Marcel 07.10.2021 14:57 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 2)


I do have a question regarding auto-enrollment. Does the client only use LDAP (389) for retrieving the needed PKI information from AD?

- Is LDAPS possible?

- If a child domain exists and the PKI is placed above the client domain, will the client always get information from its own domain, or will the client be sent to the domain controller where the CA is located?

Vadims Podāns
Vadims Podāns 06.10.2021 15:12 (GMT+3) Introducing to certificate enrollment APIs (part 4) — domain certificate enrollment

You cannot modify any property once the Encode or InitializeDecode methods are called. Why this happens: the CSR is digitally signed, therefore you cannot alter it in any way, because you would break the signature. What you can try is to embed the signed request in a CMC and try to set the subject again. You will have to re-sign the entire request with an Enrollment Agent certificate.
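The re-signing step described above, as an added PowerShell example that is not part of the original reply or of the site's own scripts. It decodes an externally generated PKCS#10, shows that the decoded object is immutable (the same put_Subject failure as in the question), verifies the requester's signature on the untouched inner request, wraps it in a CMC signed by the RA's Enrollment Agent certificate and submits it to a CA. The request file path, the CA config string and the override DN are assumptions; the CMC layer has no Subject property of its own, so the issued subject is still taken from the inner request and the override itself is left to whatever the CA's policy module honours.

```powershell
# Added example (not from the original post). Assumptions: C:\temp\client.req holds a
# Base64 PKCS#10 with -----BEGIN/END----- headers, the RA's Enrollment Agent certificate
# (with private key) is in the current user's Personal store, and $caConfig names the CA.
$p10Pem   = Get-Content -Path 'C:\temp\client.req' -Raw        # assumed path
$caConfig = 'ca01.corp.example\Corp Issuing CA'                # assumed "host\CA name"

# CertEnroll EncodingType values
$XCN_CRYPT_STRING_BASE64HEADER = 0
$XCN_CRYPT_STRING_BASE64       = 1

# 1. Decode the incoming request. After InitializeDecode the object is read-only:
#    the request body is covered by the requester's signature.
$pkcs10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$pkcs10.InitializeDecode($p10Pem, $XCN_CRYPT_STRING_BASE64HEADER)
Write-Host "Inner request subject: $($pkcs10.Subject.Name)"

# Pkcs10AllowedSignatureTypes: 1 = AllowedKeySignature. Throws if the CSR was tampered with.
$pkcs10.CheckSignature(1)
Write-Host 'Inner PKCS#10 signature verifies'

# Attempting to set the subject fails with 0x80071779 (ERROR_FILE_READ_ONLY), as in the question.
$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode('CN=override.corp.example, O=Corp', 0)              # assumed DN; 0 = XCN_CERT_NAME_STR_NONE
try {
    $pkcs10.Subject = $dn
} catch {
    Write-Host "put_Subject rejected as expected: $($_.Exception.Message)"
}

# 2. Pick the Enrollment Agent certificate (EKU 1.3.6.1.4.1.311.20.2.1) that has a private key.
$eaCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' } |
    Select-Object -First 1
if (-not $eaCert) { throw 'No Enrollment Agent certificate with a private key found' }

$signer = New-Object -ComObject X509Enrollment.CSignerCertificate
# Initialize(MachineContext, VerifyType, Encoding, Certificate); VerifyType 0 = VerifyNone
$signer.Initialize($false, 0, $XCN_CRYPT_STRING_BASE64, [Convert]::ToBase64String($eaCert.RawData))

# 3. Wrap the untouched PKCS#10 in a CMC and sign the outer layer with the EA certificate.
#    The inner signature stays the requester's; only the CMC envelope is ours to sign.
$cmc = New-Object -ComObject X509Enrollment.CX509CertificateRequestCmc
$cmc.InitializeFromInnerRequest($pkcs10)
$cmc.SignerCertificate = $signer
$cmc.Encode()

# 4. Submit the CMC to the CA. Flags: 0x1 = CR_IN_BASE64 (format detected automatically).
$certRequest = New-Object -ComObject CertificateAuthority.Request
$disposition = $certRequest.Submit(0x1, $cmc.RawData($XCN_CRYPT_STRING_BASE64), '', $caConfig)

switch ($disposition) {
    3       { Write-Host 'Issued'; $certRequest.GetCertificate(0) }   # CR_DISP_ISSUED, 0 = CR_OUT_BASE64HEADER
    5       { Write-Host "Pending, request ID $($certRequest.GetRequestId())" }  # CR_DISP_UNDER_SUBMISSION
    default { throw "Request not issued (disposition $disposition): $($certRequest.GetDispositionMessage())" }
}
```

The CA will only accept the outer signature if the target template requires an Enrollment Agent signature (issuance requirements) and the EA certificate is allowed by the CA's enrollment agent restrictions; if the template's subject is built from Active Directory rather than supplied in the request, the inner subject is ignored regardless of what the RA does.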

Kjetil Bustnes
Kjetil Bustnes 06.10.2021 14:27 (GMT+3) Introducing to certificate enrollment APIs (part 4) — domain certificate enrollment

Hi Vadim,

Initially I want to thank you for a very useful site!

We are working on an RA to issue certificates based on existing PKCS#10s. Using the information I have found on your site I've been able to create a script which will take the PKCS#10, create a request and get a certificate. We want to be able to override the subject provided in the PKCS#10; however, I'm not able to set the Subject. The following snippet shows my attempt:

$PKCS10 = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
# $p10 holds the incoming Base64 PKCS#10 with -----BEGIN/END----- headers
$PKCS10.InitializeDecode($p10, 0x0) # XCN_CRYPT_STRING_BASE64HEADER

# Replacement subject (would still need $dn.Encode("CN=...", 0x0) before use)
$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$PKCS10.Subject = $dn

This results in the following error:
CertEnroll::CX509CertificateRequestPkcs10::put_Subject: The specified file is read only. 0x80071779 (WIN32: 6009 ERROR_FILE_READ_ONLY)
At C:\temp\get-request.ps1:103 char:1
+ $CertRequest.Request.GetInnerRequest(0).Subject = $dn
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException


Do you have any suggestions as to why this happening and what can be done to get this to work?

With regards

Kjetil R Bustnes


Dennis 03.10.2021 18:07 (GMT+3) Database log files are not truncated when you perform a full Certification Authority database backup.

When I run this command, the checkpoint file is older than the full backup file. Why is this the case and what does it mean?

Vadims Podāns
Vadims Podāns 29.09.2021 18:00 (GMT+3) Retrieve timestamp attribute from digital signature

> signtool.exe still shows correct timestamp in that case, but I cannot find that info in the SignedCms-data.

Interesting, how can it show the timestamp if the signature is not counter-signed by a TSA?