Generate Kerberos Domain Controller Certificates
  • 24 Jul 2023
  • 1 Minute to read
  • Dark
  • PDF

Generate Kerberos Domain Controller Certificates

  • Dark
  • PDF

Article summary

During the PKI authentication process, the end user’s machine sends a request to a Domain Controller. The Domain Controller signs the request (after processing) before sending it back to the end user’s machine. 

Generate Kerberos Domain Controller Certificates via Axiad Cloud

In a standard Axiad ID Cloud deployment, the Domain Controller certificates are generated by Axiad ID Cloud. The Axiad team sends you a file (the archives with the script), which you need for this procedure.

  1. On each Domain Controller, copy the archive within the file. 
  2. Extract the content of the archive in the same location (for example, C:\temp).
  3. Open a command line interface (as an administrator) and navigate to the folder where you extracted this archive.
    Example command
    cd C:\temp\DC_cert_issuance
  4. Run the CreateDcRequest.bat <FQDN_of_DC> command.
    CreateDcRequest.bat dc01.<instance>.com
     Axiad 2023 Copyright - Axiad ID Cloud Trusted User
     CertReq: Request Created
     Your domain controller Certificate Signing Request is ready
     Provide the "dc01.<instance>.com".csr file to the Axiad on-boarding team 
    A CSR file named <FQDN>_of_DC.csr generates and saves to the same location.
  5. Send the file to the Axiad team via a secure message application.
  6. Axiad requests the certificate in the PKI stack and sends it back via a secure message application directly to the person who requested the CSR file.
    The return file is named FQDN>_of_DC.der.
  7. Copy this file to the C:\temp folder.
  8. Run the InstallDcCertificate.bat <cert_filename> command.
    Example output from this command:
    InstallDcCertificate.bat dc01.<instance>.com.der
     Axiad 2023 Copyright - Axiad ID Cloud Trusted User

Validate a Kerberos Certificate

On the Domain Controller, the validation happens by checking that the Kerberos certificate is available, valid, and contains the right information (parameters).

  1. Open the machine certificate store on the local Domain Controller.
  2. Open a session on the Domain Controller with domain or enterprise administrator privileges
  3. Press Windows key + R to open the machine store console.
  4. Enter certlm.msc.
  5. Navigate to Certificates - Local Computer > Personal > Certificates.
  6. Locate your Kerberos Authentication certificate and open it.
  7. Check the validity:
  8. Check the enhanced key usage field in the Details tab and ensure the following displays:
    • KDC Authentication
    • Smart Card Logon
    • Server Authentication
    • Client Authentication
  9. Verify that the root chain is trusted (certification path):
    kerb3The certificate is validated.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.