Domain computers do not trust certificates generated from active directory certificate authority

Lotfi BOUCHERIT 91 Reputation points
2020-12-31T10:24:15.74+00:00

Hello,
We have active directory domain running on Windows Server 2016 virtual machines. Where Active Directory Certificate Authority is deployed in a different machine acting as Radius server.
After renewing the root certificate, the new certificate is not automatically deployed or received by computers,
I would like to know, how can we resolve this problem?
Thank you in advance

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,521 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,622 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,849 questions
{count} votes

Accepted answer
  1. SUNOJ KUMAR YELURU 14,466 Reputation points MVP
    2020-12-31T11:08:24.91+00:00

    @LotfiBOUCHERIT-4930

    Server certificate deployment process overview
    **Note-**The details of how to perform these steps are provided in the section Server Certificate Deployment.

    1. The process of configuring server certificate enrollment occurs in these stages:
    2. On WEB1, install the Web Server (IIS) role.
    3. On DC1, create an alias (CNAME) record for your Web server, WEB1.
    4. Configure your Web server to host the CRL from the CA, then publish the CRL and copy the Enterprise Root CA certificate into the new virtual directory.
    5. On the computer where you are planning to install AD CS, assign the computer a static IP address, rename the computer, join the computer to the domain, and then log on to the computer with a user account that is a member of the Domain Admins and Enterprise Admins groups.
    6. On the computer where you are planning to install AD CS, configure the CAPolicy.inf file with settings that are specific to your deployment.
    7. Install the AD CS server role and perform additional configuration of the CA.
    8. Copy the CRL and CA certificate from CA1 to the share on the Web server WEB1.
    9. On the CA, configure a copy of the RAS and IAS Servers certificate template. The CA issues certificates based on a certificate template, so you must configure the template for the server certificate before the CA can issue a certificate.
    10. Configure server certificate autoenrollment in Group Policy. When you configure autoenrollment, all servers that you have specified with Active Directory group memberships automatically receive a server certificate when Group Policy on each server is refreshed. If you add more servers later, they will automatically receive a server certificate, too.
    11. Refresh Group Policy on servers. When Group Policy is refreshed, the servers receive the server certificate, which is based on the template that you configured in the previous step. This certificate is used by the server to prove its identity to client computers and other servers during the authentication process. **Note-**All domain member computers automatically receive the Enterprise Root CA's certificate without the configuration of autoenrollment. This certificate is different than the server certificate that you configure and distribute by using autoenrollment. The CA's certificate is automatically installed in the Trusted Root Certification Authorities certificate store for all domain member computers so that they will trust certificates that are issued by this CA.
      1. Verify that all servers have enrolled a valid server certificate.

    refer below url
    https://www.sysadmins.lv/blog-en/certificate-autoenrollment-in-windows-server-2016-part-2.aspx

    An administrator may force all users to re-enroll for a given template by updating the major version number of the template. When Active Directory is queried during logon for required certificate templates, the version number is examined. If the version number has incremented, the certificate template is considered to be updated and the user must re-enroll for that template.

    To manually force the template version to be updated (thereby forcing re-enrollment): right-click the template and select Reenroll All Certificate Holders
    52527-image.png


    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.