Generate Kerberos Domain Controller Certificates
  • 13 Dec 2024
  • 1 Minute to read
  • Dark
    Light
  • PDF

Generate Kerberos Domain Controller Certificates

  • Dark
    Light
  • PDF

Article summary

During the PKI authentication process, the end user’s machine sends a request to a Domain Controller. The Domain Controller signs the request (after processing) before sending it back to the end user’s machine. 

Generate Kerberos Domain Controller Certificates via Axiad Conductor

In a standard Axiad ID Cloud deployment, the Domain Controller certificates are generated by Axiad ID Cloud. The Axiad team sends you a DC_cert_issuance.zip file (the archives with the script), which you need for this procedure.

  1. On each Domain Controller, copy the archive within the DC_cert_issuance.zip file. 
  2. Extract the content of the archive in the same location (for example, C:\temp).
  3. Open a command line interface (as an administrator) and navigate to the folder where you extracted this archive.
    Example command
    cd C:\temp\DC_cert_issuance
  4. Run the CreateDcRequest.bat <FQDN_of_DC> command.
    CreateDcRequest.bat dc01.<instance>.com
     
     Axiad 2023 Copyright - Axiad ID Cloud Trusted User
     ""
     
     CertReq: Request Created
     Your domain controller Certificate Signing Request is ready
     Provide the "dc01.<instance>.com".csr file to the Axiad on-boarding team 
    A CSR file named <FQDN>_of_DC.csr generates and saves to the same location.
  5. Send the file to the Axiad team via a secure message application.
  6. Axiad requests the certificate in the PKI stack and sends it back via a secure message application directly to the person who requested the CSR file.
    The return file is named FQDN>_of_DC.der.
  7. Copy this file to the C:\temp folder.
  8. Run the InstallDcCertificate.bat <cert_filename> command.
    Example output from this command:
    InstallDcCertificate.bat dc01.<instance>.com.der
     Axiad 2023 Copyright - Axiad ID Cloud Trusted User
     ""

Validate a Kerberos Certificate

On the Domain Controller, the validation happens by checking that the Kerberos certificate is available, valid, and contains the right information (parameters).

  1. Open the machine certificate store on the local Domain Controller.
  2. Open a session on the Domain Controller with domain or enterprise administrator privileges
  3. Press Windows key + R to open the machine store console.
  4. Enter certlm.msc.
  5. Navigate to Certificates - Local Computer > Personal > Certificates.
  6. Locate your Kerberos Authentication certificate and open it.
  7. Check the validity:
    kerb1
  8. Check the enhanced key usage field in the Details tab and ensure the following displays:
    • KDC Authentication
    • Smart Card Logon
    • Server Authentication
    • Client Authentication
    kerb2
  9. Verify that the root chain is trusted (certification path):
    kerb3The certificate is validated.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.