Windows®8 and Windows Server® 2012
Certificate services in Windows® 8 and Windows Server® 2012 can be configured to use Active Directory Domain Services (AD DS) sites to help optimize certificate services client requests. This functionality is not enabled by default on the certification authority (CA).
To set the msPKI-Site-Name attribute value on a CA, you can run the following command:
certutil -f -setcasites set
The command enumerates all CAs in the enterprise using directory services APIs and checks the current site membership of each CA. Then, the CA objects in AD DS are configured with the site name that is appropriate for their network configuration.
To set the msPKI-Site-Name attribute on a single CA object in AD DS to a specific name, you can run the following command:
certutil -setcasites -f -config "<CAConfigName>" <SiteName>
To find the CA configuration name (<CAConfigName>), run certutil without arguments and filter the output for the Config line:
certutil | findstr "Config"
Running the certutil -setcasites command displays any site name conflict and also corrects it, as shown in the following figure.
Note: A CA may return no site cost if the msPKI-Site-Name attribute is not set on the CA. If no site cost is available for an individual CA, then the highest possible cost is assigned to that CA.
The following statements apply to the way that a certificate services client contacts the appropriate CA:
When the clients and certification authorities are both configured for AD DS site awareness, you can use the certutil -ping command to verify the site costs. For example, the certutil command shown in the following figure is: certutil -ping "CPANDL-CA1.cpandl.com,CPANDL-CA2.cpandl.com"
On the client side, support for this feature (site awareness provided by the msPKI-Site-Name value on pKIEnrollmentService objects) is enabled by default on all clients running Windows 8 and later; no additional client configuration is needed.
There has been some confusion: some articles state that the following command must be run to set EnrollFlags to 0x2 in order to support this, which is not accurate.
certutil -setreg Enroll\EnrollFlags 2
In fact, this flag applies only to Windows Vista and Windows 7 clients, where it enables the following behavior:
1. Get the list of enterprise CA servers by querying for all pKIEnrollmentService objects in CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,...
2. For each CA server in the list, query its dNSHostName attribute.
3. By calling DsGetSiteName with that dNSHostName as input, the client works out the site name for each CA server.
4. Clients then figure out which CA server to send out requests to based on the costs.
This behavior does not rely on msPKI-Site-Name at all and is a different mechanism from the one used by Windows 8 and later clients.
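As an added example (not part of the original article), the following PowerShell script performs the enumeration described above from an administrator's point of view and lets you compare the two mechanisms side by side: it lists every pKIEnrollmentService object under CN=Enrollment Services with its dNSHostName and msPKI-Site-Name, flags CAs that lack the attribute (these receive the highest possible cost from Windows 8 and later clients), resolves each CA's actual site the way the Windows Vista/7 path does (DsGetSiteName, here via nltest /server:<host> /dsgetsite), and marks which CAs share the running computer's site. The function names, the use of nltest and the parsing of its output, and the comparison against the local site are this example's own assumptions; it requires a domain-joined machine with read access to the Configuration partition and network reachability to the CA hosts for the nltest step.

```powershell
# Added example, not from the original article.
# Assumptions: domain-joined machine, read access to the Configuration
# partition, nltest.exe available, CA hosts reachable for /dsgetsite.

function Get-EnterpriseCASiteInfo {
    # Step 1 of the Vista/7 algorithm: enumerate pKIEnrollmentService objects
    # under CN=Enrollment Services,CN=Public Key Services,CN=Services,<configNC>
    $rootDse    = [ADSI]"LDAP://RootDSE"
    $configNc   = $rootDse.configurationNamingContext
    $searchBase = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$searchBase
    $searcher.Filter     = "(objectClass=pKIEnrollmentService)"
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "dNSHostName", "msPKI-Site-Name"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # Step 2: the CA host name; plus the attribute Windows 8+ clients rely on
        $dnsHost = if ($p["dnshostname"].Count -gt 0) { $p["dnshostname"][0] } else { $null }
        $site    = if ($p["mspki-site-name"].Count -gt 0) { $p["mspki-site-name"][0] } else { $null }

        [pscustomobject]@{
            CAName        = $p["cn"][0]
            DnsHostName   = $dnsHost
            MsPkiSiteName = $site
            # No msPKI-Site-Name means Windows 8+ clients assign the highest cost
            SiteAware     = [bool]$site
        }
    }
}

function Get-ServerSiteViaNltest {
    # Step 3 of the Vista/7 algorithm (DsGetSiteName). Assumption of this
    # example: nltest prints the site name on the first non-empty line and a
    # "completed successfully" line afterwards.
    param([Parameter(Mandatory)][string]$HostName)
    $out = & nltest.exe "/server:$HostName" /dsgetsite 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $line = $out | Where-Object { $_ -and $_ -notmatch 'completed successfully' } | Select-Object -First 1
    if ($line) { return $line.Trim() } else { return $null }
}

function Compare-CASiteConfiguration {
    # Joins both views: the attribute-driven (Windows 8+) site name and the
    # DsGetSiteName-driven (Vista/7) site name, relative to this computer's site.
    $localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    foreach ($ca in Get-EnterpriseCASiteInfo) {
        $resolved = if ($ca.DnsHostName) { Get-ServerSiteViaNltest -HostName $ca.DnsHostName } else { $null }
        [pscustomobject]@{
            CAName              = $ca.CAName
            DnsHostName         = $ca.DnsHostName
            MsPkiSiteName       = $ca.MsPkiSiteName
            ResolvedSite        = $resolved
            # Mismatch is what "certutil -f -setcasites set" would correct
            AttributeMatchesDs  = ($ca.MsPkiSiteName -and $resolved -and $ca.MsPkiSiteName -eq $resolved)
            SameSiteAsClient    = ($resolved -eq $localSite)
            MissingSiteName     = -not $ca.SiteAware
        }
    }
}

# Usage: audit every enterprise CA, then confirm costs with the page's own
# certutil -ping form (comma-separated CA host names).
$report = Compare-CASiteConfiguration
$report | Format-Table -AutoSize
$hosts = ($report | Where-Object DnsHostName | Select-Object -ExpandProperty DnsHostName) -join ","
if ($hosts) { certutil -ping $hosts }
```

Rows with MissingSiteName set are the CAs the note above warns about; rows where AttributeMatchesDs is false are candidates for running certutil -f -setcasites set (or the single-CA -config form) and re-checking with certutil -ping.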