Steve B asked:
Domain controller keeps issuing itself a certificate daily

I have a domain controller that I am using with a OneSign appliance for LDAP synchronization using TLS. I recently began having problems with this synchronization and I had to sync manually. When I went to sync, the OneSign appliance would complain that the certificate was not issued by a trusted CA and ask whether I want to use it. The certificate has the current date and expires a year from that date. If you click Yes, the certificate is imported into OneSign and the sync happens fine. The next day, it happens again ... it complains about the certificate and shows it as being valid from today's date to a year down the road. I checked on the domain controller in the local certificate store, Personal, and I see the certificate there. It changes every day, which breaks my OneSign synchronization again.

Why is the DC issuing itself a new certificate each day at 4:58am?  I can't think of any changes to the environment that would have caused this to happen.
[Screenshot attached by the asker]
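A diagnostic a defender would run on the DC before changing anything, added here as an example and not part of the original thread: list every certificate in the machine Personal store with its validity window and the template that issued it, flag anything issued in the last 24 hours (a daily re-enrollment shows up as a fresh NotBefore each morning), and read the client-side certificate lifecycle log around the 4:58am window. The template OIDs and the event channel name are standard Windows values; the channel is assumed to exist on the DC's OS version (Windows Server 2012 or later).

```powershell
# Added diagnostic example (not from the original thread). Run elevated on the DC.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # 1.3.6.1.4.1.311.20.2 = v1 "Certificate Template Name",
    # 1.3.6.1.4.1.311.21.7 = v2 "Certificate Template Information"
    $tmpl = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) } |
        Select-Object -First 1
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Template   = $tmpl
        EKU        = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
    }
}

# Newest first: a certificate re-enrolled every day sits at the top with today's date.
$certs | Sort-Object NotBefore -Descending | Format-Table -AutoSize

# Anything issued in the last 24 hours is the enrollment that keeps firing;
# its Template value tells you which template (and therefore which GPO /
# auto-enrollment setting) to look at.
$recent = $certs | Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-1) }
$recent | Format-List

# The certificate client logs installs and replacements here; filter to the
# window in which the appliance starts seeing the new certificate.
$since = (Get-Date).Date.AddHours(4)   # today 04:00, adjust as needed
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Compare the Thumbprint of the newest certificate with the one the appliance imported the previous day: if they differ every morning while Subject and Template stay the same, the DC is re-enrolling rather than renewing at expiry, and the template's renewal settings or the auto-enrollment policy are where to look.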
ASKER CERTIFIED SOLUTION by btan
Steve B (asker):
Thanks for the response. I did follow this article from page 11 on to load our root CA certificate. That went well, so I appreciate the link. I have attached a text file with all of the certs that are on the OneSign appliance. Is it OK to delete the certificates that are expired? I don't see a way to back them up just in case, so I am hesitant to delete them. I see expired ones for the CA (dcsrv1) and the two domain controllers (grudcsrv1 and 2). I am thinking I only need three certificates ... one for the root CA I just imported and one for each domain controller.
[Attachment: certs.txt]
btan:
In fact, expired certificates will not be used even if they remain stored. They have been replaced with the existing new certificate in the same store, so those expired ones can be deleted. Just to share, even when a certificate is deleted, the corresponding private key is not deleted. It seems that the only solution is to manually delete files from %appdata%\Microsoft\Crypto\RSA\<sid>, or perhaps with a program that uses the crypto API, such as CleanCAPI. https://technet.microsoft.com/en-us/library/cc772354(v=ws.11).aspx
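The asker's concern was having no backup before deleting. On the Windows side (the DC's machine Personal store, as opposed to the appliance's own store) the public half of each expired certificate can be exported first and the removal dry-run, which is what this added example does; it is not from the thread. It also records the key container name behind each certificate, since, as the reply says, deleting the certificate leaves the key on disk; for machine certificates that key file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys rather than the per-user %appdata% path. The backup folder name is an assumption, and the PKI module (Export-Certificate) is assumed to be present (Windows Server 2012 or later).

```powershell
# Added example (not from the original thread). Run elevated on the DC.
$backupDir = 'C:\CertBackup'   # assumed location for the .cer copies and the log
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$log = Join-Path $backupDir 'expired-removed.log'

# Only certificates whose validity has already ended.
$expired = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date) }

foreach ($cert in $expired) {
    # Keep the public certificate so the record of what was there survives;
    # the private key is not exported here.
    $file = Join-Path $backupDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $file | Out-Null

    # Name of the CSP key container backing this certificate (null for CNG keys
    # or when the key is missing). The matching file stays under
    # %ProgramData%\Microsoft\Crypto\RSA\MachineKeys after the certificate is removed.
    $keyName = $null
    try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }

    "{0}  {1}  expired {2:u}  key={3}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $keyName |
        Add-Content -Path $log

    # -WhatIf only reports what would be removed; drop it once the log has been reviewed.
    Remove-Item -Path $cert.PSPath -WhatIf
}

Write-Host ("{0} expired certificate(s) exported to {1}; see {2}" -f $expired.Count, $backupDir, $log)
```

Before deleting any key file by hand, check the log for a key container name that is also referenced by a current (non-expired) certificate in the same store: a renewed certificate can reuse the existing key, and removing that file would break the live LDAPS listener.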
Steve B (asker):
This seems to have worked well. Thanks.