Active Directory Create Certificate for DSC usercredential Encryption/Decryption

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 1 month, 1 week ago.

  • #56074
    Bjørn Roalkvam
    Participant

    Hi

    Using a Server 2012R2 Active Directory infrastructure, with a Certificate Authority.

    How can we create a certificate for encrypting credentials that follows:
    Key Usage:
    Must contain: 'KeyEncipherment' and 'DataEncipherment'.
    Should not contain: 'Digital Signature'.
    Enhanced Key Usage:
    Must contain: Document Encryption (1.3.6.1.4.1.311.80.1).
    Should not contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).

    I requested a certificate from the certificate-responsible person. But he had problems signing a certificate of this kind. The error he got was "Denied by Policy Module" on the template on the CA server.

    Any help/tips are welcome!

    brgs

    Bjørn

  • #56192
    Don Jones
    Keymaster

    You're going to have to make a custom template. None of the ADCS default templates (or those from other types of CA, for that matter) are set up for this – they need to be marked for Document Encryption, and not marked for Digital Signature or the other stuff mentioned.

    If your CA is set up to not allow this in some fashion, then you've got to address that – but it's not a PowerShell thing, obviously, it's in your CA configuration.
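
Once the custom template exists and a certificate has been issued from it, the requirements listed in the question can be verified on the node before the certificate is used for DSC credential encryption. The function below is an added example, not code from either poster; the function name, parameter name and output layout are my own choices.

```powershell
# Added example: check a certificate against the DSC credential-encryption
# requirements (Key Usage and Enhanced Key Usage) quoted in the question.
function Test-DscEncryptionCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $ku  = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    $problems = New-Object System.Collections.Generic.List[string]

    # Key Usage: KeyEncipherment and DataEncipherment required, DigitalSignature not allowed.
    if (-not $ku) {
        $problems.Add('No Key Usage extension present.')
    } else {
        if (-not $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment))  { $problems.Add('Key Usage lacks KeyEncipherment.') }
        if (-not $ku.KeyUsages.HasFlag($kuFlags::DataEncipherment)) { $problems.Add('Key Usage lacks DataEncipherment.') }
        if ($ku.KeyUsages.HasFlag($kuFlags::DigitalSignature))      { $problems.Add('Key Usage contains DigitalSignature.') }
    }

    # Enhanced Key Usage: Document Encryption required, client/server auth not allowed.
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains '1.3.6.1.4.1.311.80.1') { $problems.Add('EKU lacks Document Encryption (1.3.6.1.4.1.311.80.1).') }
    if ($ekuOids -contains '1.3.6.1.5.5.7.3.2')       { $problems.Add('EKU contains Client Authentication (1.3.6.1.5.5.7.3.2).') }
    if ($ekuOids -contains '1.3.6.1.5.5.7.3.1')       { $problems.Add('EKU contains Server Authentication (1.3.6.1.5.5.7.3.1).') }

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        HasPrivateKey = $Certificate.HasPrivateKey   # needed on the target node, not on the authoring machine
        Suitable      = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

# Usage: evaluate every certificate in the machine store and show the ones that qualify.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DscEncryptionCertificate -Certificate $_ } |
    Where-Object Suitable
```

Run it on the target node to confirm the issued certificate carries exactly the usages the question lists; a certificate rejected here would also be rejected when DSC tries to use it for credential decryption.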
