I'm sorry but I cannot provide you an authoritative answer, however I would like
to share what I think is going on. I would be also quite happy if someone could
correct me if I'm wrong.
As far as I understand, autoenrollment first checks "CN=Public Key
Services,CN=Services,CN=Configuration naming context" container for uSNChanged
attribute of certificationAuthority objects. You can check this using wireshark
or network monitor.
The maximum USN returned by query and object count is stored in registry
(AEMaxUSN, AEObjectCount). These values are stored per DC (DC is identified by
invocationId attribute). If the query has different number of responses
(something got deleted) or uSNChanged is different from AEMaxUSN (new cert is
published) autoenrollment queries AD for CA certs and installs them.
In general if you delete a CA certificate from store the store will not update
automatically (unless you connect to a domain controller that has different
update sequence number than the USN stored in registry, or you publish or delete
CA certs in AD).
Best regards
Martin
Ondrej Sevecek wrote:
> thank you, but what I wanted to know is an authoritative confirmation
> about a by-design behavior. it is not relevant whether there is the
> AEcache or not, I need to know whether one can be sure that the manually
> deleted root certs can automatically return or need a manual repair.
>
> o.
>
>
>
> "Martin Rublik" <> wrote in message
> news:uuK%...
>> Ondrej Sevecek napisal:
>>> hello,
>>>
>>> when I installed an Enterprise root CA, its certficate has been
>>> automatically installed into all computers' Trusted Root Certification
>>> Authorities.
>>>
>>> When I then deleted the certificate manually from a computer's Trusted
>>> Root CAs it never reappeared and the Ent Root CA remained untrusted. Is
>>> that an expected behaviour? I tried to issue GPUPDATE /FORCE and also
>>> CERTUTIL -PULSE but without any effect.
>>>
>>> Does it mean that the Enterprise Root CA's cert is installed
>>> automatically only once and never reinstalled if missing?
>>>
>>> thank you very much.
>>>
>>> ondrej.
>>>
>>>
>>
>> If root CA certificates are distributed using autonenrollment (meaning
>> you have
>> a standard enterprise CA install, and you don't use group policy for
>> distributing CA certs) then the certificates are downloaded only once.
>>
>> Here is a quote from technet
>> (http://technet.microsoft.com/en-us/l...01(WS.10).aspx)
>>
>> Autoenrollment automatically downloads root certificates and
>> cross-certificates
>> from Active Directory whenever a change is detected in the directory
>> or when a
>> different domain controller is contacted. If a third-party root
>> certificate or
>> cross-certificate is deleted from the local machine store,
>> autoenrollment will
>> not download the certificates again until a change occurs in Active
>> Directory or
>> a new domain controller is contacted.
>>
>> To manually force a new download, delete the following registry key
>> and all
>> subordinate keys on all affected machines.
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography \AutoEnrollment\AEDirectoryCache
>>
>>
>> So after you delete the specific registry entry try to issue gpupdate
>> /force or
>> certutil -pulse and you'll get your certs back.
>>
>>
>> HTH
>>
>> Martin
>>
>> --
>> Replace nospam with google's mail for e-mail communication
>
--
--
Replace nospam with google's mail for e-mail communication
Similar Threads
Linear Mode
