Questions tagged as ['ad-certificate-services']

Active Directory Certificate Services is a server role first made available in Windows Server 2008. Previously it was known as Certificate Services.
Score: 0
How can I set the ACL of a CA programmatically?

When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at:

CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

When I view it in the ADSI editor, the modified ACL entries are not inherited, but dire ...
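One way to do from a script what the Security tab does to the AD object in the post, as an added example that is not part of the original question. It assumes the DN quoted above, a hypothetical group named CA-Enrollers, and the RSAT ActiveDirectory module on the machine running it; the GUID is the well-known Certificate-Enrollment control access right.

```powershell
# Added example (not from the original post): grant a group the Enroll
# extended right on the CA's pKIEnrollmentService object in AD.
# Assumptions: the DN from the post, a group named 'CA-Enrollers', and
# the ActiveDirectory module (RSAT) available on the machine running this.
Import-Module ActiveDirectory

$caDn  = 'CN=MY-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com'
$group = Get-ADGroup -Identity 'CA-Enrollers'

# Well-known GUID of the Certificate-Enrollment control access right.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Read the current DACL through the AD: PSDrive that the module provides.
$acl = Get-Acl -Path "AD:\$caDn"

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight
)
$acl.AddAccessRule($ace)

# Write the modified DACL back; this adds an explicit (non-inherited) ACE.
Set-Acl -Path "AD:\$caDn" -AclObject $acl

# Verify: show the explicit ACEs now present on the object.
(Get-Acl -Path "AD:\$caDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType |
    Format-Table -AutoSize
```

Caveat: the CA service keeps its own security descriptor in the registry (visible with `certutil -getreg CA\Security`), and the certsrv.msc Security tab updates that as well as the AD object. Editing only the AD object does not change what the running CA enforces for Manage CA or Issue and Manage Certificates, so a script that must match the GUI has to write both; the third-party PSPKI module's CA ACL cmdlets are one commonly used way to do that.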

Score: 0
Domain Member Servers - Accessing Certificate Revocation List (CRL)

In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited.

The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.

If I open a certificate I create - select ...

Score: 0
Windows Certificate Authority - Adding Additional Attributes

In AD Certificate Templates the templates have an option to build from AD information and includes Email, DNS, UPN, etc.


When creating a CSR using PowerShell, OpenSSL and the certificate MMC snap-in I know it's possible to add additional attributes like State, City, Organization, Organizational Unit, Locality and others. Is it possible to have this type of information pulled from AD so when servers are set ...

Score: 0
How does OCSP handle deleted certificates?

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via a MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web browser (on Android) that requires a client certificate.

We are installing a separate Windows Server 2019 instance with the Microsoft OCSP Responder rol ...

Score: 0
What controls the timing of the Windows Certificate Services event "Close to expiration" ID 1003?

I have a Windows Server which started logging this warning event 36/37 days before a certificate's expiry date and I would like to understand what controls/sets this timing and how it can be configured.

The certificate in question was not auto-enrolled.

Ultimately, I would like to use this event to send a notification X days before the cert is going to expire.

The source of this event in Event Viewer i ...
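A way to get the "X days before expiry" notification the post asks for without depending on when event 1003 fires, as an added example that is not part of the original question: scan the store directly and choose the threshold yourself. The SMTP relay and mail addresses are placeholders, not values from the post.

```powershell
# Added example (not from the original post): list certificates in a store
# that expire within N days, then notify. Assumptions: 'smtp.contoso.com' and
# the addresses below are placeholders; Send-MailMessage is the notifier.
function Get-ExpiringCertificate {
    param(
        [int]$Days = 30,
        [string[]]$StorePath = @('Cert:\LocalMachine\My')
    )
    $now   = Get-Date
    $limit = $now.AddDays($Days)
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path |
            Where-Object { $_.NotAfter -le $limit } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    # Negative when the certificate has already expired.
                    DaysLeft   = [math]::Floor(($_.NotAfter - $now).TotalDays)
                    Expired    = ($_.NotAfter -lt $now)
                }
            }
    }
}

# Pick the lead time you want (the post wants "X days"); 45 is an assumption.
$expiring = @(Get-ExpiringCertificate -Days 45)

if ($expiring.Count -gt 0) {
    $body = $expiring | Sort-Object NotAfter | Format-List | Out-String
    Send-MailMessage -SmtpServer 'smtp.contoso.com' `
        -From 'pki-alerts@contoso.com' -To 'ops@contoso.com' `
        -Subject "$($expiring.Count) certificate(s) expiring within 45 days on $env:COMPUTERNAME" `
        -Body $body
}
```

Run it from a scheduled task as a principal that can read the machine store. Expired certificates are deliberately included (DaysLeft goes negative) so that a cert which already lapsed is not silently dropped by a "within N days" filter.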

Score: 2
How to set the lifetime of a CA certificate?

I'm trying to install a subordinate CA with Microsoft ADCS and when I do, it creates a .req file. Then I use that at the root CA to issue a certificate. The resulting certificate is always for 5 years. I want it to be 10. I have tried setting ValidityPeriod=Years and ValidityPeriodUnits=10 in the CAPolicy.inf file on the subordinate CA. And I have tried various other things, but nothing seems to make an ...
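The lifetime of a certificate a Windows CA issues is capped by that issuing CA's own ValidityPeriod and ValidityPeriodUnits registry values (and, when the issuing CA is an enterprise CA, also by the Validity period set on the Subordinate Certification Authority template), and it can never extend past the issuing CA's own certificate. So for a subordinate CA certificate the setting that matters is on the root, not in the subordinate's CAPolicy.inf. Added example, not part of the original question, to be run on the root CA; the config string ROOT01\Contoso Root CA and the file names are assumptions:

```powershell
# Added example (not from the original post): raise the cap a Windows root CA
# applies to the certificates it issues, then re-issue the subordinate's cert.
# Assumptions: root CA config string 'ROOT01\Contoso Root CA', files sub.req/sub.cer.

# 1. Inspect what the root currently allows.
certutil -getreg CA\ValidityPeriod
certutil -getreg CA\ValidityPeriodUnits

# 2. Raise the cap to 10 years; the service must restart to pick it up.
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\ValidityPeriodUnits 10
Restart-Service -Name certsvc

# 3. Re-submit the subordinate's request. A standalone root usually leaves
#    the request pending; approve it with 'certutil -resubmit <RequestId>'
#    and then retrieve it with 'certreq -retrieve <RequestId> sub.cer'.
certreq -submit -config 'ROOT01\Contoso Root CA' .\sub.req .\sub.cer

# 4. Check the result. The new NotAfter is still bounded by the root's own
#    certificate, so a 10-year sub CA needs a root with at least 10 years left.
$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path .\sub.cer).Path)
$root.NotAfter
```

If the root is an enterprise CA, also open the Subordinate Certification Authority template (or a copy of it) and raise its Validity period to 10 years; the registry cap and the template validity both apply, and the shorter wins.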

Score: 0
How to configure AD Certificate Services to get past this WS_E_ENDPOINT_ACCESS_DENIED error?

I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA). And the Certificate Enrollment Web Service (CES) installed on a separate machine. All three of those in the same domain: a.local. I have serverB1 in another domain b.local which has  ...

Score: 0
Warnings when starting a remote desktop connection Windows server

When I start a remote desktop connection to the server I get the following warnings

when launching double click on my shortcut:

The advertiser of this remote connection can NOT be identified.

editor: unknown publisher

and after entering the username and password:

The identity of the remote computer cannot be verified Unable to perform a revocation check for the certificate unknown publisher

The certifi ...

Score: 0
CDP container in Active Directory required if not part of AD?

We have a Microsoft Active Directory Certificate Services Enterprise CA.

After installing the service, an AD container is created within CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com

Our CDP is http-only. There is no LDAP path added. Should I keep or remove this container?
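Whether anything depends on the CN=CDP container is decided by the CA's CRLPublicationURLs value: an ldap:/// entry with the publish bit set means the CA writes CRLs into that container, and one with the "include in issued certificates" bit set means relying parties will look there. The following is an added example, not part of the original question, that decodes that value; the flag bits are the CSURL_* values the CA uses for this setting. The sample entries are constructed for an HTTP-only CDP and use the domain from the post.

```powershell
# Added example (not from the original post): decode CRLPublicationURLs entries
# ("<flags>:<url>") to see where the CA publishes CRLs and which URLs end up in
# issued certificates' CDP extension. The sample below is constructed, not read
# from a real CA; Get-CaCrlPublicationUrl reads the live value on a CA.
function ConvertFrom-CrlPublicationUrl {
    param([Parameter(Mandatory)][string[]]$Entry)
    foreach ($e in $Entry) {
        $flagText, $url = $e -split ':', 2
        $flags = [int]$flagText
        [pscustomobject]@{
            Url            = $url
            # 'C:\...' has a one-letter "scheme"; treat anything shorter than 2 letters as a file path.
            Scheme         = if ($url -match '^([a-z]{2,}):') { $Matches[1].ToLower() } else { 'file' }
            PublishCrlHere = [bool]($flags -band 1)    # CSURL_SERVERPUBLISH
            InCertCdp      = [bool]($flags -band 2)    # CSURL_ADDTOCERTCDP
            InFreshestCrl  = [bool]($flags -band 4)    # CSURL_ADDTOFRESHESTCRL
            InCrlCdp       = [bool]($flags -band 8)    # CSURL_ADDTOCRLCDP
            PublishDelta   = [bool]($flags -band 64)   # CSURL_SERVERPUBLISHDELTA
            InIdp          = [bool]($flags -band 128)  # CSURL_ADDTOIDP
        }
    }
}

# Live read on the CA itself: the value is a REG_MULTI_SZ under the active CA's key.
function Get-CaCrlPublicationUrl {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs
}

# Constructed sample: local file publication plus an HTTP-only CDP, no ldap:/// entry.
$sample = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    '6:http://pki.ad.example.com/CertEnroll/%3%8%9.crl'
)

$decoded = ConvertFrom-CrlPublicationUrl -Entry $sample
$decoded | Format-Table Scheme, PublishCrlHere, InCertCdp, InCrlCdp, PublishDelta, Url -AutoSize

$ldapPublished  = $decoded | Where-Object { $_.Scheme -eq 'ldap' -and $_.PublishCrlHere }
$ldapAdvertised = $decoded | Where-Object { $_.Scheme -eq 'ldap' -and ($_.InCertCdp -or $_.InCrlCdp) }
if (-not $ldapPublished -and -not $ldapAdvertised) {
    'No ldap:/// entry is published to or advertised: nothing uses the CN=CDP container.'
} else {
    'An ldap:/// entry is in use: keep CN=CDP and the CA sub-container under it.'
}
```

Run the same check against `Get-CaCrlPublicationUrl` on the CA before removing anything; if an ldap:/// entry with the publish bit is still present when the container is gone, the next CRL publication fails for that location.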

Score: 3
Domain Controller autoenrollment - changing issuing CA

We are cleaning up our Windows PKI/CA environment and replacing our root CA with a new server. The current root CA has been issuing the following certificate templates for years now (in addition to the Subordinate certificate template):

  • Kerberos Authentication
  • Domain Controller Authentication (we know this is superseded now by the Kerberos Authentication template)
  • Domain Controller (we know this is sup ...

Score: 0
Target specific Enterprise CA for auto-enrollment?

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.

CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.

CA2 is responsible for issuing certificates to servers and has a template Server Auth.

Auto-Enrollment is enabled on all Workstations and servers in our domain and w ...
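Autoenrollment can only obtain a certificate from an enterprise CA that both publishes the template (it appears in that CA's certificateTemplates attribute in AD) and grants the requester Enroll on the CA itself, so steering a template to one CA starts with checking which CAs publish it. The following added example, not part of either question, serves this post and the "Domain Controller autoenrollment - changing issuing CA" post above. It assumes the RSAT ActiveDirectory module, hypothetical template common names WorkstationAuth and ServerAuth for the custom templates, and the config string CA2HOST\CA2 for the second CA.

```powershell
# Added example (not from the original post): list which enterprise CAs publish
# which templates, by reading the pKIEnrollmentService objects in the
# Configuration partition. Assumptions: RSAT ActiveDirectory module; template
# common names 'WorkstationAuth' and 'ServerAuth' are hypothetical.
Import-Module ActiveDirectory

function Get-CaPublishingTemplate {
    param([Parameter(Mandatory)][string[]]$TemplateCn)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $cas = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
               -Properties certificateTemplates, dNSHostName
    foreach ($t in $TemplateCn) {
        foreach ($ca in $cas) {
            [pscustomobject]@{
                Template  = $t
                CA        = $ca.Name
                Host      = $ca.dNSHostName
                Publishes = [bool]($ca.certificateTemplates -contains $t)
            }
        }
    }
}

# certificateTemplates holds template common names (cn), not display names.
# The built-in DC templates named in the other post are, by cn:
# 'KerberosAuthentication', 'DomainControllerAuthentication', 'DomainController'.
Get-CaPublishingTemplate -TemplateCn 'WorkstationAuth', 'ServerAuth',
                                     'KerberosAuthentication', 'DomainControllerAuthentication', 'DomainController' |
    Sort-Object Template, CA | Format-Table -AutoSize

# Remedy when a template shows Publishes=True on a CA that should not serve it:
# unpublish it from that CA (the leading '-' removes, '+' adds).
certutil -config 'CA2HOST\CA2' -SetCATemplates -WorkstationAuth
```

Once each template is published by exactly one CA, autoenrollment has only one candidate for it; the Enroll ACL on each CA is the second gate and can be used the same way if a template must stay published on both.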

Score: 0
Auto-Enrollment with manager approval, but auto-approval for re-enrollment

I have a certificate template (auto-enrolled) that must require manager approval.

To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab.


The computer does auto-enroll and the certificate is placed on the Pending queue on the CA.

My wish is that once the pending certificate was manually approved, certificates should be renewed, or updated if the ...

Score: 0
This site is missing a valid, trusted certificate || Apache2 webserver, Windows root CA

I'm learning about certificates and HTTPS together, and after 4 days I'm out of ideas on how to set it up to become trusted. In my lab env. I have a Windows server with a CA role.

Previously I installed a VM-Dell OpenManage for my server. It has a graphical interface for requests and an import certificate for HTTPS access. I successfully generated a Certificate Signing Request and got a cert from my Windows ...

Score: 0
PKI trust in Active Directory

Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and that CA then issued user/computer/smart card certificates for resources of the domain in question, would they be trusted (i.e. would a certificate issued in ...

Score: 0
AD Certificate Services - Add a new domain?

My AD domain name is domainname.local. I have Certificate Services set up to issue certs for this domain.

I now want to add as an AD integrated zone and have Certificate Services issue certificates for this new domain as well.

Is it possible to do this? If yes, where do I begin? Any thoughts would be most appreciated. Thanks.

Score: 0
Strange hex-code in Windows root certificate prevents trust in Thunderbird

We are using Windows CA for S/MIME certificates and in order for this to work with external recipients, we routinely exchange signed mails in order to establish trust or sometimes transmit our root CA, in particular when multiple internal users are needed. Now, I face a problem with an external recipient not being able to establish this in a straightforward manner (they are using Thunderbird). The caus ...