This article presents a list of common questions and answers related to Active Directory Certificate Services (AD CS) and Public Key Infrastructure (PKI).
If you need an answer that is not covered on this page or linked to by this page, you will probably get it quickest through search. However, if you cannot find the answer, you can post your certificate services questions to the Windows Server Security Forum (http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads). Please, be sure to search the forum before posting, to see if that question has already been answered in another thread. If you find that you've got a commonly asked question and answer, please, add it to this article.
The following resources elaborate on the differences between the two server versions:
Windows Server editions prior to Windows Server 2008 do not support Server Core installation. If you are running Windows Server 2008 R2, then you should also review the Edition Comparison by Server Core Installation Option, to see if your edition supports running AD CS on Server Core. ↑ Return to Top
The error "Certificate enrollment failed to enroll for a DigitalSignature certificate with request ID 43 from <caname>. (The requested certificate template is not supported by this CA 0x80094800 (-2146875392)). Denied by Policy Module 0x80094800?"can occur if targeted user group does not have access to Enroll or if targeted computer or user accounts do not have access to read a Group Policy Object (GPO) distributing the policy. Ensure that Authenticated Users or targeted group of users and computers has Read access to the GPO. See also Troubleshooting Certificate Autorenewal in Active Directory Certificate Services (AD CS) and Troubleshooting (Advanced Certificate Enrollment and Management). ↑ Return to Top
Yes, there is a SCEP Add-On for Windows Server 2003 called Microsoft Simple Certificate Enrollment Protocol (MSCEP).
No, the Online Responder was introduced with Windows Server 2008 in the Enterprise and Datacenter editions only. For more about the differences between versions and editions of AD CS, see the table in the Active Directory Certificate Services Overview.
Starting with Windows Vista, the process goes: 1. A list is built containing the CAs that support the relevant template and for which the client has enroll permission. 2. The list is sorted randomly. 3. After that, each CA in the list is tried in order until one responds. To load-balance CAs or control where clients enroll and renew, you can use the enroll permissions on the templates and CAs themselves. The client computers are not Active Directory Domain Services (AD DS) site aware. ↑ Return to Top
Yes. In order for this to work the Online Responder needs is a certification authority (CA) certificate, a signing certificate, and access to the certificate revocation list (CRL). ↑ Return to Top
You can configure a template on the CA to be published to the user account when its published (http://technet.microsoft.com/en-us/library/cc730861.aspx). This in turn makes it available for Outlook to use. ↑ Return to Top
Yes, you can compact the CA database. See http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx for more information. ↑ Return to Top
See the TechNet Wiki articles specific to building and maintaining offline CAs. They are:
↑ Return to Top
A CA running on Windows Server can support an extension of 4096 bytes, which is where the Subject Alternate Names (SANs) are placed. Any request that exceeds that limit will be rejected and no certificate will be issued. ↑ Return to Top
Yes, you can use a Network Load Balancing (NLB) cluster. For details, see Implementing an OCSP Responder: Part V High Availability. ↑ Return to Top