Re: Enterprise root CA not re-trusted after manually deleted



I'm sorry, but I cannot provide you with an authoritative answer; however, I would like
to share what I think is going on. I would also be quite happy if someone could
correct me if I'm wrong.

As far as I understand, autoenrollment first checks the "CN=Public Key
Services,CN=Services,CN=Configuration naming context" container for the uSNChanged
attribute of certificationAuthority objects. You can check this using Wireshark
or Network Monitor.

The maximum USN returned by the query and the object count are stored in the registry
(AEMaxUSN, AEObjectCount). These values are stored per DC (the DC is identified by its
invocationId attribute). If the query returns a different number of responses
(something got deleted) or uSNChanged differs from AEMaxUSN (a new cert was
published), autoenrollment queries AD for CA certs and installs them.

In general, if you delete a CA certificate from the store, the store will not update
automatically (unless you connect to a domain controller that has a different
update sequence number than the USN stored in the registry, or you publish or delete
CA certs in AD).



Best regards

Martin

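An added example, not Martin's code and not part of the thread: a PowerShell script that checks whether a given enterprise root CA certificate is present in the machine's Trusted Root store, dumps the autoenrollment directory cache described above, compares it with the certificationAuthority objects currently in AD, and, with -Repair, applies the TechNet recipe quoted further down (delete the AEDirectoryCache key, then certutil -pulse / gpupdate /force). The per-DC subkey layout (one subkey per invocationId holding AEMaxUSN and AEObjectCount) is an assumption drawn from Martin's description, not confirmed by the thread, and the CA subject name is a placeholder supplied by the caller.

```powershell
# Added example (not from the thread). Inspect and, optionally, repair the
# autoenrollment root CA distribution state on a domain-joined machine.
#
# Assumptions not confirmed by the thread: AEDirectoryCache holds one subkey per
# DC invocationId with AEMaxUSN / AEObjectCount values; the caller passes the
# CA's subject name; the machine can bind to LDAP://RootDSE.
[CmdletBinding()]
param(
    # Placeholder subject, e.g. 'CN=Example Root CA, DC=example, DC=local'
    [Parameter(Mandatory)] [string] $CaSubjectName,
    [switch] $Repair
)

# Registry key named in the TechNet article quoted in the thread
$cachePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'

function Test-RootCaTrusted {
    param([string] $Subject)
    # Look in the machine Trusted Root store, not the current user's store
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $Subject }
    return [bool] $match
}

function Get-AeDirectoryCache {
    if (-not (Test-Path $cachePath)) { return @() }
    # Assumed layout: one subkey per DC, keyed by invocationId
    Get-ChildItem -Path $cachePath | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            InvocationId  = $_.PSChildName
            AEMaxUSN      = $props.AEMaxUSN
            AEObjectCount = $props.AEObjectCount
        }
    }
}

function Get-AdCaObjectState {
    # Enumerate certificationAuthority objects under Public Key Services and
    # return the highest uSNChanged and the object count, i.e. what autoenrollment
    # compares against AEMaxUSN / AEObjectCount according to Martin's post.
    $rootDse  = [ADSI] 'LDAP://RootDSE'
    $configNc = [string] $rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI] "LDAP://CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter = '(objectClass=certificationAuthority)'
    $searcher.PropertiesToLoad.AddRange(@('cn', 'uSNChanged'))
    $results = $searcher.FindAll()
    $usns = foreach ($r in $results) { [int64] $r.Properties['usnchanged'][0] }
    [pscustomobject]@{
        ObjectCount = $results.Count
        MaxUSN      = ($usns | Measure-Object -Maximum).Maximum
        Names       = @($results | ForEach-Object { $_.Properties['cn'][0] })
    }
}

Write-Host "Trusted Root store contains '$CaSubjectName': $(Test-RootCaTrusted -Subject $CaSubjectName)"
Write-Host 'Cached autoenrollment state (per DC):'
Get-AeDirectoryCache | Format-Table -AutoSize
Write-Host 'certificationAuthority objects currently in AD:'
Get-AdCaObjectState | Format-List

if ($Repair -and -not (Test-RootCaTrusted -Subject $CaSubjectName)) {
    # TechNet recipe: drop the cache so the next pulse treats the directory as
    # changed and downloads the CA certificates again.
    if (Test-Path $cachePath) { Remove-Item -Path $cachePath -Recurse -Force }
    & certutil.exe -pulse | Out-Null
    & gpupdate.exe /force | Out-Null
    Write-Host "After repair, Trusted Root store contains '$CaSubjectName': $(Test-RootCaTrusted -Subject $CaSubjectName)"
}
```

Run it from an elevated prompt; without -Repair it only reports, which is the safer first step when deciding whether a missing root is the cache behaviour described here or something else (for instance a Group Policy that distributes roots differently).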

Ondrej Sevecek wrote:
Thank you, but what I wanted to know is an authoritative confirmation
about a by-design behavior. It is not relevant whether there is the
AEcache or not; I need to know whether one can be sure that the manually
deleted root certs can automatically return or need a manual repair.

o.



"Martin Rublik" <martin.rublik@xxxxxxxxxx> wrote in message
news:uuK%23xaf3JHA.6004@xxxxxxxxxxxxxxxxxxxxxxx
Ondrej Sevecek wrote:
Hello,

when I installed an Enterprise root CA, its certificate has been
automatically installed into all computers' Trusted Root Certification
Authorities.

When I then deleted the certificate manually from a computer's Trusted
Root CAs it never reappeared and the Ent Root CA remained untrusted. Is
that an expected behaviour? I tried to issue GPUPDATE /FORCE and also
CERTUTIL -PULSE but without any effect.

Does it mean that the Enterprise Root CA's cert is installed
automatically only once and never reinstalled if missing?

Thank you very much.

Ondrej.



If root CA certificates are distributed using autoenrollment (meaning you have
a standard enterprise CA install, and you don't use group policy for
distributing CA certs), then the certificates are downloaded only once.

Here is a quote from TechNet
(http://technet.microsoft.com/en-us/library/cc755801(WS.10).aspx):

Autoenrollment automatically downloads root certificates and cross-certificates
from Active Directory whenever a change is detected in the directory or when a
different domain controller is contacted. If a third-party root certificate or
cross-certificate is deleted from the local machine store, autoenrollment will
not download the certificates again until a change occurs in Active Directory or
a new domain controller is contacted.

To manually force a new download, delete the following registry key and all
subordinate keys on all affected machines.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache


So after you delete the specific registry entry, try to issue gpupdate /force or
certutil -pulse and you'll get your certs back.


HTH

Martin

--
Replace nospam with google's mail for e-mail communication

