Issue with Multiple Enterprise Issuing CAs

  • Question

  • My environment originally:

    • Single Forest/Domain at 2003 functional level running on Windows 2008 x64 SP DCs
    • Offline standalone root CA on Windows 2003
    • Single subordinate Enterprise issuing CA using SHA1 hashing on Windows 2003 Enterprise Edition
    • All DCs auto-enrolled for a DomainController template and were issued it


    Due to SHA2 migration requirements the following was introduced:

    • Offline standalone root CA on Windows 2012 R2
    • Single subordinate Enterprise issuing CA using SHA2 hashing on Windows 2012 R2


    Now, when all our DCs got to 6 weeks before their DomainController cert expiration date, they all naturally tried to renew. What happened was that half renewed against the original issuing CA with SHA1 (all kept the same thumbprint/serial etc.) but the other half got a new DomainController cert from the new issuing CA with SHA2, i.e. they enrolled with the new issuing CA. This broke some legacy client application communication.

    Since both issuing CAs have published their info into the configuration container, is this expected? I read in the PKI guide that if the client finds multiple CAs registered it will use a random one. Is this what might have happened, i.e. the DC looked up the config container, saw 2 CAs registered there and chose to use the new one? It couldn't renew against the new one so it re-enrolled and got a new DomainController cert?



    • Edited by shocko Saturday, January 16, 2016 8:50 AM
    Saturday, January 16, 2016 8:37 AM

Answers

  • In your environment, the client will look at Enrollment Services to determine which CAs have a needed certificate template published. You are correct that deleting them in the Certification Authority console is the correct way to unpublish the certificate template (remove from the list of CertificateTemplates in the enrollment services container object).

    If multiple CAs are found, the first one to respond to an RPC ping is used for the enrollment (hence your deployment of certs between the two CAs (SHA1 and SHA256), because you had the template available at both CAs).

    If the CAs were running Server 2012 / Server 2012 R2 and the clients were running Windows 8+, then you could implement AD Site costs to determine which CA to use, but not in your environment.

    Brian

    • Marked as answer by shocko Sunday, January 17, 2016 11:07 AM
    Sunday, January 17, 2016 5:07 AM
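The CA-selection behaviour Brian describes can be checked rather than inferred. The following PowerShell is an added example, not code from the thread: it lists every enterprise CA registered under Enrollment Services, whether each publishes a given template, and whether it answers an RPC ping, then reports which CA and hash algorithm each DC's template-based certificate actually came from. It assumes the ActiveDirectory RSAT module on the workstation, RPC access to the CAs and WinRM access to the DCs; the template name is a placeholder you change to the one of interest.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module,
# RPC to the CAs and WinRM to the DCs.
Import-Module ActiveDirectory

$template = 'DomainController'   # template common name as stored in certificateTemplates
$configNC = (Get-ADRootDSE).configurationNamingContext
$esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# One pKIEnrollmentService object per enterprise CA. Its certificateTemplates
# attribute is the publish list that the Certification Authority console edits.
Get-ADObject -SearchBase $esBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties cn, dNSHostName, certificateTemplates |
ForEach-Object {
    $config = "$($_.dNSHostName)\$($_.cn)"
    # certutil -ping is the same RPC reachability test the enrolling client makes;
    # among the CAs that publish the template, the first to answer wins the enrollment.
    $null = certutil -config $config -ping 2>&1
    [pscustomobject]@{
        CA                = $config
        PublishesTemplate = [bool]($_.certificateTemplates -contains $template)
        RpcAlive          = ($LASTEXITCODE -eq 0)
    }
} | Format-Table -AutoSize

# Which CA (and which signature hash) issued each DC's template-based certificates.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # V1 templates (e.g. DomainController) carry the name in OID 1.3.6.1.4.1.311.20.2;
        # V2+ templates (e.g. KerberosAuthentication) use 1.3.6.1.4.1.311.21.7.
        $ext = $cert.Extensions |
               Where-Object { @('1.3.6.1.4.1.311.20.2','1.3.6.1.4.1.311.21.7') -contains $_.Oid.Value } |
               Select-Object -First 1
        if ($ext) {
            # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 DCs
            New-Object PSObject -Property @{
                DC         = $env:COMPUTERNAME
                Template   = $ext.Format($false)
                Issuer     = $cert.Issuer
                HashAlg    = $cert.SignatureAlgorithm.FriendlyName
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
} | Sort-Object Issuer, DC | Format-Table DC, Template, Issuer, HashAlg, NotAfter, Thumbprint -AutoSize
```

If the first table shows the template published on both CAs and both alive, the split seen in the question is the expected outcome; the second table tells you which DCs now chain to which issuer, which is what the legacy clients in the question would care about.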

All replies

  • If you do not wish to enroll certificates of a specific certificate template from the SHA1 issuing CA, do not publish the certificate templates at the SHA1 CA (delete them from the Certificate Templates container in the Certification Authority console).

    I would also recommend a few things:

    1) Enable Autoenrollment in the Domain Controllers Default Policy for computer certificates.

    2) Remove the Domain Controller certificate template from all issuing CAs

    3) Publish the Kerberos Authentication certificate template at the SHA2 issuing CA

    4) Ensure that all DCs enroll the Kerberos Authentication certificate template

    Brian

    Saturday, January 16, 2016 4:36 PM
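Brian's four recommendations, carried out from an administrative workstation, as an added example that is not Brian's own script. It uses certutil for the publish/unpublish steps so that the same commands work against both the Windows 2003 and the 2012 R2 issuing CA, and assumes RSAT, RPC to the CAs and WinRM to the DCs. The two CA config strings are placeholders.

```powershell
# Added example (not from the thread). CA config strings are placeholders.
Import-Module ActiveDirectory
$sha1CA = 'oldca.mydomain.net\MyDomain-SHA1-Issuing-CA'   # placeholder host\CA name
$sha2CA = 'newca.mydomain.net\MyDomain-SHA2-Issuing-CA'   # placeholder host\CA name

# 1) Autoenrollment for computer certificates is a Group Policy setting:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Certificate Services Client - Auto-Enrollment,
#    linked so that it applies to the Domain Controllers OU. Confirm it has
#    reached each DC by reading the value that policy writes (7 = enabled,
#    renew expired and update pending certificates).
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
                          -Name AEPolicy -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ DC = $env:COMPUTERNAME; AEPolicy = $p.AEPolicy }
} | Format-Table DC, AEPolicy -AutoSize

# 2) Unpublish the DomainController template from every issuing CA.
#    certutil -SetCATemplates takes a list prefixed with "-" (remove) or "+" (add);
#    this only edits the CA's publish list, it does not delete the template from AD.
foreach ($ca in $sha1CA, $sha2CA) {
    certutil -config $ca -SetCATemplates -DomainController
}

# 3) Publish Kerberos Authentication at the SHA2 CA only.
certutil -config $sha2CA -SetCATemplates +KerberosAuthentication

# Show what each CA now publishes before touching the DCs.
foreach ($ca in $sha1CA, $sha2CA) {
    "== $ca =="
    certutil -config $ca -CATemplates
}

# 4) Make the DCs enroll now instead of waiting for the autoenrollment timer,
#    then list the resulting V2-template certificates and who issued them.
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null          # triggers the autoenrollment task
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' } } |
        Select-Object @{n='DC';e={$env:COMPUTERNAME}}, Issuer, NotAfter, Thumbprint
} | Format-Table -AutoSize
```

Once only the SHA2 CA publishes Kerberos Authentication, a DC has exactly one CA to enroll from, which removes the first-to-answer race the question ran into. By default the built-in Kerberos Authentication template supersedes the Domain Controller template, so step 4 replaces the old certificates rather than adding a second one alongside them.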
  • Thanks for taking the time to reply Brian. So if I open the certificates container from a particular issuing CA and delete the template, does that not delete it from the domain and for all other issuing CAs in that same domain? I do notice that in the configuration container in AD there is an entry for each issuing CA under:

    • CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=net

    Each object therein is of class pkiEnrollmentService and has an attribute CertificateTemplates. Is this what is actually being acted upon when you use the CA console to delete templates?

    In terms of the other recommendations, I will definitely evaluate them. I guess I'm trying to confirm if my suspicions on how half the DCs did not renew against the CA that issued their DC certs are correct.

    Saturday, January 16, 2016 9:41 PM
  • Thanks again Brian. I didn't realise that when deleting a certificate from the Certification Authority console, that actually amounts to removing that template's publishing info from that targeted CA. Conversely, if I right click and use the manage templates option, this launches the Certificate Templates MMC; deletion there amounts to the actual template being removed (not good).
    Sunday, January 17, 2016 11:12 AM
  • That is why I was very careful to state to use the Certification Authority console, not the Certificate Templates console. HUGE difference.

    Brian

    Sunday, January 17, 2016 4:36 PM
  • Agreed :) ! Would be nice if that was documented a little clearer. I found it through some discussions/lab experimentation more than any documentation. Thanks again Brian.
    Sunday, January 17, 2016 5:40 PM
  • I realise this is an old post but I can't find anyone in the same boat as me and the above is the closest scenario I can find.

    I have an offline 2012 R2 SHA1 root, and a single 2012 R2 SHA1 issuing sub CA. I very quickly need a small number of SHA2 certificates for an important project but don't have time to fully test my environment for full support of SHA2, so I was intending on creating a new SHA2 sub CA sitting alongside my existing SHA1 CA. However I want to make sure my existing clients all keep going to the old SHA1 CA. Do I do this by controlling which certificate templates are published by the new SHA2 CA?

    For example, do I simply delete (or not publish) all certificate templates from the new SHA2 CA in the CA CONSOLE, not the certificate template console, and then publish a new template only from the new SHA2 CA console so I can go to it for my few SHA2 certs?

    Thursday, August 31, 2017 5:00 AM
  • I ended up creating a test PKI with a root and two sub CAs just like above and what I described above worked.
    Friday, September 1, 2017 2:11 AM
  • Yes! You can use permissions on the template to control who can enroll/auto-enroll.
    Friday, September 1, 2017 9:47 AM