certification authority
15 Topics

Certificate Authority Revocation issues: CRL db lost in migration
We currently have a CA which was migrated from a retired server no longer available - over 6 months now but they didn't complete the migration, and the revocation database is missing. We're now experiencing issues with certs issued but the former server that it cannot issue renew certs. What is the best approach to this? I can create another CA server but what about the root certificate of the current one? How do you point renew requests to the new server if there is no revocation DB for the already issued certs? What about the current certs issued by the current server if I migrate the current one to a new CA? I do have copies of the system32\certsrv folder and CA backup from the retired server, but this backup was used to migrate the current one which resulted in its current state. Can the revocation db just be imported? Any help would be appreciated! Thanks.
74 Views, 0 likes, 1 Comment

Designing and Implementing a PKI: Part V Disaster Recovery
First published on TechNet on Apr 07, 2011
The series:
Designing and Implementing a PKI: Part I Design and Planning
Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation
Designing and Implementing a PKI: Part III Certificate Templates
Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
Designing and Implementing a PKI: Part V Disaster Recovery
Chris here again.
13K Views, 2 likes, 1 Comment

Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
First published on TechNet on Apr 06, 2011
The series:
Designing and Implementing a PKI: Part I Design and Planning
Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation
Designing and Implementing a PKI: Part III Certificate Templates
Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
Designing and Implementing a PKI: Part V Disaster Recovery
Chris here again.
6K Views, 0 likes, 0 Comments

Designing and Implementing a PKI: Part III Certificate Templates
First published on TechNet on May 27, 2010
The series:
Designing and Implementing a PKI: Part I Design and Planning
Designing and Implementing a PKI: Part II Implementation Phases and Certificate Authority Installation
Designing and Implementing a PKI: Part III Certificate Templates
Designing and Implementing a PKI: Part IV Configuring SSL for Web Enrollment and Enabling Key Archival
Designing and Implementing a PKI: Part V Disaster Recovery
Chris here again.
34K Views, 0 likes, 0 Comments

Certificate templates
Hello, We have a 2016 domain controller that is also our Enterprise CA server. We need to retire this server so I've built a Server 2022 box, whose sole purpose will be for the enterprise CA. While there are plenty of guides with MS and other sources on how to move the CA, I can't seem to find an answer to if the certificate templates are lost when the role is removed from the CA server (in our case a domain controller.) In the MS guide there is the following information: The certificate templates settings are stored in Active Directory. They are not automatically backed up. You must manually configure the certificate templates settings on the new CA to maintain the same set of templates. Does this mean the new dedicated CA server will be able to see the certificate templates and will be able to add/reissue them? This is a brief summary of our plan.
- backup CA config on dc01
- remove the CA role from dc01
- add the CA role to the new CA01 (dedicated CA server/non domain controller)
- restore the CA configuration
- reissue the templates?
- demote and retire dc01
Please note we have another 3 domain controllers in the domain.
918 Views, 0 likes, 0 Comments

Certification Authority not showing up in IIS Server Certificates Dialog
Got an Online Certification Authority that is not showing up in IIS when you are trying to renew a certificate? If so, this is the post for you. Sit back, grab a cup of coffee and start reading as we go over what you need to do to get your desired Online Certification Authority back in IIS.
15K Views, 4 likes, 0 Comments

An error occurred while obtaining certificate enrollment policy.
Recently I was following: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
After various changes I got to the point where I could not fully disable NTLM on EnterpriseCA server, because I simply could not login to the MSADCA: Audit NTLM authentication requests within this domain that would be blocked if the security policy Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny for domain servers or Deny domain accounts to domain servers.
But also the changes caused the error while accessing from mmc/certificates:
An error occurred while obtaining certificate enrollment policy.
Url: https://entca.domain.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Error: The remote endpoint could not process the request. 0x803d000f (-2143485937 WS_E_ENDPOINT_FAILURE)
I can click Continue & everything works fine, but would like to understand why the error
Help appreciated
Seb
7.7K Views, 0 likes, 1 Comment