First Enterprise Root CA - [WP]

Discussion in 'Windows Security' started by WildPacket, Jul 8, 2009.

  1. WildPacket

    WildPacket Guest

    In production .... deployed my first Enterprise Root CA running on a member
    server windows 2003 enterprise version.

    I have noticed that it has automatically assigned certs to all the DCs in
    the forest/domain. The certs are valid for 1 year.

    Where is this cert/template called "domain controller" sitting. I want to
    make sure that these certs automatically renew after 1 year on the DCs???
    How/Where can I check that?

    Advise Please.

    Thanks
     
  2. WildPacket

    WildPacket Guest

    ok .. I think the Default GPO for DCs has the option under computer config ->
    windows settings -> Public Key Policies -> Autoenrollment and only enroll
    certs automatically is selected.

    I need to select the other 2 options too ... which are renew certs ..... and
    update certs .....

    I was testing in lab and I noticed when the cert is renewed the old cert
    still shows in the CA Admin Console. I have to manually revoke.

    Should they not automatically go away once the cert is renewed????

    "WildPacket" wrote:
    >
    > In production .... deployed my first Enterprise Root CA running on a member
    > server windows 2003 enterprise version.
    >
    > I have noticed that it has automatically assigned certs to all the DCs in
    > the forest/domain. The certs are valid for 1 year.
    >
    > Where is this cert/template called "domain controller" sitting. I want to
    > make sure that these certs automatically renew after 1 year on the DCs???
    > How/Where can I check that?
    >
    > Advise Please.
    >
    > Thanks
     
  3. WildPacket

    WildPacket Guest

    I am getting this error on my Root CA Server ... it appears that only user
    certs are being issued and machine certs are not ...

    Event Type: Warning
    Event Source: CertSvc
    Event Category: None
    Event ID: 80
    Date: 7/8/2009
    Time: 11:24:21 AM
    User: N/A
    Computer: RCA001

    Description:
    Certificate Services could not publish a Certificate for request 70 to the
    following location on server DC02.dom.com:

    CN=wifi,OU=Users,OU=RANDD GPO,OU=dom,DC=dom,DC=com.

    Insufficient access rights to perform the operation. 0x80072098 (WIN32:
    8344).ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
    (INSUFF_ACCESS_RIGHTS), data 0

    can't find much help.

    "WildPacket" wrote:
    > ok .. I think the Default GPO for DCs has the option under computer config ->
    > windows settings -> Public Key Policies -> Autoenrollment and only enroll
    > certs automatically is selected.
    >
    > I need to select the other 2 options too ... which are renew certs ..... and
    > update certs .....
    >
    > I was testing in lab and I noticed when the cert is renewed the old cert
    > still shows in the CA Admin Console. I have to manually revoke.
    >
    > Should they not automatically go away once the cert is renewed????
    >
    > "WildPacket" wrote:
    > >
    > > In production .... deployed my first Enterprise Root CA running on a member
    > > server windows 2003 enterprise version.
    > >
    > > I have noticed that it has automatically assigned certs to all the DCs in
    > > the forest/domain. The certs are valid for 1 year.
    > >
    > > Where is this cert/template called "domain controller" sitting. I want to
    > > make sure that these certs automatically renew after 1 year on the DCs???
    > > How/Where can I check that?
    > >
    > > Advise Please.
    > >
    > > Thanks
     
  4. Peter Foldes

    Peter Foldes Guest
