Remote CA Snap-in BUG

    Question

  • OK I'll keep this short... Following this guide....

    I'm at the stage of

    "Configuring the Subordinate CA
    With the certificate file stored locally to the subordinate CA, open the Certificate Authority console – note that the certificate service is stopped. Right-click the CA, select All Tasks and choose Install CA Certificate…"

    The thing is I'm running my CA on a Windows 2016 Core server, so I'm very much used to running "Server Manager" and MMC Snap-ins remotely using a client machine. So like every other step in the guide that required Server Manager or the CA snap-in I was doing it from my Windows 10 machine with the latest RSAT tools installed.

    Load the CA Snap-in -> Point it to my Sub CA (that's domain joined) -> The CA takes a bit of time to load (yet I notice it loads almost instantly if I disable the local firewall on the CA; be nice if all required firewall ports were opened when you configure the service/role). Anyway, maybe I'll eventually figure out why this is. I simply noticed this because I figured maybe it was firewall related, but that doesn't seem to be the case.

    My problem is, I see the CA with the service not started (as to be expected I have to load the signed Certificate from my offline CA before the service can start), so following along I get the All Tasks context menu, pick "install CA Certificate"... then you see a loading part of the snap-in just like when it loads the snap-in for the first time, then nothing... no wizard!

    Then the load screen...


    Then NOTHING! I attempted to see if there was a PowerShell equivalent, running Get-Command -Module ADCSAdministration

    Shows you can add AIA, CRL and Templates, but no way to add a CA cert...

    I even attempted to install the ADCS mgmt tools on my test Honolulu server (Server 2016)

    Add-WindowsFeature RSAT-ADCS, RSAT-ADCS-mgmt

    which added the snap-in to MMC, but the same bug happens and I can't move forward?! Please help!



    • Edited by Zewwy Wednesday, January 31, 2018 4:35 PM
    Wednesday, January 31, 2018 4:33 PM

Answers

  • You will need to use the commandline to do this. On the CA itself:

    1) Open a command prompt

    2) Navigate to where your certificate file is located

    3) certutil -installcert <your certificate file name here>


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Marked as answer by Zewwy Thursday, February 1, 2018 6:37 AM
    Wednesday, January 31, 2018 9:29 PM
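
The command-line route from the answer above, with sanity checks on the certificate before it is installed, as an added example that is not part of the original thread. The file path is a placeholder, and the checks and the service start go beyond what the answer states; run it in an elevated PowerShell session on the subordinate CA itself.

```powershell
# Added example, not from the thread. Assumption: the certificate issued by the
# offline CA was copied to this placeholder path as a .cer file, and the offline
# root certificate is already in the local machine's trusted root store.
$certPath = 'C:\certs\subca.cer'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Show what is about to be installed so it can be compared with the issuing CA's record.
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Thumbprint: $($cert.Thumbprint)"
"Valid     : $($cert.NotBefore) to $($cert.NotAfter)"

# 1. The certificate must be a CA certificate (Basic Constraints, CA = true).
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Not a CA certificate: Basic Constraints is missing or CA is false.'
}

# 2. It must be inside its validity period (a wrong clock on either CA shows up here).
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw 'Certificate is not yet valid or has expired.'
}

# 3. It must chain to a trusted root. The default chain policy also checks
#    revocation, so the parent CA's CRL has to be reachable from this server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain error: $($_.StatusInformation.Trim())" }
    throw 'Chain validation failed; fix trust or CRL publication before installing.'
}

# 4. Install the CA certificate (the command from the answer), then start the service.
certutil -installcert $certPath
if ($LASTEXITCODE -ne 0) {
    throw "certutil -installcert failed with exit code $LASTEXITCODE"
}
Start-Service -Name CertSvc

# 5. Confirm the CA now responds to requests.
certutil -ping
```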

All replies

  • K, I even grabbed the latest RSAT for Windows 7, installed, loaded the CA snap-in, added my CA server, clicked Install CA Certificate from the context menu and SAME BUG!!

    I've literally tried every workaround I can think of. How can I accomplish this task if this is so broken!?!?!?

    Also I noticed this. If I attempt to start the service from any of my system CA MMC Snap-in I get the following prompt....

    So one would figure yes, here we go a possible work around... and NOPE! Instead of requesting the certificate in question... no it gives me this....

    Well played MS... well played.... :@

    Seeing this, I figured I'd google it in hopes maybe someone found a manual workaround for the problem... All I found was someone with a similar issue, but it was caused by a different reason, so can't really play here...
    Also their reply was...

    The solution was, Microsoft Tech Support found the problem and fixed the issues we were having.

    Great...

    • Edited by Zewwy Wednesday, January 31, 2018 9:17 PM
    Wednesday, January 31, 2018 7:35 PM
  • You are my savior.
    Thursday, February 1, 2018 6:37 AM