François 23.01.2020 11:00 (GMT+2) Add multiple Certificate Enrollment Service instances

Thank you, Vadims, for your quick answer!

Perhaps I didn't fully understand this article, but there are screenshots of the IIS console with two CEP applications ("ADPolicyProvider_CEP_UsernamePassword" and "ADPolicyProvider_CEP_Certificate"), for example this one.


Vadims Podāns 22.01.2020 21:03 (GMT+2) Add multiple Certificate Enrollment Service instances

It is correct: you cannot have multiple CEP (policy server) instances on the same server. Only multiple enrollment services (CES) are supported. And this blog post talks about CES, not CEP.

François 22.01.2020 19:55 (GMT+2) Add multiple Certificate Enrollment Service instances

Hello Vadims, here is a doc from Microsoft where it says "Two CEP/CES instances that are configured on one server": https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/certificate-enrollment-certificate-key-based-renewal

As far as I tested it, the PowerShell commands used to configure the second instance of CEP/CES don't work for me (for now): https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/certificate-enrollment-certificate-key-based-renewal#step-1-install-the-cep-and-ces-for-key-based-renewal-on-the-same-server

Here is the error I get:

PS ...> Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -SSLCertThumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"

...
Performing the operation "Install-AdcsEnrollmentPolicyWebService" on target "XXXXXXXX".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Install-AdcsEnrollmentPolicyWebService : Setup could not add this role service because it already exists in the default Web site. Please remove the existing role
service or select a different certification authority (CA) or authentication type. Cannot create a file when that file already exists. 0x800700b7 (WIN32/HTTP: 183
ERROR_ALREADY_EXISTS)

At line:1 char:1
+ Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsEnrollmentPolicyWebService], EnrollmentPolicyServiceSetupException
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CEP.InstallAdcsEnrollmentPolicyWebService


Could you please tell me your opinion about this doc?

Thank you in advance!


For your information:

PS ...> certutil -config "<myCA>" -enrollmentserverurl
Enrollment Server Url[0]:
  Priority 1
  Authentication 4
    UserName -- 4
  AllowRenewalsOnly 0
  https://myServer/...-CA_CES_UsernamePassword/service.svc/CES
  AllowKeyBasedRenewal 0
CertUtil: -enrollmentServerURL command completed successfully.
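The certutil output above is worth reviewing per endpoint (which authentication type each CES instance uses and whether key-based renewal is on), so here is an added example that parses it into objects. This is not code from the blog post or from any commenter; the sample text is constructed from the output quoted in this thread, and the $CaConfig variable for the live variant is an assumed name.

```powershell
# Added example: turn "certutil -config <CA> -enrollmentserverurl" output into objects.
# $sample is constructed from the output quoted in this thread; on a real CA,
# comment it out and use the live command below instead (assumes $CaConfig = 'host\CA name').
$sample = @'
Enrollment Server Url[0]:
  Priority 1
  Authentication 4
    UserName -- 4
  AllowRenewalsOnly 0
  https://myServer/...-CA_CES_UsernamePassword/service.svc/CES
  AllowKeyBasedRenewal 0
CertUtil: -enrollmentServerURL command completed successfully.
'@
$lines = $sample -split "`r?`n"
# $lines = certutil -config $CaConfig -enrollmentserverurl

# Authentication values as certutil prints them for CES endpoints
$authNames = @{ 2 = 'Kerberos'; 4 = 'UsernamePassword'; 8 = 'ClientCertificate' }

$entries = New-Object System.Collections.Generic.List[object]
$current = $null
foreach ($raw in $lines) {
    $line = $raw.Trim()
    if ($line -match '^Enrollment Server Url\[(\d+)\]:$') {
        # A new endpoint block starts; keep a reference so later lines fill it in
        $current = [ordered]@{ Index = [int]$Matches[1]; Priority = $null; Authentication = $null
                               AllowRenewalsOnly = $null; Url = $null; AllowKeyBasedRenewal = $null }
        $entries.Add($current)
    }
    elseif ($null -eq $current) { continue }   # preamble/footer lines outside any block
    elseif ($line -match '^(Priority|Authentication|AllowRenewalsOnly|AllowKeyBasedRenewal) (\d+)$') {
        $current[$Matches[1]] = [int]$Matches[2]
    }
    elseif ($line -match '^https?://') { $current.Url = $line }
}

$report = $entries | ForEach-Object {
    $auth = $_.Authentication
    [pscustomobject]@{
        Index           = $_.Index
        Priority        = $_.Priority
        Authentication  = if ($null -ne $auth -and $authNames.ContainsKey($auth)) { $authNames[$auth] } else { "Unknown($auth)" }
        Url             = $_.Url
        RenewalsOnly    = [bool]$_.AllowRenewalsOnly
        KeyBasedRenewal = [bool]$_.AllowKeyBasedRenewal
    }
}
$report | Format-Table -AutoSize
```

With the sample above the report shows one endpoint using UsernamePassword authentication with both renewal flags off; a second CES instance for certificate authentication would appear as a further Enrollment Server Url[n] block.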


Vadims Podāns 14.01.2020 14:10 (GMT+2) Certificate Policies extension – all you should know (part 2)

Try to delete it:

certutil -oid <OidDisplayName> delete


Consult the help: certutil -oid -?

Rafal 14.01.2020 13:45 (GMT+2) Certificate Policies extension – all you should know (part 2)

By accident I have changed the policy extension name with certutil -oid [number] [policy name]... I can't go back to the old name. Any advice, please?

Now I see at View Object Identifiers:

Policy name    Object Identifier    Policy Type
"bad name"     "number"             Application