
Tag Archives: certificates

Certificate Generator & Request Tool / Script

This tool was born out of my frustration at having to pre-create certificate requests on servers without IIS or the Skype for Business management tools. A while back I posted an article that showed how to do this with Certreq.exe on any Windows workstation or server. You can see that post here: https://skype4b.uk/2015/05/05/generating-csr-using-certreq-exe/

However, I am tired of having to create an .inf file every time, and there are occasions where I forget the syntax and lose minutes of my day I can't spare searching Google. So this script I have created does all the heavy lifting I need. It lets me answer a few simple questions and then goes off and does its thing!


Skype for Business Certificate Requirements (The Definitive Guide)

I wanted to address this topic because it appears to be cropping up on TechNet regularly. In this post we will discover what is and is not supported, which certificates we need for each server, and their requirements. Before we delve into the details, it is important to understand from the outset that Skype for Business has very strict certificate requirements, and should you attempt to deviate from the supported model, you will find that certain modalities will not work at all. The temptation is to try and save money on certificates; the most common error I see is people trying to use wildcard certificates. These are not supported for non-web traffic, whether you use Skype for Business or not; they are not intended for Unified Communications across all vendors. The justification for using a wildcard is to save money. This, I can tell you, is false economy. If you ignore the requirements and purchase a wildcard certificate, you will end up having to purchase a SAN certificate anyway to get your services working, wasting about £200 in the process. The justification for doing it the right way and not trying to cut costs on certificates is simple: you've spent £30K on servers, £100K on licensing Skype for Business, £50k on peripherals and £30K on SBCs for your Skype for Business deployment without worry, so why try so hard to save £50 on a certificate? So there is no argument or justification for not doing it right, in my opinion.


ADFS Multifactor Authentication – Not Good for Office 365

Continuing down the road of implementing ADFS Multi-factor Authentication (MFA) using PKI, I have come across a few issues and one major show stopper when implementing this for Office 365 services. I wanted to share my experience so that you can avoid the same pain I have been through.


Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates

I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way, but on the whole it was a relatively easy process to complete. The design brief stated that only domain-joined devices from outside the corporate LAN can consume Office 365 services. In addition, these users must perform multi-factor authentication only when outside the corporate LAN. I am pretty sure that the design could have been achieved using Azure MFA and a few claim rules in ADFS. However, the customer liked the idea of the relatively simple management and roll-out that certificate-based MFA provides.


Generating CSR using Certreq.exe

I wanted to get this down on paper for reference, as I seem to be doing this frequently, but not frequently enough to remember each step.

There are times when you need to generate a certificate signing request (CSR) on a machine without IIS installed. Examples of these are Web Application Proxy and ADFS 3.0 servers. So how do you go about doing this?

Simple: use the built-in application certreq.exe.


Forcing SSL Certificate to Associate with Server’s Private Key

Have you ever been handed a certificate exported (without the private key) from a server, or issued directly by a CA, to install on a different server than the one used to create the CSR? Whilst some IIS functions and apps allow you to use a certificate without a private key, others demand it. In any case, best practice is to import a certificate together with the private key used to create the CSR in the first place. However, there are circumstances where this may not be possible. Perhaps the admin who installed the certificate on the original server forgot (or chose not) to mark the private key as exportable. Perhaps this is not the first export of the certificate and the private key has been lost. In these cases, using such certificates without the proper private key can prevent applications and web services from functioning. Classic examples are Lync and UM for Exchange.

Fortunately, there is a way to resolve this issue without purchasing a new certificate.

First we need to get the serial number of the certificate. If your certificate is not yet imported, please import it now. You can use the Certificates MMC snap-in or, for a PFX file, double-click it and install it. To get the serial number of the certificate, either open the certificate and browse the Details tab for the serial number, or run this PowerShell command:

Get-ChildItem -Path cert:\LocalMachine\My | Select-Object Subject,SerialNumber

Replace the path with the store where you installed the certificate. The above command uses the local machine Personal store, which is usually where certificates get installed.

This command will produce output similar to this:

Subject                                                     SerialNumber
-------                                                     ------------
CN=localhost                                                4CA2A1EF3CF850B24A6F8841382950AC
E=admin@goldenfrog.com, CN=goldenfrog-client, O=GoldenFr... 1A
E=admin@goldenfrog.com, CN=GoldenFrog-Inc CA, O=GoldenFr... 00D776530B7B49A6EC

Copy the serial number of the certificate you want to edit from the table.

Next we need to forcibly associate the server's private key with the certificate we have imported.

Open Command Prompt as an administrator and type the following command:

certutil.exe -repairstore my <serial number of cert>

And, like magic, the certificate is now associated with the server's private key.
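The whole procedure above wrapped in one script, as an added example that is not part of the original post: it looks the certificate up by serial number, checks whether Windows already sees a private key bound to it, runs certutil -repairstore only if it does not, and re-reads the store afterwards to confirm the repair actually took. It assumes the certificate has already been imported into the local machine Personal store; the serial number is passed in as a parameter.

```powershell
# Added example, not from the original post. Run elevated on the server that
# generated the original CSR: certutil -repairstore can only rebind the
# certificate to a key that already exists in this machine's CSP/KSP.
param(
    [Parameter(Mandatory = $true)]
    [string]$SerialNumber   # e.g. the value copied from the Select-Object output above
)

$store = 'cert:\LocalMachine\My'

# Normalise: the MMC Details tab shows spaces and lower-case hex,
# PowerShell shows a contiguous upper-case string.
$wanted = ($SerialNumber -replace '\s', '').ToUpperInvariant()

function Get-CertBySerial {
    Get-ChildItem -Path $store |
        Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $wanted }
}

$cert = Get-CertBySerial
if (-not $cert) {
    throw "No certificate with serial $wanted found in $store. Import it first."
}

Write-Host "Found: $($cert.Subject) (thumbprint $($cert.Thumbprint))"
Write-Host "HasPrivateKey before repair: $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    Write-Host 'Private key is already associated; nothing to repair.'
    return
}

# Same command as in the post; the store name 'my' is LocalMachine\My.
& certutil.exe -repairstore my $wanted
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE"
}

# Re-read the store: the object fetched earlier does not refresh itself.
$after = Get-CertBySerial
Write-Host "HasPrivateKey after repair: $($after.HasPrivateKey)"
if (-not $after.HasPrivateKey) {
    Write-Warning 'Still no private key: the matching key is not present on this machine.'
}
```

If HasPrivateKey is still false after the repair, the key was never on this server (for example the CSR was generated elsewhere), and the fix is to export the certificate with its key from the original machine or to request a new certificate from a CSR made here.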
