
Incantation required for AD CS to generate compatible client cert?

Open z3ndrag0n opened this issue 2 years ago • 5 comments

I've set up openwec using TLS and certs generated using the example scripts (thanks for the clear and comprehensive docs), however I have some boxes which are autoenrolled in AD CS. I've managed to have these boxes connect to the wec and mutually auth without error, however I never see Event ID 100 (The subscription my-test-subscription is created successfully). I was wondering if anyone can help me generate a compatible key and cert pair through AD CS and what settings specifically are required.

z3ndrag0n avatar Dec 20 '23 11:12 z3ndrag0n

Hi,

I haven't tried to use certificates generated by ADCS with openwec yet so I don't have an out-of-the-box solution.

However, there are a few places where you should find some clues about what is going on:

  • use openwec server in DEBUG or TRACE verbosity mode and look at the server logs: can you find any authentication errors? Does it say why?
  • enable Windows Remote Management and Eventlog-ForwardingPlugin Operational, Analytics and Debug event log channels on the box you try to configure. There is very likely an event in there saying that something is not working as expected.

PS: By the way, if you are in an Active Directory environment, you may want to consider using Kerberos authentication, which is much easier to deploy and to maintain.

vruello avatar Dec 20 '23 16:12 vruello

Thanks, I will go hunting. (I really don't think it's an authentication error - I fought through enough of those on the way here!)

(The reason I chose to use certificates was that not everything is domain joined.)

z3ndrag0n avatar Dec 22 '23 02:12 z3ndrag0n

Examining the certs generated by OpenSSL vs ADCS, I noticed a disagreement in the X509v3 key usage attributes: the ADCS cert is set up for Digital Signature, Key Agreement whereas the OpenSSL cert is set up for Digital Signature, Key Encipherment.

HTH anyone else attempting to deal with this!

a139786 avatar May 09 '24 04:05 a139786

@a139786: I guess both certificates should work as long as they have the TLS Client Authentication EKU. Did you test them?

vruello avatar May 09 '24 19:05 vruello

I did - the OpenSSL cert worked (auth and traffic flowed). The ADCS cert had no auth error, but there was no traffic flow.

a139786 avatar May 13 '24 07:05 a139786
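As an added example that is not part of this thread and not one of openwec's own scripts: the POSIX shell snippet below reproduces the two key usage variants compared above (Digital Signature + Key Encipherment vs. Digital Signature + Key Agreement) on throwaway self-signed certificates, and then checks each one for the TLS Web Client Authentication EKU that the maintainer asks about. Run the same `key_usage` and `has_client_auth_eku` checks against an exported ADCS certificate to compare it with the one the example scripts produce. The subject name and file paths are constructed for the demo; it assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`).

```shell
#!/bin/sh
# Added example (not from the thread, not openwec's code): compare the keyUsage /
# extendedKeyUsage extensions of client certificates the way a collector admin
# would when an ADCS-issued cert authenticates but never delivers a subscription.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE [EKU]
# Writes a throwaway self-signed cert to $WORK/NAME.pem and prints its path.
# KEYUSAGE uses openssl's config names (digitalSignature, keyEncipherment, keyAgreement);
# EKU is optional so a cert without clientAuth can be built for comparison.
make_cert() {
  name="$1"; ku="$2"; eku="${3:-}"
  set -- -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=example-wec-client" \
      -addext "keyUsage=critical,${ku}" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.pem"
  if [ -n "$eku" ]; then
    set -- "$@" -addext "extendedKeyUsage=${eku}"
  fi
  openssl req "$@" >/dev/null 2>&1
  echo "$WORK/$name.pem"
}

# key_usage CERT
# Prints the key usage list exactly as openssl renders it, e.g.
# "Digital Signature, Key Encipherment" (the second output line of `x509 -ext`).
key_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | tail -n 1 | sed 's/^ *//'
}

# has_client_auth_eku CERT
# Succeeds only if the cert carries the TLS Web Client Authentication EKU,
# the property the maintainer expects a working client cert to have.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q "TLS Web Client Authentication"
}

# The two variants observed in the thread: OpenSSL example scripts vs. ADCS autoenrollment.
OPENSSL_STYLE="$(make_cert openssl_style digitalSignature,keyEncipherment clientAuth)"
ADCS_STYLE="$(make_cert adcs_style digitalSignature,keyAgreement clientAuth)"

for cert in "$OPENSSL_STYLE" "$ADCS_STYLE"; do
  printf '%s\n  keyUsage: %s\n' "$(basename "$cert")" "$(key_usage "$cert")"
  if has_client_auth_eku "$cert"; then
    echo "  clientAuth EKU: present"
  else
    echo "  clientAuth EKU: MISSING"
  fi
done
```

To inspect a certificate exported from an ADCS-enrolled box instead of the generated ones, convert it to PEM first if needed (`openssl x509 -inform der -in client.cer -out client.pem`) and point `key_usage` and `has_client_auth_eku` at that file; a missing clientAuth EKU or an unexpected key usage is then visible before you dig through the WinRM and Eventlog-ForwardingPlugin channels.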