This article presents a list of common questions and answers related to Active Directory Certificate Services (AD CS) and Public Key Infrastructure (PKI).
If you need an answer that is not covered on this page or linked to by this page, you will probably get it quickest through
search . However, if you cannot find the answer, you can post your certificate services questions to the
Windows Server Security Forum (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads). Please, be sure to search the forum before posting, to see if that question has already been answered in another thread. If you find that you've
got a commonly asked question and answer, please, add it to this article.
The following resources elaborate on the differences between the two server versions:
The are also some PKI client changes described in
Client Certificates Overview .
Note: The videos referred above are no longer available.
Windows Server editions prior to Windows Server 2008 do not support Server Core installation. If you are running Windows Server 2008 R2, then you should also review the
Edition Comparison by Server Core Installation Option , to see if your edition supports running AD CS on Server Core.
You can install all AD CS server roles using Windows PowerShell in Windows Server 2012. For details, see
AD CS Deployment cmdlets in Windows PowerShell .
There are two main ways to install Active Directory Certificate Services Roles in Windows Server 2012: User interface or Windows PowerShell.
The additional information for installing using the user interface is divided among several topics (depending on the Server Role you want to install). These are:
The Windows PowerShell installation information is also organized by Server Role, but there is a main page titled AD CS Deployment
cmdlets in Windows PowerShell .
See the TechNet Wiki article
Windows and Windows Phone 8 SSL Root Certificate Program (Member CAs)
The error "Certificate enrollment failed to enroll for a DigitalSignature certificate with request ID 43 from <caname>. (The requested certificate template is not supported by this CA 0x80094800 (-2146875392)). Denied by Policy Module 0x80094800?"can occur if
targeted user group does not have access to Enroll or if targeted computer or user accounts do not have access to read a Group Policy Object (GPO) distributing the policy. Ensure that
Authenticated Users or targeted group of users and computers has
Read access to the GPO. See also Troubleshooting Certificate Autorenewal in Active Directory Certificate
Services (AD CS) and
Troubleshooting (Advanced Certificate Enrollment and Management) .
Yes, there is a SCEP Add-On for Windows Server 2003 called Microsoft Simple Certificate Enrollment
No, the Online Responder was introduced with Windows Server 2008 in the Enterprise and Datacenter editions only. For more about the differences between versions and editions of AD CS, see the table in the
Active Directory Certificate Services Overview .
Yes, the Microsoft Management Console (MMC) Enterprise PKI (PKIView), supports OCSP.
When setting up Certificate Extensions, you must ensure that the Include in the AIA extension of issued certificates is
not selected. That option is located in the Extensions tab of the CA Properties in the Certification Authority console. The correct configuration for an http path specifying the AIA for an Online Responder is shown in the following
Starting with Windows Vista, the process goes:
1. A list is built containing the CAs that support the relevant template and for which the client has enroll permission.
2. The list is sorted randomly.
3. After that, each CA in the list is tried in order until one responds.
To load-balance CAs or control where clients enroll and renew, you can use the enroll permissions on the templates and CAs themselves. The client computers are not Active Directory Domain Services (AD DS) site aware.
Yes. In order for this to work the Online Responder needs is a certification authority (CA) certificate, a signing certificate, and access to the certificate revocation list (CRL).
You can configure a template on the CA to be published to the user account when its published (http://technet.microsoft.com/en-us/library/cc730861.aspx). This in turn makes it available
for Outlook to use.
Yes, you can compact the CA database. See
for more information.
See the TechNet Wiki articles specific to building and maintaining offline CAs. They are:
A CA running on Windows Server can support an extension of 4096 bytes, which is where the Subject Alternate Names (SANs) are placed. Any request that exceeds that limit will be rejected and no certificate will be issued.
Yes, you can use a Network Load Balancing (NLB) cluster. For details, see
Implementing an OCSP Responder: Part V High Availability .
This setting indicates the certificate issued based on the certificate template should be published to the Active Directory Domain Services (AD DS) database.
When this setting is enabled, the user or computer object in the AD DS database is updated with the certificate of the user or computer respectively.
The private key is not published to the AD DS database.
For both computer and user certificates, the userCertificate attribute of the AD DS object is updated with the certificate.
The CA must have write permission to the AD DS database user and computer objects to make this update.
The permission to write to the computer and user objects in the AD DS database is granted to CAs through their membership in the Cert Publishers group by default.
This setting is typically only used with certificates of users. When a user’s certificate is published in the AD DS database, other users can search the AD DS database to find the certificate of that user. The certificate can then be used to encrypt email
or files to the user whose certificate is published in the AD DS database.
Although not recommended because it is not secure, you could use
single password mode on all NDES servers and set the same password, then load-balance. Another option is to create multiple independent NDES servers and if one fails, manually try the other. The certification authority (CA) that is providing the certificates
configured for fail-over .
↑ Return to Top
↑ Return to Top
This is likely a result of the time and date being reset to the default (base) BIOS date. To resolve this issue, you can do the following:
For more information, see
I use a Certification Authority SMTP module to send the information about a new certificate request for SSL certificates to the administrator. With the current setting I get the request ID, the requestor name, the certificate subject name as well as other
information. I would like to add the information about a SAN (Subject Alternative Name) to the email. Can I add an extension to the Certification Authority SMTP module?
No. There is no support for including extensions into the SMTP email notifications
↑ Return to Top