Pushing out the Policy CA cert to all clients

Chau Le 96 Reputation points
2021-05-24T19:50:49.347+00:00

Hello Gurus

I inherited an MS PKI environment. It goes as follows:

Root CA - in a workgroup
Policy CA - in a workgroup
Issuing CA - part of the domain

The Policy CA cert on client machines is about to expire on 6/26/21. When I go on the Policy CA, I see the cert expiring on 6/26/21, but I also see a cert #3 that has an expiration of 2027.

[screenshot attachment: 99263-image.png]

Clients don't have this 2027 expiration cert. What's the best way to get the clients this cert? Do we have to use GPO?

  1. Daisy Zhou 22,311 Reputation points Microsoft Vendor
    2021-05-25T02:04:05.54+00:00

    Hello @Chau Le ,

    Thank you for posting here.

    Based on "Policy CA cert on client machines is about to expire in 6/26/21", would you please show us which container the Policy CA cert is in on the client machines?

    We can copy the 2027 expiration cert to one domain controller, and run the following command:

    certutil -dspublish -f <the full path of the Policy CA cert>

    Then check whether the 2027 cert appears on the client machines.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou



  2. Chau Le 96 Reputation points
    2021-05-25T23:29:14.1+00:00

    Hi Daisy

    The Policy CA is in the intermediate cert store in all the clients.

    Let me try the command you suggested and report back ASAP!


  3. Chau Le 96 Reputation points
    2021-05-25T23:36:42.253+00:00

    Hi Daisy

    I created a self-signed cert in my lab on my lab DC and placed it on my user profile desktop. When I tried to publish it, this is the error I got.

    First I put the full path with the file name; on the second try I put the full path without the file name.

    PS C:\Windows\system32> certutil -dspublish -f C:\users\chau\Desktop\cert1.cer
    ERROR: Could not find a matching user or computer in Active Directory.
    CertUtil: -dsPublish command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
    CertUtil: Cannot find object or property.

    PS C:\Windows\system32> certutil -dspublish -f C:\users\chau\Desktop
    DecodeFile returned Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    DecodeFile returned Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    Could not load Certificate or CRL from file (Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED))
    CertUtil: -dsPublish command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
    CertUtil: Access is denied.
    PS C:\Windows\system32>


  4. Daisy Zhou 22,311 Reputation points Microsoft Vendor
    2021-05-26T03:50:58.277+00:00

    Hello @Chau Le ,

    Thank you for your update.

    Please create a new folder in C drive (such as C:\folder) and put the certificate in this folder (such as C:\folder\cert1.cer).

    And run the command certutil -dspublish -f C:\folder\cert1.cer to see if it helps.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou



  5. Chau Le 96 Reputation points
    2021-05-26T17:41:19.807+00:00

    Hi Daisy,

    Same error. I created C:\test.

    PS C:\Windows\system32> certutil -dspublish -f C:\test\cert1.cer
    ERROR: Could not find a matching user or computer in Active Directory.
    CertUtil: -dsPublish command FAILED: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
    CertUtil: Cannot find object or property.
    PS C:\Windows\system32>

    What does "Could not find a matching user or computer in Active Directory" mean? What user or computer is it searching for?

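The publishing step from Daisy Zhou's answer, and the error in the last reply, worked through as an added example that is not code from the thread. When no object type follows the file name, certutil infers the target container from the certificate itself; a lab cert from New-SelfSignedCertificate has no Basic Constraints CA=TRUE, so certutil handles it as an end-entity cert and looks for a user or computer object whose certificate it should be, which is the "Could not find a matching user or computer" failure above. Naming the type explicitly (SubCA for an intermediate such as a Policy CA, RootCA for a self-signed root) avoids the inference. The script assumes it runs on a domain controller in Windows PowerShell 5.1 as a member of Enterprise Admins (writes to the Configuration partition), that the RSAT ActiveDirectory module is available, and that the exported Policy CA cert is at the hypothetical path C:\test\PolicyCA.cer.

```powershell
<#
  Added example (not from the thread): publish an offline Policy CA certificate
  to Active Directory with the correct object type, then verify it is in the
  AIA container that domain members copy into their Intermediate CA store.
  Assumptions (hypothetical): domain controller, Enterprise Admins, RSAT
  ActiveDirectory module, Policy CA cert exported to C:\test\PolicyCA.cer.
#>
param(
    [string]$CertPath = 'C:\test\PolicyCA.cer'   # hypothetical path
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Refuse anything that is not a subordinate CA certificate. Without a CA basic
# constraint certutil treats the file as a user/computer cert and searches AD for
# a matching account, which is the error reported in the thread.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CertPath is not a CA certificate (no Basic Constraints CA=TRUE)."
}
if ($cert.Subject -eq $cert.Issuer) {
    throw "$CertPath is self-signed; a root belongs in RootCA, not SubCA."
}
Write-Host ("Publishing {0}`n  thumbprint   {1}`n  valid until  {2}" -f `
    $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

# SubCA writes the cert into CN=AIA,CN=Public Key Services,CN=Services,<Config NC>.
# Autoenrollment on domain members mirrors that container into the
# Intermediate Certification Authorities store (Cert:\LocalMachine\CA), so no
# GPO import is needed. -f lets certutil update the object that already holds
# the expiring cert.
& certutil.exe -dspublish -f $CertPath SubCA
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dspublish failed with exit code $LASTEXITCODE"
}

# Verify by reading the AIA container back and matching on thumbprint rather
# than trusting certutil's exit code alone.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$aia      = "CN=AIA,CN=Public Key Services,CN=Services,$configNC"
$found    = $null
$caObjects = Get-ADObject -SearchBase $aia -SearchScope OneLevel `
    -LDAPFilter '(objectClass=certificationAuthority)' -Properties cACertificate
foreach ($obj in $caObjects) {
    # cACertificate is multi-valued: one DER blob per published CA cert, so the
    # old 2021 cert and the new 2027 cert can coexist on the same object.
    foreach ($der in $obj.cACertificate) {
        $published = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        if ($published.Thumbprint -eq $cert.Thumbprint) { $found = $obj.DistinguishedName }
    }
}
if (-not $found) { throw "Certificate not found under $aia after publishing." }
Write-Host "Published as $found"

# On a domain member, pull the published certs now instead of waiting for the
# next autoenrollment cycle, then confirm the new cert is in the intermediate store:
#   certutil -pulse
#   Get-ChildItem Cert:\LocalMachine\CA | Where-Object Thumbprint -eq '<thumbprint printed above>'
```

If the Root CA's own certificate is also being renewed, publish it separately with `certutil -dspublish -f RootCA.cer RootCA`; that container maps to Trusted Root Certification Authorities on clients. The Policy CA does not need to go into NTAuthCertificates, since only CAs that issue logon certificates belong there. A GPO import (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities) is the fallback for machines where certificate autoenrollment is disabled.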
