Login
      Contents x
      Generate Kerberos Domain Controller Certificates
      • 24 Jul 2023
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Contents

      Generate Kerberos Domain Controller Certificates

      • Updated on 24 Jul 2023
      • 1 Minute to read
      • Print
      • Dark
        Light
      • PDF
      Article summary

      During the PKI authentication process, the end user’s machine sends a request to a Domain Controller. The Domain Controller signs the request (after processing) before sending it back to the end user’s machine. 

      Generate Kerberos Domain Controller Certificates via Axiad Cloud

      In a standard Axiad ID Cloud deployment, the Domain Controller certificates are generated by Axiad ID Cloud. The Axiad team sends you a DC_cert_issuance.zip file (the archives with the script), which you need for this procedure.

      1. On each Domain Controller, copy the archive within the DC_cert_issuance.zip file. 
      2. Extract the content of the archive in the same location (for example, C:\temp).
      3. Open a command line interface (as an administrator) and navigate to the folder where you extracted this archive.
        Example command
        cd C:\temp\DC_cert_issuance
      4. Run the CreateDcRequest.bat <FQDN_of_DC> command.
        CreateDcRequest.bat dc01.<instance>.com
 
 Axiad 2023 Copyright - Axiad ID Cloud Trusted User
 ""
 
 CertReq: Request Created
 Your domain controller Certificate Signing Request is ready
 Provide the "dc01.<instance>.com".csr file to the Axiad on-boarding team
        A CSR file named <FQDN>_of_DC.csr generates and saves to the same location.
      5. Send the file to the Axiad team via a secure message application.
      6. Axiad requests the certificate in the PKI stack and sends it back via a secure message application directly to the person who requested the CSR file.
        The return file is named FQDN>_of_DC.der.
      7. Copy this file to the C:\temp folder.
      8. Run the InstallDcCertificate.bat <cert_filename> command.
        Example output from this command:
        InstallDcCertificate.bat dc01.<instance>.com.der
 Axiad 2023 Copyright - Axiad ID Cloud Trusted User
 ""

      Validate a Kerberos Certificate

      On the Domain Controller, the validation happens by checking that the Kerberos certificate is available, valid, and contains the right information (parameters).

      1. Open the machine certificate store on the local Domain Controller.
      2. Open a session on the Domain Controller with domain or enterprise administrator privileges
      3. Press Windows key + R to open the machine store console.
      4. Enter certlm.msc.
      5. Navigate to Certificates - Local Computer > Personal > Certificates.
      6. Locate your Kerberos Authentication certificate and open it.
      7. Check the validity:
        kerb1
      8. Check the enhanced key usage field in the Details tab and ensure the following displays:
        • KDC Authentication
        • Smart Card Logon
        • Server Authentication
        • Client Authentication
        kerb2
      9. Verify that the root chain is trusted (certification path):
        kerb3The certificate is validated.
      Was this article helpful?
      What's Next
      900 Lafayette St. Suite 600
      Santa Clara, CA 95050
      United States
      Social
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout