Questions tagged as ['ad-certificate-services']
When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at:
CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com
When I view it in the ADSI editor, the modified ACL entries are not inherited, but dire ...
In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited.
The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.
If I open a certificate I create - select ...
In AD Certificate Templates the templates have an option to build from AD information and includes Email, DNS, UPN, etc.
When creating a CSR using PowerShell, OpenSSL and the certificate MMC snap-in I know it's possible to add additional attributes like State, City, Organization, Organization Unit, Locality and others. Is it possible to have this type of information pulled from AD so when servers are set ...

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via an MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web browser (on Android) that requires a client certificate.
We are installing a separate Windows Server 2019 instance with the Microsoft OCSP Responder rol ...

I have a Windows Server which started logging this warning event 36/37 days before a certificate's expiry date and I would like to understand what controls/sets this timing and how it can be configured.
The certificate in question was not auto-enrolled.
Ultimately, I would like to use this event to send a notification X days before the cert is going to expire.
The source of this event in Event Viewer i ...
I'm trying to install a subordinate CA with Microsoft ADCS and when I do, it creates a .req file. Then I use that at the root CA to issue a certificate. The resulting certificate is always for 5 years. I want it to be 10. I have tried setting ValidityPeriod=Years and ValidityPeriodUnits=10 in the CAPolicy.inf file on the subordinate CA. And I have tried various other things, but nothing seems to make an ...
I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA). And the Certificate Enrollment Web Service (CES) installed on a separate machine. All three of those in the same domain: a.local. I have serverB1 in another domain b.local which has ...
When I start a remote desktop connection to the server I get the following warnings when launching it by double-clicking on my shortcut:
The advertiser of this remote connection can NOT be identified.
editor: unknown publisher
and after entering the username and password:
The identity of the remote computer cannot be verified Unable to perform a revocation check for the certificate unknown publisher
The certifi ...
We have a Microsoft Active Directory Certificate Services Enterprise CA.
After installing the service, an AD container is created within CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com
Our CDP is http-only. There is no LDAP path added. Should I keep or remove this container?

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):
- Kerberos Authentication
- Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
- Domain Controller (we know this is sup ...
We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.
CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.
CA2 is responsible for issuing certificates to servers and has a template Server Auth.
Auto-Enrollment is enabled on all Workstations and servers in our domain and w ...
I have a certificate template (auto-enrolled) that must require manager approval.
To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab.
The computer does auto-enroll and the certificate is placed on the Pending queue on the CA.
My wish is that once the pending certificate was manually approved, certificates should be renewed, or updated if the ...
I'm learning about certificates and HTTPS together and after 4 days I'm out of ideas on how to set things up to become trusted. In my lab env. I have a Windows server with a CA role.
Previously I installed a VM-Dell OpenManage for my server. It has a graphical interface for requests and an import certificate for HTTPS access. I successfully generated a Certificate Signing Request and got a cert from my windows ...
Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question, would they be trusted (i.e. would a certificate issued in ...
My AD domain name is domainname.local. I have Certificate Services set up to issue certs for this domain.
I now want to add domainname.com as an AD integrated zone and have Certificate Services issue certificates for this new domain as well.
Is it possible to do this? If yes, where do I begin? Any thoughts would be most appreciated. Thanks.
We are using Windows CA for S/MIME certificates and in order for this to work with external recipients, we routinely exchange signed mails in order to establish trust or sometimes transmit our root CA, in particular when multiple internal users are needed. Now, I face a problem with an external recipient not being able to establish this in a straightforward manner (they are using Thunderbird). The caus ...