AmolVyawahare-7885 asked ·

How do clients get a certificate if there are multiple CAs installed in AD?

I have an environment where 2 Subordinate CAs are installed in each domain. I can see that the clients from that domain are equally getting certificates from both. Who is doing round robin in this case? When clients discover a CA, and if AD replies, does it provide the name of the CA in round robin fashion? Second question: I understood that the certificate authority is a forest entity, so why are my clients getting certificates only from that domain's CA server? (Domain Computers is added in the cert security template to read and enroll; is that the reason?) Is there any GPO setting, or any AD setting, that can tell clients, this is your domain, and this is your CA? Or, this is the template you need to get. Autoenroll is enforced on clients via GPO.

windows-server-security

Hello @AmolVyawahare-7885,

Thank you for posting here.

And thank you for your update and sharing.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!



Best Regards,
Daisy Zhou

AmolVyawahare-7885 answered ·

Crypt32 answered ·

The CA selection is approximately this:

Without Enrollment Policy Service:

  1. Get all enterprise CAs from AD and create List1
  2. Select CAs that have the requested certificate templates and create List2
  3. If List2 is empty, stop processing
  4. Select CAs that are site-aware and match the client site and create List3
  5. If the resulting List3 is empty, use the list obtained in step 2 as List3
  6. Randomize List3 and pick an arbitrary CA

With Enrollment Policy Service:

  1. Build a list of Policy Servers using: Group Policy, local cache, locally configured policies
  2. Order policy servers in ascending order by Cost property. Policy servers with lower cost will be tried first
  3. Iterate over the Policy Server list and for each server:
  4. Get the list of CAs advertised by the policy server and create List1
  5. Select CAs that have the requested certificate templates and create List2
  6. If List2 is empty, continue with the next Policy Server
    6.1. If there is no next Policy Server, return error
  7. Order List2 by Cost property. CAs with lower cost will be tried first.

This is a very high-level flow on a client.
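The selection flow above, written out as a small Python simulation so you can see which CA a client would end up at and why. This is an added example, not code from the thread or from Windows; the CA names, sites, templates and costs are constructed, and making each CA site-aware only for its own domain's site is an assumption chosen to show how step 4 alone can keep enrollments inside one domain.

```python
import random
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class EnterpriseCA:
    name: str
    templates: frozenset            # templates this CA is allowed to issue
    sites: frozenset = frozenset()  # AD sites the CA is configured for; empty = not site-aware
    cost: int = 1                   # only meaningful with Enrollment Policy Service

def select_ca_without_eps(cas, template, client_site, rng=random):
    list1 = list(cas)                                           # step 1: all enterprise CAs
    list2 = [ca for ca in list1 if template in ca.templates]    # step 2: CAs offering the template
    if not list2:                                               # step 3: nobody issues it
        return None
    list3 = [ca for ca in list2 if client_site in ca.sites]     # step 4: site-aware match
    if not list3:                                               # step 5: no site match, fall back
        list3 = list2
    return rng.choice(list3)                                    # step 6: client picks at random

def select_ca_with_eps(policy_servers, template):
    """policy_servers: list of (cost, advertised_cas). Returns CA candidates in try order."""
    for _cost, advertised in sorted(policy_servers, key=lambda ps: ps[0]):  # steps 1-3
        list2 = [ca for ca in advertised if template in ca.templates]       # steps 4-5
        if not list2:
            continue                                                        # step 6: next server
        return sorted(list2, key=lambda ca: ca.cost)                        # step 7: cheapest first
    return None                                                             # step 6.1: error

def distribution(cas, template, client_site, draws=1000, seed=0):
    """Count which CA wins over many independent enrollments; this is the 'round robin' seen."""
    rng = random.Random(seed)
    return Counter(select_ca_without_eps(cas, template, client_site, rng).name for _ in range(draws))

# Constructed scenario (assumption): two sub-CAs per domain, each site-aware for its own site.
WS = frozenset({"Workstation"})
CAS = [
    EnterpriseCA("CA-A1", WS, frozenset({"Site-A"})),
    EnterpriseCA("CA-A2", WS, frozenset({"Site-A"})),
    EnterpriseCA("CA-B1", WS, frozenset({"Site-B"}), cost=5),
    EnterpriseCA("CA-B2", WS, frozenset({"Site-B"}), cost=2),
]

if __name__ == "__main__":
    print(distribution(CAS, "Workstation", "Site-A"))      # roughly even split, CA-A1 / CA-A2 only
    print(distribution(CAS, "Workstation", "Site-C"))      # no site match: all four CAs appear
    print(select_ca_with_eps([(10, CAS[:2]), (1, CAS[2:])], "Workstation"))  # CA-B2 then CA-B1
```

Removing the `sites` entries from the constructed CAs is the quickest way to see the step 5 fallback, where a client in any site spreads its enrollments across every CA that publishes the template.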
