Questions tagged [ad-certificate-services]

Active Directory Certificate Services is a role first made available in Windows Server 2008. Previously it was known as certificate services.

Active Directory Certificate Services is a set of technologies from Microsoft that offer the ability to create a PKI infrastructure.

Documentation specific to Active Directory Certificate Services is collated at http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx

242 questions
6 votes, 1 answer

Automatically create Subject Alternate Name (SAN) Certificates

We are running an enterprise CA on Windows 2008R2. I just did an update to Windows 7 on my workstation. Now every time I connect to a remote server using RDP I get a warning stating that the servername is wrong. This is because I use just the…
5 votes, 3 answers

In a Windows PKI, what is a Workstation Authentication CA Template used for? What happens if it expires?

Many workstations have an expiring computer certificate that was issued using the Workstation Authentication CA template. The CA of this template expires in 2 days. I've deployed a new CA, with an extended date, and have successfully enrolled many…
makerofthings7
5 votes, 2 answers

Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?

I'm using the Enterprise PKI snap-in to diagnose and check the health of a MSFT PKI system. Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?
makerofthings7
5 votes, 1 answer

Generate new self-signed CA for Windows 2012 CA

Set up an Enterprise CA for Windows 2012. While generating the initial root CA, SHA512 was selected. This has proven to cause issues with TLS 1.2 that we were unaware of. I'm trying to generate a new self-signed CA that isn't SHA512. The only…
lmickh
5 votes, 1 answer

What is the purpose of a custom Certificate Trust List?

You can create and deploy a certificate trust list as detailed here, but I'm trying to understand the advantages of this over just deploying root and intermediate certs with group policy the normal way. Why would I want/need to do this?
red888
5 votes, 1 answer

How do I configure AD CS to support Name Constraints (4.2.1.11 in RFC 2459)?

I am trying to figure out how to do Qualified Subordination with the critical extension set, but I'm unable to figure out how to do this in MSFT AD CS. For a given certificate, how do I make sure that the name constraints are set appropriately on…
5 votes, 1 answer

New Domain Controller Cannot Enroll for KerberosAuthentication Certificate

I have an AD domain. 2003 FFL/DFL. The schema was upgraded to version 56 for Server 2012. The domain contains a mix of domain controllers from Server 2003, Server 2008, Server 2008 R2, and now Server 2012. I have an Enterprise Issuing Certificate…
Ryan Ries
5 votes, 5 answers

Java Deployment Rule Set via AD Enterprise CA

My goal is to get a Java Deployment Rule Set in place in my organization, but I do not want to pay a third-party certificate authority for a code signing cert when we have a working CA running through Active Directory. I have followed what I think is…
Julius
5 votes, 1 answer

How to configure what certificates can be issued using Web Enrollment in Windows Server 2008 R2 Enterprise?

I have a CA installed on one of my Windows Servers in a small farm of systems. I've installed the Certification Authority Web Enrollment and Certificate Enrollment Web Service roles on the CA. I want to issue a Computer certificate to a computer not…
5 votes, 2 answers

Error enrolling "Kerberos Authentication" certificate in a sparse network

I'm currently working on implementing an Enterprise Certification Authority for a customer whose network is not fully connected; it spans several geographical sites, and some of them don't have routing to the site where the CA is located. In order…
4 votes, 2 answers

Can I restrict an intermediate CA to only sign client certificates?

I want to use SCEP to give out client certificates, probably using ADCS. We already have an internal offline root CA in place (securely in a safe, only used for signing and revoking intermediate certificate authorities), and this root is trusted by…
4 votes, 1 answer

Remove expired CA certificates

My Win2012R2 Subordinate Enterprise CA certificate has expired. I already have a new one working. How can I remove the expired certificate? I see the expired certificate on the general tab of MMC CA console of the Enterprise CA but it does not have…
Bit Cat
4 votes, 1 answer

Re-install ADCS CA Certificate & CRL on Workstation

I installed Active Directory Certificate Services and created a Standalone CA. Everything went fine and it automatically installed the CA certificate and CRL on all my domain workstations. On one of the workstations, I deleted all instances of the…
4 votes, 1 answer

Where does a Windows Certification Authority store its root private key?

I have a Windows Server 2012 R2 Enterprise Root Certification Authority on a Hyper-V virtual machine which, due to currently unknown reasons, doesn't boot anymore. I don't know if the VM will ever come back online, but what I know is, I have its…
4 votes, 1 answer

Fixing "server unavailable" login problems in Exchange 2013 and Outlook 2010

We've been facing some problems pertaining to expiring user passwords, causing "server unavailable" login problems for Outlook 2007 and 2010 clients on Exchange 2013. The quick fix to this was to delete the profile in control panel > mail32,…