Certificate Authority deletes its own computer certificate
Situation:=================
- Our Certificate Authority deletes its own computer certificate every day, so the computer certificate has to be renewed daily or WPA wireless security authentication fails.
Analysis:=================
The certificates are being archived for an unknown reason. A possible cause is an incorrect certificate template.
Solution:=================
1. On CA, create a duplicate of the "RAS and IAS Server certificate template". Type RAS and IAS Server Authentication into the Template display name field on the General tab of the new template's properties.
2. On the Extensions tab, ensure that the application policies only include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
3. Also on the Extensions tab, edit the Issuance policies and add the Medium Assurance policy.
4. On the Subject Name tab, select Build from this Active Directory information. Also, ensure that Subject name format is set to Common name and that only DNS name is selected under Include this information in subject alternative name.
5. On the Request Handling tab, click the CSPs button, ensure that Request must use one of the following CSPs is selected, and that only the Microsoft RSA SChannel Cryptographic Provider is selected.
6. On the Security tab, add the AutoEnroll RAS and IAS Server Authentication Certificate security group with Read, Enroll, and Autoenroll permissions.
7. Add certificate templates to the CA.
8. From the Certification Authority MMC snap-in, right-click the Certificate Templates folder, select New and then Certificate Template to Issue. Select the following certificates, and then click OK.
"RAS and IAS Server Authentication"
9. Log on to the IAS server as a member of the local Administrators group.
10. Open the MMC, and then add the Certificates snap-in. When prompted, select the Computer account option, and then select Local Computer.
11. Select Certificates (Local Computer) from the console tree, select All Tasks from the Action menu, and then click Automatically Enroll Certificates.
These steps assume the following Group Policy setting has already been applied to the IAS server:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Autoenrollment Settings object.
In its Properties, select "Renew expired certificates, update pending certificates, and remove revoked certificates".
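One way to check the result on the IAS server after autoenrollment, as an added PowerShell example that is not part of the original post: it opens the Local Computer Personal store with archived certificates included and reports, for each certificate, whether it is archived and whether its only application policy is Server Authentication (OID 1.3.6.1.5.5.7.3.1). Run it from an elevated prompt; the variable names are illustrative.

```powershell
# Added example: audit computer certificates on the IAS server, archived ones included.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as set in step 2

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
# Archived certificates are hidden unless the store is opened with IncludeArchived.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store.Open($flags)

try {
    $report = foreach ($cert in $store.Certificates) {
        # Collect the application policy (EKU) OIDs carried by this certificate.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        # Subject Alternative Name extension (OID 2.5.29.17); step 4 expects a DNS name only.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            Archived       = $cert.Archived
            OnlyServerAuth = ($ekuOids.Count -eq 1 -and $ekuOids[0] -eq $serverAuthOid)
            SAN            = if ($sanExt) { $sanExt.Format($false) } else { '' }
        }
    }
}
finally {
    $store.Close()
}

# Newest first: a fresh certificate showing Archived = True points at the daily archiving problem.
$report | Sort-Object NotBefore -Descending | Format-List
```

Running it on consecutive days shows whether the certificate issued from the new template stays with Archived = False.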