Kerberos certificate not valid for the requested usage


Guest

We lost our certification authority (no valid backup) and now certutil
-dcinfo verify shows that the KDC certificate is not valid. I simply just
don't know what I can do. Let me attach the result, and hope someone with PKI
knowledge can give me advice.

Thanks for your help and attention.

Certificate 0:
Serial Number: ...
Issuer: ...
Subject: ...
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): ...

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
Application[1] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)
ChainContext.dwRevocationFreshnessTime: 3 Hours, 42 Minutes, 37 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)
SimpleChain.dwRevocationFreshnessTime: 3 Hours, 42 Minutes, 37 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=10
Issuer: ...
Subject: ...
Serial: ...
Template: DomainController
...
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10)
CRL 15:
Issuer: ...
Delta CRL 15:
Issuer: ...
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: ...
Subject: ...
Serial: ...
Template: CA
db 5d aa cc 63 53 b1 58 72 d3 50 95 fa 6e 95 6b 8d c7 f7 b0
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
...
Full chain:
...
Issuer: ...
Subject: CN=galileo.axesor.es
Serial: ...
Template: DomainController
The certificate is not valid for the requested usage. 0x800b0110
(-2146762480)
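
The chain dump above has a fixed layout, so the status words can be decoded mechanically instead of by eye. The following Python script is an added example for this thread, not a Microsoft tool and not posted by either participant: it parses a certutil -dcinfo verify dump, expands each CertContext[chain][element] dwErrorStatus/dwInfoStatus hex word into the wincrypt.h CERT_TRUST_* flag names, and lists which chain element carries an error and which EKUs (Application OIDs) the leaf actually has. The embedded dump is a constructed sample modelled on the output posted above, with placeholder issuer and subject names; the flag tables cover the common values only, and any bit they do not know is reported as UNKNOWN.

```python
import re

# dwErrorStatus bits of CERT_TRUST_STATUS, values as defined in wincrypt.h (common subset).
CERT_TRUST_ERROR_FLAGS = {
    0x00000001: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x00000004: "CERT_TRUST_IS_REVOKED",
    0x00000008: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x00000010: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x00000020: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x00000040: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x00000100: "CERT_TRUST_INVALID_EXTENSION",
    0x00010000: "CERT_TRUST_IS_PARTIAL_CHAIN",
    0x01000000: "CERT_TRUST_IS_OFFLINE_REVOCATION",
}

# dwInfoStatus bits (informational, not errors).
CERT_TRUST_INFO_FLAGS = {
    0x00000001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x00000002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x00000004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x00000008: "CERT_TRUST_IS_SELF_SIGNED",
    0x00000100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}

ELEMENT_RE = re.compile(
    r"CertContext\[(\d+)\]\[(\d+)\]: dwInfoStatus=([0-9a-fA-F]+) dwErrorStatus=([0-9a-fA-F]+)")
TEMPLATE_RE = re.compile(r"Template: (\S+)")
APPLICATION_RE = re.compile(r"Application\[\d+\] = (\S+)")


def decode_flags(value, table):
    """Expand a status word into the CERT_TRUST_* names whose bits are set."""
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)  # bits this table does not describe
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def parse_chain_dump(text):
    """Return one dict per CertContext[chain][element] block of a certutil dump."""
    elements = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ELEMENT_RE.match(line)
        if m:
            current = {
                "chain": int(m.group(1)), "index": int(m.group(2)),
                "info": int(m.group(3), 16), "error": int(m.group(4), 16),
                "template": None, "eku": [],
            }
            elements.append(current)
            continue
        if line.startswith(("Exclude leaf cert", "Full chain")):
            current = None  # trailing summary sections repeat the leaf's fields
            continue
        if current is None:
            continue  # header lines before the first chain element
        m = TEMPLATE_RE.match(line)
        if m and current["template"] is None:
            current["template"] = m.group(1)
            continue
        m = APPLICATION_RE.match(line)
        if m:
            current["eku"].append(m.group(1))  # EKU OID of this element
    return elements


def failing_elements(text):
    """(element label, error names) for every element with a non-zero dwErrorStatus."""
    return [
        (f"CertContext[{e['chain']}][{e['index']}]",
         decode_flags(e["error"], CERT_TRUST_ERROR_FLAGS))
        for e in parse_chain_dump(text) if e["error"]
    ]


# Constructed sample modelled on the dump in the post; names are placeholders.
SAMPLE_DUMP = """\
CERT_CHAIN_POLICY_NT_AUTH
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=10
Issuer: CN=Example Issuing CA
Subject: CN=dc01.example.test
Template: DomainController
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=Example Issuing CA
Subject: CN=Example Issuing CA
Template: CA

Full chain:
Template: DomainController
The certificate is not valid for the requested usage. 0x800b0110 (-2146762480)
"""

if __name__ == "__main__":
    for element in parse_chain_dump(SAMPLE_DUMP):
        print(element["template"], decode_flags(element["info"], CERT_TRUST_INFO_FLAGS),
              "EKUs:", element["eku"])
    for label, errors in failing_elements(SAMPLE_DUMP):
        print(label, "->", ", ".join(errors))
```

To run it against a real dump, redirect `certutil -dcinfo verify` to a file and pass the file's contents to `failing_elements` instead of `SAMPLE_DUMP`. In the posted output the only element with an error is the leaf (element 0, the DomainController certificate) with 0x10, CERT_TRUST_IS_NOT_VALID_FOR_USAGE, while the CA element (index 1) is clean and self-signed; separating the two is the first thing to establish before deciding whether the certificate or the issuing CA needs to be replaced.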
 
certutil -dcinfo deletebad

This will purge the invalid certificate. If you were actually using this
cert you will need to set up your CA again to get a new one.

Brian Delaney
 