The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.
Change Log – Last Updated July 8, 2015
July 8, 2015 – Added Hotfix/Resolution 283789 regarding capolicy.inf processing.
July 7, 2015 – New format and OS-specific pages; added a known issue for renewing a root CA certificate with a shorter lifetime.
- http://support.microsoft.com/kb/927169 – Custom extensions in the CAPolicy.inf file do not take effect after you renew the root CA certificate by using a new key
- http://support.microsoft.com/kb/961515 – The subject name of a computer certificate that is issued by a Windows Server 2003-based server is set to the user principal name (UPN) of the computer account after you apply hotfix 943089
- http://support.microsoft.com/kb/922706 – Install this update to resolve an issue with enrolling web certificates against a Windows Server 2003 Certificate Services Web enrollment.
- http://support.microsoft.com/kb/933430 – Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003
- http://support.microsoft.com/kb/872810 – A certificate with a policy extension URL is not accepted by some programs in Windows Server 2003
- http://support.microsoft.com/kb/834389 – Certificate Services ignores the HighSerial registry entry after the first restart in Windows Server 2003
- http://support.microsoft.com/kb/2661254 – Microsoft Security Advisory: Update for minimum certificate key length
- http://support.microsoft.com/kb/2518295 – Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011
- http://support.microsoft.com/en-us/kb/283789 – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article applies to all newer operating systems. The issue is relevant only for end-entity certificates issued from certificate templates where the subject information is built from Active Directory. The Microsoft site appears to have deleted this article, so here is a Wayback Machine archive of the article.
- Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
When renewing a root CA's certificate, the validity period of the new certificate equals the validity period of the certificate being renewed (since Windows Server 2008). If a different validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in CAPolicy.inf to specify a different value for the new certificate. However, AD CS only honors this value if it is equal to or longer than the validity of the certificate being renewed; you cannot configure AD CS to renew a root CA certificate for a lifetime shorter than the previous certificate's.
Fix: Use certutil -sign to re-sign the certificate with the desired lifetime, add the re-signed certificate to the CA's computer Personal store and associate it with the existing private key, update the CA's CACertHash registry value, and restart the CA.
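The fix above as a worked PowerShell sequence; this is an added example, not code from the original page or from Microsoft. It assumes it runs elevated on the root CA itself, that the CA name Contoso-Root-CA is a placeholder for the real one, that the new lifetime is five years, that certutil -sign takes its validity argument in the documented now+days:years form, and that CACertHash stores each hash as space-separated lowercase hex bytes.

```powershell
# Added example, not from the original page. Assumes: run elevated on the
# root CA; the CA name below is a placeholder; the desired lifetime is 5
# years; certutil -sign takes validity as "now+dd:yy" (days:years).
$CaName       = 'Contoso-Root-CA'   # placeholder, use the CA's actual common name
$DesiredYears = 5
$Work         = Join-Path $env:TEMP 'ca-renew'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-CertFromFile([string]$Path) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
}

# 1. Export the CA's current certificate and record when it expires.
certutil -ca.cert "$Work\current.cer" | Out-Null
$current = Get-CertFromFile "$Work\current.cer"
"Current CA certificate expires {0:u}" -f $current.NotAfter

# 2. Re-sign the same certificate with the CA's own key and a shorter lifetime.
#    certutil may prompt to choose the signing certificate; select the CA's own cert.
certutil -sign "$Work\current.cer" "$Work\renewed.cer" "now+0:$DesiredYears"
$renewed = Get-CertFromFile "$Work\renewed.cer"
if ($renewed.NotAfter -ge $current.NotAfter) {
    throw 'Re-signed certificate is not shorter-lived; check the validity argument.'
}

# 3. Import the re-signed certificate into the computer Personal store and
#    re-associate it with the existing private key (the public key is unchanged,
#    so -repairstore locates the matching key container).
certutil -addstore My "$Work\renewed.cer" | Out-Null
certutil -repairstore My $renewed.Thumbprint | Out-Null

# 4. Append the new certificate's hash to CACertHash (REG_MULTI_SZ, one entry
#    per CA certificate; assumed format: space-separated lowercase hex bytes,
#    matching what certutil -getreg CA\CACertHash displays).
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$newHash = ($renewed.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
$hashes  = @((Get-ItemProperty -Path $regPath -Name CACertHash).CACertHash)
if ($hashes -notcontains $newHash) {
    Set-ItemProperty -Path $regPath -Name CACertHash -Value ($hashes + $newHash)
}

# 5. Restart the CA and confirm it now serves the shorter-lived certificate.
Restart-Service CertSvc
certutil -ca.cert "$Work\active.cer" | Out-Null
"Active CA certificate now expires {0:u}" -f (Get-CertFromFile "$Work\active.cer").NotAfter
```

Take a CA backup (certutil -backup or the CA's own backup) before running this, since step 4 edits the CA's registry configuration directly.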