At 16:09, by mistake, instead of choosing install CA, I did request CA certificate; I realised later, but how can I fix it? After realising, I am not getting the option to install CA.
@mohittandon1931 4 months ago
You have excellent presentation skills. Literally speaking, awesome explanation, explaining the smallest of things - so much focus you have. Kindly let me know what you do to maintain so much focus.
@fbifido2 3 years ago
@17:16 - What are the default templates needed for ADCS to operate properly in a Windows Server 2019 & Windows 10 network? Users, Computers, OCSP, Domain Controller, web server, RDP Cert
@leonardolemos1003 2 years ago
On which server should I run the certutil.exe commands (minute 4:00) (root - subordinate or domain controller) ?
@MSFTWebCast 2 years ago
On the member server where you are planning to set up the enterprise subordinate CA. So it may be a member server or a domain controller, as per your setup. I have used a dedicated member server for the enterprise subordinate CA.
@leonardolemos1003 2 years ago
@@MSFTWebCast Thanks for the answer. In my project the server with the CA Subordinate role is independent from the Domain Controller. I have followed all the steps according to your explanation, but when executing the certutil.exe -dsPublish commands, it returns the following error:
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.
@robertjude7880 2 years ago
And in the templates, why am I seeing duplicate templates? All the templates are dual.
@robertjude7880 2 years ago
Why is my Sub CA server certificate showing only 1 year validity... where have I gone wrong?
@GohWenShin0107 2 years ago
Hi, how could I change the DeltaCRL Location http url? Seems like I couldn't change it under the CDP extension, it doesn't take effect... please help me...
@MSFTWebCast 2 years ago
Go to CA properties. Click the Extensions tab. Make sure that Select extension is set to CRL Distribution Point (CDP). From the Specify locations, add or remove the locations.
@GohWenShin0107 2 years ago
@@MSFTWebCast Yes, I did that but it doesn't help. At first, I followed your guide to set to www. but the status of AIA, CDP and DeltaCRL still showed "Unable To Download" even after enabling "Directory Browsing" on IIS. Then I changed the to FQDN of the Subordinate CA server, the status of AIA and CDP changed to "OK", but DeltaCRL is still "Unable To Download" and the URL is still showing the old that I set, which is "www.". Any other ways to change it? I have already tried a few times remove and add but still doesn't work on DeltaCRL...
@paultt66 4 years ago
I ended up getting the AIA location in PKIview as the same location as the CDP. The entire URL with the .crl not the .crt. Not sure what happened.
@Manu--wc9yq 1 year ago
Does anyone have the problem that, once you install the subordinate CA, the LDAP is still appearing as Unable to download? In ADSIedit, the respective Enterprise CA CRLs and CDPs appear, but it does not update in PKIview. Do you have any idea?
@ianwillis5292 7 months ago
Did you ever figure this out? I'm seeing the same thing right now.
@gertthoonen7101 2 years ago
Hi, my CDP and AIA not updating. If I look in pkiview and copy the URL, I can reach the URL but my files are not there :-( If I copy the generated files from C:\Windows\System32\certsrv\CertEnroll to the URL directory then it is all ok. I miss something in writing to the folder, I gave full control to "cert publisher". Please Help?
@gertthoonen7101 2 years ago
Anyone???
@gauravkadam7964 4 years ago
You are great, man, this video helped me a lot. Thanks.
@swatisharma7691 2 years ago
What will happen if LoadDefaultTemplates=0 in CAPolicy.inf? Will the default templates be visible on the Enterprise CA?
@MSFTWebCast 2 years ago
Yes, setting LoadDefaultTemplates=0 prevents the default templates from being added to the Enterprise CA. By default the value is 1, so the default templates are added automatically.
@lahirunimnajith3519 1 year ago
thank you brother
@alexey256 3 years ago
Could you please post here the commands from your notepad?
@MSFTWebCast 3 years ago
Here you go:

Notepad C:\Windows\CAPolicy.inf

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0

Save the file.

certutil.exe -dsPublish -f "C:\NameofCert with .crt" RootCA
certutil.exe -dsPublish -f "C:\NameofCert with .crl" RootCA
certutil.exe -addstore -f root "C:\NameofCert with .crt"
certutil.exe -addstore -f root "C:\NameofCert with .crl"
@zephteo6029 2 years ago
@@MSFTWebCast Hello there, love the video and the walkthrough. I would like to ask you how you know what OID to use?
@MSFTWebCast 2 years ago
@@zephteo6029 The OID (Object ID) I used in this example is the Microsoft OID. You can get your own OID via PEN registration on IANA.
@justjonvlogs9178 2 years ago
Where's the file to copy paste?
@MSFTWebCast 2 years ago
Sorry. Here is the text.

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID=1.2.3.4.1455.67.89.5
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
LoadDefaultTemplates=0
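Added example (not from the video author or any commenter): a small Python check for a CAPolicy.inf like the one posted above, since text pasted from a web page can pick up typographic quotes or lose the line break before a section header. The function name, the accepted Signature form and the sample strings are assumptions constructed for this example.

```python
import re

# Keys from the [Certsrv_Server] section of the CAPolicy.inf posted in this thread.
EXPECTED_KEYS = {"RenewalKeyLength", "RenewalValidityPeriod",
                 "RenewalValidityPeriodUnits", "LoadDefaultTemplates"}
SMART_QUOTES = "\u201c\u201d\u2018\u2019"

def lint_capolicy(text):
    """Return (settings, problems) for the text of a CAPolicy.inf file."""
    settings, problems, section = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if any(q in line for q in SMART_QUOTES):
            problems.append(f'line {n}: typographic quote, use a plain " instead')
        header = re.fullmatch(r"\[([^\[\]]+)\]", line)
        if header:
            section = header.group(1)
            settings.setdefault(section, {})
        elif "[" in line or "]" in line:
            problems.append(f"line {n}: section header fused with other text")
        elif section is None or "=" not in line:
            problems.append(f"line {n}: expected key=value inside a section")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[section][key] = value
    # Assumption: accept only the quoted Signature form shown in the thread.
    if settings.get("Version", {}).get("Signature", "").lower() != '"$windows nt$"':
        problems.append('[Version] Signature should be "$Windows NT$" in straight quotes')
    missing = EXPECTED_KEYS - set(settings.get("Certsrv_Server", {}))
    if missing:
        problems.append("[Certsrv_Server] is missing: " + ", ".join(sorted(missing)))
    return settings, problems

# Constructed samples: a clean file, then the same text damaged by copy-paste.
CLEAN = "\n".join([
    '[Version]', 'Signature="$Windows NT$"',
    '[PolicyStatementExtension]', 'Policies=InternalPolicy',
    '[InternalPolicy]', 'OID=1.2.3.4.1455.67.89.5',
    '[Certsrv_Server]', 'RenewalKeyLength=4096', 'RenewalValidityPeriod=Years',
    'RenewalValidityPeriodUnits=10', 'LoadDefaultTemplates=0'])
DAMAGED = CLEAN.replace('"$Windows NT$"', "\u201d$Windows NT$\u201d").replace(
    "Policies=InternalPolicy\n[InternalPolicy]", "Policies=InternalPolicy[InternalPolicy]")

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("damaged", DAMAGED)):
        print(name, lint_capolicy(sample)[1])
```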
@rohithsaran6749 4 years ago
You didn't show how to install the AD certificate server role on the member server. Do we need to install it? If we didn't install it, we won't be able to execute commands on PS with certutil.
@ahmedsaad-lk2og 2 years ago
okk
@ArifMuradl 1 year ago
amazing. I understand nothing ))))
@MSFTWebCast 1 year ago
Try again.
@ArifMuradl 1 year ago
@@MSFTWebCast just a joke bro. Thank you for the video