Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019).

If the servers providing the revocation list distribution points are located in a Demilitarized Zone (DMZ), for example, or data transfer via Server Message Block (SMB) is not possible for other reasons, the revocation lists can be transferred to the distribution points using SSH Secure Copy (SCP). As of Windows Server 2019, the OpenSSH server and client packages are available. The following describes, as an example, the setup with authentication via public keys (Public Key Authentication) instead of passwords.

Continue reading "Transfer certificate revocation lists to revocation list distribution points using SSH Secure Copy (SCP) with public key authentication (Windows Server 2019)"

Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
    A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Continue reading "Requesting a certificate fails with the error message 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)'"

Required Windows security permissions for the Network Device Enrollment Service (NDES)

If you implement Microsoft's Active Directory Administrative Tiering Model, or apply similar hardening measures to your servers, this has an impact on the NDES components.

Continue reading "Required Windows security permissions for the Network Device Enrollment Service (NDES)"