
Windows Server 2003 ADCS Hotfixes & Known Issues


The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.

 

Change Log – Last Updated July 8, 2015

July 8, 2015 – Added Hotfix/Resolution 283789 regarding capolicy.inf processing.

July 7, 2015 – New format and OS specific pages, added known issue for renewing root CA certificate with shorter lifetime.

 

HotFixes

 

  • http://support.microsoft.com/kb/961515 – The subject name of a computer certificate that is issued by a Windows Server 2003-based server is set to the user principal name (UPN) of the computer account after you apply hotfix 943089

  • http://support.microsoft.com/en-us/kb/283789 – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for End Entity certs using certificate templates where the subject info is built from AD. The Microsoft site appears to have deleted this article, so here is a Wayback Machine archive of the article.

 

Known Issues

  • Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
    When renewing a Root CA’s certificate, the validity period of the new certificate is equivalent to the validity period of the certificate being renewed (since Server 2008). If an alternate validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to reflect a different value for the new certificate. However, ADCS will only use this value if it is equal to or longer than the value of the certificate being renewed. You cannot configure ADCS to renew a Root CA certificate for a lifetime shorter than the previous certificate.
    Fix: Use certutil -sign to sign and specify the desired lifetime of the certificate, add the modified cert to the CA’s computer personal store and associate it with the private key, modify the CA’s registry (CACertHash) and restart the CA.
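
A pre-renewal check for the restriction described in this known issue, as an added example that is not PKI Solutions' or Microsoft's code: it reads RenewalValidityPeriod and RenewalValidityPeriodUnits from a capolicy.inf and reports whether the requested lifetime is at least as long as that of the certificate being renewed. The sample INF, the dates, the function names and the calendar arithmetic are assumptions made for illustration.

```python
import calendar
import configparser
from datetime import datetime, timedelta

# Constructed sample capolicy.inf asking for a 10-year renewal.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
"""

def add_period(start, unit, count):
    """Calendar-aware start + count units (assumed close to ADCS date math)."""
    if unit in ("days", "weeks"):
        return start + timedelta(days=count * (7 if unit == "weeks" else 1))
    total = start.month - 1 + count * (12 if unit == "years" else 1)
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def renewal_request(inf_text):
    """Return (unit, count) from [certsrv_server], or None if not set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(inf_text)
    for name in cp.sections():
        if name.lower() == "certsrv_server":   # INF section names ignore case
            unit = (cp[name].get("RenewalValidityPeriod") or "").strip('" ').lower()
            count = (cp[name].get("RenewalValidityPeriodUnits") or "").strip('" ')
            if unit in ("days", "weeks", "months", "years") and count.isdigit():
                return unit, int(count)
    return None

def check_renewal(inf_text, not_before, not_after):
    """Classify the request against the certificate being renewed."""
    req = renewal_request(inf_text)
    if req is None:
        return "inherits"    # new cert gets the old cert's validity period
    if add_period(not_before, *req) >= not_after:
        return "used"        # equal or longer: ADCS uses the capolicy.inf value
    return "not used"        # shorter than the current cert: value is not used

if __name__ == "__main__":
    print(check_renewal(SAMPLE_INF, datetime(2005, 1, 1), datetime(2025, 1, 1)))
```

A "not used" result means the shorter lifetime has to be applied with the certutil -sign procedure given in the Fix.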
