'm quite new to ACME, but already somewhat experienced with ADCS (Active Directory Certificate Services).

We use ADCS for all our internal needs: client auth, VPN, EFS etc., also for issuing TLS certificates.

Now, you may have already heard that Apple will no longer honor certificates with >1 year lifetime starting September 1st; this will put some strain on our limited webmaster resources (and to add insult to injury, every department has their own webmasters). I figured that maybe the easy way out is to implement in-house ACME using ADCS, but after some googling I have to admit I haven't found a solution that does it. Is it my poor googling skills, or there's just no such software?

I want to store a private key for an application in such a way that only authorized users can use it. In this scenario, Domain Admins are not authorized for this private key.

I want to setup an account so that the key is stored in the account Certificate Store, and encrypted with DPAPI. From what I read, domain account is out of question - based on https://support.microsoft.com/en-us/help/309408/how-to-troubleshoot-the-data-protection-api-dpapi, Domain Admin can reset the password and the Store gets reencrypted.

But this leaves an option of using local account - is it correct that if local admin resets the password, access to master key is lost?

I have a few hundred systems that are not AD-joined, for which I'd like to issue RDP certificates from an internal hierarchy (built with ADCS). I can do it manually, by generating CSRs, then signing with ADCS CA, then installing certs - easy, but multiply by a hundred, every 2 years or so, and it doesn't look attractive anymore.

How should I automate it?

Is it 'legal' and possible in DNS to chain NS records like this:

com. NS:

example.com NS ns1.example.com.
ns1.example.com A a.b.c.d

example.com. NS:

example.com NS azuredns.com.
azuredns.com. A x.y.v.z

The reason why I'm attempting such configuration is that one of our non-technical departments wants us to have all domains configured on our DNS system; but some of them utilize features of "cloud" DNS providers. I'm not looking forward to do such abominations, but I owe due diligence to my company :-)

I get a lot of memory dumps in dmesg, It seems to me every time the OS is trying to use any more than about 100 MB of RAM weird things are happening.

How can I test RAM on ARM, on running Linux system? For a standard server, I'dI'd run memtest x86, but that's for x86, and is loaded instead of OS.

Here, I've got ARM embedded system (Kirkwood CPU), without console - I can only access it after it boots. I know that test in such environment would be less than perfect, but it's always something.

I have a weird problem.

I am working on setting up "Sites and Subnets" properly, so that my AD clients connect to proper DC (instead of one on opposite side of the globe).

To do this, I started filtering logs on DC for "NO_CLIENT_SITE" error - and, while most of the client addresses I can easily locate, there are some that are... impossible.

I use solely private IP addressing in my organization, some people are allowed to use VPN (also utilizing private IPs for tunnel interface). But in the logs, there are some clients that report public IP address, or APIPA address, for example:

05/24 16:28:45 APAC: NO_CLIENT_SITE: CN070E141 169.254.87.93

This is, quite frankly, impossible - I am 100% certain that client using APIPA will not be able to connect anywhere. Similarly client using public IP address will be unable to reach DC.

The only explanation that comes to my mind is that there are multiple interfaces on the client, one of which is working fine - and facilitating communication with DC, and another one has APIPA or public IP - and this address is reported to DC.

Which brings me to main question: how can I make sure that the address provided to DC is always the address of the interface used for communication?

Or perhaps someone can provide alternative explanation?

I'm trying to figure out a way to measure RTT for SSH connection, but my google-fu is too weak (perhaps I'm asking wrong questions?).

Something akin to ping , for cases where SSH works, but ICMP does not.

Funny situation, and I'm not sure if this is my fault or Google's.

I have a domain, example.com, which has 2 subdomains: main.example.com, and spf.example.com. For main.example.com domain, my TXT record used to be defined as: v=spf1 redirect=example.com with relevant TXT for example.com defined.

For various reasons, I decided to create "main" TXT SPF for spf.example.com, and redirect there. Please note that SOA and NS exists only for example.com. I changed main.example.com TXT to read v=spf1 redirect=spf.example.com and Google (according to DMARC report) does not see the SPF record anymore. Yahoo and Microsoft do.

So I run a second test: created backup.example.com, sent a few email without TXT SPF defined, DMARC report from all of Yahoo, MS and Google reflects that there's no TXT SPF. Defined TXT as v=spf1 redirect=spf.example.com and bam, MS and Yahoo noticed that, while Google still did not.

Any explanation except for "Google mail software sucks"?

My organization shelled out for a gTLD, and we currently use 3rd party (Verisign) to host it on their DNS servers. However, there are 2 issues: we pay quite a bit for that yearly (that's the lesser issue); updating data there is... convoluted (also for our organizational reasons).

However, we run quite huge DNS system for our other (non-TLD) domains. I have tried searching if it's possible to self-host gTLD, but while I found some info for new gTLDs, I haven't for transferring existing gTLDs.

Can anyone point me to some overview/howto/readme, or can just speak from experience?

EDIT: for sake of having a reference point, let's say I already own .example. gTLD. Currently it is maintained on Verisign DNS servers. I want to be able to maintain it on my own DNS servers.

Before anyone asks: I've seen When do DNS queries use TCP instead of UDP? and it doesn't answer my question.

All I keep hearing is "if the answer is too long, DNS will use TCP". This does not explain how it happens though.

So here's the situation: DNS client asks for resolution of a record using UDP. The record is too long for UDP:

1. server answers with specific opcode, to have client switch to TCP
2. server doesn't answer at all, and client re-tries over TCP
3. server opens TCP connection to client (stupid, if you count NAT, but who knows?)
4. client somehow (?) 'knows' that given query should be run over TCP so it doesn't bother with UDP in the first place
5. DNS pixies magically turn UDP into TCP when needed

I've been looking all over the internet for the answer, but there's lot of noise (see above), and I can't seem to write proper Google query for that (nor can I find the info in RFCs, for that matter).