Server Certificate Regeneration Issue

Carlos Sanchez 20 Reputation points
2025-10-20T18:01:16.9866667+00:00

Unable to request new certificates with the same key. Purpose is for LDAPS. I noticed the certificates have not been renewed for almost 2 years. When I attempt to renew, I encounter the issue shown in the screenshot below. Can anyone shed light on the process for resolving this error? Running "certutil -config - -ping" returns no CA results as well. TIA for any guidance.



Answer accepted by question author

VPHAN 11,040 Reputation points Independent Advisor
2025-10-20T18:34:03.41+00:00

Hi Carlos Sanchez,

You are unable to discover a CA because the AD CS service or the CA’s publish information is not available to the domain, and that prevents enrollment using the Active Directory Enrollment Policy. Verify the CA server is online and the Certification Authority service is running on the expected host. Confirm the CA certificate has not expired and that its root/intermediate certificates are present and trusted in the domain and on the server where you request the LDAPS certificate. Check DNS resolution and firewall rules so the client can reach the CA RPC and HTTP endpoints used for enrollment. Inspect the CA’s published enrollment points in Active Directory by checking the msPKI-Enrollment-Servers and ensure the CA’s AIA and CDP are reachable. Review the CA event log for denied enrollment requests and the client Application and System event logs for enrollment errors.

The “same key” renewal restriction is often caused by a mismatch between the template settings and the key storage provider type or by CA policy that disallows reuse of the private key. Verify the certificate template allows renewal with the same key and that the template’s CSP/KSP settings match the machine’s key provider.

Export and secure a backup of the existing machine certificate and private key before attempting any renewals. If the CA cannot be restored quickly, generate a new key pair, request a new certificate from a reachable CA, and rebind that certificate to LDAPS to restore service immediately. If the CA is available after you restore it, perform a controlled test to renew using the same key and monitor the CA logs for any template or policy rejections.

If this answer helps, please hit “accept answer” — thanks 🙂
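The following PowerShell script is an added example, not code from the thread's participants or from Microsoft. It walks through the CA discovery checks described in the answer: it enumerates the CAs published as pKIEnrollmentService objects in the Configuration partition (the same data "certutil -config - -ping" relies on), reads each CA's published certificate expiry, tests DNS resolution and the RPC endpoint mapper port, and runs certutil -ping against each CA. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration partition; it only reads and changes nothing.

```powershell
#Requires -Modules ActiveDirectory
# Added diagnostic example (not from the original thread). Read-only: it queries AD,
# DNS, TCP 135 and the CA service, and reports one object per published CA.

function Test-PublishedCA {
    [CmdletBinding()]
    param()

    # Clients discover CAs through pKIEnrollmentService objects in the Configuration
    # partition; if none exist here, enrollment policy returns "no CA results".
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $cas = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, cACertificate, 'msPKI-Enrollment-Servers' -ErrorAction Stop

    if (-not $cas) {
        Write-Warning "No pKIEnrollmentService objects under $base; enrollment policy cannot discover a CA."
        return
    }

    foreach ($ca in $cas) {
        $caHost = $ca.dNSHostName
        $config = "$caHost\$($ca.Name)"      # certutil -config value: Host\CAName

        # Published CA certificate (DER bytes); single- or multi-valued depending on the provider.
        $raw   = $ca.cACertificate
        $bytes = if ($raw[0] -is [byte]) { [byte[]]$raw } else { [byte[]]$raw[0] }
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)

        # DNS: the requesting server must resolve the CA host name.
        $dns = try { Resolve-DnsName -Name $caHost -ErrorAction Stop | Select-Object -First 1 } catch { $null }

        # RPC endpoint mapper (TCP 135) is used by DCOM-based enrollment (certutil, MMC, autoenrollment).
        $rpc = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

        # certutil -ping asks the CA service itself to answer; non-zero exit means no response.
        $null   = & certutil.exe -config $config -ping 2>&1
        $pingOk = ($LASTEXITCODE -eq 0)

        [pscustomobject]@{
            CAConfig          = $config
            CACertExpires     = $cert.NotAfter
            CACertExpired     = ($cert.NotAfter -lt (Get-Date))
            DnsResolves       = [bool]$dns
            RpcPort135Open    = $rpc.TcpTestSucceeded
            CAServiceResponds = $pingOk
            EnrollmentServers = $ca.'msPKI-Enrollment-Servers'   # CEP endpoints, if any are published
        }
    }
}

Test-PublishedCA | Format-List
```

Run it on the server that will request the LDAPS certificate, since that is the host whose DNS, firewall path and trust store matter for the enrollment.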

