certreq/certutil over ssh

AdyR asked:

Hi,

I'm trying to generate certificates over SSH from a script located on a Linux server.
I made a script that, at some point, accesses the domain controller via SSH, where the certificate should be generated, but the issue is that the user doesn't have the required permissions when accessing the DC over SSH.
The user used for SSH is a domain admin, and running the same command directly from PowerShell works fine.

This is a ping using certutil. The same result occurs when trying "certreq -submit ...":

ssh user@domain_controller powershell -Command "certutil -ping -config 'CA.domain'"
Connecting to CA.domain ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (16ms)

I searched a lot but couldn't find any solution.

Does anyone have any clue or advice about this?

Regards,
Adi

windows-server

IanXue-MSFT answered:

Hi,

Have you ever tested the connection to CA.domain from the domain controller?

When certutil runs over ssh, it connects to CA.domain from the domain controller, not from the host that runs the ssh client.

Best Regards,
Ian Xue

AdyR answered:

Hi and thanks for your reply.

As I said, the user used for SSH doesn't have permissions to run certutil.

I ended up creating a ps1 script inside the bash script on the Linux machine, transferring it to the domain controller, executing it over SSH and then removing it.
Not the greatest thing to do, but it's the only solution I could find.

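The workaround AdyR describes, written out as an added bash helper (not code from the thread or from Microsoft): it generates the .ps1 locally, copies it and the CSR to the DC, runs it over SSH, fetches the issued certificate, and always deletes the staged script afterwards. The DC host dc01.example.test, the SSH user svc-certs, and the assumption that Windows OpenSSH can start powershell.exe are placeholders; "CA.domain" is the CA config string from the question.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: AdyR's workaround (write a .ps1
# on the Linux side, copy it to the DC, run it over SSH, remove it) as a
# reusable helper. Placeholders assumed here: DC host dc01.example.test,
# SSH user svc-certs, and that Windows OpenSSH can start powershell.exe.
set -eu

DC_HOST="${DC_HOST:-dc01.example.test}"
SSH_USER="${SSH_USER:-svc-certs}"
CA_CONFIG="${CA_CONFIG:-CA.domain}"   # CA config string from the question

# Emit the PowerShell body. Variables meant for PowerShell are escaped so the
# shell does not expand them; the CA config and file names are substituted.
make_ps1() {
  ca="$1"; req="$2"; cer="$3"
  cat <<EOF
\$ErrorActionPreference = 'Stop'
# Same reachability check the question ran by hand; stop before submitting.
certutil -ping -config "$ca" | Out-Null
if (\$LASTEXITCODE -ne 0) { throw "CA $ca not reachable from this host" }
certreq -submit -config "$ca" "$req" "$cer"
EOF
}

# Unique name per run so concurrent jobs never clobber each other's script.
remote_name() { printf 'certreq-%s-%s.ps1' "$(date +%s)" "$$"; }

# Stage the CSR and script in the SSH user's profile on the DC, run the script,
# fetch the issued certificate, then delete the staged script whatever happened.
# $1 = CSR path on the Linux side, $2 = where to write the certificate.
request_cert() {
  req="$1"; cer="${2:-${1%.req}.cer}"; status=0
  name="$(remote_name)"; dir="$(mktemp -d)"
  make_ps1 "$CA_CONFIG" "$(basename "$req")" "$(basename "$cer")" > "$dir/$name"
  scp -q "$req" "$dir/$name" "$SSH_USER@$DC_HOST:" || status=$?
  if [ "$status" -eq 0 ]; then
    ssh "$SSH_USER@$DC_HOST" powershell -ExecutionPolicy Bypass -File "$name" || status=$?
  fi
  if [ "$status" -eq 0 ]; then
    scp -q "$SSH_USER@$DC_HOST:$(basename "$cer")" "$cer" || status=$?
  fi
  # Always clean up: a staged admin script is not something to leave on a DC.
  ssh "$SSH_USER@$DC_HOST" powershell -Command Remove-Item -Force "$name" || true
  rm -rf "$dir"
  return "$status"
}

# Only run when explicitly asked, e.g. RUN_CERT_REQUEST=1 ./request.sh web.req
if [ "${RUN_CERT_REQUEST:-0}" = "1" ]; then request_cert "$@"; fi
```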