Active Directory Certificate Services
Hi all! I have been doodling with ADCS and found some strange behavior you guys might help me understand: the behavior when publishing Root/Issuer certificates through Active Directory.

2-tier: Root (non AD member), Issuer (AD integrated).

Observed:
certutil -dspublish <rootCertificate> RootCA populates the Certification Authorities container in AD. All AD members are issued this certificate to the local Trusted Root Certification Authorities container. This behavior is expected.

Publishing the Root certificate to the AIA container in AD triggers a download to all domain members into the local "Intermediate Certification Authorities" container. Not expected. I thought that being a member of the NTAuthCertificates container triggered this behaviour and not merely being published in an AIA container.

Test issue: This is easy to reproduce using pkiview.msc (right click the top container and choose Manage AD containers).
1. Verify the certificates published to the AIA container; remove the Root certificate if present.
2. On a local computer launch mmc and add the Certificates snap-in, select Computer. Enter the Trusted Root Certification Authorities container and delete the root certificate for the given chain; enter the Intermediate Certification Authorities container and delete the Root certificate and Issuer certificate.
3. Launch regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment. Delete AEDirectoryCache (the key and all elements).
4. Run certutil -pulse from the command line.
5. Confirm that the deleted certificates are populated again.

Now, if the root certificate is no longer published in the AIA container, the certificate will not appear in the Intermediate Certification Authorities container again. If the Root certificate is published to AIA, repeating the above will see the Root certificate return to the given container.

Is this the expected behavior?

Regards
Morten
July 19th, 2010 3:03pm

This is expected behavior.
- All certificates in the Certification Authorities container are added to the trusted root store.
- All certificates in the AIA container are added to the intermediate CA store.
If you look at the output of certutil -dspublish CertFile RootCA, the certificate is placed into both the Certification Authorities and AIA containers.

Brian
July 19th, 2010 10:01pm
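The mapping Brian describes (Certification Authorities container -> local Trusted Root store, AIA container -> local Intermediate CA store) can be checked from a domain member instead of by hand in mmc. The script below is an added example and is not code from the original thread; it reads the cACertificate attribute of every certificationAuthority object under each AD container, then reports by thumbprint whether that certificate is present in the local machine store the container feeds. It also runs the cache-clear-and-pulse step from Morten's test without deleting anything from the local stores. It assumes a domain-joined machine, an elevated PowerShell 5 or later session, and ordinary read access to the Configuration partition; the function and variable names are mine.

```powershell
# Added example (not from the original thread). Compares what is published in
# the AD "Certification Authorities" and "AIA" containers with what this domain
# member holds in its LocalMachine Root and CA (Intermediate) stores.
# Assumes: domain-joined host, elevated PowerShell 5+, read access to CN=Configuration.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# AD container -> local machine store that autoenrollment replicates it into.
$ContainerToStore = @{
    'Certification Authorities' = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
    'AIA'                       = 'Cert:\LocalMachine\CA'     # Intermediate Certification Authorities
}

function Get-AdPublishedCert {
    # One object per certificate found in the cACertificate attribute of every
    # certificationAuthority object directly under the named container.
    param([Parameter(Mandatory)][string]$Container)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    [void]$searcher.PropertiesToLoad.AddRange(@('cn', 'cACertificate'))

    foreach ($entry in $searcher.FindAll()) {
        # cACertificate is multi-valued; each value is one DER-encoded certificate.
        foreach ($der in $entry.Properties['cacertificate']) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                Container  = $Container
                AdObject   = [string]$entry.Properties['cn'][0]
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Test-LocalStoreSync {
    # For each AD container, report whether each published certificate is
    # present (matched by thumbprint) in the local store it should land in.
    foreach ($container in $ContainerToStore.Keys) {
        $store = $ContainerToStore[$container]
        $localThumbprints = @(Get-ChildItem $store | Select-Object -ExpandProperty Thumbprint)
        foreach ($published in Get-AdPublishedCert -Container $container) {
            [pscustomobject]@{
                Container  = $container
                AdObject   = $published.AdObject
                Subject    = $published.Subject
                Thumbprint = $published.Thumbprint
                LocalStore = $store
                Present    = ($localThumbprints -contains $published.Thumbprint)
            }
        }
    }
}

# Morten's test, minus the manual deletions: drop the autoenrollment directory
# cache, force a pulse, give the asynchronous autoenrollment task time to run,
# then re-check both stores.
$cacheKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'
if (Test-Path $cacheKey) { Remove-Item $cacheKey -Recurse -Force }
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

Test-LocalStoreSync | Format-Table Container, Subject, LocalStore, Present -AutoSize
```

A Root certificate that was published with certutil -dspublish CertFile RootCA shows up twice in the output, once under Certification Authorities with LocalStore Cert:\LocalMachine\Root and once under AIA with LocalStore Cert:\LocalMachine\CA, both Present, which is exactly the double placement Brian points out. A row with Present = False after the pulse means the local store and the AD container have diverged and is worth investigating before trusting the chain on that host.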

Thanks for clearing it up for me Brian, I was under the influence of the strict separation rule: Root certificate in the root store and not in the intermediate store. Guess my logic was a bit off.

Morten
July 19th, 2010 10:23pm
