
Windows Server 2008 ADCS Hotfixes & Known Issues


Windows Server 2008

The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.


Change Log – Last Updated July 8, 2015

July 8, 2015 – Added Hotfix/Resolution 283789 regarding capolicy.inf processing.

July 7, 2015 – New format and OS-specific pages; added known issue for renewing a root CA certificate with a shorter lifetime.

HotFixes

  • http://support.microsoft.com/kb/942076 – Error message when you visit a Web site that is hosted on IIS 7.0: “HTTP Error 404.11 – URL_DOUBLE_ESCAPED”
    NOTE: This is not strictly an ADCS patch. ADCS resolves the issue when it is installed on the same machine as IIS. However, if you host Delta CRL files on an alternate computer, this will be an issue.

  • http://support.microsoft.com/kb/959193 – Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008

  • http://support.microsoft.com/kb/960549 – Some third-party Online Certificate Status Protocol (OCSP) clients may reject a response from an OCSP responder if this OCSP responder receives a Response Signing certificate from a Windows Server 2008 certification authority

  • http://support.microsoft.com/kb/952722 – The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing

  • http://support.microsoft.com/kb/960809 – The Windows Server 2008 Online Certificate Status Protocol (OCSP) responder does not work with signing certificates that do not use the SHA1 algorithm

  • http://support.microsoft.com/kb/961715 – Active Directory Certificate Services crashes during its startup process when the FIM 2010 Certificate Management Exit Module setting is enabled on Windows Server 2008-based systems

  • http://support.microsoft.com/kb/967696 – The memory usage of the Windows Server 2008 Active Directory Certificate Services (Certsrv.exe) may keep increasing when third-party plug-ins are installed and certificate requests are rejected

  • http://support.microsoft.com/en-us/kb/283789 – The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate
    NOTE: Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for end-entity certificates that use certificate templates where the subject information is built from AD. The Microsoft site appears to have deleted this article, so here is a Wayback Machine archive of the article.

Known Issues

  • Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
    Since Server 2008, when a Root CA’s certificate is renewed, the validity period of the new certificate is equivalent to the validity period of the certificate being renewed. If an alternate validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to specify a different value for the new certificate. However, ADCS will only use this value if it is equal to or longer than the validity period of the certificate being renewed. You cannot configure ADCS to renew a Root CA certificate for a lifetime shorter than that of the previous certificate.
    Fix: Use certutil -sign to sign and specify the desired lifetime of the certificate, add the modified certificate to the CA computer’s Personal store and associate it with the private key, modify the CACertHash value in the CA’s registry, and restart the CA.

  © Copyright 2013-2017 PKI Solutions Inc. // All Rights Reserved