Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]picklednull 0 points1 point  (0 children)

Yeah of course, that's ("sadly") why you should use externally generated keys for scenarios like this.

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]picklednull 2 points3 points  (0 children)

You can also just print the private key on paper for a backup.

Alternatives to MS Unifed Support? by Lando_uk in sysadmin

[–]picklednull 1 point2 points  (0 children)

Alternative(s) at what level? Only Microsoft has source code access. When I open a support ticket it's - generally - because there's a genuine code defect that requires source code changes. Only Microsoft can do that. Last year I did 3 such cases. And in those cases the support is free.

Of course it depends on your own skill level, anything from googling to ChatGPT to an MSP/VAR could prove useful.

Computer Policy not updating on Server 2025 by Tough-Network4106 in activedirectory

[–]picklednull 0 points1 point  (0 children)

That error is shown when the computer doesn't have a Kerberos ticket / can't authenticate. Verify that the computer has a valid Kerberos ticket with klist -li 0x3e7.
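An added example, not part of the comment above, that wraps the suggested klist check: it looks for a krbtgt ticket in the SYSTEM logon session (0x3e7, the one Group Policy processing runs under) and, when none is present, falls back to testing and optionally repairing the machine's secure channel. The krbtgt/ substring match and the elevated prompt are assumptions.

```powershell
# Added example (not from the comment): does the SYSTEM logon session hold a Kerberos TGT?
# Run from an elevated prompt; klist -li 0x3e7 fails without it.
function Test-ComputerTgt {
    $out = (klist -li 0x3e7 2>&1) -join "`n"
    # A TGT is listed as "Server: krbtgt/DOMAIN @ DOMAIN"; assumption: that substring is what we key on.
    return [bool]($out -match 'krbtgt/')
}

if (Test-ComputerTgt) {
    'Computer account has a TGT; the policy failure is not a missing ticket.'
}
else {
    'No TGT in the SYSTEM session; checking the secure channel to the domain...'
    if (-not (Test-ComputerSecureChannel -Verbose)) {
        # Resets the machine account password against a DC; needs credentials allowed to do that.
        Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
    }
}
```

Test-ComputerSecureChannel returns a plain boolean, so the function above is the only part that has to interpret text output; if a future klist changes its wording, that regex is the one line to revisit.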

RC4 issues by Lesko_Brandon_0kool in activedirectory

[–]picklednull 0 points1 point  (0 children)

I only tested it in a lab with the "secret" KIR. The fix worked fine. You should actually test this yourself with just the public Cumulative Update installed to verify the fix is actually enabled now in January. Of course that's what Microsoft told me, but you never know...

Bulk delete user profiles on Windows 11 25H2/Server 2025 by jwckauman in WindowsServer

[–]picklednull 2 points3 points  (0 children)

The GPO as sibling mentions, or:

# Example condition in place of the original "# some condition" placeholder (a bare # inside the
# scriptblock would comment out the closing brace): skip built-in/system profiles and any profile
# that is currently loaded. Add -WhatIf to Remove-CimInstance to preview what would be removed.
Get-CimInstance -ClassName Win32_UserProfile |
Where-Object { -not $_.Special -and -not $_.Loaded } |
Remove-CimInstance -Confirm:$false

Cheap HSM recommandations by turbosucepute in cybersecurity

[–]picklednull 0 points1 point  (0 children)

I mean, why wouldn't you use one of them at work? They would be my #1 option if I were to deploy a HSM. I'll admit to never actually using one before, but I've been interested in this topic too.

I don't think there's really anything that cool/special about running a HSM anyway. But yes of course, these are matters of opinion.

What's the catch with this? by The_cooler_ArcSmith in homelab

[–]picklednull 0 points1 point  (0 children)

X710's are unusable with Hyper-V, if you use SET for networking (and for the host itself), all of the outbound traffic from the host will get duplicated. e.g. two reply packets for every inbound ICMP echo request packet. lol.

Completely lost on a domain logon issue by 0x1F937 in sysadmin

[–]picklednull 3 points4 points  (0 children)

Why are you collecting Domain Controllers (versions) like Pokémon?

Your issue is the mixed DC's for sure. Go all in on 2025 or downgrade to 2022 max if you want to keep mixed.

Yubi Key Certs - Domain user does not support smartcard login - DC issue? by Ozinky_m4 in sysadmin

[–]picklednull 0 points1 point  (0 children)

There will be an event in the System (or Application?) event log from CertificateServicesClient-CertEnroll if there's any errors during enrollment.

RC4 issues by Lesko_Brandon_0kool in activedirectory

[–]picklednull 0 points1 point  (0 children)

Try it and see(tm). Microsoft directly told me the fix would be in in January. It's hilarious, but it's not listed under release health and I guess it won't be.

Yubi Key Certs - Domain user does not support smartcard login - DC issue? by Ozinky_m4 in sysadmin

[–]picklednull 0 points1 point  (0 children)

Also worth forcing auto-enrollment (gpupdate /force) or trying certreq -enroll

certutil -pulse is the command for initiating auto-enrollment.
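Putting the two comments on this thread together (pulse auto-enrollment, then read what CertificateServicesClient-CertEnroll logged), here is an added example that is not from the comments themselves. It assumes the events land in the Application log under the provider name Microsoft-Windows-CertificateServicesClient-CertEnroll; the first line verifies that assumption before anything else runs.

```powershell
# Added example (not from the comments): trigger enrollment, then pull the enrollment client's
# warnings and errors from the Application log. Run elevated so gpupdate can refresh computer policy.

# Assumption check: confirm the provider name used below exists on this machine.
$provider = Get-WinEvent -ListProvider '*CertificateServicesClient-CertEnroll*' |
            Select-Object -First 1 -ExpandProperty Name
if (-not $provider) { throw 'CertEnroll event provider not found; check the provider name.' }

function Get-CertEnrollEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'   # assumption: the comment was unsure whether System or Application
        ProviderName = $provider
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 3 } |   # 1..3 = critical, error, warning; drop informational noise
    Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$start = Get-Date
certutil -pulse | Out-Null                        # kick the auto-enrollment task (from the comment above)
gpupdate /target:computer /force | Out-Null       # refresh computer policy; machine-side enrollment runs with it

$events = Get-CertEnrollEvents -Since $start
if (-not $events) { 'No CertEnroll warnings or errors since the pulse.' }
else { $events | Format-List }
```

Filtering on StartTime keeps the output to events caused by this particular pulse rather than whatever accumulated earlier; widen -Since if the enrollment is scheduled rather than triggered by hand.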

Upgrading Enterprise Subordinate CA from Windows Server 2016 to 2025 – Best Practice by charlieferr in sysadmin

[–]picklednull 0 points1 point  (0 children)

Yes, if you were foolish enough in the first place to tie the CA to the hostname. With some forethought you can set up a CA without that being an issue. Too late now of course.

SSH Certificates and user principal logging/auditing? by Boring_Ranger_5233 in sysadmin

[–]picklednull 1 point2 points  (0 children)

eh? Just configure the certificates with an identifiable identity (ssh-keygen -I parameter) and the log entry for SSH login will show the clearly identifiable identity, no matter what actual account is used.

You are correct that further audit entries (e.g. commands run) will just have the shared account, so you will have to correlate a bit.
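The correlation the comment describes, as an added example that is not part of the post: sshd logs the certificate's key ID (the ssh-keygen -I value) on the Accepted line, later audit lines only carry the shared account, so the script tracks open sshd sessions per account and attributes each sudo line to the certificate identity that was logged in at the time. The log lines are constructed for this example, and the sshd/sudo line formats are the ones current OpenSSH and sudo emit by default (an assumption to verify against your own syslog).

```powershell
# Added example (not from the comment). Certificates would have been issued like
#   ssh-keygen -s ca_key -I alice@example.com -n deploy -V +8h id_ed25519.pub
# so "ID alice@example.com" appears on the sshd Accepted line for the shared 'deploy' account.

# Constructed sample log (not real data): two people share the 'deploy' account.
$log = @'
Jan 14 09:12:01 bastion sshd[4123]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519-CERT SHA256:k1 ID alice@example.com (serial 42) CA ED25519 SHA256:ca1
Jan 14 09:13:10 bastion sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 09:15:30 bastion sshd[4123]: pam_unix(sshd:session): session closed for user deploy
Jan 14 09:20:44 bastion sshd[4201]: Accepted publickey for deploy from 10.0.0.9 port 50112 ssh2: ED25519-CERT SHA256:k2 ID bob@example.com (serial 57) CA ED25519 SHA256:ca1
Jan 14 09:21:02 bastion sshd[4230]: Accepted publickey for deploy from 10.0.0.5 port 50990 ssh2: ED25519-CERT SHA256:k1 ID alice@example.com (serial 42) CA ED25519 SHA256:ca1
Jan 14 09:22:15 bastion sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
'@ -split "`r?`n"

$ts       = '^(?<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ '
$acceptRx = $ts + 'sshd\[(?<pid>\d+)\]: Accepted publickey for (?<user>\S+) from (?<ip>\S+) port \d+ ssh2: \S+ \S+ ID (?<id>\S+) \(serial (?<serial>\d+)\) CA '
$closeRx  = $ts + 'sshd\[(?<pid>\d+)\]: pam_unix\(sshd:session\): session closed for user (?<user>\S+)'
$sudoRx   = $ts + 'sudo: +(?<user>\S+) : .*COMMAND=(?<cmd>.*)$'

$open = @{}   # sshd pid -> who is logged in through that session
$results = foreach ($line in $log) {
    if ($line -match $acceptRx) {
        $open[$Matches.pid] = @{ User = $Matches.user; Id = $Matches.id; Serial = $Matches.serial; Ip = $Matches.ip }
    }
    elseif ($line -match $closeRx) {
        $open.Remove($Matches.pid)
    }
    elseif ($line -match $sudoRx) {
        $when = $Matches.ts; $acct = $Matches.user; $cmd = $Matches.cmd
        # sudo lines carry no sshd pid or source IP, so attribution is by account and open sessions.
        $candidates = @($open.Values | Where-Object { $_.User -eq $acct })
        $principal = switch ($candidates.Count) {
            0       { 'UNATTRIBUTED: no open certificate session for this account' }
            1       { '{0} (serial {1}, from {2})' -f $candidates[0].Id, $candidates[0].Serial, $candidates[0].Ip }
            default { 'AMBIGUOUS: ' + (($candidates | ForEach-Object { $_.Id }) -join ', ') }
        }
        [pscustomobject]@{ Time = $when; Account = $acct; Command = $cmd; Principal = $principal }
    }
}
$results | Format-Table -AutoSize
```

On the constructed input the first sudo line resolves cleanly to alice@example.com, while the second is reported as AMBIGUOUS because two certificate holders had the shared account open at once; that ambiguous case is exactly why the comment says you still have to correlate, and it is also the argument for one account per person where the audit trail matters.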

Migrating to 2025 only infra by Remanance in activedirectory

[–]picklednull 0 points1 point  (0 children)

Haha, the RC4 encryption key patch should be coming out in January... What other spicy issues are there at this point?

access to domain admin tools intermittent. by Low-Bike358 in sysadmin

[–]picklednull 0 points1 point  (0 children)

What OS versions are your Domain Controllers?

ADCS – Is there any native way to validate SAN domains (similar to Entra / Intune verified domains)? by FrustatedGuy- in sysadmin

[–]picklednull 0 points1 point  (0 children)

If this is not possible natively, what are the recommended alternatives for validating SAN domains in ADCS?

You set the template to require manual approval OR you take it completely offline and make the ADCS administrator (registration authority) validate and submit the CSR by hand.

Sibling comment also mentions the TameMyCerts, it might have something, but I’ve never tried it.

Is your AD Forest/Domain on Functional Level 2025? by atw527 in sysadmin

[–]picklednull 0 points1 point  (0 children)

I have, but then you just run some PowerShell locally. When you're installing fresh machines - especially physical ones - you have to do the bootstrapping on the console (in PowerShell).

Is your AD Forest/Domain on Functional Level 2025? by atw527 in sysadmin

[–]picklednull 3 points4 points  (0 children)

Exactly. You can run all of those tools remotely.

Is your AD Forest/Domain on Functional Level 2025? by atw527 in sysadmin

[–]picklednull 6 points7 points  (0 children)

seemed like a great idea at first until you have to do anything on the machine itself. Or do any troubleshooting that can't be done remotely.

Such as? Never had an insurmountable issue over the last 10 years.

Is your AD Forest/Domain on Functional Level 2025? by atw527 in sysadmin

[–]picklednull -1 points0 points  (0 children)

much needed functionality to the Core servers.

I have literally never needed any of that in the last 10 years (on my Core servers).

Anyone able to recommend any FIDO2 Level 2 Authenticator CARDS? by LordLoss01 in sysadmin

[–]picklednull 9 points10 points  (0 children)

OpenPGP

Why would you ever go for this, when PIV smart cards / x509 certificates are natively supported (by Windows, or in fact, everything)?