
Secondary Certificate for Domain Controller (NTDS Store)

Question

Thursday, July 9, 2015 2:24 PM

Hi all,

Got a slightly odd query that I'm hoping someone can provide some guidance on relating to the Enterprise CA and Domain Controller certificates...

We need to authenticate to an application server using LDAPS and for that we've set up ADCS using an Enterprise CA. That in turn has done the usual behaviour of auto-enrolling the DCs via the Computer Personal Store.

However we're using an SSO application for Office 365 that also places some certs in the Computer Personal Store so now we have two lots of certificates that could be used.

I'm aware of the NTDS Service Personal Store, however I'm unable to export an auto-enrolled certificate with Private Key (as it's unsupported from what I've read) so can't Import it back in. Also the auto-enrolled certificates are only 1 year, whereas I'd really like something longer to avoid the certificates expiring and needing replacing on a regular basis.

Is it possible (and would there be any side effects by doing so) to create a CSR for the Domain Controller then issuing it using the custom template method that's usually described for Standalone CAs? I'd then end up with:

Computer Personal Store - auto-enrolled certificate (1 year expiry)
NTDS Service Personal Store - custom certificate (longer expiry)

In theory the NTDS Store should override the Computer Store and use the new certificate with longer expiry, although I'm not sure how it would work in practice. It seems to be quite an unusual requirement, so I can't find many similar scenarios elsewhere as guidance.

The main link I've been reading is below, although it does lean towards removing the other certs from the Computer Personal Store (not an option here).

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Any info much appreciated :)

All replies (3)

Thursday, July 9, 2015 2:44 PM ✅Answered

What is your goal here? You indicated that your SSO application already has certificates in place for the DCs in the Computer Store. So, do you even need the auto-enrolled certificates? FYI, the DCs are actually performing an old enrollment process called Automatic Certificate Request Service and will only do the enrollment if the default "Domain Controller" V1 template is on the CA - which it is by default on install. If you take a look at http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx#AD_DS_Certificate_Storage you will see this note:

  1. Automatic certificate enrollment (auto-enrollment) cannot be utilized with certificates in the NTDS\Personal certificate store.

So your only option is going to be to manually enroll for a DC cert, and then export it to the NTDS service store. You will need to manually renew it.

Perhaps there is a way to combine your SSO certificate needs with the DC LDAP/S certificate?

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com


Saturday, July 11, 2015 12:11 AM ✅Answered

AD will use the most specific certificate, so if there is one in its personal store, it will use that one. You as the administrator might be confused to see one in the computer store. So revoke them once the more specific one is in place so you can properly track what is and isn't in use.

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
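A practical way to confirm the behaviour described above (the NTDS\Personal certificate winning over the Computer Personal store) is to list both stores on the DC and then compare them with the certificate the DC actually presents on TCP 636. This is an added example for the thread, not something from the original posts; `dc01.example.com` is a placeholder for your own DC, and the script assumes it runs on that DC with local administrator rights (needed to read the NTDS service store).

```powershell
# Added example: verify which certificate a DC presents for LDAPS.
# Run on the DC itself as a local administrator. Placeholder host name below.
$DomainController = 'dc01.example.com'

# 1. Certificates in the Computer Personal store (where auto-enrollment and the SSO product put theirs)
Write-Host "== LocalMachine\My =="
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Thumbprint, Subject, NotAfter |
    Format-Table -AutoSize

# 2. Certificates in the NTDS service Personal store.
#    The Cert: drive does not expose service stores, so certutil -service is used instead;
#    the thumbprints are pulled out of the "Cert Hash(sha1):" lines of its output.
Write-Host "== NTDS\My =="
$ntdsThumbprints = certutil -service -store NTDS\My |
    Select-String 'Cert Hash\(sha1\):' |
    ForEach-Object { (($_.Line -split ':', 2)[1] -replace '\s', '').ToUpperInvariant() }
$ntdsThumbprints

# 3. Open a TLS session to port 636 and capture the certificate actually offered.
#    The validation callback accepts any chain on purpose: we only want to see the cert, not trust it.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
try {
    $ssl.AuthenticateAsClient($DomainController)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $ssl.Dispose(); $tcp.Dispose()
}

Write-Host "== Presented on 636 =="
$presented | Select-Object Thumbprint, Subject, NotAfter | Format-List

# 4. Report where the presented certificate lives.
if ($ntdsThumbprints -contains $presented.Thumbprint) {
    Write-Host "LDAPS is using the NTDS\My certificate (service store takes precedence)."
}
elseif (Test-Path "Cert:\LocalMachine\My\$($presented.Thumbprint)") {
    Write-Host "LDAPS is using a certificate from LocalMachine\My; nothing usable in NTDS\My."
}
else {
    Write-Host "Presented certificate not found in either store; check other service stores."
}
```

Run it before and after placing the longer-lived certificate in the NTDS store to see the switch, and again after each future manual renewal.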


Friday, July 10, 2015 10:28 AM

Hi Mark,

Thanks for replying. The SSO certificate would work but we may be migrating away from that product in the not too distant future and think it may be better to compartmentalize the use of that certificate so it's only used for the original intended purpose and thus removing the product doesn't have any knock-on effects for unrelated systems.

Would you recommend revoking / disabling the auto-enrollment template for the Domain Controllers, or would it be OK to leave that in place and create the new CSR in addition? Just wondering if there are any issues CA-wise with having two almost identical certificates issued to the same server?

Regards,

Gerrard