This post does not go into depth on anything; it is a list of useful commands and settings for an Active Directory Certificate Services (AD CS) PKI setup.
If you got anything to add, feel free to leave a comment and I’ll add it to the list as soon as I can.
certutil -pulse – triggers auto-enrollment, including the download of trusted root and intermediate certificates.
To increase verbosity in the Application log during auto-enrollment (handy when troubleshooting), edit the registry:
- Under both HKCU\Software\Microsoft\Cryptography\Autoenrollment and HKLM\Software\Microsoft\Cryptography\Autoenrollment
- create a new DWORD value named AEEventLogLevel with the value 0.
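Putting the two items above together, here is an added PowerShell example (not from the original post) that sets AEEventLogLevel in both hives, triggers an auto-enrollment pass with certutil -pulse and then reads back what the auto-enrollment client logged. It assumes an elevated prompt and that the client logs under the provider name Microsoft-Windows-CertificateServicesClient-AutoEnrollment in the Application log.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
$keys = 'HKCU:\Software\Microsoft\Cryptography\Autoenrollment',
        'HKLM:\Software\Microsoft\Cryptography\Autoenrollment'

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWORD 0 = most verbose; delete the value again once troubleshooting is done
    New-ItemProperty -Path $key -Name 'AEEventLogLevel' -PropertyType DWord -Value 0 -Force | Out-Null
}

$start = Get-Date
certutil -pulse | Out-Null            # kick off the user and machine auto-enrollment pass

# Auto-enrollment runs as a scheduled task, so give it a moment before reading the log
Start-Sleep -Seconds 15
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'   # assumed provider name
    StartTime    = $start
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

If nothing comes back, the pass either has not run yet or the client never reached an enrollment service; in that case the DCOM and firewall checks further down are the next thing to look at.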
certtmpl.msc – the Certificate Templates console; also accessible via the CA console > Certificate Templates > right-click and choose “Manage”.
To make a template available in web enrollment, make sure “Supply in the request” on the “Subject Name” tab of the certificate template is enabled.
The certificate template must also be added to the CA’s Certificate Templates folder after it has been created, otherwise the CA will not issue it.
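Because “Supply in the request” lets the requester choose the subject name, it is worth knowing which templates carry that setting and whether they are actually published on a CA; the template’s Enroll permission is then what decides who can request a certificate for which name. The following is an added PowerShell example, not from the original post, that reads the templates and enrollment services straight from the configuration partition. It assumes a domain-joined machine with read access to the Public Key Services container, and that the “Supply in the request” checkbox corresponds to bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag.

```powershell
# Added example, not part of the original post.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

# Which templates each CA actually offers (the CA's Certificate Templates folder)
$published = @{}
$caSearch  = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
    ([ADSI]"LDAP://CN=Enrollment Services,$pks"), '(objectClass=pKIEnrollmentService)'
foreach ($ca in $caSearch.FindAll()) {
    $caName = $ca.Properties['cn'][0]
    foreach ($t in $ca.Properties['certificatetemplates']) { $published[$t] += @($caName) }
}

# All templates, filtered on the "Supply in the request" flag
$ENROLLEE_SUPPLIES_SUBJECT = 0x1     # assumed bit value of CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
    ([ADSI]"LDAP://CN=Certificate Templates,$pks"), '(objectClass=pKICertificateTemplate)'
$tplSearch.PageSize = 200

foreach ($tpl in $tplSearch.FindAll()) {
    $name      = $tpl.Properties['cn'][0]
    # the attribute is a signed 32-bit value in AD; [int]$null = 0 if it is missing
    $nameFlags = [int]($tpl.Properties['mspki-certificate-name-flag'] | Select-Object -First 1)
    if ($nameFlags -band $ENROLLEE_SUPPLIES_SUBJECT) {
        [pscustomobject]@{
            Template    = $name
            PublishedOn = if ($published.ContainsKey($name)) { $published[$name] -join ', ' }
                          else { '(not published on any CA)' }
        }
    }
}
```

Templates that show up as published here are the ones to review for who holds Enroll on them and whether CA certificate manager approval is required.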
Publish certificates in AD & Remove certificates from AD
certutil -dspublish -f
certutil -dspublish -f MyOfflineRootCA-cert.cer RootCA
certutil -dspublish -f MySubCA-cert.cer SubCA
The -f switch forces an overwrite of an existing object, which comes in handy when importing offline root CA certificates.
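After publishing, you want to see what actually ended up in the AD containers. Here is an added PowerShell example, not from the original post, that enumerates every object under Public Key Services that carries a cACertificate attribute and decodes each value, so you can confirm the root CA landed in “Certification Authorities” and the sub CA in “AIA”, and spot stale copies that should be removed with pkiview.msc. It assumes read access to the configuration partition and that a single-byte cACertificate value is AD’s placeholder for a cleared attribute rather than a certificate.

```powershell
# Added example, not part of the original post.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNc"

$search = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $pks, '(cACertificate=*)'
$search.SearchScope = 'Subtree'
$search.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'cACertificate'))

foreach ($obj in $search.FindAll()) {
    $dn = $obj.Properties['distinguishedname'][0]
    # cACertificate is multi-valued; NTAuthCertificates in particular holds several certs
    foreach ($der in $obj.Properties['cacertificate']) {
        if ($der.Length -le 1) { continue }   # assumed placeholder for an emptied attribute
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        [pscustomobject]@{
            Container  = (($dn -split ',')[1] -replace '^CN=')   # parent container (AIA, Certification Authorities, ...)
            Object     = (($dn -split ',')[0] -replace '^CN=')
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}
```

Compare the thumbprints against the certificates you just published; anything with a different thumbprint for the same CA name, or an expired NotAfter, is a candidate for removal.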
pkiview.msc – view the PKI containers in AD from the issuing CA and remove old or incorrect certificates from the appropriate containers.
Auto-enrollment permission settings
- To get auto-enrollment, the template must have security settings that allow Autoenroll for, for instance, Domain Computers.
- Your CA is a member of the AD group “Cert Publishers”.
- CERTSVC_DCOM_ACCESS is present in the DCOM security limits:
  - Administrative Tools > Component Services (or just dcomcnfg.exe)
  - Default Properties tab > “Enable Distributed COM on this computer” is ticked.
  - Expand Component Services > expand Computers, right-click My Computer > Properties.
  - COM Security tab – Access Permissions (Edit Limits) > the CERTSVC_DCOM_ACCESS group has Allow Local Access and Allow Remote Access permissions.
  - COM Security tab – Launch and Activation Permissions (Edit Limits) > the CERTSVC_DCOM_ACCESS group has been granted Allow Local Activation and Allow Remote Activation permissions.
- The Builtin\Users group on the issuing CA contains NT AUTHORITY\Authenticated Users, NT AUTHORITY\INTERACTIVE and Domain Users.
- The Builtin\Certificate Service DCOM Access group contains “Authenticated Users”.
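The list above is a lot of clicking to verify by hand. The following is an added PowerShell example, not from the original post, that reads the same settings back from the CA: the DCOM enable flag and the machine-wide access/launch limits from HKLM\SOFTWARE\Microsoft\Ole, the two local groups, and the Cert Publishers membership. It assumes an elevated prompt on the issuing CA, that the limits are stored as binary security descriptors in the MachineAccessRestriction and MachineLaunchRestriction values, the Get-LocalGroupMember cmdlet (Windows Server 2016 and later) and, for the Cert Publishers check, the ActiveDirectory RSAT module.

```powershell
# Added example, not part of the original post. Read-only; run elevated on the issuing CA.
$checks = [ordered]@{}

# 1. "Enable Distributed COM on this computer" (Component Services > Default Properties)
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
$checks['DCOM enabled'] = ($ole.EnableDCOM -eq 'Y')

# 2. CERTSVC_DCOM_ACCESS in the machine-wide access and launch/activation limits.
#    Assumed: each limit is a binary security descriptor; if the value is absent the
#    defaults apply and the group is not listed, so that reads as a failure here.
$sid = (New-Object System.Security.Principal.NTAccount('Certificate Service DCOM Access')).Translate(
           [System.Security.Principal.SecurityIdentifier])
foreach ($limit in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
    $bytes   = $ole.$limit
    $present = $false
    if ($bytes) {
        $sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ([byte[]]$bytes), 0
        $present = [bool]($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid })
    }
    $checks["CERTSVC_DCOM_ACCESS in $limit"] = $present
}

# 3. Local group membership on the CA (who may reach the CA over DCOM)
foreach ($group in 'Certificate Service DCOM Access', 'Users') {
    $members = (Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue).Name
    $checks["$group members"] = ($members -join '; ')
}

# 4. CA computer account in the domain's Cert Publishers group
try {
    $pubs = (Get-ADGroupMember -Identity 'Cert Publishers' -ErrorAction Stop).SamAccountName
    $checks['CA in Cert Publishers'] = ($pubs -contains ($env:COMPUTERNAME + '$'))
} catch {
    $checks['CA in Cert Publishers'] = "unknown ($($_.Exception.Message))"
}

$checks
```

A False on the DCOM limits or a missing Authenticated Users in the DCOM Access group is the usual reason clients log access-denied errors during the auto-enrollment pass.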
CertSvc uses RPC (TCP/135) and the dynamic high-port range (49152-65535).
You also want to open HTTP (TCP/80) for CRL access and HTTPS (TCP/443) for web enrollment.
See Service overview and network port requirements for Windows (KB832017).
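To confirm those ports from a client’s point of view, here is an added PowerShell example, not from the original post. It tests the three listed ports against the CA, downloads a CRL over plain HTTP and lets certutil print its validity window. $CaHost and $CrlUrl are placeholders for your own environment; the netsh line at the end is the one to run on the CA itself to confirm its dynamic port range matches the 49152-65535 you opened.

```powershell
# Added example, not part of the original post. Placeholder names, replace with your own.
$CaHost = 'ca01.corp.example'
$CrlUrl = 'http://pki.corp.example/CertEnroll/Corp-Issuing-CA.crl'

$ports = [ordered]@{ 135 = 'RPC endpoint mapper'; 80 = 'HTTP (CRL/AIA)'; 443 = 'HTTPS (web enrollment)' }
foreach ($p in $ports.GetEnumerator()) {
    $ok = (Test-NetConnection -ComputerName $CaHost -Port $p.Key -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-24} TCP/{1,-5} {2}' -f $p.Value, $p.Key, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# The CRL must be downloadable anonymously over HTTP; certutil can decode what came back
$crlFile = Join-Path $env:TEMP 'check.crl'
Invoke-WebRequest -Uri $CrlUrl -OutFile $crlFile -UseBasicParsing
certutil -dump $crlFile | Select-String 'ThisUpdate|NextUpdate'

# On the CA: show the dynamic port range CertSvc's RPC interface will listen in
# netsh int ipv4 show dynamicport tcp
```

If the port tests pass but enrollment still fails, certutil -verify -urlfetch against an issued certificate walks the AIA and CDP URLs the CA publishes and reports which of them the client cannot retrieve.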