PKI & Certificate Management
Expired TLS/SSL certificates, ADCS enrollment failures, certificate chain trust, OCSP/CRL unreachability, NDES/SCEP for mobile, code-signing blocks, and Let's Encrypt short-lived certs.
- Expired SSL/TLS Certificate Causing Service Outage — IIS, RDS, Exchange or ADFS
  An SSL/TLS certificate has passed its NotAfter date causing browsers to block access, RDS clients to refuse connection, Exchange to stop processing mail, or ADFS federation to fail. Emergency path is…
- Active Directory Certificate Services — Certificate Enrollment Failing for Users or Machines
  Users or computers cannot enrol for certificates from the internal CA via manual enrollment, the web enrolment interface, or auto-enrollment. Commonly caused by firewall blocking RPC to the CA, missi…
- SSL Certificate Not Trusted — Incomplete Chain or Missing Intermediate CA
  Clients reject an SSL/TLS certificate because the server is not presenting the full certificate chain, an intermediate CA is missing from the Windows certificate store, or a self-signed certificate h…
- Secure Boot Certificate Migration Using PowerShell Scripts in Windows 11 (KB5089549)
  The May 2026 cumulative update KB5089549 introduces C:\Windows\SecureBoot\ExampleRolloutScripts, containing seven Microsoft-provided PowerShell scripts to assist enterprise administrators in migratin…
- OCSP / CRL Distribution Point Unreachable — Certificate Validation Failures
  Applications, browsers, or Windows machines fail to validate certificates because OCSP responders or CRL distribution points (CDPs) are unreachable. Symptoms range from slow TLS handshakes (30-60s OC…
- Windows NDES/SCEP Certificate Enrollment Failing for Mobile Devices
  Intune or JAMF-managed devices fail to receive certificates via SCEP (Simple Certificate Enrollment Protocol) through Windows NDES (Network Device Enrollment Service). Devices show certificate deploy…
- Code Signing Certificate Blocking Software Deployment — SmartScreen or Endpoint AV
  Signed executables, scripts, or packages are blocked by Windows SmartScreen, endpoint AV, or AppLocker because the code signing certificate is expired, revoked, missing from the trusted root store, o…
- Obtaining Short-Lived (6-Day) and IP Address TLS Certificates from Let's Encrypt
  Let's Encrypt now offers short-lived certificates valid for approximately 160 hours (~6 days) and IP address certificates as generally available features, accessible by selecting the 'shortlived' ACM…
- Inspect Full Remote SSL Certificate Details via OpenSSL CLI
  curl's verbose mode (-vvI) only exposes basic certificate common names during HTTPS connections, making it insufficient for verifying issuer chains, validity dates, Subject Alternative Names, or sign…
- Adding or Removing a Passphrase from an Existing OpenSSL Private Key
  A private key generated without passphrase protection can have one added later using 'openssl rsa -aes256' without regenerating the key pair. Conversely, an existing passphrase can be removed by omit…
- cURL Error 60 – DST Root CA X3 Expiry Breaks HTTPS on Ubuntu 14
  On Ubuntu 14 (end-of-life) servers, all HTTPS requests to Let's Encrypt-secured sites fail with cURL error 60 ('SSL certificate problem: certificate has expired') because the DST Root CA X3 root cert…
- Assign custom SSL certificate to RDP on Windows Server 2012+ without RDS role (Remote Administration mode)
  Windows Server 2012 removed tsconfig.msc and the RDP-Tcp properties GUI, making it non-obvious how to assign a custom SSL certificate to RDP when the Remote Desktop Services role is not installed. Th…
- Git on Windows fails with 'unable to get local issuer certificate' using HTTPS and self-signed certificate
  Git for Windows uses cURL with its own certificate bundle (curl-ca-bundle.crt) rather than the Windows system certificate store, causing HTTPS SSL verification failures even when a self-signed certif…