The purpose of this page is to maintain a list of known Microsoft hotfixes, patches and known issues related to the Active Directory Certificate Services role. The page will be updated as new releases are made by Microsoft as well as when new issues are identified. You can subscribe to the page to receive automated alerts when the content has changed. If you have any feedback or comments, or notice something that is missing, let us know.
Change Log - Last Updated August 23, 2017
August 23, 2017 - Updated 2008 R2 and 2012 R2 hotfix description for OCSP Bug (2950080) with long CA names. Microsoft article incorrectly describes the issue with the host name, it's the CA name that is the issue.
November 7, 2016 - Moved OCSP Magic Number to Client Issues
July 8, 2015 - Added new Known Issue about sConfig allowing domain and computer name changes. Added Hotfix/Resolution 283789 regarding capolicy.inf processing.
- http://support.microsoft.com/kb/942076 - Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"
NOTE: Not ADCS will resolve the issue if installed on the same machine as IIS. However, if hosting Delta CRL files on an alternate computer, this will be an issue
- http://support.microsoft.com/kb/2603469 - System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/2831238 - CRL processing causes high CPU usage, heavy network traffic, and service outage on a Windows Server 2008 R2-based or Windows 7-based computer
- http://support.microsoft.com/kb/2633200 - NDES does not submit certificate requests after the enterprise CA is restarted in Windows Server 2008 R2 SP1 or Windows Server 2008 SP2
- http://support.microsoft.com/kb/2799925 - Windows Server 2008 R2-based NDES server cannot submit a certificate request after you restart a server on which an enterprise CA is installed
- http://support.microsoft.com/kb/2483564 - Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES
- http://support.microsoft.com/kb/2615174 - "0x80092013, CRYPT_E_REVOCATION_OFFLINEA" error message when you try to verify a certificate that has multiple chains in Windows Server 2008 R2 or in Windows 7
- http://support.microsoft.com/kb/978034 - Active Directory Certificate Services cannot be reinstalled by using the "Use existing private key" option on a computer that is running in Windows Server 2008 R2
- http://support.microsoft.com/kb/2470092 - You cannot publish a CRL for an imported certificate after the certificate is revoked in Windows Server 2008 R2
- http://support.microsoft.com/kb/2842986 - The "Trusted Root Certification Authorities" setting cannot be removed from a GPO in Windows 7 or Windows Server 2008 R2
- http://support.microsoft.com/kb/2578963 - Members of a security group cannot modify the security settings of a certificate template even if you delegate the full control permission to the group in Windows 7 or in Windows Server 2008 R2
- http://support.microsoft.com/kb/2661254 - Microsoft Security Advisory: Update for minimum certificate key length
- http://support.microsoft.com/kb/2960124 - The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL
- http://support.microsoft.com/kb/2740017 - PIN dialog box for smart card authentication appears two times when you try to access CA certificates on a computer that is running Windows Server 2008 R2 or Windows Server 2012
NOTE: Can also affect some Card based Hardware Security Modules - such as Thales nCipher ACS/OCS cardsets.
- http://support.microsoft.com/kb/2845624 - OCSP signing certificates are renewed prematurely in Windows Server 2008 R2
- http://support.microsoft.com/kb/2891347 - A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1
- http://support.microsoft.com/kb/2950080 - "The CA certificate could not be retrieved, element not found" error occurs when the CA server host name is longer than 52 characters.
*NOTE* Article is incorrect - If the CA Name is longer than 52 characters this error will occur, the host name is inconsequential. Confirmed by Microsoft
- http://support.microsoft.com/kb/978265 - The memory allocation and processor usage for the Ocspsvc.exe process keeps increasing if a large CRL is loaded
- http://support.microsoft.com/kb/2518295 - Vulnerability in Active Directory Certificate Services Web Enrollment could allow elevation of privilege: June 14, 2011
- http://support.microsoft.com/en-us/kb/283789 - The Issuer Statement Specified in the Capolicy.inf File Is Not Included in the Issued Certificate. *Though indicated as Windows Server 2000, this article is applicable to all newer operating systems. The issue is relevant only for End Entity certs using certificate templates where the subject info is built from AD. The Microsoft site appears to have deleted this article, so here is a WayBack Time Machine archive of the article.
- You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY)
Windows Server 2008 through 2012 R2 may be unable to enroll for a OCSP certificate. This is most often caused by a CA in the hierarchy that has specified specific OIDs but does not include the OCSP specific OID in its EKU (184.108.40.206.220.127.116.11.9). Refer to http://support.microsoft.com/kb/2962991 for more information.
Fix: When specifying specific OIDs for CA EKUs, the OCSP OID must be included (18.104.22.168.22.214.171.124.9). No steps are needed when using the default "All Application Policies" configuration.
- Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails
When renewing a Root CA's certificate, the validity period of the new certificate is equivalent to the validity period of the certificate being renewed (since Server 2008). If an alternate validity period is desired, the RenewalValidityPeriod and RenewalValidityPeriodUnits settings can be placed in a capolicy.inf to reflect a different value for the new certificate. However, ADCS will only use this value if it is equal to, or longer than the value of the certificate being renewed. You can not configure ADCS to renew a Root CA certificate for a lifetime shorter than the previous certificate.
Fix: Use certutil –sign to sign and specify the desired lifetime of the certificate, add the modified cert to the CA's computer personal store and associate it with the private key, modify the CA’s registry (CACertHash) and restart the CA.
- Windows Server sConfig Command Line tool allows Domain Membership and Computer Name changes even with an ADCS Certification Authority installed.
When ADCS server roles are installed, controls are placed on the server to prevent domain membership changes and hostname changes. To make changes to either of these, ADCS must first be installed. This behavior is experienced when making changes in the Control PanelSystem applet. However, when using sConfig (Server Core 2008 R2, or any version of Windows Server 2012 +), there are no controls to prevent these changes. Changing the domain membership or computer name can break the functionality of Enterprise CAs and can result in an unsupported configuration.
Fix: Remove ADCS role features prior to using sConfig to make changes to domain membership or computer host name. Alternatively, when using the GUI version of Windows Server, use the Control PanelSystem applet.