151 questions with Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI) tags

1 answer

ADCS Private Key

Hi all, the private key of a Root CA/Subordinate CA can be exported when using a local administrator to do a backup of the CA. I have tried exporting the private key myself; however, there is no Windows event log generated for me to detect when someone is…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-07-02T15:27:18.8433333+00:00
Learning PKI 1 Reputation point
edited an answer 2025-07-02T16:19:48.4333333+00:00
Marcin Policht 51,365 Reputation points MVP Volunteer Moderator
1 answer

Enterprise PKI (pkiview.msc) Not Displaying CDP/AIA Locations – Stuck at Blank Screen

We are facing an issue with pkiview.msc (Enterprise PKI console) on our Intermediate CA (Subordinate Enterprise CA joined to domain). When launching the console, it opens but does not display the CDP (CRL Distribution Point) or AIA (Authority Information…

asked 2025-06-27T14:26:34.43+00:00
Shub 5 Reputation points
edited an answer 2025-07-02T07:51:09.4833333+00:00
Chen Tran 1,190 Reputation points Independent Advisor
1 answer

Microsoft CA High Availability

Hi All, I am working on analyzing the PKI infrastructure for one of our clients. They are having 2 PKI servers in different locations with same PKI Templates published. The clients are getting certificate from both the server simultaneously. As per my…

asked 2025-05-16T19:33:06.1966667+00:00
Sukhwinder Singh 51 Reputation points
answered 2025-05-30T09:01:12.04+00:00
Benjamin Wang 75 Reputation points Microsoft External Staff Moderator
1 answer

Securing PKI (AD CS)

Hello, I was reading an old document about Securing PKI https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11) as well as the built-in security group Cert…

asked 2025-05-28T20:45:21.5966667+00:00
TheNewGuy-0614 60 Reputation points
edited an answer 2025-05-29T11:26:33.18+00:00
Chen Tran 1,190 Reputation points Independent Advisor
0 answers

NDES Server - works with "localhost", but fails to authenticate with FQDN

It's the first time I'm setting up a CA in combination with NDES. I am trying to set up SCEP in JAMF. I've checked the security settings on the template and made sure the template I want to use is in the MSCEP registry entry on the NDES server. I've set…

asked 2025-05-13T07:59:18.3+00:00
Ward Verduyn 0 Reputation points
0 answers

Using USB key to authenticate login

I have registered the USB key at https://www.yubico.com/us/store/ under this portal: https://mysignins.microsoft.com/security-info for my login purposes without issue. Why can't I log in using RDP to my on-premises server? Any help would be greatly…

asked 2025-05-13T02:06:45.2433333+00:00
EnterpriseArchitect 6,061 Reputation points
0 answers

Standalone Subordinate Server not showing in PKIView

I have a root CA and two subordinate CAs, one an Enterprise, the other standalone. The two subordinate CAs are both domain members. When I run PKIView I can only see the Root and Enterprise CAs. I know it's possible to see the other CA as well, because I…

asked 2025-05-08T00:27:48.7333333+00:00
Fraser Simon 0 Reputation points
1 answer One of the answers was accepted by the question author.

We have an expired certificate in the certificate chain for Kerberos, 0x800b0101 (-2146762495 CERT_E_EXPIRED). Can this certificate just be deleted?

We have an expired key that is part of the chain for Domain Controller Authentication and Kerberos Authentication. Can this certificate just be deleted? Thanks

asked 2025-05-06T20:36:45.9733333+00:00
Ron Nahmensen 20 Reputation points
accepted 2025-05-07T13:31:29.22+00:00
Ron Nahmensen 20 Reputation points
2 answers

Can NPS authenticate non-Domain computers via EAP-TLS?

Hi Everyone! I tried to implement NPS to authenticate non-Domain joined computers by using computer certificate to access Cisco Wi-Fi, but failed. My environment: Windows 2019 DC Windows 2019 CA + NPS Cisco WL3504 + AP1832I Windows 10 + Windows 11…

asked 2025-03-31T10:11:48.86+00:00
Alex Wu 0 Reputation points
answered 2025-05-06T18:27:41.8966667+00:00
Jose Hernandez 0 Reputation points
0 answers

CDP Location #2 expired and unable to download while the OCSP server has a bad signing cert

I have inherited an environment where the http location for CDP and AIA are both configured to point to a DNS name that resolves to the same server hosting the OCSP. The certenroll folder on that server is configured properly in IIS and its files are…

asked 2025-04-09T13:36:42.7233333+00:00
jpcapone 1,776 Reputation points
edited the question 2025-04-09T13:41:12.15+00:00
jpcapone 1,776 Reputation points
1 answer

non-Domain joined computers Certificate Enrollment Web Service for certificate key-based renewal

Hi, everyone! I have a problem with non-domain computer certificate auto-renewal. I've done a lot of searching and troubleshooting and it seems I'm stuck. Refer to this kb…

asked 2025-03-31T09:48:39.8433333+00:00
Alex Wu 0 Reputation points
answered 2025-04-01T09:07:07.15+00:00
Anonymous
1 answer

Deploying Multiple ADCS Root CAs in the Same Domain

Hi Everyone and the master of PKI: @Vadims Podāns :) A challenge has arisen regarding Active Directory Certificate Services (ADCS) while transitioning from SHA1 CSP to SHA256 KSP on a Windows Server 2019 Root CA with no subordinate CA. The current…

asked 2025-03-21T16:51:31.8566667+00:00
SenhorDolas 1,326 Reputation points
edited an answer 2025-03-24T03:16:28.3866667+00:00
Anonymous
4 answers

mTLS 0- Schannel Not Requesting Client Cert for LDAPS mTLS on Windows Server 2022

Setup: I have an application running on external machine (machine.test.local) that uses LDAP to authenticate users against a Windows Server 2022 Active Directory Domain Controller (W22Server.test.local) over LDAPS (port 636). I want to secure and…

asked 2025-02-25T17:44:17+00:00
Anonymous
answered 2025-02-27T12:46:59+00:00
Anonymous
7 answers

How to select a new certificate for Windows Admin Center v 2.4?

Want to replace the auto-signed certificate with a new one created and available in the computer's certificate store. How to select a new certificate for Windows Admin Center v 2.4? Thanks.

asked 2025-01-16T07:48:32+00:00
Anonymous
answered 2025-02-25T22:21:06+00:00
Anonymous
1 answer

Impact of KB5052000

Hi, is anyone facing any impact due to MS's latest patch KB5052000, released in Feb 2025? MS didn't mention anything about certificate-based authentication being changed. But in my environment, the CA got changed to another different server, and users are…

asked 2025-02-25T09:07:11+00:00
Anonymous
answered 2025-02-25T13:12:05+00:00
Anonymous
6 answers

KB5014754: Certificate-based authentication changes on Windows domain controllers- KB not found for server 2022 or 2019

Hi Team, This is regarding the update from Microsoft about the article KB5014754: Certificate-based authentication changes on Windows domain controllers.  As per the MS article this update addresses critical security vulnerabilities (CVE-2022-34691,…

asked 2025-01-06T11:00:08+00:00
Anonymous
answered 2025-02-20T19:57:47+00:00
Anonymous
7 answers

CertSrv service 500.19 internal server error.

We have an issue where our certificate server is showing a status 500.19 Internal Server Error. Error code 0x80070003 Cannot read configuration file Config File \?\c:\Windows\system32\CertSrv\en-US\web.config - I see there is no web.config file listed…

asked 2025-02-13T16:03:41+00:00
Anonymous
answered 2025-02-20T15:43:53+00:00
Anonymous
3 answers

Impact or known issues of KB5052000

Hi, is anyone facing any impact due to MS's latest patch KB5052000, released in Feb 2025? MS didn't mention anything about certificate-based authentication being changed to full enforcement after installing this update, or any other related information in the…

asked 2025-02-18T20:10:07+00:00
Anonymous
answered 2025-02-19T07:00:01+00:00
Anonymous
4 answers

KB5014754 Certificate based authentication changes on DC's

In my small environment of less than 100 users, I'm using Windows Server 2022 as domain controllers. These are patched to the January 2025 updates. I do not see the strongcertificatebindingenforcement key in the registry. I would expect that key to show up at…

asked 2025-01-28T18:33:23+00:00
Anonymous
answered 2025-02-14T04:45:10+00:00
Anonymous
1 answer

Military CAC Certs Keep Getting Wiped

I just bought a new HP Omen 17 with Windows 11. Owned for a month and every time it updates it wipes my CAC trusted certs from the directory. I’ve been reinstalling the certs with CertUtil each time but it’s happening on a weekly basis. Is there any way…

asked 2025-02-12T21:48:25+00:00
Anonymous
answered 2025-02-13T08:01:24+00:00
Anonymous