Questions tagged [active-directory-adcs]
20 questions
1 vote, 1 answer
Highly available PKI-related questions with regard to CA/OCSP and NDES
I have some specific questions with regard to a highly available PKI based on ADCS.
The questions are as follows. Please see the detailed info below to get more info on the case.
--------------------------- questions ------------------------
In an…

MyPkiProblems
1 vote, 1 answer
Windows Certificate Authority server
A default installation of a Microsoft PKI running Windows includes LDAP URLs first within CRL distribution points (CDPs) and Authority Information Access (AIA).
Question 1:
I want to issue a certificate from my Windows certificate authority…
1 vote, 1 answer
How to use AD CS to auto-renew certs for securing IIS websites that use SNI?
I have AD CS which automatically provisions and renews machine certificates for servers bound to the directory. (There is a certificate template which controls this auto-issuance.)
I have an IIS server bound to the directory which serves some…

NReilingh
1 vote, 1 answer
Installing Microsoft ADCS using Brainpool ECC keys
I got a request from a customer to install ADCS using ECDSA while using a specific ECC curve for the keys (bp384r1). This curve is not listed in the ADCS installation process when creating a new key and choosing the CSP (Only the NIST ECDSA_P384 is…

CryptoDan
1 vote, 0 answers
Cannot configure or uninstall AD CS role
We installed the AD Certificate Services role on Windows 2016 Server version 1607. We cannot complete the post deployment configuration. We get the error "Value does not fall within expected range." After doing some digging, I found that it is…

JonB
0 votes, 0 answers
What is the point of the Domain certificate option in IIS?
I have been looking for days and I can't seem to understand how to use Domain Certificates in IIS. Is there even a point to it? From what I understand, you absolutely cannot change which template it will use and you cannot update the WebServer…

bendem
0 votes, 1 answer
How can we stop a repeated request for the same certificate in ADCS?
If I submit the same CSR file twice to my Active Directory Certificate Services (online via the certsrv web interface), I am issued two different certificates (judging by the serial numbers).
Is there a way to configure ADCS to only allow a single…

tjlds
0 votes, 1 answer
ADCS WebServer Autoenrollment best practice
As in any IT environment, the number of web server certificates is constantly increasing. With the reduction of the duration to 1 year, the administration effort increases at the same time if such processes are not automated. Currently we have a…

Sinista
0 votes, 1 answer
Publish Root CA CRL to network drive
I am currently "prototyping" a Windows PKI with AD CS Role. I have two-tier hierarchy (Root Offline CA -> Enterprise Sub-CA -> Digital Certs).
Furthermore, I am trying to publish the CRL of my Root CA to a network drive. Let me explain my setup:
I…

isuckatservers69
0 votes, 1 answer
Target specific Enterprise CA for auto-enrollment?
We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled.
CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth.
CA2 is…

Daniel
0 votes, 0 answers
How long are certificates available in ADCS Web Enrollment page after issued
I have a Windows 2008 enterprise ADCS server with web enrollment. I want to know/configure how long issued certificates last on the page before a user has to submit another request.
While researching this question, this seems to be different from…

JuanKB1024
0 votes, 1 answer
Microsoft ADCS: change Subject in existing CSR
Suppose I have a CSR in which some Subject fields were not created according to X.509 - there are forbidden characters in Subject, or Country was provided as "England".
Is there any way to recover from that?
I tried:
using policy.inf to re-sign the…

StanTastic
0 votes, 0 answers
Can I use AD CS to Authenticate Domain Users Instead of a Password?
I have a number of Active Directory Domain User Accounts, which function essentially as service accounts. I'd like to avoid having to rotate the passwords for all of those domain user accounts, and rather allow/force those domain user accounts to…
0 votes, 1 answer
Windows Server 2019: Install the Certificate for an Issuing CA (signed by offline Root CA) using PowerShell
I'm working on automating the deployment of a multi-tier PKI system based on ADCS (I have a general product IT solution that we then deploy on projects mostly in a cookie-cutter fashion). I have the entire process automated using PowerShell except…

Helstrom
0 votes, 1 answer
PKI trust in Active Directory
Assuming that the certificate of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and…

5y5tem5