Questions tagged [ad-certificate-services]

Active Directory Certificate Services is a role first made available in Windows Server 2008. Previously it was known as certificate services.

Active Directory Certificate Services is a set of technologies from Microsoft for building a public key infrastructure (PKI).

Documentation specific to Active Directory Certificate Services is collated at http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx

242 questions
0 votes, 1 answer

Can we add a subordinate enterprise certificate authority linked to an existing enterprise Root certificate authority

The Root CA is domain joined. The Sub CA will be domain joined. The Sub CA will deliver workstation Authentication (template) to PC clients via GPO. Is there any known issue with this configuration? Should the root CA be only standalone? I know…
0 votes, 1 answer

Having trouble issuing the 2nd enterprise CA on the same offline Root CA as the 1st. Windows Server 2016

I am running into an issue and hoping someone can help me. We were asked to set up a new Root CA and 2 subordinate (issuing) CAs under it (the request includes using Azure and placing each VM in a different region for redundancy). We issued the…
0 votes, 1 answer

Must all services of ADCS run under the same service account on the same server?

While deploying ADCS, in the documentation Microsoft recommends using service accounts for the services making up ADCS. The problem is that it doesn't address if these should be individually managed, if they could share a host, nor is it addressed…
Vita
0 votes, 2 answers

How can I set the ACL of a CA programmatically?

When launching the CA console (certsrv.msc), I can right-click on my CA, select Properties and then I can modify the ACL of my CA in the Security tab. When I modify it, the changes are applied to the AD object at: CN=MY-CA,CN=Enrollment…
0 votes, 1 answer

Domain Member Servers - Accessing Certificate Revocation List (CRL)

In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited. The Certificate Enrollment…
0 votes, 2 answers

Windows Certificate Authority - Adding Additional Attributes

In AD Certificate Templates the templates have an option to build from AD information and includes Email, DNS, UPN, etc. When creating a CSR using PowerShell, OpenSSL and the certificate MMC snap-in I know it's possible to add additional attributes…
0 votes, 1 answer

How does OCSP handle deleted certificates?

We have a Microsoft Certificate Authority running on Windows Server 2019. We are issuing certificates to Android devices via an MDM. The Android device users browse to a web application (hosted by Apache, implemented in PHP 8) using the Chrome web…
0 votes, 1 answer

What controls the timing of the Windows Certificate Services event "Close to expiration" ID 1003?

I have a Windows Server which started logging this warning event 36/37 days before a certificate's expiry date and I would like to understand what controls/sets this timing and how it can be configured. The certificate in question was not…
0 votes, 0 answers

How to configure AD Certificate Services to get past this WS_E_ENDPOINT_ACCESS_DENIED error?

I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA). And the Certificate…
Roman
0 votes, 1 answer

CDP container in Active Directory required if not part of AD?

We have a Microsoft Active Directory Certificate Services Enterprise CA. After installing the service, an AD container is created within CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=example,DC=com Our CDP is http-only. There…
Daniel
0 votes, 1 answer

Target specific Enterprise CA for auto-enrollment?

We have two intermediate Enterprise CAs (Windows AD CS) in our AD domain. Both CAs only have the Certification Authority role enabled. CA1 is responsible for issuing certificates to workstations and users and has a template Workstation Auth. CA2 is…
Daniel
0 votes, 2 answers

Auto-Enrollment with manager approval, but auto-approval for re-enrollment

I have a certificate template (auto-enrolled) that must require manager approval. To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab. The computer does auto-enroll and the certificate is placed…
Daniel
0 votes, 1 answer

This site is missing a valid, trusted certificate || Apache2 webserver, Windows root CA

I'm learning about certificates and HTTPS together, and after 4 days I'm out of ideas how to set it up to become trusted. In my lab env. I have a Windows server with a CA role. Previously I installed a VM-Dell OpenManage for my server. It has a graphical…
0 votes, 1 answer

PKI trust in Active Directory

Assuming that the certificates of the ADCS CAs joined to a given domain are signed by an offline root CA which is then trusted by all systems in the domain/forest. If that offline root was then used to issue/sign a CA certificate (no constraints) and…
0 votes, 1 answer

AD Certificate Services - Add a new domain?

My AD domain name is domainname.local. I have Certificate Services set up to issue certs for this domain. I now want to add domainname.com as an AD integrated zone and have Certificate Services issue certificates for this new domain as well. Is it…