Hi, I would be interested to know if you got this sorted in the end and whether you found those missing certs. I want to deploy in production for VPN eventually and want to get the topology right. I have done it in the lab and believe I know what I'm doing but your message made me wonder if it was correct. Thanks. Andrew.
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart
Sent: 19 October 2014 23:28
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Windows Certificate Services
Hi Andrew: Hmm, interesting. All three of these servers are on and on the domain at all times. We only have one CA that’s used for everything, again assuming there is no offline CA no one has told me about. We’ve contacted the old admin to find out, so far haven’t heard back. Thanks. Ryan
On Oct 19, 2014, at 12:43 PM, Andrew Hodgson <andrew@hodgsonfamily.org> wrote:
Hi,
If you have a root CA and issuing servers then the root CA is usually not integrated into AD and is known as an offline CA. There should only be a limited number of certs on the root CA, which are then used for the issuing CA. The root CA can be turned off and only used when reissuing certs for the issuing CAs.
Do you have different CAs for different purposes?
Andrew.
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart
Sent: 19 October 2014 18:41
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Windows Certificate Services
Hi Andrew: I don’t know if we’re using an offline CA or not for sure, so far it looks like they just installed them in AD and didn’t worry about an offline CA. Certs are mainly used for our VPN, we don’t use smart cards or anything like that. We have an auto-enrolled computer cert and user cert for each user, and I’ve found three cert servers so far, one root CA (which is why I don’t think there’s an offline CA) and two issuing servers (one of which I ran into by chance as it wasn’t documented to exist anywhere.) If I look in enrolled certificates, one issuing server has about 40 certs, the other 60. Since we have over 2000 devices and a similar number of users, I think I’m missing something as I should be seeing more than that. On a more random note, one thing that really annoys me about the cert console is it appears to show the binary hash of the certificate in the list view. Ugg. Try listening to that, it’s really annoying. And if you turn that column off from the view menu, the list then doesn’t read properly at all for some reason, and that setting isn’t remembered when the console is restarted. Anyone know how to get the MMC console’s view settings to stick? That makes the cert console really difficult to work with. Ryan
On Oct 18, 2014, at 4:08 AM, Andrew Hodgson <andrew@hodgsonfamily.org> wrote:
Hi,
Are you using an offline root cert or did they just install the cert services in AD and let everything rip from there?
What are you using cert services for specifically? I find that certs are quite often cheap these days, and for most of what you want some good wildcard certs are better than investing in a proper cert infrastructure. Of course if using digital certs or smartcards then that is different.
Andrew.
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart
Sent: 18 October 2014 00:33
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] Windows Certificate Services
Thanks Chris, I did read some stuff on the Wiki and it's helped get me started. At this point it's doing a very good job at making me ask questions about our specific environment that no one has the answers to. Ah well. Thanks again. Ryan
On Oct 17, 2014, at 7:40 AM, Christopher McMillan <christophermcmillan@hotmail.com> wrote:
Dear Ryan:
Here is the first site I start with
http://social.technet.microsoft.com/wiki/contents/articles/701.wiki-platforms-portal.aspx
Then I post questions to the following site:
http://technet.microsoft.com/en-us/default.aspx
CHRISTOPHER MCMILLAN CHIEF OPERATING OFFICER, CEEKTECHNOLOGY
980-333-7400(w) | 980-333-7400(m) christophermcmillan@outlook.com @CEEKTechnology www.linkedin.com/in/christophermcmillan/
Microsoft Partner for Accessibility
-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Ryan Shugart
Sent: Friday, October 17, 2014 9:22 AM
To: Blind sysadmins list
Subject: [Blind-sysadmins] Windows Certificate Services
Hi: I was recently handed our existing certificate infrastructure and told that I now manage it. The guy who used to manage it has left the company and didn't really leave any documentation behind so I have no clue how things are set up beyond knowing we have three cert servers in the environment and what they do (on paper.) Anyone out there have some good resources for getting started with the Windows Cert environment and learning how Microsoft organized their UI? It seems simple and all MMC-based, so in theory shouldn't be a big deal, but I'm seeing some odd things, like only 40 issued certificates when I should be seeing over 500, etc. This is all Windows 2012 BTW. Thanks. Ryan
_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
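The two recurring questions in the thread above, whether the root CA is an online enterprise CA or an offline standalone one, and why each issuing CA shows far fewer issued certificates than the number of users and devices would suggest, can both be answered from the forest's AD CS containers and each CA's database rather than by clicking through the MMC console. The script below is an added example written for this page; it is not from any of the list members. It assumes a domain-joined Windows host with certutil.exe, a user permitted to read the Configuration partition and the CA databases, and the standard AD CS container names under CN=Public Key Services. An enterprise CA registers an object under CN=Enrollment Services; a root CA certificate that is published under CN=Certification Authorities but has no Enrollment Services object is a standalone root that does not accept requests, which is what an offline root looks like from the directory's side. Disposition 20 in the CA database means "issued".

```powershell
# Added example (not code from the thread): inventory the CAs published in AD and
# count issued certificates per CA, broken down by template. Assumptions: run on a
# domain-joined host as a user allowed to read the Configuration partition and each
# CA database; certutil.exe is present (it ships with Windows); container names are
# the standard AD CS ones.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# CN=Enrollment Services holds one object per enterprise (AD-integrated, online) CA.
# This is the authoritative list of CAs that accept requests, including any issuing
# CA nobody documented.
$enrollSvcs = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$onlineCAs = foreach ($ca in $enrollSvcs.Children) {
    [pscustomobject]@{
        Name   = [string]$ca.cn
        Host   = [string]$ca.dNSHostName
        Config = "$([string]$ca.dNSHostName)\$([string]$ca.cn)"
    }
}

# CN=Certification Authorities holds root CA certificates published to the forest.
# A root listed here but not in Enrollment Services is a standalone root: it never
# registers as an enrollment service, which is how an offline root appears in AD.
$rootContainer  = [ADSI]"LDAP://CN=Certification Authorities,$pkiBase"
$publishedRoots = foreach ($r in $rootContainer.Children) { [string]$r.cn }

"Root CAs published to the forest:"
foreach ($root in $publishedRoots) {
    $kind = if (@($onlineCAs.Name) -contains $root) {
        "enterprise root (online, AD-integrated)"
    } else {
        "standalone root (not an enrollment service; consistent with an offline root)"
    }
    "  {0,-40} {1}" -f $root, $kind
}

# Query one CA database for every issued certificate (Disposition=20) and return the
# template of each, one string per certificate. certutil's csv output starts with a
# header line and ends with a "CertUtil: ... completed successfully." status line.
function Get-IssuedCertTemplates([string]$Config) {
    $lines = & certutil.exe -config $Config -view -restrict "Disposition=20" `
                 -out "CertificateTemplate" csv 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }   # CA down, wrong name, or access denied
    $lines | Select-Object -Skip 1 |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        ForEach-Object { $_.Trim('"') }
}

# Per-CA counts and a per-template breakdown: autoenrolled computer and user
# certificates should dominate if autoenrollment is really reaching every device.
$total = 0
foreach ($ca in $onlineCAs) {
    $templates = Get-IssuedCertTemplates -Config $ca.Config
    if ($null -eq $templates) {
        "{0}: could not query the CA database (service stopped, wrong name, or access denied)" -f $ca.Config
        continue
    }
    $count  = @($templates).Count
    $total += $count
    "{0}: {1} issued certificate(s)" -f $ca.Config, $count
    @($templates) | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        $name = if ($_.Name) { $_.Name } else { "(no template; manual or legacy request)" }
        "    {0,6}  {1}" -f $_.Count, $name
    }
}
"Total issued across {0} enterprise CA(s): {1}" -f @($onlineCAs).Count, $total
```

Run it once from any domain member and compare the total against the expected number of autoenrolled computer and user certificates; a per-CA figure in the dozens next to thousands of domain members tells you which CA and which template to look at first. Because the CA list comes from the directory rather than from memory or documentation, an undocumented issuing CA shows up here whether or not anyone knew it existed, and a root that is missing from Enrollment Services is exactly the offline-root topology described earlier in the thread.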