EF75 asked:

Root and sub CA not getting automatically published

We are having a strange issue. Since we are using an Enterprise CA installed on domain-joined Root CA and Subordinate CA servers (not DCs), we are expecting, and by design it should be the case, that the root and intermediate certificates are published automatically to the Trusted Root Certification Authorities and Intermediate Certification Authorities local stores once we add/join the servers to the domain. This is not the case right now. Can anyone help with this? Do we need to apply changes on the Root CA server or the Intermediate CA server to get this done?
Thanks

windows-server

Hello anonymous user,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered:

Hello anonymous user,

Thank you for posting here.

Based on the description, you have two-tier CA with Root CA and Sub-ordinate CA.

Is your two-tier PKI with offline Standalone root CA and online Enterprise issuing CA or online Enterprise root CA and online Enterprise issuing CA?

Offline Standalone root CA server is not in the domain.

Online Enterprise issuing CA server is in the domain.

If your root CA is an offline standalone root CA, you should run the command below on one DC to publish the root CA cert to the domain. It will then dispatch this root cert to the root store of all domain-joined clients.

certutil -f -dspublish <the full path of CA certificate> RootCA


For more information, please refer to link below.

AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

Q: Which is not the case right now, can anyone help on this?
Do you mean there is no root CA cert in the trust root certificate authority and there is no sub CA cert in the intermediate certificate authority local stores on all domain-joined machines?

Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


EF75 answered:

Hi Daisy,
Thanks for your message.
Both CA servers are domain joined: an online Enterprise root CA and an online Enterprise issuing CA. So why are the root CA and sub CA certs not getting published automatically to domain-joined members?
However, this is not a very secure way of dealing with certs, I guess; we would be better off switching off the ROOT CA server. So would it be possible to take the ROOT CA server out of the domain, make it a standalone offline CA and issue the command certutil -f -dspublish <the full path of CA certificate> RootCA?
By the way, what should be the path of the CA certificate? Is that a default path?

Please advise the best approach.
Thanks


DaisyZhou-MSFT answered (edited):

Hello anonymous user,

Thank you for your update.

Here are the answers for your reference.

So why the root ca's and sub are not getting published automatically to domain joined members ?
A1: If both your root CA server and sub CA server are in the domain, this should eventually happen automatically.

Currently, I am sorry, I do not know why. But you can try to publish root CA cert and sub CA cert to domain via command above to see if it helps.

Similar thread for your reference.
How Does A Root CA Certificate Get Distributed To Domain Clients?
https://social.technet.microsoft.com/Forums/windowsserver/de-DE/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity


However, this is not a very secure way of dealing with certs i guess , we would better switch off the ROOT CA server ...so would it be possible to take de ROOT CA server out of the domain and make it a standalone offline and issue the command certutil -f -dspublish <the full path of CA certificate> RootCA ??
A2: If you want to convert your existing enterprise root CA to a standalone root CA, the steps you mentioned are not correct.

Because if you take ROOT CA server out of the domain, the CA type is not changed from enterprise root CA to standalone root CA.

[attachment: ca1.png]

For the correct steps, you can refer to the similar thread below.

Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
https://social.technet.microsoft.com/Forums/windows/en-US/df2105e3-844d-4ead-a202-e49a227511df/convert-enterprise-root-ca-to-standalone-root-ca-and-create-new-subordinate-cas?forum=winserversecurity

Note: If you really want to do this type of CA migration, please first migrate in the test environment to check whether everything is normal. If everything is normal in the test environment, you then consider whether you need to operate in the production environment.


By the way what should be the path of CA certificate? is that a default path ?
A3: You can open CA Properties and select AIA extension and check the location of the CA certificate.

[attachment: ca2.png]

Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


EF75 answered (rolled back):

Hi Daisy,

Thanks for your time and the answers. Below you will find my response:

> A1: If both your root CA server and sub CA server are in the domain, this should eventually happen automatically. Currently, I am sorry, I do not know why. But you can try to publish root CA cert and sub CA cert to domain via command above to see if it helps.

Could it be the case that a GPO is blocking this from happening? Below you will find the default domain policy. I don't think this could be the reason, as block inheritance is enabled on the OU where the systems are located.

![117937-screenshot-2021-07-26-at-125847.png][1]

As well, I did try to run the commands as advised and got the message that the certs are already published to AD:

    Certificate already in DS store.
    CertUtil: -dsPublish command completed successfully.

> Similar thread for your reference.
> How Does A Root CA Certificate Get Distributed To Domain Clients?
> https://social.technet.microsoft.com/Forums/windowsserver/de-DE/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity

I did check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache key and we don't have that key on the systems. Please advise how to troubleshoot, as I am running out of ideas.

Using the GPO to auto-enrol the enterprise certs (root and subordinate) is not the way we would like to use, as I would need to renew them every now and then when they expire, whereas this is supposed to be done automatically in our case.

Thank you Daisy.

[1]: /answers/storage/attachments/117937-screenshot-2021-07-26-at-125847.png
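The check below is an added example, not code from the thread: it reads the CA certificates that certutil -dspublish stores in the AD configuration partition (the "Certification Authorities" and "AIA" containers under Public Key Services) and reports which of them are still missing from the local machine Root and CA stores on a domain-joined client, which is exactly the state being debugged here. It assumes an elevated PowerShell on a domain-joined client with LDAP access to a DC; the function names are this example's own.

```powershell
# Added example (not from the thread): compare CA certs published in AD with the
# local machine stores that the autoenrollment client is expected to populate.
# Assumes: elevated PowerShell on a domain-joined client with LDAP access to a DC.

function Get-AdPublishedCaCert {
    param([ValidateSet('Certification Authorities', 'AIA')][string]$Container)
    # certutil -dspublish writes under CN=Public Key Services in the Configuration NC
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $parent = [ADSI]"LDAP://CN=$Container,CN=Public Key Services,CN=Services,$configNC"
    foreach ($obj in $parent.Children) {
        # cACertificate is multi-valued: one DER blob per CA certificate (renewals included)
        foreach ($der in $obj.Properties['cACertificate']) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                DsObject   = $obj.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

function Test-LocalCaTrust {
    # AD container -> local store the autoenrollment client copies its contents into
    $map = @{ 'Certification Authorities' = 'Root'; 'AIA' = 'CA' }
    foreach ($container in $map.Keys) {
        $storePath = "Cert:\LocalMachine\$($map[$container])"
        $localThumbs = (Get-ChildItem $storePath).Thumbprint
        foreach ($pub in Get-AdPublishedCaCert -Container $container) {
            [pscustomobject]@{
                Container      = $container
                Subject        = $pub.Subject
                Thumbprint     = $pub.Thumbprint
                NotAfter       = $pub.NotAfter
                PresentLocally = [bool]($localThumbs -contains $pub.Thumbprint)
            }
        }
    }
}

$report = Test-LocalCaTrust
$report | Format-Table Container, Subject, NotAfter, PresentLocally -AutoSize
$missing = @($report | Where-Object { -not $_.PresentLocally })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) published CA cert(s) are not in the local stores yet."
    Write-Warning 'Trigger autoenrollment on this client with: certutil -pulse'
}
```

If a certificate is listed with PresentLocally = False, the AD side is fine and the problem is on the client (autoenrollment policy or its refresh), whereas an empty report means nothing was published to AD at all.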


EF75 answered:

Just a side note:
When I run certutil -cainfo on the Subordinate CA server:

C:\Windows\system32>certutil -cainfo
Exit module count: 1
CA name: xxx-Subordinate-CA
Sanitized CA short name (DS name): xxx-Subordinate-CA
CA type: 1 -- Enterprise Subordinate CA
ENUM_ENTERPRISE_SUBCA -- 1
CA cert count: 2
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 3 -- Valid
CA cert[1]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert verify status[0]: 0
CA cert verify status[1]: 0
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert
CRL Publish Status[0]: 5
CPF_BASE -- 1
CPF_COMPLETE -- 4
Delta CRL Publish Status[0]: 6
CPF_DELTA -- 2
CPF_COMPLETE -- 4
DNS Name: CA02.xxxxnet
Advanced Server: 1
CA locale name: en-US
Subject Template OIDs: 1.2.840.113549.1.9.1
2.5.4.3
2.5.4.11
2.5.4.10
2.5.4.7
2.5.4.8
0.9.2342.19200300.100.1.25
2.5.4.6
CertUtil: -CAInfo command completed successfully.
I am getting a CRL error; could this be the issue?



Below is the output of the same command, but on the Root CA server:
C:\Windows\system32>certutil -cainfo
Exit module count: 1
CA name: xxxx-Root-CA
Sanitized CA short name (DS name): xxx-Root-CA
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 1
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert verify status[0]: 0
CRL[0]: 3 -- Valid
CRL Publish Status[0]: 5
CPF_BASE -- 1
CPF_COMPLETE -- 4
Delta CRL Publish Status[0]: 6
CPF_DELTA -- 2
CPF_COMPLETE -- 4
DNS Name: CA01.xxx.net
Advanced Server: 1
CA locale name: en-US
Subject Template OIDs: 1.2.840.113549.1.9.1
2.5.4.3
2.5.4.11
2.5.4.10
2.5.4.7
2.5.4.8
0.9.2342.19200300.100.1.25
2.5.4.6

CertUtil: -CAInfo command completed successfully.


Hello anonymous user,

Thank you for your update.

1. Please try changing the following GPO setting from "Disabled" to "Not Defined", then update the GPO settings on a domain-joined machine to see if it helps.

2. On one domain-joined machine, import the root cert into the Trusted Root Certification Authorities local store and the sub CA cert into the Intermediate Certification Authorities local store, then reopen the MMC to see whether the certs disappear or not.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

EF75 answered:

Hi Daisy,
1. I did create a test GPO and set it to Not Configured; gpupdate didn't publish the certs automatically.
2. I did import the certs to the proposed locations and rebooted the workstation; the certs stay there.
But this is not the solution we are looking for, as it means we would always need to update the GPO whenever these certs get renewed.
Thanks Daisy.


Hello anonymous user,

Thank you for your update.

These two threads discuss a similar question; please refer to them to see if they help.

https://social.technet.microsoft.com/Forums/Lync/en-US/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity

https://social.technet.microsoft.com/Forums/en-US/0026788d-34fe-4647-8e3b-ce5db9ba9a57/root-ca-certificate-not-being-readded-after-it-is-deleted?forum=winserversecurity

If it still does not work, I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.

The following web sites, with more detail on Professional Support options and incident submission methods, are for your reference:

https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers


Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
