EnterpriseRootCA installation failure

EnterpriseRootCA installation fails with error message
 02/04/2021 22:03:53
 Varga Gábor

At one of my customers I faced a very strange issue during the installation of an Enterprise Root Certificate Authority. This type of CA is important for an enterprise company with a properly working Active Directory infrastructure, because in this case the AD itself is managing the certificate enrollment/revocation tasks, which is very important from a management and operations perspective.

Although the installation of this certificate authority is not so complex, many prerequisites must be met before the installation happens, especially if the domain controller(s) and the CA server are at different locations separated by a firewall.

The most important requirements:

  • The CA server must be joined to the domain (the required ports must be opened on the firewall)
  • The person installing the CA server must be a member of the Enterprise Admins and Domain Admins groups in the domain (this is required so that the proper AD container structure can be created in a new domain)
  • The following ports are opened:

| Protocol | Port                        | From                                                                   | To                                  | Action |
|----------|-----------------------------|------------------------------------------------------------------------|-------------------------------------|--------|
| Kerberos | TCP/464                     | Certificate Enrollment Web Services                                    | Domain Controllers (DC)             | Allow  |
| LDAP     | TCP/389 and UDP/389         | Certificate Enrollment Web Services                                    | Domain Controllers (DC)             | Allow  |
| LDAP     | TCP/636                     | Certificate Enrollment Web Services                                    | Domain Controllers (DC)             | Allow  |
| DCOM/RPC | Random port above port 1023 | Certificate Enrollment Web Services; all XP clients requesting certs   | CA                                  | Allow  |
| HTTPS    | TCP/443                     | All clients requesting certs                                           | Certificate Enrollment Web Services | Allow  |
| GC       | TCP/3268                    | CA server                                                              | Domain Controller                   | Allow  |
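The prerequisites above can be verified from the future CA server before the ADCS role is added. The following PowerShell pre-flight script is an added example, not part of the original post; it assumes it runs as the installing account on a domain-joined Windows Server with Test-NetConnection available, and it takes the group names and the CA-to-DC ports from the list and table above.

```powershell
# Added pre-flight check (not from the original post): verifies the listed
# prerequisites from the future CA server. TCP only: UDP/389 and the inbound
# RPC/HTTPS rules from the table cannot be probed from this side.
#Requires -Version 5.1
Add-Type -AssemblyName System.DirectoryServices

# Ports the CA server must reach on every domain controller (from the table above).
$DcPorts = [ordered]@{
    'Kerberos (TCP/464)' = 464
    'LDAP (TCP/389)'     = 389
    'LDAPS (TCP/636)'    = 636
    'GC (TCP/3268)'      = 3268
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. The CA server must be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Result 'CA server is domain-joined' $cs.PartOfDomain $cs.Domain

# 2. The installing account must hold Enterprise Admins and Domain Admins.
#    Group SIDs are taken from the current logon token and translated to names.
$tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { } }
foreach ($g in 'Enterprise Admins', 'Domain Admins') {
    $hit = $tokenGroups | Where-Object { $_ -like "*\$g" }
    Add-Result "Installer is member of $g" ([bool]$hit) ($hit -join ', ')
}

# 3. The required ports must be open from the CA server towards each DC.
$dcs = if ($cs.PartOfDomain) {
    [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().DomainControllers |
        ForEach-Object Name
} else { @() }
foreach ($dc in $dcs) {
    foreach ($entry in $DcPorts.GetEnumerator()) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $entry.Value `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        Add-Result "$($entry.Key) reachable" $ok $dc
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Fix the failed prerequisites before installing the Enterprise Root CA.'
}
```

A failed Kerberos, LDAP or GC row points at the firewall between the sites, while a failed group row explains a missing AD container structure during setup.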