Vadims Podāns 05.06.2019 23:04 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

Raphael, please check the "Initialize enrollment policies" section in part 2. In short, every CEP endpoint is a separate unit and every CEP is processed independently. The fact that both CEP endpoints provide the same templates and the same CAs doesn't mean anything, and any match is considered a coincidence. As a result, the autoenrollment client processes the first CEP and acquires a certificate. The job is done; then the second CEP is queried: a certificate is required, so autoenrollment acquires a certificate from the second CEP.
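The behaviour described above (each CEP endpoint is evaluated on its own, so two endpoints offering the same template can each produce a certificate) is easiest to confirm on a client by listing the CEP endpoints it has been given and then looking for certificates in the machine store that share a template. The following PowerShell is an added example, not code from the original post or its author; it assumes a Windows client with the built-in PKI module (Get-CertificateEnrollmentPolicyServer) and reads only the local machine store.

```powershell
# Added example (not from the original post or its author). Lists the CEP endpoints
# configured for the machine and finds certificates in Cert:\LocalMachine\My that
# were issued from the same template, which is the symptom when autoenrollment
# processes several CEP endpoints independently.
Import-Module PKI -ErrorAction Stop

# 1. Every CEP endpoint the machine knows about (GPO-delivered or local).
#    Autoenrollment walks these one by one; none of them is deduplicated against another.
'--- Enrollment policy (CEP) endpoints, machine context ---'
Get-CertificateEnrollmentPolicyServer -Scope All -Context Machine | Format-List

# 2. The template a certificate came from is recorded in one of two extensions:
#    v1 templates use "Certificate Template Name" (1.3.6.1.4.1.311.20.2),
#    v2+ templates use "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-TemplateTag {
    # Returns a readable template identifier for a certificate, or $null if the
    # certificate carries no template extension (e.g. a manually requested cert).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if ($null -eq $ext) { return $null }
    # Format() decodes either extension form into text such as
    # "Template=Computer(1.3.6.1.4.1.311.21.8....), Major Version Number=..."
    return ($ext.Format($false) -replace '\s+', ' ').Trim()
}

# 3. Group the machine certificates by template and report every template that
#    has more than one live certificate; that is the duplicate Raphael sees.
$dupes = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object {
        $tag = Get-TemplateTag -Cert $_
        if ($tag) {
            [pscustomobject]@{
                Template   = $tag
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    } |
    Group-Object Template |
    Where-Object { $_.Count -gt 1 }

if (-not $dupes) {
    'No template has more than one certificate in the machine store.'
}
foreach ($g in $dupes) {
    "--- Template '$($g.Name)' has $($g.Count) certificates ---"
    $g.Group | Sort-Object NotBefore | Format-Table Issuer, Thumbprint, NotBefore, NotAfter -AutoSize
}
```

If the duplicates show up with NotBefore values a few minutes apart and the same issuer, that matches the sequence in the comment above: the first CEP pass enrolled, the second CEP pass found its own policy unsatisfied and enrolled again. Grouping on the full decoded extension text means two certificates from different minor versions of the same template are reported separately; trim the tag to the `Template=...` token if you want those counted together.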

Raphael 05.06.2019 22:35 (GMT+3) Certificate Autoenrollment in Windows Server 2016 (part 3)

Hi Vadims, while autoenrollment is working fine, I am seeing duplicate certificates being enrolled as soon as I switch from WCCE (Default Policy) to XCEP/WSTEP on CEP/CES.

- two Issuing CAs

- two CEP URIs configured (same weight) on dedicated servers

- on each enrollment server a pair of matching CES pointing back to the CAs

Those duplicate certificates are always issued from the same CA, even if a template is published on both CAs. When putting only one of the CEP endpoints into the GPO, everything works as expected, but then the clients would have only one CEP path to choose from.

Am I missing something, or is this setup of multiple CEP paths in conjunction with autoenrollment not supported?

Many thanks for all your very helpful posts!

Vaclav 05.06.2019 12:31 (GMT+3) Certutil tips and tricks: query cryptographic service providers (CSP and KSP)

Thank you!

Verb 05.06.2019 04:36 (GMT+3) Test web server SSL/TLS protocol support with PowerShell

@helen

Make sure that the installed version of .NET you're running this from is 4.5 or greater. The `SslProtocols` enum in previous versions doesn't have support for TLS 1.1 and above:

See 4.0 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.0
vs. 4.5 Support:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netframework-4.5
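A quick way to rule out the runtime problem described in the comment above is to ask the loaded .NET runtime which `SslProtocols` names it actually exposes before attempting a handshake with each of them. The script below is an added example, not the original post's script nor the commenter's code; `$HostName` and `$Port` are placeholders, and the certificate validation callback deliberately accepts any certificate because the point is protocol negotiation, not trust.

```powershell
# Added example (not from the original post or its author). Shows which SslProtocols
# values the current .NET runtime knows, then probes a server once per protocol.
param(
    [string]$HostName = 'example.com',   # placeholder: point this at a server you own
    [int]$Port = 443
)

# 1. Enumerate the protocol names this runtime exposes. On .NET 4.0 the list is
#    Ssl2/Ssl3/Tls/Default/None; Tls11 and Tls12 only appear from .NET 4.5,
#    Tls13 from .NET Framework 4.8 / .NET Core 3.0.
$known = [Enum]::GetNames([System.Security.Authentication.SslProtocols])
"Runtime $([System.Environment]::Version) knows: $($known -join ', ')"

# 2. Try each protocol we care about. A name the runtime does not know cannot be
#    cast to the enum, so report that instead of a misleading connection failure.
$wanted = 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13'
# Validation callback that accepts any server certificate: we test negotiation, not trust.
$acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

foreach ($name in $wanted) {
    if ($known -notcontains $name) {
        '{0,-6} : not available in this .NET runtime (upgrade .NET before trusting this result)' -f $name
        continue
    }
    $proto  = [System.Security.Authentication.SslProtocols]$name
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Offer exactly one protocol version so the outcome tells us about that version only.
        $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
        '{0,-6} : negotiated {1}, cipher {2}' -f $name, $ssl.SslProtocol, $ssl.CipherAlgorithm
        $ssl.Dispose()
    } catch {
        # Handshake refused by the server (or disabled on the client): report the root cause.
        '{0,-6} : failed - {1}' -f $name, $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
}
```

Run it first with the runtime report alone; if `Tls11`/`Tls12` are missing from the printed list, every later "failed" line for those protocols is a client-side limitation, not evidence about the server. Also note that a protocol the runtime knows can still be disabled by the client's SCHANNEL settings, so a failure should be cross-checked from a second machine before it is attributed to the server.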

Vadims Podāns 05.06.2019 00:34 (GMT+3) Certutil tips and tricks: query cryptographic service providers (CSP and KSP)

For importing a public certificate onto hardware devices (HSM, smart cards), you have to use the software provided with the HSM. I don't know of a way to do this programmatically.