Why when I deploy my roots and intermediate CA Certificates to AD do some servers automatically download them and others do not?

Chamby112 1 Reputation point
2020-10-22T14:35:26.24+00:00

I am very confused by the process of publishing Root and Intermediate certificates to AD and how they deploy to servers across an enterprise. When I publish the Root and Intermediate CA certs to the AIA and Certification Authorities Containers in AD, some servers will pull the new certificates into their trust stores and others will not.

When looking for any documentation around this process, I cannot find much. Does anyone out there know the process from beginning to end? Also, does anyone have an idea of why some would pull the certs from AD and others would not?

Thank you to anyone who can shed light on these dark times.


12 answers

  1. Hannah Xiong 6,231 Reputation points
    2020-10-26T08:02:01.037+00:00

    Hello @Chamby112 ,

    You are welcome. Thank you so much for your kind reply.

    If the root CA is an offline root CA (standalone root CA), we should publish the root certificate into AD using the above command. This will then distribute the certificate to the trusted root store of all domain joined clients. If the root CA is joined to the domain, this will eventually happen automatically, but it can take up to 8 hours (default GPO application time).

    No GPO is configured to distribute the root certificate. If we manually deleted the root CA certificate from the local computer store, it would not come back if we updated policies using gpupdate /force or ran certutil -pulse.

    There is a registry key that caches downloaded root CA certificate requests using auto enrollment.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

    To manually force a new download, delete the following registry key and all subordinate keys. It will cause the client to redownload the CA objects from the DC during the next GPO refresh.

    In my test, I deleted the subordinate key and then ran certutil -pulse or gpupdate /force; the deleted Root CA certificate came back.

    For more information, we could refer to:

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb456981(v=technet.10)?redirectedfrom=MSDN#ECAA

    https://social.technet.microsoft.com/Forums/Lync/en-US/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity

    https://social.technet.microsoft.com/Forums/en-US/0026788d-34fe-4647-8e3b-ce5db9ba9a57/root-ca-certificate-not-being-readded-after-it-is-deleted?forum=winserversecurity

    Hope the information is helpful. Thank you so much for your support.

    Best regards,
    Hannah Xiong


  2. Thameur-BOURBITA 32,506 Reputation points
    2020-10-22T22:05:28.03+00:00

    Hi

    You can follow the link below:

    public-key-infrastructure-part-3-implement-pki-active-directory-certificate-services

    Please don't forget to mark this reply as answer if it helps you to fix your issue


  3. Thameur-BOURBITA 32,506 Reputation points
    2020-10-22T23:04:17.147+00:00

    Hi,

    If you have installed enterprise PKI, all member machines will detect the certificate automatically when you restart them or run the following command manually:

    certutil -pulse

    If the client is unable to detect the root certificate automatically, I think it may be a network flow issue.

    Please don't forget to mark this reply as answer if it helps to fix your issue


  4. Chamby112 1 Reputation point
    2020-10-22T23:19:47.297+00:00

    This is where I'm getting to. This is not occurring on all of our systems. The large majority are, but I am seeing some that are not. I am trying to narrow down why they may not be updating on some. Are there instances others have seen where this is an issue? I.e. something disabled on the system, some GPO blocking this, etc.

    I am trying to understand the whole process so I can try and isolate it to something specific, but I cannot find a detailed description of the process end-to-end.


  5. Thameur-BOURBITA 32,506 Reputation points
    2020-10-22T23:25:46.613+00:00

    Try one of the following actions:

    • Check network flow
    • Restart impacted servers and launch the following command: certutil -pulse
    • Rejoin impacted server to domain

    Please don't forget to mark this reply as answer if it helps to fix your issue
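An added diagnostic script, not from any post in this thread, that ties together Hannah Xiong's answer (the AEDirectoryCache key and certutil -pulse) and the checklist above: it reads the CA certificates published in the Certification Authorities and AIA containers of the configuration partition, reports whether each one is present in the local Root or CA store on this machine, shows whether the AEDirectoryCache key exists, and with -Remediate clears it and triggers autoenrollment. It assumes an elevated Windows PowerShell session on a domain-joined machine that can reach a DC over LDAP.

```powershell
# Added diagnostic for the thread above; not code from any poster.
# Assumes: elevated Windows PowerShell on a domain-joined machine with LDAP access to a DC.
param([switch]$Remediate)

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties["configurationNamingContext"].Value
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# AD container -> local machine store it is mirrored into
$containers = [ordered]@{
    "CN=Certification Authorities,$pks" = "Root"   # root CA certs -> Trusted Root
    "CN=AIA,$pks"                       = "CA"     # intermediate CA certs -> Intermediate
}

$results = foreach ($dn in $containers.Keys) {
    $store    = $containers[$dn]
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$dn"
    $searcher.Filter     = "(objectClass=certificationAuthority)"
    $searcher.PropertiesToLoad.Add("cACertificate") | Out-Null

    foreach ($entry in $searcher.FindAll()) {
        # cACertificate is multi-valued; each value is a DER-encoded certificate
        foreach ($der in $entry.Properties["cacertificate"]) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            [pscustomobject]@{
                Container      = $dn.Split(',')[0]
                Subject        = $cert.Subject
                NotAfter       = $cert.NotAfter
                Thumbprint     = $cert.Thumbprint
                LocalStore     = $store
                PresentLocally = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
            }
        }
    }
}
$results | Format-Table -AutoSize

# Cache of CA objects already downloaded by autoenrollment; a stale entry here stops a re-download
$cacheKey = "HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache"
"AEDirectoryCache present: $(Test-Path $cacheKey)"

$missing = @($results | Where-Object { -not $_.PresentLocally })
"Published CA certs missing from local stores: $($missing.Count)"

if ($Remediate -and $missing.Count -gt 0) {
    # Same remediation as the answer above: clear the cache, then trigger autoenrollment now
    Remove-Item $cacheKey -Recurse -Force -ErrorAction SilentlyContinue
    certutil -pulse
}
```

Run it once without -Remediate on a server that picked the certificates up and once on one that did not; a difference in the AEDirectoryCache line or in LDAP reachability usually explains the inconsistency the question describes.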