Chong-7118 asked FanFan-MSFT commented

Force application connect to target enterprise CA in multi CA domain

Hi Support,

We have a Win2008 enterprise CA1 which generates certificates for our internal applications in our domain. And we set up another Win2016 enterprise CA2 which is used to generate certificates for some web applications only. Both of them publish the root certificate to domain clients and have auto-enrolment enabled so systems can renew certificates automatically.
After a few months, we found that some internal applications generate certificates from CA2, not CA1.

First, how can we prevent internal domain applications from generating certificates from CA2? Or force applications to work with the target CA only?
Second, for those systems that auto-generated certificates from CA2, is there any workaround to force the system to re-generate the certificate from CA1?

Thanks
Chong

windows-server

cthivierge answered FanFan-MSFT commented

Well... both CAs are using the same templates because they are stored in the Active Directory configuration partition "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=Contoso,DC=Com"

But you are correct: if both CAs publish the same certificate template, then the servers may request the certificate from any of them.

One thing that is possible to do is to configure the autoenrollment CA based on AD Sites. You could set a CA for autoenrollment for each site. This may help you if you have multiple sites.

To force a server to regenerate a certificate, you can use the command line "certutil -pulse". But, if the server already has a certificate from the template that has autoenrollment permission, you will not receive a new certificate. You may have to delete the existing certificate first.

If you want to set the CA autoenrollment based on the AD Sites, this is the command line to run:
certutil -setcasites -f -config "<CAConfigName>" <SiteName>
replace <CAConfigName> with the name of the certificate server.

This will add the value of the AD Site to the msPKI-Site-Name attribute of the enrollment CA at this location "CN=Contoso Issuing CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Contoso,DC=Com"

hth


Hi,


Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,


Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

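The following is an added PowerShell example, not code written by cthivierge or anyone in this thread. It audits the situation described in the answer above: it reads the Enrollment Services objects in the configuration partition to show which CAs publish which templates (and which AD site, if any, each is pinned to via msPKI-Site-Name), flags templates published on more than one CA, and then lists machine certificates in the local store together with the template they were issued from and the CA that issued them. That makes it possible to find certificates that came from the wrong CA before deleting them and running certutil -pulse. It assumes the ActiveDirectory RSAT module on a domain-joined, elevated host; the CA name 'CA1' and the template pattern in the usage lines are hypothetical placeholders.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory RSAT module
# and a domain-joined machine; run elevated so the LocalMachine store is readable.
Import-Module ActiveDirectory

# Enterprise CAs in the forest, the AD site each is pinned to (if any), and the templates each publishes.
function Get-EnrollmentCATemplates {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName, certificateTemplates, 'msPKI-Site-Name' |
        ForEach-Object {
            [pscustomobject]@{
                CA        = $_.Name
                Host      = $_.dNSHostName
                Site      = $_.'msPKI-Site-Name'
                Templates = @($_.certificateTemplates)
            }
        }
}

# Templates published on more than one CA: autoenrollment may satisfy these from either CA.
function Get-TemplatesPublishedOnMultipleCAs {
    param([object[]]$CAs = (Get-EnrollmentCATemplates))
    $CAs | ForEach-Object {
        $ca = $_.CA
        $_.Templates | ForEach-Object { [pscustomobject]@{ Template = $_; CA = $ca } }
    } |
        Group-Object Template | Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ Template = $_.Name; CAs = ($_.Group.CA -join ', ') } }
}

# Template display string from an issued certificate. v1 templates carry the name in
# OID 1.3.6.1.4.1.311.20.2; v2+ carry "Template=Name(OID), Major Version Number=..." in 1.3.6.1.4.1.311.21.7.
function Get-CertTemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

# Machine certificates for a template whose issuer is not the CA we expect.
function Find-CertsFromUnexpectedCA {
    param(
        [string]$ExpectedIssuerPattern,    # e.g. 'CN=CA1*' (hypothetical CA name)
        [string]$TemplatePattern = '*'      # e.g. '*Domain Controller*'
    )
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $tpl = Get-CertTemplateInfo -Cert $_
        if ($tpl -and $tpl -like $TemplatePattern -and $_.Issuer -notlike $ExpectedIssuerPattern) {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Template   = $tpl
                NotAfter   = $_.NotAfter
            }
        }
    }
}

# Report only. Remediation, per the answer above, stays a deliberate manual step per host:
#   Remove-Item "Cert:\LocalMachine\My\<thumbprint>"   # drop the certificate issued by the wrong CA
#   certutil -pulse                                    # trigger autoenrollment so the host re-enrolls
Get-EnrollmentCATemplates | Format-Table -AutoSize
Get-TemplatesPublishedOnMultipleCAs | Format-Table -AutoSize
Find-CertsFromUnexpectedCA -ExpectedIssuerPattern 'CN=CA1*' -TemplatePattern '*Domain Controller*' | Format-Table -AutoSize
```

The re-enrollment after certutil -pulse only lands on the intended CA if, by then, that template is no longer published on the other CA (or the host is in a site pinned to the intended CA with certutil -setcasites); otherwise the host can simply enroll from the wrong CA again.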
FanFan-MSFT answered

Hi,
Based on my understanding, before enrolling a certificate, manually or automatically, we must ensure that the certificate templates are available for enrollment at a CA. This process is known as "publishing the certificate template at the CA."
For your questions:

First, if you want to prevent internal domain applications from generating certificates from CA2, we just need to make sure that CA2 doesn't have the templates for the internal domain applications.
Second, based on my understanding, CA1 and CA2 are 2 separate PKI structures, right?
Make sure the templates are available on CA1.

Best Regards,


cthivierge answered

Hmmm... Having multiple Enterprise CAs that do AutoEnrollment may give you headaches.

First, do both CAs publish the same certificate template, or is it a different template? (you should have 2 different templates)
Second, could any servers have certificates from both templates?

If you have 2 different templates (you should, actually), in that case only publish the template for internal applications on your CA1 and only publish the certificate template for web applications on your CA2.

Then, create 2 AD groups, 1 for internal applications and 1 for web applications, and add the servers into the group they should be a member of (you need to restart all servers that will be added to the group).

Then, you could restrict your template using the Security tab to allow Enroll/Autoenroll only to a specific AD group.

hth

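An added PowerShell example, not code from cthivierge or this thread, that carries out the two steps of the answer above without the GUI: unpublish the internal-application template from CA2, then restrict Enroll and Autoenroll on that template to one AD group. The template name 'InternalAppCert' and group 'InternalAppServers' are hypothetical placeholders; the template name must be the template's CN (its internal name, not the display name). Remove-CATemplate comes from the ADCSAdministration module, which exists on 2012+ CAs such as CA2 but not on a 2008 CA; the extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment are the standard AD schema values.

```powershell
# Added example, not code from the thread. Names used below are hypothetical placeholders.
Import-Module ActiveDirectory

# Step 1 (run on the CA that must stop issuing the template, here CA2 on Windows 2012+):
# remove the template from the CA's published list. On a 2008 CA the same thing is done with
#   certutil -SetCATemplates -InternalAppCert
function Unpublish-TemplateFromThisCA {
    param([string]$TemplateName)
    Import-Module ADCSAdministration
    if (Get-CATemplate | Where-Object Name -eq $TemplateName) {
        Remove-CATemplate -Name $TemplateName -Force
    }
}

# Step 2: on the template object in the configuration partition, drop the broad grant that
# lets every machine autoenroll and allow Enroll + Autoenroll to the intended group only.
$EnrollRight     = [Guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

function Restrict-TemplateToGroup {
    param(
        [string]$TemplateName,                          # template CN, e.g. 'InternalAppCert' (hypothetical)
        [string]$GroupName,                             # e.g. 'InternalAppServers' (hypothetical)
        [string]$RemoveIdentityLike = '*\Domain Computers'
    )
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $path = "AD:\CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl  = Get-Acl -Path $path

    # Remove ACEs for the broad identity (default templates often grant Domain Computers).
    $acl.Access | Where-Object { $_.IdentityReference.Value -like $RemoveIdentityLike } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    # Grant the two extended rights to the group. The group still needs Read on the template,
    # which Authenticated Users normally have by default.
    $sid = (Get-ADGroup -Identity $GroupName).SID
    foreach ($right in $EnrollRight, $AutoEnrollRight) {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $right)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
    $acl.Access | Where-Object { $_.ObjectType -in $EnrollRight, $AutoEnrollRight }   # show the resulting grants
}

# Usage (hypothetical names). Machines added to the group need a reboot before their
# Kerberos token carries the new group, which is why the answer says to restart them.
# Unpublish-TemplateFromThisCA -TemplateName 'InternalAppCert'
# Restrict-TemplateToGroup -TemplateName 'InternalAppCert' -GroupName 'InternalAppServers'
```

Step 1 alone already stops CA2 from issuing the template; step 2 is the defence in depth that keeps a future mistake (someone re-publishing the template on CA2) from silently re-opening the path, because only group members can enroll no matter which CA publishes it.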

Chong-7118 answered

Hi @FanFan-MSFT and @cthivierge ,

Thanks for the advice. Yes, the 2 CA servers are separate PKI structures.

So if both CA servers have the same templates, for example "Domain Controller", will DCs generate the certificate from the 2 CAs randomly?
Same example: for the DCs which are using the certificate from the wrong CA server, can we only manually generate the certificate again from the correct CA on each DC one by one? Is there no cmdlet or GUI to force all DCs to regenerate the certificate?

Best Regards
Chong
