Making Windows PKI Clients Request New Certificates from Local Active Directory

Making Windows PKI Clients Request New Certificates from Local Active Directory

Q: How can we make sure that our Windows PKI clients request new certificates from the Certification Authority (CA) that is located in their local Active Directory (AD) site, and not from the CA located in the AD site of our central datacenter?

A: In Windows 8 and Windows Server 2012 Microsoft introduced AD site awareness for the AD Certificate Services (CS) and the Windows PKI client. This means that the PKI client can consider AD site information when a certificate request is made from the client. Also, a CA can be linked to an AD site in in AD. And PKI clients can then retrieve this site information from AD.

This CS site awareness feature is not enabled by default. To link a CA to an AD site, the msPKI-Site-Name attribute of the CA’s “pKIEnrolllmentService” AD object must contain a valid AD site name. You can instruct Windows to populate this attribute automatically for all AD-integrated or Enterprise CAs, or you can also set the site name yourself. You can find this object in the CN=Enrollment Services, CN=Public Key Services, CN=Services,CN=Configuration,DC=<domainDistinguishedNamingContext>.

To let Windows add the site to this attribute automatically for all Enterprise CAs, you can use the following certutil command: 

certutil -f -setcasites set 

To set the site name manually, you must use the following command: 

certutil -setcasites -f -config "<CAConfigName>" <SiteName>

In the above command <CAConfigName> must be replaced by the actual CA name (typically <DNS name of the server>\<CA name>, for example:\enterpriseCA1) and <SiteName> by the site name you want to set for the CA.

When an AD site is set for a CA, a Windows 8 (or later) PKI client will initiate an AD site cost calculation for all CAs that have the site attribute set in order to determine the fastest certificate enrollment channel. When multiple CAs are available the PKI client will enroll from the CA with the lowest cost. You can use the certutil -ping command to verify the AD site costs for different CAs. For example, the following certutil command will return the AD site cost for enterpriseCA1 and enterpriseCA2 in the domain: 

certutil -ping ","

More information on this feature can also be found in this Microsoft Technet article:

Jan De Clercq is a member of HP’s Technology Consulting IT Assurance Portfolio team. He focuses on cloud security, identity and access management, architecture for Microsoft-rooted IT infrastructures, and the security of Microsoft products. He's the author of Windows Server 2003 Security Infrastructures (Digital Press) and coauthor of Microsoft Windows Security Fundamentals(Digital Press) and Cloud Computing Protected: Security Assessment Handbook (Recursive Press). You can reach him at [email protected]

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.