157 questions with Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI) tags

0 answers

RDS Connection Broker is not working after Expired SSL Cert and as such I cannot update the SSL Cert

The SSL Certificate for our RDS Server expired. We attempted to apply a new SSL Certificate, but I cannot edit the Deployment Properties, because the RD Connection Broker will not start properly. I think it is related to the License Server having an…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-08-12T10:47:32.6166667+00:00
IT Support 0 Reputation points
edited the question 2025-08-13T01:10:27.0133333+00:00
Kate Pham (WICLOUD CORPORATION) 0 Reputation points Microsoft External Staff Moderator
0 answers

Subordinate CA Key Length

Hi all, After looking through all the public certificates (e.g. DigiCert, GlobalSign), I notice that most of the subordinate CA key lengths are 2048 bits. May I know why nobody is using 4096 bits for subordinate CAs? If I were to use 4096 bits for my internal…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-08-12T16:57:01.4166667+00:00
Learning PKI 1 Reputation point
0 answers

Deploy new AD CS Infra running in parallel with old one - What are the steps ?

Hi, I need to create a new PKI infrastructure using the recommended multi-tier where the Root CA is offline and Issuing CA is joined to the domain. Currently, both are joined to the Domain. I want to have them running in parallel for a while to make sure…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-08-08T08:45:45.3166667+00:00
Moreira, Adonis 0 Reputation points
1 answer

How to mark AD CS Root CA key usage certificate extension critical upon initial configuration

As per RFC 5280, the key usage extension of a CA must be marked critical, however it appears, by default Windows Server 2022 AD CS does not mark it critical and seems to ignore the flag to make it so in the CAPolicy.inf file. This seems like a bug. Does…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-07-31T19:37:27.7866667+00:00
Marcus Serrao 0 Reputation points
edited an answer 2025-08-01T10:46:01.4766667+00:00
Hoang Phan0701 75 Reputation points Independent Advisor
1 answer

Standalone Subordinate Server not showing in PKIView

I have a root CA and two subordinate CAs, one an Enterprise CA and the other standalone. The two subordinate CAs are both domain members. When I run PKIView I can only see the Root and Enterprise CAs. I know it's possible to see the other CA as well, because I…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-08T00:27:48.7333333+00:00
Fraser Simon 0 Reputation points
answered 2025-08-01T10:30:31.7333333+00:00
Hoang Phan0701 75 Reputation points Independent Advisor
1 answer

Cert Base Authentication Using Yubikey

We have manually installed the updated YubiKey Mini driver, and following this installation, we are able to successfully enroll the certificate from the MMC console using the YubiKey and PIN. However, when attempting to connect via Remote Desktop…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-07-30T13:09:47.72+00:00
Vikrant Jain 0 Reputation points
answered 2025-07-30T19:37:24.7933333+00:00
MADY56 40 Reputation points
1 answer

Microsoft CA CRL not showing Current CA Certificate AKI

Hello, We have a situation with our Microsoft CA CRL showing the wrong Authority Key Identifier (AKI) for the current CA certificate. The AKI in the CRL is the SKI for the first CA certificate issued on the CA, which expired 4 years ago. The CRL is…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-07-16T12:51:58.2733333+00:00
Lee Anderson 0 Reputation points
answered 2025-07-19T07:10:52.4066667+00:00
Chen Tran 1,645 Reputation points Independent Advisor
1 answer

ADCS Private Key

Hi all, The Private Key of a Root CA/Subordinate CA can be exported when using a local administrator to do a backup of the CA. I have tried exporting the private key myself; however, there is no Windows event log generated for me to detect when someone is…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-07-02T15:27:18.8433333+00:00
Learning PKI 1 Reputation point
edited an answer 2025-07-02T16:19:48.4333333+00:00
Marcin Policht 53,675 Reputation points MVP Volunteer Moderator
1 answer

Enterprise PKI (pkiview.msc) Not Displaying CDP/AIA Locations – Stuck at Blank Screen

We are facing an issue with pkiview.msc (Enterprise PKI console) on our Intermediate CA (Subordinate Enterprise CA joined to domain). When launching the console, it opens but does not display the CDP (CRL Distribution Point) or AIA (Authority Information…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-06-27T14:26:34.43+00:00
Shub 5 Reputation points
edited an answer 2025-07-02T07:51:09.4833333+00:00
Chen Tran 1,645 Reputation points Independent Advisor
1 answer

Microsoft CA High Availability

Hi All, I am working on analyzing the PKI infrastructure for one of our clients. They have 2 PKI servers in different locations with the same PKI Templates published. The clients are getting certificates from both servers simultaneously. As per my…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-16T19:33:06.1966667+00:00
Sukhwinder Singh 51 Reputation points
answered 2025-05-30T09:01:12.04+00:00
Anonymous
1 answer

Securing PKI (AD CS)

Hello, I was reading an old document about Securing PKI https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11) as well as the built-in security group Cert…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-28T20:45:21.5966667+00:00
TheNewGuy-0614 60 Reputation points
edited an answer 2025-05-29T11:26:33.18+00:00
Chen Tran 1,645 Reputation points Independent Advisor
0 answers

NDES Server - works with "localhost", but fails to authenticate with FQDN

It's the first time I'm setting up a CA in combination with NDES. I am trying to set up SCEP in JAMF. I've checked the security settings on the template and made sure the template I want to use is in the MSCEP registry entry on the NDES server. I've set…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-13T07:59:18.3+00:00
Ward Verduyn 0 Reputation points
4 answers

mTLS - Schannel Not Requesting Client Cert for LDAPS mTLS on Windows Server 2022

Setup: I have an application running on an external machine (machine.test.local) that uses LDAP to authenticate users against a Windows Server 2022 Active Directory Domain Controller (W22Server.test.local) over LDAPS (port 636). I want to secure and…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-02-25T17:44:17+00:00
Anonymous
answered 2025-02-27T12:46:59+00:00
Anonymous
7 answers

How to select a new certificate for Windows Admin Center v 2.4?

Want to replace the auto-signed certificate with a new one created and available in the computer's certificate store. How to select a new certificate for Windows Admin Center v 2.4? Thanks.

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-01-16T07:48:32+00:00
Anonymous
answered 2025-02-25T22:21:06+00:00
Anonymous
1 answer

Deploying Multiple ADCS Root CAs in the Same Domain

Hi Everyone and the master of PKI: @Vadims Podāns :) A challenge has arisen regarding Active Directory Certificate Services (ADCS) while transitioning from SHA1 CSP to SHA256 KSP on a Windows Server 2019 Root CA with no subordinate CA. The current…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-03-21T16:51:31.8566667+00:00
SenhorDolas 1,326 Reputation points
edited an answer 2025-03-24T03:16:28.3866667+00:00
Anonymous
1 answer

non-Domain joined computers Certificate Enrollment Web Service for certificate key-based renewal

Hi, everyone! I have a problem with non-domain computer certificate auto-renewal. I've done a lot of searching and troubleshooting and it seems I'm stuck. Refer to this kb…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-03-31T09:48:39.8433333+00:00
Alex Wu 0 Reputation points
answered 2025-04-01T09:07:07.15+00:00
Anonymous
2 answers

Can NPS authenticate non-Domain computers via EAP-TLS?

Hi Everyone! I tried to implement NPS to authenticate non-Domain joined computers by using a computer certificate to access Cisco Wi-Fi, but failed. My environment: Windows 2019 DC, Windows 2019 CA + NPS, Cisco WL3504 + AP1832I, Windows 10 + Windows 11…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-03-31T10:11:48.86+00:00
Alex Wu 0 Reputation points
answered 2025-05-06T18:27:41.8966667+00:00
Jose Hernandez 0 Reputation points
0 answers

CDP Location #2 expired and unable to download while the OCSP server has a bad signing cert

I have inherited an environment where the http locations for CDP and AIA are both configured to point to a DNS name that resolves to the same server hosting the OCSP. The certenroll folder on that server is configured properly in IIS and its files are…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-04-09T13:36:42.7233333+00:00
jpcapone 1,781 Reputation points
edited the question 2025-04-09T13:41:12.15+00:00
jpcapone 1,781 Reputation points
1 answer One of the answers was accepted by the question author.

We have an expired certificate in the certificate chain for Kerberos, 0x800b0101 (-2146762495 CERT_E_EXPIRED). Can this certificate just be deleted?

We have an expired key that is part of the chain for Domain Controller Authentication and Kerberos Authentication. Can this certificate just be deleted? Thanks

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-06T20:36:45.9733333+00:00
Ron Nahmensen 20 Reputation points
accepted 2025-05-07T13:31:29.22+00:00
Ron Nahmensen 20 Reputation points
0 answers

Using USB key to authenticate login

I have registered the USB key at https://www.yubico.com/us/store/ under this portal: https://mysignins.microsoft.com/security-info for my login purposes without issue. Why can't I log in using RDP to my on-premises server? Any help would be greatly…

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)
asked 2025-05-13T02:06:45.2433333+00:00
EnterpriseArchitect 6,161 Reputation points