Configuring the certificate authority to a static port (RPC endpoint)

In the default configuration, the certificate authority's certificate request interface is configured to negotiate dynamic ports for the incoming RPC/DCOM connections (for more details, see the article "Firewall rules required for Active Directory Certificate Services„).

Network protocolDestination portProtocol
TCP135RPC Endpoint Mapper
TCP49152-65535RPC dynamic ports

This configuration is not feasible in every enterprise environment. Often there are restrictive firewall rules that do not allow the use of dynamic network ports.

In such a case, the certificate authority must be configured to a static port.


Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

Configuration is done through the Component Services Management Console (dcomcnfg.msc).

In the console, navigate to "Component Services" - "Computers" - "My Computer" - "DCOM Config". Look there for the entry "CertSrv Request". It is edited by right-clicking and then selecting "Properties".

In the "Endpoints" tab, click on "Add..." to add a new endpoint.

Here you select the option "Use static endpoint" and assign a network port.

For the settings to take effect, the Certification Authority service must be restarted.

Related links:

One thought on “Konfigurieren der Zertifizierungsstelle auf einen statischen Port (RPC-Endpunkt)”

Comments are closed.