219 questions with Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI) tags

2 answers

How do I get a new Secure Boot certificate?

Hello, I need a new Secure Boot certificate for Windows 10.

asked 2026-06-12T17:26:20.3466667+00:00
Dennis Wilkinson 0 Reputation points
answered 2026-06-12T19:42:14.4033333+00:00
Scott Nguyen 1,470 Reputation points Independent Advisor
2 answers One of the answers was accepted by the question author.

Windows Server 2016 RDP TLS/SSL certificate

I am reviewing the TLS/SSL certificate configuration used for Remote Desktop Services on a Windows Server 2016 VM and would like some help. During the review of the Remote Desktop certificate, I observed a message "The root CA certificate is not…

asked 2026-06-10T14:47:44.7633333+00:00
sara rashid 20 Reputation points
commented 2026-06-11T12:52:27.8566667+00:00
sara rashid 20 Reputation points
2 answers

Windows NPS with CA 802.1x wired

I am experiencing an issue with 802.1X authentication. This is the first user/computer attempting to authenticate in this setup. The environment consists of Windows 11 clients and Windows Server 2025. On the server side, NPS is configured with network…

asked 2026-06-03T13:25:00.5166667+00:00
Paweł Wójcik 0 Reputation points
commented 2026-06-08T08:04:37.1433333+00:00
Paweł Wójcik 0 Reputation points
3 answers

Upgrade enterprise CA server from 2016 OS to 2025 OS

Will there be any change in the user certificate being used for the Citrix FAS solution if we upgrade the enterprise CA server from 2016 OS to 2025 OS? I read somewhere that the user certificate subject DN was missing from 2025.

asked 2026-05-26T09:57:19.26+00:00
Kumar Anup 0 Reputation points
answered 2026-05-29T04:32:30.29+00:00
Jason Nguyen Tran 19,865 Reputation points Independent Advisor
2 answers

Certificate expiration

I have a User Certificate Template with the validity period set to 5 years, but why is the actual certificate only valid for 2 years?

asked 2026-05-26T00:36:36.68+00:00
Handian Sudianto 7,241 Reputation points
commented 2026-05-26T01:49:35.2+00:00
Handian Sudianto 7,241 Reputation points
1 answer

Replacing PKI Enterprise CA (Root and Issuing CA on single server) with 2 Tier PKI Root CA and separate CA issuing server

We are looking to change our PKI implementation from a single server in the domain running the Root and Issuing CA server with a lot of defaults, to a best practices Infrastructure with a two tier PKI Root CA (non-domain) and Issuing CA (domain joined)…

asked 2026-05-13T16:27:54.16+00:00
Tim Gross 106 Reputation points
answered 2026-05-13T17:11:50.0466667+00:00
HLBui 6,675 Reputation points Independent Advisor
2 answers One of the answers was accepted by the question author.

CA Server without AD

If we want to implement 802.1X with certificate-based authentication, then we need a CA server, and the certificate will be pushed from Intune. Can we build the CA server as standalone/workgroup, because I don't have on-premises Active Directory?

asked 2026-04-30T02:31:30.68+00:00
Handian Sudianto 7,241 Reputation points
accepted 2026-05-04T14:53:59.2266667+00:00
Handian Sudianto 7,241 Reputation points
2 answers

What is best approach for ADCS Enterprise Subordinate Certificate Renewal

1. SubCA Renewal – Distribute First Then Activate --> Is this a recommended approach for Enterprise certificate authority cert renewal or not? We are planning to renew Enterprise Subordinate CA Certificate using same private key. Looking for best…

asked 2026-05-04T12:15:06.1+00:00
Arti Kumari 0 Reputation points
edited the question 2026-05-04T13:33:49.2+00:00
Arti Kumari 0 Reputation points
2 answers

Best Practices for Active Directory Rebuild and OU Design

Hi Microsoft Team, I’m currently working on Active Directory redesign and reconstruction effort and would appreciate guidance on Microsoft’s recommended best practices. Specifically, I am looking for clarification on the following areas: What are…

asked 2026-04-25T15:42:16.64+00:00
emir goenaga 0 Reputation points
answered 2026-04-25T16:50:28.7133333+00:00
HLBui 6,675 Reputation points Independent Advisor
2 answers One of the answers was accepted by the question author.

Cert private key permission changes

Hello, we're implementing a new Windows Event Collector using HTTPS. I have followed various online guides from Microsoft and others and I have a working environment. The only issue I ran into was having to assign the NETWORK SERVICE account read only…

asked 2026-04-13T19:13:26.4+00:00
Hardwick, Lewis 20 Reputation points
accepted 2026-04-14T15:26:11.28+00:00
Hardwick, Lewis 20 Reputation points
2 answers

Can NPS authenticate non-Domain computers via EAP-TLS?

Hi Everyone! I tried to implement NPS to authenticate non-Domain joined computers by using computer certificate to access Cisco Wi-Fi, but failed. My environment: Windows 2019 DC; Windows 2019 CA + NPS; Cisco WL3504 + AP1832I; Windows 10 + Windows 11…

asked 2025-03-31T10:11:48.86+00:00
Alex Wu 0 Reputation points
commented 2026-04-09T13:43:33.2133333+00:00
Brett 0 Reputation points
3 answers

NPS EAP-TLS machine authentication fails, but user certificate authentication works

Does anyone have any suggestions? Thank you! NPS deny reason code 16 using computer certificate (EAP-TLS); Windows 11 24H2 client; Aruba AP/controller; NPS on Windows Server; PEAP works; user cert works; computer cert fails; machine cert is in Local…

asked 2026-04-03T22:28:01.99+00:00
mmuser-9331 0 Reputation points
answered 2026-04-07T08:19:41.0866667+00:00
HLBui 6,675 Reputation points Independent Advisor
2 answers

ADCS cluster in-place upgrade from 2012r2 --> 2016 --> 2019 - Issue with the secondary node

Hi, Ref: Windows Failover Cluster running ADCS role. Please advise if anyone has attempted an ADCS failover cluster "in-place upgrade from 2012r2 --> 2016 --> 2019" and has seen an issue with the secondary node showing offline after the upgrade…

asked 2026-04-01T08:46:52.8+00:00
BK 0 Reputation points
answered 2026-04-01T09:18:47.76+00:00
Quinnie Quoc 11,400 Reputation points Independent Advisor
2 answers

DisableCapiOverrideForRSA registry removal impact on Windows 2022

Patch sent in Oct 2025 - KB5066835: did it get executed on Windows 2022? Also, will the new patch for removing the registry value DisableCapiOverrideForRSA, which is due in April 2026, be applied to Windows 2022?

asked 2026-03-26T12:16:16.41+00:00
Mayuri Harkulkar Intertek 0 Reputation points
answered 2026-03-26T13:14:48.1233333+00:00
Tan Vu 2,735 Reputation points Independent Advisor
2 answers

Troubleshooting a Windows code-signing issue involving a Sectigo code-signing certificate and a YubiKey

We are troubleshooting a Windows code-signing issue involving a Sectigo code-signing certificate and a YubiKey. Historically, our team’s workflow involved exporting a .pfx from Windows Certificate Manager and importing it into the YubiKey, but that is no…

asked 2026-03-24T20:11:52.4+00:00
CJM20 0 Reputation points
commented 2026-03-25T18:59:38.91+00:00
CJM20 0 Reputation points
2 answers

[ARTICLE] Check Secure Boot CA 2023 certificates are installed on Windows 11

Open the PowerShell application and type the following commands one by one: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023') ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)…

asked 2026-03-11T16:43:41.01+00:00
VARADHARAJAN K 9,691 Reputation points Volunteer Moderator
edited the question 2026-03-25T03:14:03.8633333+00:00
Ivy Bui (WICLOUD CORPORATION) 505 Reputation points Microsoft External Staff Moderator
2 answers

ADCS Autoenrollment Not Renewing SAN Web Server Certificate

Creating a thread and asking for help cause I didn't find any information due to the specificity of this setup. Scenario Testing auto-renewal of a Web Server (for HTTPS scenarios) certificate with SANs in ADCS, using the AutoEnrollment…

asked 2026-03-23T18:12:39.1466667+00:00
Lucas Campos 21 Reputation points
commented 2026-03-24T13:06:22.3066667+00:00
Lucas Campos 21 Reputation points
1 answer One of the answers was accepted by the question author.

Is there a way to swap domains on a certificate?

I have two domains: plaidmug.com, comarket.app. Because of a change in the course of our business, we need to have the wildcard domain on comarket.app, not plaidmug.com. Is there a way to swap the domains without having to pay for new…

asked 2026-03-22T12:32:08.21+00:00
Jeffrey McCandless 20 Reputation points
accepted 2026-03-23T13:16:51.1+00:00
Jeffrey McCandless 20 Reputation points
2 answers

Private key archival feature not working as expected

Hello, recently I have realized that my private keys are not archived at my issuing CA, even when the Recovery agent is configured, even though the clients are supposed to send the "blob" with the private key. But when I try to recover the…

asked 2026-03-18T09:08:52.5833333+00:00
David Buřič 0 Reputation points
answered 2026-03-18T09:29:20.95+00:00
David Buřič 0 Reputation points
6 answers One of the answers was accepted by the question author.

Sign Code with a YubiHSM over the Network

I have a YubiHSM that is all set up on a different client. Firewall rules are all set. The YubiHSM KSP on my computer, an authorized code signing certificate from our SubCA (for testing purposes). The certificate is installed on my computer and I can…

asked 2026-03-11T08:54:38.4433333+00:00
Jordan 20 Reputation points
commented 2026-03-16T10:38:58.5233333+00:00
Jordan 20 Reputation points