I've searched far and wide but am unable to find any reference to having NDES point to a new CA. During the configuration of the ADCS NDES role you have to point to a specific CA. However, we are now in the process of building a new CA. The current one is Tier 1 and we are now building a Tier 2 PKI, so that comes with a new CA. We have a separate NDES server that will remain.
What are my options with regard to having NDES use the new CA? Things I imagine are possibilities (just assumptions, looking for confirmation):
- Reinstalling the NDES role (Not preferred)
- Renewing the NDES-specific certificates from the new CA (if possible?)
The new CA is on Win 2022 and the NDES server is Win 2019.
As the current PKI is also domain joined, I do not need to re-create the templates, and as the NDES server remains, I also don't have to deal with the issue of creating a new NDES service account.
TL;DR: New CA; NDES is configured to point to a specific CA during role configuration. How do I have it point to the new CA?
I've searched the internet and found many topics on changing the NDES service account and recreating CAs, but I'm not looking for that information. The information I'm looking for is more specific, and I have been unable to find it.
I'm expecting either a nice registry hack or some steps/guidelines as to how it is best done, preferably without reinstalling the NDES role.
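Before changing anything, it helps to record exactly what the existing NDES installation is bound to. The following PowerShell inventory is an added example, not code from the original post, and does not answer the question itself: it dumps the NDES settings stored under the documented registry location HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP, lists the machine certificates with their issuers (the NDES registration authority certificates live there, and their Issuer field shows which CA signed them), enumerates the enterprise CAs published in AD with certutil, and pings the new CA. It assumes it is run elevated on the NDES server; the CA config string `$NewCAConfig` is a hypothetical placeholder and must be replaced with the real `host\CA name`.

```powershell
# Added inventory check for an NDES server before re-pointing it at a new CA.
# Not from the original post. Assumptions: run as Administrator on the NDES host;
# NDES keeps its settings under the documented key below; $NewCAConfig is a
# hypothetical placeholder for the new Tier 2 issuing CA's "host\CA name" config string.
$mscep       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$NewCAConfig = 'newca.example.com\Example Tier2 Issuing CA'   # placeholder, replace

function Show-RegistryValues {
    param([string]$Path)
    # Print every value at this key, dropping the PS* provider noise properties.
    Write-Host "-- $($Path -replace '^.*::','')"
    Get-ItemProperty -Path $Path |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List | Out-String | Write-Host
}

Write-Host "== NDES registry settings (what the role wizard wrote) =="
Show-RegistryValues -Path $mscep
# Subkeys hold the rest of the wizard's choices (templates, password settings, CA info).
Get-ChildItem -Path $mscep -Recurse | ForEach-Object { Show-RegistryValues -Path $_.PSPath }

Write-Host "== Machine certificates grouped by issuing CA =="
# The NDES RA certificates are in LocalMachine\My; Issuer shows which CA signed them,
# so after re-pointing NDES you would expect new RA certs issued by the new CA here.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } } |
    Sort-Object Issuer |
    Format-Table -AutoSize -Wrap | Out-String | Write-Host

Write-Host "== Enterprise CAs published in Active Directory =="
# certutil -dump with no file argument lists the enrollment-services (CA) entries in AD;
# the new enterprise CA should show up here once it is installed and published.
certutil -dump

Write-Host "== Reachability of the new CA from this NDES host =="
# -ping contacts the CA's DCOM interface; a failure here points at firewall/DCOM
# permissions rather than at NDES configuration.
certutil -config $NewCAConfig -ping
```

Keep the registry dump and the certificate list from this run as the "before" state; after NDES has been re-pointed, rerunning the same script makes it obvious which values and which RA certificates actually changed.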