Certificate issues
5 Topics

PKIVIEW download error
We are deploying a 2-tier PKI with an offline Root CA and an Enterprise SubCA. After deploying the Root CA with CRL and AIA pointing to a web server http://crl.company.com we copied there the Root CA's Certificate and CRL. From the subordinate CA server we're able to open the publishing web site and load the crl and crt via Web browser. However, when using PKIVIEW to check the setup we saw a "Download error" for both the Root and Subordinate CA. Is there anyone that can help on this? Thanks

31 Views, 0 likes, 1 Comment

Computer certificate re-enrollment after ADCS architecture change and certificate revocation
Originally, I set up an ADCS server as an Enterprise Root CA. Automatic certificate enrollment was enabled via a GPO and computers were automatically assigned certificates. The more I learned about ADCS this year, the more uncomfortable I became with this configuration from a security perspective. I added an intermediate SubCA recently which was configured to use the Computer template. I removed the Computer template (and all other templates except for the SubCA template) from the Enterprise Root. Then I revoked all of the computer certificates on the Enterprise Root CA. I figured they would all just re-enroll automatically on the SubCA (I'm using a GPO to enable this) but that is not what happened. They are not re-enrolling. I confirmed that I am able to issue Computer certificates from the SubCA manually using MMC and the Certificates snap-in. I discovered how to remove the old, revoked certificates from the clients with PowerShell but the Get-Certificate applet is simply not working so I cannot issue new certificates from the SubCA. If I have to, I can manually assign new Computer certificates but there has got to be an easier way to do this (I was counting on the automatic certificate enrollment option). Ideally, I just want the computers to automatically obtain new certificates from the new SubCA. My hypothesis that the computers would simply re-enroll on the SubCA after their certificates were revoked proved to be incorrect but I cannot understand why. I've been researching this for about a week now and cannot figure out what I am missing so am hoping one of you may be able to offer some insight.

1.7K Views, 0 likes, 0 Comments

ADCS Certificate template shows a number instead of the template name
I'm looking at the Certification Authority console and under Issued Certificates, one of my certificates shows up properly with "client authentication certificate" but the other RAS & IAS certificate shows up with just the number. I'm not sure why it's showing just the number instead of the certificate name. Any ideas about what I've missed here?

5.7K Views, 0 likes, 2 Comments

Certificate Enrollment Policy
Hello, I have a question about Certificate Enrollment Policies. I am seeing two different policies on two different computers and am not sure why. Both users are logged into the same domain, but when I go to request a certificate from UserA using the certmgr.msc console I see "Configured by your Administrator" Active Directory Enrollment Policy ID: xxxxx-xxxx-xxxx etc. on one computer and am able to see certificate templates listed. When I log on as UserB on a different computer using the certmgr.msc console I see "Configured by your Administrator" Active Directory Enrollment Policy ID: yyyyyy-yyyyyy-yyyyy etc. and I don't see ANY certificate templates listed. Both users and the computers they are logging into are on the same domain but receiving two different Enrollment Policy IDs. Could someone help me out on why that would be? It is driving me crazy and I need to figure this out so I can request certificates using the certmgr.msc. Thanks in advance!!

1.5K Views, 1 like, 0 Comments

Certificate Authority: Cross Certificates
We have noticed that we have a ton of certificates that were made by the Cross Certificate Template. I am not even sure how they are getting made, but is there a way to stop them, and if so can we just delete them without harming anything? We only have one Root CA and one Sub CA, and only one domain. So how can I stop them from being made, and if I delete them will it harm anything?

1.6K Views, 0 likes, 2 Comments