AD CES site not working

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
UPDATE: Okay the CES site still isn't working as far as I can tell but my renewals are going through so... don't care as much.

What did I do? The one thing we tell everyone to do and they think we're giving them the business. I restarted the CA. Now to my credit I thought I restarted the CA earlier today, but maybe it was one of the other DCs. Anywho. Just after I post this, about to walk out the door hoping I can forget this until tomorrow before I give work unpaid work... I bounced it again. It comes back. I go to a machine, try to renew, it says... okay. Go to another machine and it already renewed.

GOODNIGHT ALL!

I was debating between here and the OS but I think since it's server it's more here.

I've had issues with the AD Certificate server for a while; I'm just mentioning this because I think all of that is over now. The CA was on a server that got hit and scared by a crypto virus. One of the files in the certificate database was a root certificate but there was no backup of this file. Turns out the file was not needed and finally I got the CA running again. I was able to renew certificates or they auto did so and I let it be. Last year while everyone was at home, I got the idea to toss in the new servers I was going to do later and migrate over while no one was there. Got that done and then got to the DC doing the CA. Looked up stuff and got it moved over. Renewed a couple of certificates and it worked so I left it. Later wanted to make a cert for an in-house web server. Found the SHA-1 to SHA-256 issue, copied the server and tested the upgrade procedure to change providers - finally got that to work. Did it in production last year. Issued the new 256 cert, things in house trusted it. Cool.

I only have one CA, it's on a domain controller, it is server 2019.

The problem: I think even as far back as on the old server the CES site did not work, or failed sometime after the server was scared. I hoped in moving to the new server it would work, or it did and now it doesn't. I think this is my problem. What I need to do is renew the certificates for my other Domain Controllers that do NPS/RADIUS for wireless. When I do, I get the error that the CA can't be found; if I click details/properties and the CA tab, nothing is listed unless I show all, and the provider is greyed out.

I have tried things like certutil -config - -ping and it shows the CA, and I can ping it; I can get to remote shares; I looked in ADSI at configuration\services\public key services\certification authorities and \enrollment services and the provider is listed there. There are however other, older CAs listed there and one that is the server that the provider is on now.


If I go through the motions on the CA itself, it finds it and would be willing to issue a new certificate (which I didn't do). Also I found that the two servers I needed to get renewed today also had been requesting certificates and getting them issued until 3 months ago. These newer issued certificates though are not in the system, but the CA registered issuing them - 1 every day. The CA's cert is in the machines' trusted root store and I see that I have a new cert that I remember issuing probably when I changed providers last year, and now a second new cert on the same day that I didn't really know about.


I was searching all over as I hardly deal with this and there is a lot I don't know, and finally all seems to lead to this. On one of the pages I saw a comment that seemed like an option close to nuclear, but I wanted to try it later, then I closed the page and can't find it anymore. Someone had a similar problem and their CES page wasn't working either. The person advised them to back up the CA, remove it, put it back and restore the backup, then they gave an MS link on doing so. Frightening, but I can do this on a virtual copy.

I could use ideas, even if you think I already checked.
Attachment: renew-error1.PNG
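The post's manual checks (certutil -config - -ping, browsing Public Key Services in ADSI, noticing older CA entries, and NPS/RADIUS renewals failing) can be pulled into one table. The script below is an added example, not code from the post or from Microsoft: it reads the Enrollment Services container from the Configuration partition, pings every published CA with certutil, checks whether each CA certificate is in NTAuthCertificates (required for the DC/NPS certificates to be trusted for authentication), and reports the signature algorithm so a leftover SHA-1 entry stands out. It assumes the RSAT ActiveDirectory module is present, that it runs on a domain member with read access to the Configuration partition, and that Resolve-DnsName is available (Windows 8/2012 or later).

```powershell
# Added example (not from the original post): inventory the AD CS objects the
# poster looked at in ADSI (Configuration > Services > Public Key Services) and
# ping each published CA with certutil, so a stale enrollment entry, an
# unreachable CA, or a CA missing from NTAuth shows up in one table.
# Assumes: RSAT ActiveDirectory module, a domain-joined host, read rights on
# the Configuration partition.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

function ConvertTo-X509 {
    # Turn one raw octet-string value of cACertificate into a certificate object.
    param([byte[]]$Raw)
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Raw)
}

# NTAuthCertificates: a CA must be listed here for certificates it issues to be
# accepted for domain authentication (DC certs, NPS/RADIUS server certs).
$ntAuth = Get-ADObject "CN=NTAuthCertificates,$pks" -Properties cACertificate
$ntAuthThumbs = foreach ($raw in $ntAuth.cACertificate) { (ConvertTo-X509 $raw).Thumbprint }

# Enrollment Services: the CAs clients are offered when they enroll or renew.
# An entry whose host no longer exists is what "older CAs listed there" means.
$enrollment = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter "(objectClass=pKIEnrollmentService)" `
    -Properties dNSHostName, cACertificate, certificateTemplates

$report = foreach ($svc in $enrollment) {
    $config   = "$($svc.dNSHostName)\$($svc.Name)"
    $resolves = [bool](Resolve-DnsName $svc.dNSHostName -ErrorAction SilentlyContinue)

    # certutil -ping talks to the CA's DCOM interface, the same path the MMC
    # renewal wizard uses when it reports that the CA cannot be found.
    $null      = certutil -config $config -ping 2>&1
    $reachable = ($LASTEXITCODE -eq 0)

    foreach ($raw in $svc.cACertificate) {
        $cert = ConvertTo-X509 $raw
        [pscustomobject]@{
            CA        = $config
            DnsOk     = $resolves
            Reachable = $reachable
            SigAlg    = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA vs sha256RSA
            NotAfter  = $cert.NotAfter
            InNTAuth  = ($ntAuthThumbs -contains $cert.Thumbprint)
            Templates = ($svc.certificateTemplates -join ',')
        }
    }
}

$report | Format-Table -AutoSize
```

Read the output as a diagnosis, not a cleanup list: the live CA should show DnsOk and Reachable as True and InNTAuth as True; rows that fail DNS and ping are the stale entries from earlier CAs, and a live CA with InNTAuth False is a plausible reason NPS/RADIUS renewals are refused even though the CA itself is reachable. Leave the stale objects in place until the CA backup/remove/restore decision the post mentions has been made, since deleting them is part of that same procedure.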