Generate Kerberos Domain Controller Certificates
- 13 Dec 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
Generate Kerberos Domain Controller Certificates
- Updated on 13 Dec 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
During the PKI authentication process, the end user’s machine sends a request to a Domain Controller. The Domain Controller signs the request (after processing) before sending it back to the end user’s machine.
Generate Kerberos Domain Controller Certificates via Axiad Conductor
In a standard Axiad ID Cloud deployment, the Domain Controller certificates are generated by Axiad ID Cloud. The Axiad team sends you a DC_cert_issuance.zip file (the archives with the script), which you need for this procedure.
- On each Domain Controller, copy the archive within the DC_cert_issuance.zip file.
- Extract the content of the archive in the same location (for example, C:\temp).
- Open a command line interface (as an administrator) and navigate to the folder where you extracted this archive.Example command
cd C:\temp\DC_cert_issuance
- Run the CreateDcRequest.bat <FQDN_of_DC> command.
A CSR file named <FQDN>_of_DC.csr generates and saves to the same location.CreateDcRequest.bat dc01.<instance>.com Axiad 2023 Copyright - Axiad ID Cloud Trusted User "" CertReq: Request Created Your domain controller Certificate Signing Request is ready Provide the "dc01.<instance>.com".csr file to the Axiad on-boarding team
- Send the file to the Axiad team via a secure message application.
- Axiad requests the certificate in the PKI stack and sends it back via a secure message application directly to the person who requested the CSR file.
The return file is named FQDN>_of_DC.der. - Copy this file to the C:\temp folder.
- Run the InstallDcCertificate.bat <cert_filename> command.Example output from this command:
InstallDcCertificate.bat dc01.<instance>.com.der Axiad 2023 Copyright - Axiad ID Cloud Trusted User ""
Validate a Kerberos Certificate
On the Domain Controller, the validation happens by checking that the Kerberos certificate is available, valid, and contains the right information (parameters).
- Open the machine certificate store on the local Domain Controller.
- Open a session on the Domain Controller with domain or enterprise administrator privileges
- Press Windows key + R to open the machine store console.
- Enter certlm.msc.
- Navigate to Certificates - Local Computer > Personal > Certificates.
- Locate your Kerberos Authentication certificate and open it.
- Check the validity:
- Check the enhanced key usage field in the Details tab and ensure the following displays:
- KDC Authentication
- Smart Card Logon
- Server Authentication
- Client Authentication
- Verify that the root chain is trusted (certification path):
The certificate is validated.
Was this article helpful?