The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.
Change Log – Last Updated January 19, 2017
January 19, 2017 – Added KB 938397 regarding Server 2003 being unable to validate SHA2 certificates
November 7, 2016 – Added RDS Certificate Generation/Renewal Errors
July 7, 2015 – New format and OS specific pages
Certificate-related issues and updates for client and server operating systems. These updates are limited to issues that would affect an organization's internal PKI; general product certificate issues that do not involve interaction with a Microsoft ADCS environment are not included.
- http://support.microsoft.com/kb/938397 – Applications that use the Cryptography API cannot validate an X.509 certificate in Windows Server 2003
- http://support.microsoft.com/kb/968730 – Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption
- http://support.microsoft.com/kb/2520487 – AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/2718646 – Certificate is archived incorrectly when it enters the renewal period on a computer that is running Windows Server 2008 R2
- http://support.microsoft.com/kb/2633205 – Auto-enrollment process for computer certificates fails on a client computer that is running Windows 7 or Windows Server 2008 R2
- http://support.microsoft.com/kb/2078942 – The CertEnroll control does not work in Internet Explorer on a computer that is running Windows 7 or Windows Server 2008 R2
- http://support.microsoft.com/kb/329433 – A Revoked Certificate Is Selected If a Certification Authority in the Chain Has Two Certificates
- http://support.microsoft.com/kb/983557 – Error message when you try to request a certificate in Windows Vista or in Windows Server 2008: “The filename or extension is too long. (0x800700CE)”
- http://support.microsoft.com/kb/956544 – When you enroll a certificate on a computer that is running Windows Vista or that is running Windows Server 2008, you are prompted to insert a smart card even though a smart card is already inserted
- http://support.microsoft.com/kb/955805 – Certain applications become very slow on a Windows Server 2008-based or Windows Vista SP1-based computer when a certificate with the SIA extension is installed
- http://support.microsoft.com/kb/907247 – Description of the Credential Roaming service update for Windows Server 2003 and for Windows XP
- http://support.microsoft.com/kb/2797120 – Name constraint validation fails when a URN is specified in a subject alternative name in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012
- http://support.microsoft.com/kb/2625430 – Private key permissions are reset to the default values if a machine certificate is renewed by the Certificate Autoenrollment feature in Windows 7 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/903930 – After you publish a certificate in Active Directory on a Windows XP-based computer, certificate renewal may leave the Active Directory certificate store empty
- http://support.microsoft.com/kb/2666300 – You cannot use a certificate-based logon method to authenticate requests on a computer that is running Windows Server 2008 R2
- http://support2.microsoft.com/kb/2973337 – SHA512 is disabled in Windows when you use TLS 1.2
- Computers configured to use a CA-issued certificate for Remote Desktop Services generate a new certificate repeatedly
When you define a Group Policy that uses a specific template for certificate enrollment on your RDS servers (or for computer-to-computer Remote Desktop connections) rather than the self-signed certificate, the computer generates a new certificate each time gpupdate is run, a Group Policy processing cycle occurs, or the computer boots. This is due to a bug in the API that detects the certificate template by its template name and its display name.
Fix: Ensure the Template Name and Template Display Name in the template properties are identical.
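An added check (not part of the original page) that lists every certificate template in the forest whose Template Name and Template Display Name differ, so a template that would trigger the renewal loop above can be found before it is assigned to RDS. It assumes the ActiveDirectory module is available and the account can read the Configuration partition; the policy registry value it compares against is an assumption about where the RDS "Server authentication certificate template" setting is stored.

```powershell
# Added example, not from the original page: find templates whose cn (Template Name)
# and displayName (Template Display Name) are not identical.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Templates are stored as pKICertificateTemplate objects; cn is the Template Name.
$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties cn, displayName

# Case-sensitive compare: the client-side lookup the page describes is a name match.
$mismatched = $templates | Where-Object { $_.cn -cne $_.displayName }

if ($mismatched) {
    Write-Host "Templates whose Template Name and Display Name differ:"
    $mismatched |
        Select-Object @{n = 'TemplateName'; e = { $_.cn }}, @{n = 'DisplayName'; e = { $_.displayName }} |
        Format-Table -AutoSize
} else {
    Write-Host "All templates have matching Template Name and Display Name."
}

# Assumption: the RDS GPO setting is written to this value on the target computer.
# If it names a mismatched template, that computer will re-enroll on every policy refresh.
$rdsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdsTemplate = (Get-ItemProperty -Path $rdsPolicyKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
if ($rdsTemplate) {
    if ($mismatched | Where-Object { $_.cn -eq $rdsTemplate -or $_.displayName -eq $rdsTemplate }) {
        Write-Warning "RDS policy on this computer references '$rdsTemplate', whose Name and Display Name differ."
    } else {
        Write-Host "RDS policy on this computer references '$rdsTemplate'; its names match."
    }
}
```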
- Computers configured to use OCSP for revocation checking will stop using OCSP and default to CRLs
The Microsoft Windows OCSP client follows any OCSP extension present in a certificate that is being verified, including locations pushed by Group Policy. However, once Windows has made 50 OCSP requests about certificates from a specific CA key pair, the OCSP client stops sending OCSP queries and downloads the CRL directly. The client continues to use the CRL instead of OCSP until the CRL expires. At that time the client returns to OCSP queries until it again reaches this "magic" number and retrieves the CRL. The value can be adjusted upward but cannot be disabled. It is located at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config\CryptnetCachedOcspSwitchToCrlCount; more details are at http://tinyurl.com/nlamat7
Fix: Adjust this “magic” number to an appropriate value to ensure your OCSP client continues to perform OCSP queries as appropriate in your environment.
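An added script (not part of the original page) that reports the effective CryptnetCachedOcspSwitchToCrlCount value on a client and, only when a new count is supplied, raises it. It is run elevated on the client being tuned; it assumes the value is a REG_DWORD and that an absent value means the built-in default of 50 described above.

```powershell
# Added example, not from the original page: inspect and optionally raise the
# OCSP-to-CRL switch count. Usage: .\Set-OcspSwitchCount.ps1 [-NewCount 500]
param(
    [int]$NewCount
)

$keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$valueName = 'CryptnetCachedOcspSwitchToCrlCount'

# Report the current state. No value means the client uses its default of 50.
$current = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$valueName is not set; the client switches to the CRL after the default of 50 OCSP responses per CA key."
} else {
    Write-Host "$valueName = $($current.$valueName) OCSP responses per CA key before switching to the CRL."
}

# Only change the value when explicitly asked. The switch cannot be turned off,
# so zero or negative counts are rejected rather than written.
if ($PSBoundParameters.ContainsKey('NewCount')) {
    if ($NewCount -lt 1) {
        throw "NewCount must be a positive integer; the OCSP-to-CRL switch cannot be disabled."
    }
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $NewCount -Type DWord
    Write-Host "Set $valueName to $NewCount."
    Write-Host "A CRL already cached for a CA stays in use until it expires; 'certutil -urlcache * delete' clears the cache sooner."
}
```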
- Windows XP computers are unable to enroll for certificates from a Windows 2012+ Certification Authority
When a certificate request is received by a certification authority (CA), encryption of the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT authentication level, as described in the MSDN article Authentication-Level Constants. On a Windows Server 2012 or higher CA, this enhanced security setting is enabled by default, and the CA enforces it on the requests sent to it. This higher security level requires that the packets requesting a certificate be encrypted so that they cannot be intercepted and read.
Fix: To enable these older clients to enroll, run the command "certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST" and restart Certificate Services (CertSvc) to apply the value. This disables the encryption requirement for ALL clients.
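Because the fix above relaxes the encryption requirement for every client, an added read-only check (not part of the original page) that reports whether IF_ENFORCEENCRYPTICERTREQUEST is still set on the CA. It runs on the CA itself and reads the same InterfaceFlags value that certutil -setreg modifies; the bit value 0x200 for this flag is an assumption taken from the CertSrv interface-flag definitions, not from this page.

```powershell
# Added example, not from the original page: report the CA's InterfaceFlags and
# whether encrypted ICertRequest traffic is still being enforced.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The Configuration key's 'Active' value names the CA whose subkey holds InterfaceFlags.
$caName = (Get-ItemProperty -Path $configKey -Name Active).Active
$flags  = [int](Get-ItemProperty -Path "$configKey\$caName" -Name InterfaceFlags).InterfaceFlags

# Assumption: bit value of IF_ENFORCEENCRYPTICERTREQUEST in the CertSrv flag definitions.
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200

Write-Host ("CA '{0}' InterfaceFlags = 0x{1:X} ({1})" -f $caName, $flags)

if ($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) {
    Write-Host "IF_ENFORCEENCRYPTICERTREQUEST is set: enrollment requests must be encrypted (Server 2012+ default)."
} else {
    Write-Warning "IF_ENFORCEENCRYPTICERTREQUEST is clear: unencrypted enrollment requests are accepted from ALL clients, not only legacy ones."
    Write-Host "Re-enable with: certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST, then restart CertSvc."
}
```

The same flags can be viewed without a script via certutil -getreg CA\InterfaceFlags, which lists each set flag by name.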