Questions tagged [ad-certificate-services]

Active Directory Certificate Services is a role first made available in Windows Server 2008. Previously it was known as Certificate Services.

Active Directory Certificate Services is a set of technologies from Microsoft for building a public key infrastructure (PKI).

Documentation specific to Active Directory Certificate Services is collated at http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx

230 questions
16 votes, 3 answers

Distribution of root certificate with Windows AD Certificate Services

Windows Server provides a certificate authority service. However, it's not clear from its documentation how (or if) the root certificate gets distributed to clients. Do domain member computers automatically trust the root certificate? If so, how…
wfaulk
13 votes, 1 answer

What does a domain controller (DC) use a certificate for?

Everyone talks about domain controllers and that they should have a certificate installed, but at the end of the day it is optional. Once installed, what actually makes use of that certificate? My understanding is that it is at least needed…
13 votes, 1 answer

What happens to code sign certificates when root CA expires?

So far clear for me: If the code sign certificate itself expires, signed code will be verified/accepted in case it was signed with a time stamp. If not, the signed code is expired too. But what happens if my CA itself expires (root CA and thus…
13 votes, 1 answer

How to find out where a Certificate Request came from

I have a CA setup on Server 2012 R2, the person who ran the server left the company and I have setup a new CA server. I am trying to figure out what systems / URL's the certs are for. In the List of Issued Certificates is the following: Request ID:…
Anthony Fornito
11 votes, 1 answer

certutil -ping fails with 30 seconds timeout - what to do?

The certificate store on my Win7 box is constantly hanging. Observe: C:\>1.cmd C:\>certutil -? | findstr /i ping -ping -- Ping Active Directory Certificate Services Request interface -pingadmin -- Ping Active Directory…
8 votes, 2 answers

Is It OK to Use AD Issued Computer Certificates for IIS?

I'm using AD-Certificate Services to issue computer certificates to domain joined Windows computers (both servers and workstations). These certs are obtained via the auto-enroll process defined by Active Directory. My question is: if these computer…
aaron
8 votes, 1 answer

Protecting credentials in Desired State Configuration using certificates

I'm new to DSC and trying to figure out how to make it work for us. What I'm stuck on is how the credentials are actually protected. My current understanding is that it isn't all that great. The big three problems are these. How does using a public…
Simon Gill
7 votes, 3 answers

How can I get an OID for a certificate template?

I'm using C# (or VBScript) to issue a certificate from an Enterprise CA. According to this answer, I need to specify the OID instead of the certificate name, and place it in an unexpected portion of code. (IMHO I should place it where the null…
7 votes, 1 answer

How to add custom OID for subject field on certificates issued by Windows Server 2008 R2 CA?

I'm using a Windows Server 2008 R2 domain controller with Active Directory Certificate Services installed. It's configured as an Enterprise Root CA. I have configured a custom certificate template so that I can generate extended validation SSL…
7 votes, 1 answer

CA and Primary Domain Controller on the same server

I am setting up a Microsoft AD to be my CA. After research, it looks like I need to have a domain controller before I can issue certs thru the CA. Would it be possible to place both the CA and the DC on the same server?
7 votes, 5 answers

Certificate Template Missing from "Certificate Template to Issue"

I'm having a problem similar to that posted in this question: Missing Certificate template From certificate to issue The short version is that I've created a duplicate certificate template and I'm trying to add it to my domain CA so that I can issue…
7 votes, 2 answers

Adding new root/enterprise CA without disturbing existing one?

I am looking at installing a new AD-integrated enterprise certificate authority structure, but have discovered that somebody already has created a CA (mostly used for SSL on internal websites). I want to build the new structure according to best…
6 votes, 1 answer

How can I create and install a domain signed certificate in IIS using PowerShell?

In my environment we host a whole lot of websites and WCF webservices in IIS (on Windows 2008 R2 and Windows 2012). We are in the process of enabling HTTPS on these sites. This goes as follows: Create a domain signed *.environment.domain…
6 votes, 1 answer

Microsoft CA certificate templates expires sooner than expected

The certificates my Microsoft CA is generating do not match the time period indicated in the template used. How can I resolve this? I recently created a new certificate template for use on my Linux boxes on my Microsoft CA (2008 R2 Enterprise).…
Tim Brigham
6 votes, 1 answer

How large is the certificate OCSP and CRL cache in my Windows server?

How can I see the size of the in-memory OCSP cache to a CRL cache in my Domain Controllers? In other words, most Windows processes that use CryptoAPIs have an in-memory cache of every CRL and OCSP relevant for that application. This is important…
makerofthings7