Putting an Active Directory integrated certification authority (Enterprise Certification Authority) into maintenance mode

If you want to perform maintenance work on a certification authority, such as migrating it to another server or making more extensive configuration changes that require a functional test, you want the certification authority service to keep running, but at the same time prevent certificates from being automatically requested from and issued by the certification authority during this phase.

This state can be achieved relatively easily by removing the right of users to request certificates from the certification authority.

By default, the security settings of the certification authority contain an entry granting the "Request Certificates" permission to "Authenticated Users", a group that includes all users in the Active Directory forest.

To achieve a maintenance mode, it is sufficient to temporarily remove this entry. This is done via the Certification Authority management console (certsrv.msc). The security settings for the certification authority can be accessed by right-clicking the certification authority and selecting "Properties", then opening the "Security" tab.

For a functional test, the accounts with which the tests are performed should be granted the "Request Certificates" right here manually as a transitional measure.

The settings are effective directly and without restarting the certification authority service.

A particularly practical aspect of this procedure is that the permissions configured here are also written to the pKIEnrollmentService object of the certification authority in Active Directory. Clients therefore automatically learn that they cannot request certificates from the certification authority and do not submit any certificate requests during maintenance mode.

However, this behaviour can also lead to undesirable side effects. If, for example, during the migration of a certification authority to another server, you first back up the certification authority's registry and only then switch to maintenance mode, the pKIEnrollmentService object will not be updated correctly after the registry is restored on the new server. It is therefore essential to follow the correct sequence in this case.
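The following PowerShell script is an added example, not part of the original article, for verifying that maintenance mode is actually in effect. It checks both places the article mentions: the CA's own security descriptor, which the CA service stores as a binary value in the registry, and the pKIEnrollmentService object in Active Directory that clients consult. Assumptions: the script runs on the CA host (or a domain-joined machine with read access to that registry key and to the Configuration partition), the CA name is passed as the `$CAName` parameter, the access-mask bit 0x200 for "Request Certificates" follows the CA rights numbering documented by the PSPKI project, and the Certificate-Enrollment extended right is identified by its well-known GUID.

```powershell
# Added example (not from the original article): report whether "Authenticated Users"
# still hold the "Request Certificates" (Enroll) right on an Enterprise CA, both on the
# CA service itself and on its pKIEnrollmentService object in Active Directory.
param(
    [Parameter(Mandatory)][string]$CAName   # CA common name, e.g. "Contoso-Issuing-CA" (assumed)
)

# Access-mask bit for "Request Certificates" in the CA's own security descriptor
# (numbering as used by the PSPKI project; treated as an assumption here).
$EnrollBit          = 0x200
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

# --- 1. CA service ACL: binary security descriptor under the CertSvc configuration key ---
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"
$sdBytes = (Get-ItemProperty -Path $regPath -Name Security).Security
$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList ($sdBytes, 0)

# Allow ACEs for Authenticated Users that carry the Enroll bit
$caEnroll = @($sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceType -eq 'AccessAllowed' -and
    $_.SecurityIdentifier -eq $AuthenticatedUsers -and
    ($_.AccessMask -band $EnrollBit) -ne 0
})

# --- 2. pKIEnrollmentService object in the Configuration partition (what clients read) ---
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$es        = [ADSI]"LDAP://CN=$CAName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$EnrollGuid = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right

# Allow rules for Authenticated Users granting that extended right (or all extended rights)
$adEnroll = @($es.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -eq $AuthenticatedUsers -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)
})

# --- 3. Summary: both must be empty for maintenance mode to be effective.
# A mismatch (one empty, the other not) is the out-of-sync state the article warns about
# when the registry is backed up before maintenance mode is switched on.
[pscustomobject]@{
    CAName                           = $CAName
    CAServiceGrantsEnrollToAuthUsers = ($caEnroll.Count -gt 0)
    ADObjectGrantsEnrollToAuthUsers  = ($adEnroll.Count -gt 0)
    MaintenanceModeEffective         = ($caEnroll.Count -eq 0 -and $adEnroll.Count -eq 0)
    RegistryAndADInSync              = (($caEnroll.Count -gt 0) -eq ($adEnroll.Count -gt 0))
}
```

Run it before and after the change in certsrv.msc (for example `.\Check-CaMaintenanceMode.ps1 -CAName 'Contoso-Issuing-CA'`, a constructed name). The script only reads; it deliberately does not write the registry value back, because the CA service does not pick up a directly edited security descriptor without a restart, whereas changes made through the console take effect immediately, as the article states.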
