I have set up a two-tier CA hierarchy following the Microsoft test lab instructions. I installed the Certificate Enrollment Policy Web Service (CEP) on the same machine as the issuing certification authority (CA). The Certificate Enrollment Web Service (CES) is installed on a separate machine. All three are in the same domain: a.local. I have a serverB1 in another domain, b.local, which has already received a server certificate. The instructions tell me to simulate a certificate renewal by running the following two commands:

1. certutil -f -policyserver * -policycache delete

Output:
Cache Directory: C:\ProgramData\Microsoft\Windows\X509Enrollment
Name: SSL-TLS Server Certificates (Default)
Id: {B85DA5F6-850F-4C44-A80C-F60747D4DD77}
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
Cache file exists: 48b23e1bb48a2bf09ce15b2526ef67eb32fe1251
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
LastUpdate 2/18/2022 4:36 PM
Deleting cache entry!
Orphaned Cache file:
Cache file exists: 83b7376cb9815a475c54a66bd64eb8bfd31d6005
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
LastUpdate 2/18/2022 1:38 PM
Deleting cache entry!
CertUtil: -PolicyCache command completed successfully.
2. certreq -machine -q -enroll -cert <thumbprint> renew

With the correct thumbprint substituted, of course. Output:
https://ces1.a.local/IssuingCA_CES_Certificate/service.svc/CES
The certificate request could not be submitted to the certification authority.
Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Certificate Request Processor: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
The application pool on CES is delegated to the user a\ces. CEP just uses the default application pool identity. I also tried changing it to a\ces (and creating the corresponding SPN), but nothing changed. I am changing it back. Does anyone know what is going wrong here? I am new to all of this and am just following the instructions.
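Added example (not from the original poster and not from Microsoft's lab guide): a PowerShell wrapper around the two documented steps that records what the renewing machine can see before and after the attempt, so the failure can be correlated with the CES/CEP server logs. It assumes it runs elevated on the renewing machine (serverB1 in the post); the thumbprint is a placeholder you supply, and the two host names default to the ones that appear in the post's own certutil and certreq output.

```powershell
# Added example (not the poster's code). Wraps the documented key-based
# renewal steps with a few client-side checks. Run elevated on the machine
# whose server certificate is being renewed.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                       # placeholder: the certificate to renew
    [string]$CesHost = 'ces1.a.local',         # CES host from the certreq output in the post
    [string]$CepHost = 'IssuingCA.a.local'     # CEP host from the certutil output in the post
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

# 1. certreq -machine renews from LocalMachine\My only, and key-based
#    renewal signs the request with the existing private key, so both
#    must be present before anything is sent to the web service.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; key-based renewal cannot sign the request"
}

# Template extension: v2+ templates use 1.3.6.1.4.1.311.21.7, v1 templates 1.3.6.1.4.1.311.20.2
$templateExt = $cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
    Select-Object -First 1
[pscustomobject]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
    Template = if ($templateExt) { $templateExt.Format($false) } else { '(none)' }
} | Format-List

# 2. The renewing machine is in a different domain (b.local), so confirm
#    plain TCP reachability to both web service hosts on 443 first.
foreach ($h in $CepHost, $CesHost) {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0}:443 TCP reachable = {1}' -f $h, $tnc.TcpTestSucceeded
}

# 3. The two commands from the lab instructions, exactly as the post runs them.
Write-Host "`n== certutil -f -policyserver * -policycache delete =="
certutil -f -policyserver * -policycache delete

Write-Host "`n== certreq -machine -q -enroll -cert $Thumbprint renew =="
$certreqOutput = certreq -machine -q -enroll -cert $Thumbprint renew | Out-String
$certreqExit   = $LASTEXITCODE
$certreqOutput

# 4. Decode whatever HRESULT certreq printed (0x803d0005 in the post) with
#    certutil -error, and note the time so it can be matched against the
#    IIS and CES/CEP event logs on the a.local servers.
if ($certreqExit -ne 0) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Write-Host "`n[$stamp] certreq exited with $certreqExit"
    if ($certreqOutput -match '0x([0-9A-Fa-f]{8})') {
        Write-Host "Decoding HRESULT 0x$($Matches[1]):"
        certutil -error ("0x" + $Matches[1])
    }
}
```

Usage: `.\Test-KeyBasedRenewal.ps1 -Thumbprint <thumbprint>`. The checks in steps 1 and 2 only rule out the client side (wrong store, no private key, no network path); an access-denied result that survives them is decided on the CES host, so the timestamp printed in step 4 is what to line up against the IIS log and the application pool identity on that server.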