Sometimes it is necessary to import a certificate that uses a software key into a smart card.
Category: Certificate usage
Overview of the different generations of domain controller certificates
Over the generations of Windows operating systems, various certificate templates for domain controllers have been established. In a current Active Directory directory service, one will find three different templates for this purpose.
- Domain Controller
- Domain Controller Authentication
- Kerberos Authentication
Below is a description of each template and a recommendation for configuring domain controller certificate templates.
certutil -dcinfo fails with error message "KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)"
Assume the following scenario:
- Domain controllers have certificates for LDAP over SSL.
- The certificates do not include the Extended Key Usage "Smart Card Logon" or "Kerberos Authentication".
- If you run certutil -dcinfo, the command reports the following error message:
0 KDC certificates for DC01
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
Manual application for a domain controller certificate
There are cases where you cannot or do not want to obtain domain controller certificates from a certification authority in your own Active Directory forest.
In this case, the use of certificate templates is not possible, and one must manually create a Certificate Signing Request (CSR).
Requesting a certificate for a domain controller fails with the error message "The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)"
Here's the scenario:
- Requesting a certificate for a domain controller fails.
- On the certification authority, the certificate request is logged in the failed requests. The error message reads:
The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)