A big part of setting up your PKI is ensuring web enrollment works so that certificates can be distributed to users. Many different issues can occur, but one of the more common ones is the 401.2 HTTPS error you see below. This occurs when you have set a certificate for HTTPS communication, but it does not contain the SAN values it needs. The steps below walk you through remediating this issue.
Error Handling
Once you have completed your web enrollment setup and navigate to your ADCS site, the HTTPS certificate might be reported as unavailable, or your site will be shown as “Not Secure”. This can happen if the SAN attribute was not properly added to your certificate request.

Run the following command to set the proper flag and allow SAN attributes to be used in your web certificate.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Restart your Active Directory Certificate Services.
net stop certsvc && net start certsvc

Once done, reissue the web certificate and assign it to your webpage again.
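To confirm the result of the steps above, the following added example (not part of the original article) reads the CA's EditFlags value, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and prints the SAN extension of the reissued web certificate. The flag is a CA-wide setting that applies to every request the CA processes, not only the web certificate, so the commented commands at the end show how to clear it afterwards. The function names, the LocalMachine\My store location, and the thumbprint parameter are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the CA server.
param(
    # Thumbprint of the reissued web certificate (supply your own; empty skips the check).
    [string]$Thumbprint = ''
)

$SanFlagBit = 0x00040000   # Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2

function Test-SanAttributeFlag {
    # certutil prints the EditFlags DWORD in hex; parse it and test the bit.
    $out = & certutil.exe -getreg 'policy\EditFlags' 2>&1
    if ($LASTEXITCODE -ne 0) { throw ('certutil -getreg failed: ' + ($out -join ' ')) }
    $hit = $out | Select-String -Pattern 'REG_DWORD\s*=\s*([0-9a-fA-F]+)' | Select-Object -First 1
    if (-not $hit) { throw 'Could not find the EditFlags value in certutil output.' }
    $flags = [Convert]::ToInt32($hit.Matches[0].Groups[1].Value, 16)
    return (($flags -band $SanFlagBit) -ne 0)
}

function Get-CertificateSan {
    param([Parameter(Mandatory)][string]$CertThumbprint)
    # Assumes the web certificate is in the machine's Personal store.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint" -ErrorAction Stop
    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { return $san.Format($true) }
    return $null
}

if (Test-SanAttributeFlag) {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: the CA accepts SAN values from request attributes on all requests.'
} else {
    Write-Output 'EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.'
}

if ($Thumbprint) {
    $san = Get-CertificateSan -CertThumbprint $Thumbprint
    if ($san) { Write-Output "SAN entries:`n$san" }
    else { Write-Warning 'Certificate has no SAN extension; the site will still show as Not Secure.' }
}

# Once the web certificate shows the expected SAN entries, clear the flag and restart the CA:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   Restart-Service certsvc
```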
Conclusion
This is one of the more common web enrollment issues we run into with PKI. It is generally an easier fix than most, so it is not very time-consuming to take care of. At Encryption Consulting, we work with your organization to plan, implement, and troubleshoot any PKI setup you may want to do. To learn more about how we can help your organization, please reach out to [email protected] or www.encryptionconsulting.com.