Could enabling Extended Validation in a corporate PKI infrastructure do any harm?

  • Question

  • Hello,

    I have a PKI infrastructure consisting of one offline root CA and two Enterprise AD-joined SubCAs. One of them is a services CA, which we use to generate web server certificates. The other one is a workstation CA for simple computer and user certificates.

    After upgrading my offline root CA to sign the root CA with SHA256, I am considering enabling the EV attribute on this certificate. I would like to be able to create EV certificates for internal web servers. Since both SubCAs are used for computer accounts for servers and workstations, I am a bit concerned about any issues in the automatic certificate deployment. I do not want to impact AD, Exchange, or Skype4Business negatively.

    After enabling EV on my offline root CA, I will also update the SubCA certificates with EV. Can this be done safely, without impacting any basic functionality of my MS infrastructure?

    Tuesday, February 28, 2017 3:54 PM

All replies

  • Hi,

    >> After enabling EV on my offline root CA, I will also update the SubCA certificates with EV. Can this be done safely, without impacting any basic functionality of my MS infrastructure?

    1. After enabling EV on the offline root CA, the existing certificates will still be valid.

    2. If you revoke the original SubCA certificate, you would invalidate all previously issued client certificates that chain to the original SubCA.

    You could check this similar thread for more information:

    EV Certificates and Multilayer Internal PKI

    https://social.technet.microsoft.com/Forums/windows/en-US/29fd4225-aab3-4097-929f-383ed208b112/ev-certificates-and-multilayer-internal-pki?forum=winserversecurity


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 1, 2017 3:32 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman

    Wednesday, March 8, 2017 1:40 AM
  • Hi,

    I have put the new PKI servers into production. The CA certificates have been renewed with the same private key.

    I tried to enable EV, but that has not worked yet.

    The steps I did are on: http://www.vkernel.ro/blog/issuing-extended-validation-ev-certificates-from-an-internal-windows-ca

    When I issue a new EV certificate, it ends up in the Failed Requests container with the message: "Error Constructing or Publishing Certificate. Invalid Issuance Policies: <OID> Resubmitted by <my username>"

    Tuesday, March 14, 2017 9:16 AM
  • Hi,

    >>it gets in the Failed Requests container with message: "Error Constructing or Publishing Certificate. Invalid Issuance Policies: <OID> Resubmitted by <my

    Please check this thread about the same error for your reference:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d6beffaf-9e97-42a1-aa06-008654b2b77f/invalid-issuance-policies-problem?forum=winserversecurity


    Best Regards
    Cartman

    Thursday, March 16, 2017 9:47 AM
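As an added example (not part of this thread or of the linked articles), the PowerShell below lists the certificate policy OIDs carried by each CA certificate you hand it and reports whether a given issuance policy OID could be issued under that certificate. A Windows CA will not issue a certificate whose template asserts an issuance policy that the issuing CA's own certificate does not carry, unless that CA certificate contains the "All Issuance Policies" OID (2.5.29.32.0), so a chain in which the policy OID is missing from the SubCA certificate is the first thing to rule out when a request fails with "Invalid Issuance Policies". The file paths and the policy OID 1.3.6.1.4.1.99999.1.1 are placeholders; the parsing relies on the Windows CryptoAPI text returned by X509Extension.Format, so the script is meant to run on Windows PowerShell.

```powershell
# Added example, not code from the thread. Lists the certificate policy OIDs in
# each CA certificate and checks whether a given issuance policy OID is covered.
# Paths and the EV OID used below are placeholders; adjust them to your PKI.

$CertificatePoliciesOid = '2.5.29.32'    # id-ce-certificatePolicies extension
$AnyPolicyOid           = '2.5.29.32.0'  # anyPolicy, shown by Windows as "All issuance policies"

function Get-CertificatePolicyOid {
    # Returns the policy OIDs found in a certificate's Certificate Policies extension.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CertificatePoliciesOid }
    if (-not $ext) { return @() }

    # Format($true) yields CryptoAPI multi-line text, for example:
    #   [1]Certificate Policy:
    #        Policy Identifier=1.3.6.1.4.1.99999.1.1
    $oids = foreach ($m in [regex]::Matches($ext.Format($true), 'Policy Identifier=(.+)')) {
        $value = $m.Groups[1].Value.Trim()
        # CryptoAPI prints the friendly name for anyPolicy; normalise it back to the OID.
        if ($value -eq 'All issuance policies') { $AnyPolicyOid } else { $value }
    }
    return @($oids)
}

function Test-IssuancePolicyChain {
    # Emits one row per CA certificate: its subject, the policies it carries, and
    # whether $PolicyOid could be issued under it. Pass the certificates in chain
    # order (root first, then each subordinate) to see where the policy drops out.
    param(
        [Parameter(Mandatory)][string[]]$CaCertPath,  # DER or Base64 .cer files
        [Parameter(Mandatory)][string]$PolicyOid      # the OID your EV template asserts
    )
    foreach ($path in $CaCertPath) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
        $oids = Get-CertificatePolicyOid -Certificate $cert
        [pscustomobject]@{
            Subject  = $cert.Subject
            Policies = if ($oids.Count) { $oids -join ', ' } else { '(none)' }
            CanIssue = ($oids -contains $AnyPolicyOid) -or ($oids -contains $PolicyOid)
        }
    }
}

# Usage with placeholder paths and a placeholder enterprise OID:
Test-IssuancePolicyChain -CaCertPath 'C:\pki\root.cer', 'C:\pki\services-ca.cer' `
                         -PolicyOid '1.3.6.1.4.1.99999.1.1' | Format-Table -AutoSize
```

A row with CanIssue set to False for the issuing SubCA means its certificate was renewed without the policy. The OID gets into a CA certificate through the [PolicyStatementExtension] section of CAPolicy.inf on that CA before the CA certificate is renewed; a SubCA whose own certificate carries the OID can then issue it regardless of what the template says about the root, so check the SubCA row first.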