The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.
Change Log - Last Updated July 8, 2015
July 8, 2015 - Added Hotfix/Resolution 283789 regarding capolicy.inf processing.
July 7, 2015 - New format and OS specific pages, added known issue for renewing root CA certificate with shorter lifetime.
- http://support.microsoft.com/kb/942076 - Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
NOTE: Not strictly an ADCS Patch and ADCS will resolve the issue if installed on the same machine as IIS. However, if hosting Delta CRL files on an alternate computer, this will be an issue
- http://support.microsoft.com/kb/2603469 - System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/959193 - Two improvements are available that shorten the time that is required to manage SCEP certificates by using the Network Device Enrollment Service in Windows Server 2008
- http://support.microsoft.com/kb/2633200 - NDES does not submit certificate requests after the enterprise CA is restarted in Windows Server 2008 R2 SP1 or Windows Server 2008 SP2
- http://support.microsoft.com/kb/959887 - You cannot use a smart card certificate to log on to a domain from a Windows Vista-based client computer
- http://support.microsoft.com/kb/960549 - Some third-party Online Certificate Status Protocol (OCSP) clients may reject a response from an OSCP responder if this OCSP responder receives a Response Signing certificate from a Windows Server 2008 certification authority
- http://support.microsoft.com/kb/959052 - The FQDN option does not appear in the Subject name format list in the Certificate Templates console
- http://support.microsoft.com/kb/952722 - The Active Directory Certificate Services service does not start on a Windows Server 2008-based certification authority server if the key storage provider does not support SHA1 hash signing
- http://support.microsoft.com/kb/2635621 - A Windows Server 2008-based OCSP responder logs incorrect "thisUpdate" time stamp in the OCSP response
- http://support.microsoft.com/kb/960809 - The Windows Server 2008 Online Certificate Status Protocol (OCSP) responder does not work with signing certificates that do not use the SHA1 algorithm
- http://support.microsoft.com/kb/961715 - Active Directory Certificate Services crashes during its startup process when the FIM 2010 Certificate Management Exit Module setting is enabled on Windows Server 2008-based systems
- http://support.microsoft.com/kb/956580 - You cannot enroll for a certificate that is larger than 4096 bits on an SCEP client in Windows Server 2008
- http://support.microsoft.com/kb/967696 - The memory usage of the Windows Server 2008 Active Directory Certificate Services (Certsrv.exe) may keep increasing when third-party plug-ins are installed and certificate requests are rejected
- http://support.microsoft.com/kb/2661254 - Microsoft Security Advisory: Update for minimum certificate key length
- http://support.microsoft.com/kb/2960124 - The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL
- http://support.microsoft.com/kb/2518295 - Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011
- http://support.microsoft.com/en-us/kb/283789 - The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for End Entity certs using certificate templates where the subject info is built from AD. The Microsoft site appears to have deleted this article, so here is a WayBack Time Machine archive of the article.
- Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
When renewing a Root CA's certificate, the validity period of the new certificate is equivalent to the validity period of the certificate being renewed (since Server 2008). If an alternate validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to reflect a different value for the new certificate. However, ADCS will only use this value if it is equal to, or longer than the value of the certificate being renewed. You can not configure ADCS to renew a Root CA certificate for a lifetime shorter than the previous certificate.
Fix: Use certutil –sign to sign and specify the desired lifetime of the certificate, add the modified cert to the CA's computer personal store and associate it with the private key, modify the CA’s registry (CACertHash) and restart the CA.