CA Certificate CES/CEP not show all certificates in trusted domain

Raul Guchinife 60 Reputation points


I have installed a CA in a domain and I want to publish the certificates of this CA in a trusted domain. To do this, I have installed the CES and CEP services on the CA server.

As the CES and the CA are on the same server I have not created a service user for it.

I have created a custom user certificate in the CA but from the trusted domain it does not see it.

From a computer of the trusted domain I have added the CES UI to make the certificate requests, but the created certificate is not seen when I make the request through the CES UI, however a "user" certificate that is created by default is shown.

In the created certificate, I have given read and enroll permissions to the trusted domain user and in the CA properties in security, read permissions to the same user.

Why I can not see the certificate created and if the default "user" certificate?

Azure Active Directory Domain Services
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,425 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 8,561 Reputation points MVP

    Ensure that template compatibility settings aren't set to higher than Windows Server 2012 R2/Windows 8.1. CEP/CES doesn't support templates with newer compatibility settings.

    In addition, template propagation isn't immediate. Clients cache templates for 8hrs and do not sync with server until cache expires.

    As the CES and the CA are on the same server I have not created a service user for it.

    CEP is pointless without CES. CEP alone isn't sufficient.

1 additional answer

Sort by: Most helpful
  1. Raul Guchinife 60 Reputation points

    It seems that the problem is that the 8h had not passed. Now the template appears.

    I have another doubt, I want to give access to this template only to a group of one of the trusted domains. I add the group to the certificate security (rectura and enroll).

    Do I have to remove the "authenticated users" group from the security of this certificate? I think that by removing this group, the members of the trusted domain group will not see the certificate.