If you want to carry out maintenance work such as a migration to another server, or make more extensive configuration changes that require a functional test of a certification authority, you want the certification authority service to keep running, but at the same time prevent certificates from being automatically requested from and issued by the certification authority during this phase.
This state can be achieved relatively easily by removing the right of users to request certificates from the certification authority.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules in order to realize secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
By default, the security options of the certification authority contain an entry for "Authenticated Users" (which includes all users in the Active Directory forest) with the "Request Certificates" permission.
To achieve a maintenance mode, it is sufficient to temporarily remove this entry. This is done via the Certification Authority management console (certsrv.msc). The security options of the certification authority can be accessed by right-clicking on the certification authority and selecting "Properties".
For a functional test, the accounts with which the tests are performed should be granted the "Request Certificates" right here manually as a transitional measure.
The settings are effective directly and without restarting the certification authority service.
A particularly practical aspect of this procedure is that the permissions configured here are also transferred to the pKIEnrollmentService object in Active Directory. Clients therefore automatically know that they cannot request certificates from the certification authority and therefore do not make any certificate requests during maintenance mode.
However, this circumstance can also lead to undesirable side effects. If, for example, during the migration of a certification authority to another server you first back up the certification authority's registry and only then switch to maintenance mode, the pKIEnrollmentService object is not updated correctly after the registry has been restored on the new server. It is therefore essential to follow the correct sequence in this case.
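The following PowerShell script is an added verification check, not part of the original article: it reads the permission both from the certification authority's own registry security descriptor (what certsrv.msc edits) and from the pKIEnrollmentService object in Active Directory (what clients consult), reports whether "Authenticated Users" can still enroll on either side, and flags the mismatch described above. It assumes it runs on the CA server with the ActiveDirectory module installed, and uses the CA_ACCESS_ENROLL bit (0x200) from certadm.h and the Certificate-Enrollment extended-right GUID.

```powershell
# Added example (not from the original article). Assumptions: run on the CA server with
# rights to read the CertSvc registry keys, ActiveDirectory module available.
$AuthUsers  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$EnrollMask = 0x200                                           # CA_ACCESS_ENROLL (certadm.h)
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right

# 1. CA side: the security descriptor the CA service itself evaluates.
$cfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty $cfgKey).Active                  # name of the active CA instance
$sdBytes = (Get-ItemProperty "$cfgKey\$caName").Security      # REG_BINARY security descriptor
$rawSd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sdBytes, 0)
$localEnroll = [bool]($rawSd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.QualifiedAce] -and
    $_.AceType -eq 'AccessAllowed' -and
    $_.SecurityIdentifier -eq $AuthUsers -and
    ($_.AccessMask -band $EnrollMask) -ne 0 })

# 2. AD side: the pKIEnrollmentService object that clients read before enrolling.
$base = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$svc  = Get-ADObject -SearchBase $base -Properties nTSecurityDescriptor `
        -Filter "objectClass -eq 'pKIEnrollmentService' -and cn -eq '$caName'"
$rules = $svc.nTSecurityDescriptor.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
$adEnroll = [bool]($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -eq $AuthUsers -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty) })   # all extended rights also covers Enroll

# 3. Report: maintenance mode only holds when neither side grants Enroll; a mismatch
#    indicates the registry-restore side effect described in the article.
[pscustomobject]@{
    CertificationAuthority         = $caName
    AuthenticatedUsersCanEnroll_CA = $localEnroll
    AuthenticatedUsersCanEnroll_AD = $adEnroll
    MaintenanceMode                = (-not $localEnroll) -and (-not $adEnroll)
    RegistryAndADMismatch          = ($localEnroll -ne $adEnroll)
}
```

Run it once after removing the entry and again after a migration; if RegistryAndADMismatch is true, reapply the security settings in certsrv.msc so the pKIEnrollmentService object is rewritten.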
Related links:
- Migration of an Active Directory integrated certification authority (Enterprise Certification Authority) to a new server
- Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
7 thoughts on "Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode"