Active Directory Create Certificate for DSC usercredential Encryption/Decryption

  • #56074

    Participant

    Hi

    Using a Server 2012R2 Active Directory infrastructure, with a Certificate Authority.

    How can we create a certificate for encrypting credentials that follows:
    Key Usage:
    Must contain: 'KeyEncipherment' and 'DataEncipherment'.
    Should not contain: 'Digital Signature'.
    Enhanced Key Usage:
    Must contain: Document Encryption (1.3.6.1.4.1.311.80.1).
    Should not contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).

    I requested a certificate from the certificate-responsible person. But he had problems signing a certificate of this kind. The error he got was "Denied by Policy Module" on the template on the CA server.

    Any help/tips are welcome!

    brgs

    Bjørn

  • #56192

    Keymaster

    You're going to have to make a custom template. None of the ADCS default templates (or those from other types of CA, for that matter) are set up for this – they need to be marked for Document Encryption, and not marked for Digital Signature or the other stuff mentioned.

    If your CA is set up to not allow this in some fashion, then you've got to address that – but it's not a PowerShell thing, obviously, it's in your CA configuration.

The topic ‘Active Directory Create Certificate for DSC usercredential Encryption/Decryption’ is closed to new replies.
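
Once a custom template has issued a certificate, it can be checked against the Key Usage and Enhanced Key Usage requirements listed in the question before it is used for DSC credential encryption. The following is an added example, not code from the thread; the function name `Test-DscEncryptionCertificate` is hypothetical and the store path `Cert:\LocalMachine\My` is an assumption about where the certificate was installed.

```powershell
# Added example: checks a certificate against the requirements quoted in the question.
function Test-DscEncryptionCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    begin {
        $docEncryption = '1.3.6.1.4.1.311.80.1'          # Document Encryption (must be present)
        $unwantedEku   = @{ '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
                            '1.3.6.1.5.5.7.3.1' = 'Server Authentication' }
    }
    process {
        $problems = New-Object System.Collections.Generic.List[string]
        # 2.5.29.15 = Key Usage extension, 2.5.29.37 = Enhanced Key Usage extension
        $ku  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }

        if (-not $ku) {
            $problems.Add('No Key Usage extension')
        } else {
            $f = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
            if (-not $ku.KeyUsages.HasFlag($f::KeyEncipherment))  { $problems.Add('Key Usage lacks KeyEncipherment') }
            if (-not $ku.KeyUsages.HasFlag($f::DataEncipherment)) { $problems.Add('Key Usage lacks DataEncipherment') }
            if ($ku.KeyUsages.HasFlag($f::DigitalSignature))      { $problems.Add('Key Usage includes Digital Signature') }
        }

        # Collect the EKU OIDs; an absent EKU extension yields an empty list.
        $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        if ($ekuOids -notcontains $docEncryption) {
            $problems.Add("EKU lacks Document Encryption ($docEncryption)")
        }
        foreach ($oid in $unwantedEku.Keys) {
            if ($ekuOids -contains $oid) { $problems.Add("EKU includes $($unwantedEku[$oid]) ($oid)") }
        }

        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Suitable   = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

# Read-only check of every certificate in the assumed store location.
Get-ChildItem Cert:\LocalMachine\My | Test-DscEncryptionCertificate | Format-List
```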