Rebuild Certificate Authority
The whole CA management interface feels so overdue. I know the whole certificate thing wasn't built by Microsoft and it was pushed into the market really fast (relatively speaking), so a solution had to be realized quickly. The whole topic is very clumsy and involves so many manual steps that it gives lots of admins around the globe headaches. It is also very hard to learn and master due to the wrong tools, I think.
The certificate management in the Exchange Control Panel 2013 seems a step in the right direction. I can't really tell you what to do, but I'm sure that if the right guys at Microsoft sit together, think and talk about this, something great will come out of it.
Don't get me wrong, this really isn't a Microsoft problem here. It's an industry-wide problem. But Microsoft could bring out a completely revised certificate management (client and server) with their next version of Windows and roll the dice to change the whole industry here, just as other competitors have done with multitouch, for example.
Lutz Mueller-Hipper commented
On Windows 2012 R2 and later you can just type certlm.msc to get the MMC opened with the snap-in loaded for the local machine store. On Windows 2008 R2 and later you can fire up certmgr.msc to have the same, just for the current user store.
The CA goes back in history to the NT4 Option Pack. Microsoft also has Certificate Management as part of FIM/MIM, which was just renovated with MIM 2016. But there are so many different aspects, requirements and opinions around a PKI that I really do not blame MS too hard, but of course there is room for improvement.
Agree, it also needs to be easier to move a CA to a different server. Currently it is quite a long process and you have to use the same name for the new server. I understand why, but it might be better if the CA registered its own name in DNS, similar to Exchange Autodiscover, which could then be updated if the CA server changed.
Two points to add to my suggestion:
The handling around certificates is very clumsy, on non-CA servers as well. You have to open MMC, load the Certificates snap-in, choose Computer account and then open the respective area. It would be great to have a direct management option accessible from Server Manager.
Please add the possibility to add reminders at a specific time before a certificate expires. This could be via email to a distribution group. Just add the SNMP server to the CA config and define a timeframe like one month to be notified.
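Until a built-in reminder exists, the expiry notification asked for above, and the store that certlm.msc opens in the earlier comment, can be covered with a scheduled script. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft; the relay host, sender, distribution group and the 30-day threshold are assumed placeholders, and the certutil restriction at the end is an assumption about the CA database query syntax that should be checked on the CA before relying on it.

```powershell
# Added example, not from the thread: report certificates in the local machine
# Personal store that expire within a threshold and mail the list to a
# distribution group. All parameter defaults below are assumed placeholders.
param(
    [int]    $DaysAhead  = 30,                              # assumed: "one month" as in the request
    [string] $SmtpServer = 'smtp.example.internal',         # assumed internal relay
    [string] $From       = 'pki-alerts@example.internal',   # assumed sender
    [string] $To         = 'pki-admins@example.internal'    # assumed distribution group
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# Cert:\LocalMachine\My is the same store certlm.msc shows as "Personal".
# Filtering on HasPrivateKey skips chain certificates that merely sit in the
# store; those are not the ones a server actually serves with.
$expiring = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $cutoff } |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } }

if (-not $expiring) {
    Write-Host "No certificates in LocalMachine\My expire before $($cutoff.ToShortDateString())."
    return
}

# Already-expired certificates show a negative DaysLeft, which is the case
# you most want to see in the mail rather than hide.
$body = $expiring | Format-Table -AutoSize | Out-String
Write-Host $body

# Send-MailMessage ships with Windows PowerShell 5.1. It is marked obsolete in
# newer PowerShell releases but still works against an internal relay.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[$env:COMPUTERNAME] $(@($expiring).Count) certificate(s) expire within $DaysAhead days" `
    -Body $body

# On the CA itself the same question can be asked of the CA database:
# which issued certificates (Disposition 20) fall due before the cutoff.
# Assumption: certutil parses the date in this US format; verify the
# restriction string on your CA before scheduling it.
$cutoffText = $cutoff.ToString('MM/dd/yyyy')
certutil -view -restrict "Disposition=20,NotAfter<=$cutoffText" `
    -out "RequestID,RequesterName,CommonName,NotAfter"
```

Run it as a scheduled task under an account that can read the machine store (a group managed service account is the usual choice), once per server for the Personal store and once on the CA for the database query; the CA query is what catches certificates issued to devices that never report back.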