To configure the Active Directory Domain Services (AD CS) certification authority (CA) service (CertSvc) to listen on a static DCOM port

  1. Log on with an account that has local administrator permission on the CA
  2. Open the Component Services snap-In (dcomcnfg.exe).
  3. In the left pane of the Component Services snap-In, expand Component Services, Computers, My Computer, and then DCOM Config.
  4. In the right pane, select CertSrv Request.
  5. On the Action menu, click Properties.
  6. On the Endpoints tab, click Add.
  7. Select Use static endpoint, enter an unused TCP port number, for example, 4000, and then click OK twice.
  8. Close the Component Services snap-In.
  9. Restart the certification authority service.
        net stop certsvc
        net start certsvc

Return to contents

If you also want to disable the RPC Interface on the computer running the CertSvc

 Important
  • You may not need to perform this step in order to make requests using an alternate port. For example you could potentially use certreq -submit allows the -rpc option (be sure to use lowercase with that option).
  • You may not be able to edit the properties of CertSrv Request by default, since the registry key may be owned by Trusted Installer. In this case, you need to take ownership of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D99E6E74-FC88-11D0-B498-00A0C90312F3} and grant Administrators full control to the registry key
  1. At the command-line prompt, run one of the following commands (both accomplish the same task):
    • certutil -setreg ca\interfaceflags +0x8
    • certutil -setreg ca\interfaceflags +IF_NORPCICERTREQUEST 
  2. The command output lists the flags that are enabled. Verify that IF_NORPCICERTREQUEST is part of the InterfaceFlags in the command output list. If not, try running the command again (use the command that you did not use the first time from the previous step above, also verify that you have the appropriate permissions, as mentioned in the Important note above).
  3. Restart the certification authority service.
 Note
The CA will not change listening ports until the first certificate request comes in, so do not expect that you will see the port change in NETSTAT or other tools until that happens.

Return to contents


Additional information

This article originates from the Security Forum discussion from 2008 R2 CA not using static DCOM port

Return to contents