0

When executing a certutil request from a local powershell everything is ok.

PS C:\Users\admuser> certutil -ping -config 'caserver\ca'
Connecting to caserver\ca ...
Server "ca" ICertRequest2 interface is alive (32ms)
CertUtil: -ping command completed successfully.
PS C:\Users\admuser>

Doing the same from a Linux host connected with OpenSSH to the same Windows server we get an error.

PS C:\Users\admuser> certutil -ping -config 'caserver\ca'
Connecting to caserver\ca ...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (16ms)

CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.
PS C:\Users\admuser>

Any ideas what is wrong with connecting over SSH and then executing the command? Both are executed from a local PowerShell.

1
  • RPC server unavailable means one of the following ports is not open: 135, 49152 through 65535. Windows 101 requires these ports to be open.
    – Greg Askew
    Sep 25 at 9:39

1 Answer

0

The problem here is authenticating with an SSH key. If you do this, you are not able to use further authentication, which is required by certutil and hence the RPC service. This behavior is documented, somewhat hidden, by MS.

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement

A remote session opened via key based authentication does not have associated user credentials and hence is not capable of outbound authentication as the user, this is by design.

So if you need further authentication against the MS ecosystem you are not able to use key based authentication. You have to go with username and password for ssh.

2
  • Check and compare environment variables, that may give a clue. Sep 25 at 8:50
  • They are not different.
    – JGK
    Sep 27 at 9:35
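
A triage sketch for the two explanations given on this page (closed RPC ports versus a key-based SSH session without user credentials), added here as an example and not taken from the post or from Microsoft. It assumes English `klist` output and that an empty Kerberos ticket cache is a usable sign of a credential-less logon session; the variable names are hypothetical.

```powershell
# Added triage sketch, not part of the original post.
# Run it inside the session where 'certutil -ping' fails.
$caConfig = 'caserver\ca'              # config string from the question
$caHost   = $caConfig.Split('\')[0]    # host part of the config string

# 1. Is this an OpenSSH session? sshd sets SSH_CONNECTION for its child processes.
$viaSsh = [bool]$env:SSH_CONNECTION

# 2. Network check: RPC endpoint mapper only (the dynamic port range is not probed).
$rpc135 = (Test-NetConnection -ComputerName $caHost -Port 135 `
           -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. Kerberos tickets held by this logon session.
#    Assumption: English klist output of the form "Cached Tickets: (N)".
$klistText = (& klist.exe 2>&1 | Out-String)
$tickets = if ($klistText -match 'Cached Tickets:\s*\((\d+)\)') { [int]$Matches[1] } else { $null }

# 4. The command from the question; keep only its exit code.
& certutil.exe -ping -config $caConfig | Out-Null
$pingCode = $LASTEXITCODE

[pscustomobject]@{
    ViaSsh         = $viaSsh
    Port135Open    = $rpc135
    CachedTickets  = $tickets
    CertutilResult = '0x{0:X8}' -f $pingCode
}

if ($pingCode -eq 0) {
    'certutil -ping succeeded: this session can authenticate to the CA.'
}
elseif (-not $rpc135) {
    'Port 135 is not reachable: look at firewall rules and routing first.'
}
elseif ($viaSsh -and $tickets -eq 0) {
    'Port 135 is reachable but the SSH session holds no tickets: consistent with ' +
    'key-based authentication, which leaves the session without outbound credentials.'
}
else {
    'Inconclusive: compare this output with the same script run in a local console.'
}
```

Running it once in the local console and once in the SSH session gives a side-by-side record of which of the two causes applies.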
