{"id":12122,"date":"2026-04-07T13:25:56","date_gmt":"2026-04-07T18:25:56","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=12122"},"modified":"2026-04-07T13:25:56","modified_gmt":"2026-04-07T18:25:56","slug":"venafi-issue-certs-immediately-revoked-as-superseded-when-using-stand-alone-microsoft-ad-cs-ca","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=12122","title":{"rendered":"Venafi Issue &#8211; Certs Immediately Revoked as Superseded When Using Stand-Alone Microsoft AD CS CA"},"content":{"rendered":"<h1>Background:<\/h1>\n<h2>Environment<\/h2>\n<ul>\n<li>Dev environment, Venafi 25.3.0.2740<\/li>\n<li>Microsoft ADCS\u00a0<strong>stand-alone<\/strong>\u00a0CA<\/li>\n<li>Enrollment method:\u00a0<strong>DCOM<\/strong><\/li>\n<li>CA object uses a\u00a0<strong>local account on the ADCS server<\/strong><\/li>\n<li>No custom workflows<\/li>\n<li>No customizations<\/li>\n<li>No consumers\/app installation tied to the cert object<\/li>\n<li>Simple certificate object created for testing<\/li>\n<\/ul>\n<h2>Problem<\/h2>\n<p>When a certificate is requested from Venafi against the stand-alone Microsoft CA, ADCS successfully issues the certificate, but the certificate is immediately revoked with revocation reason:<\/p>\n<ul>\n<li>Superseded<\/li>\n<\/ul>\n<p>This is happening to the\u00a0<strong>same certificate that was just issued<\/strong>, not a prior cert.<\/p>\n<h2>Expected behavior<\/h2>\n<p>Venafi should submit the CSR, obtain the issued certificate, and leave the newly issued certificate valid.<\/p>\n<h2>Actual behavior<\/h2>\n<p>Venafi submits the CSR, ADCS issues the certificate successfully, and then the same certificate is immediately revoked as\u00a0Superseded.<\/p>\n<h1>Evidence gathered<\/h1>\n<p><strong>1. 
ADCS database confirms issued cert is the same cert being revoked<\/strong><\/p>\n<p>Example request:<\/p>\n<ul>\n<li>Request ID: 41<\/li>\n<li>Requester Name: HOSTNAME\\venafi<\/li>\n<li>Common Name: 20260331-withrevoke.example.com<\/li>\n<li>Serial Number: 55000000299749d000d299f5ae000100000029<\/li>\n<li>Disposition: Revoked<\/li>\n<li>Disposition Message: Revoked by HOSTNAME\\venafi<\/li>\n<li>Revocation Reason: 0x4 &#8212; Superseded<\/li>\n<\/ul>\n<p>This proves Venafi is revoking the cert it just obtained.<\/p>\n<p><strong>2. ADCS request contents are valid<\/strong><\/p>\n<p>For the same request, ADCS shows the CSR and issued certificate are normal and match expectations.<\/p>\n<p><strong>Request attributes<\/strong><\/p>\n<ul>\n<li>CertificateTemplate: WebServer<\/li>\n<li>ccm: venafihost.servers.example.com<\/li>\n<\/ul>\n<p><strong>CSR \/ issued cert contents<\/strong><\/p>\n<ul>\n<li>Subject:\u00a0CN=20260331-withrevoke.example.com, O=&#8221;Uniti Group, Inc&#8221;, L=Little Rock, S=Arkansas, C=US<\/li>\n<li>SAN:\u00a0DNS Name=20260331-withrevoke.example.com<\/li>\n<li>RSA 2048 key<\/li>\n<li>Certificate issued successfully before revoke<\/li>\n<\/ul>\n<p>This suggests the CA is not returning malformed or obviously incorrect cert content.<\/p>\n<p><strong>3. 
Security event log confirms immediate issue then revoke<\/strong><\/p>\n<p>After enabling\u00a0Certification Services\u00a0auditing, Security log shows this sequence:<\/p>\n<p><strong>Event 4886<\/strong><\/p>\n<ul>\n<li>Certificate Services received the request<\/li>\n<\/ul>\n<p><strong>Event 4887<\/strong><\/p>\n<ul>\n<li>Certificate Services approved the request and issued the certificate<\/li>\n<li>Requester:\u00a0HOSTNAME\\venafi<\/li>\n<li>DCOM\/RPC authentication path used<\/li>\n<li>Template shown as\u00a0WebServer<\/li>\n<\/ul>\n<p><strong>Event 4870<\/strong><\/p>\n<ul>\n<li>Certificate Services revoked the certificate<\/li>\n<li>Same serial number as the issued certificate<\/li>\n<li>Reason:\u00a04\u00a0(Superseded)<\/li>\n<\/ul>\n<p>This happens effectively immediately.<\/p>\n<p><strong>4. Pattern is repeatable<\/strong><\/p>\n<p>Querying the CA database for requests from\u00a0HOSTNAME\\venafi\u00a0shows a repeated pattern where most requests are immediately revoked with:<\/p>\n<ul>\n<li>Disposition: Revoked<\/li>\n<li>Revocation Reason: Superseded<\/li>\n<li>Disposition Message: Revoked by HOSTNAME\\venafi<\/li>\n<\/ul>\n<p>The exceptions were tests where revoke capability had been intentionally removed from the Venafi CA account.<\/p>\n<p><strong>5. Permission test changed behavior but did not fix root cause<\/strong><\/p>\n<p>When\u00a0Issue and Manage Certificates\u00a0was removed from the Venafi CA account, the request no longer completed the revoke path and instead failed earlier with:<\/p>\n<ul>\n<li>PostCSR failed with error: CCertAdmin::SetCertificateExtension: Access is denied. 0x80070005<\/li>\n<\/ul>\n<p>This indicates Venafi is performing CA\u00a0<strong>administrative<\/strong>\u00a0operations after CSR submission, and revocation happens later in that same general post-issuance path.<\/p>\n<p><strong>6. 
Procmon on the Venafi host shows\u00a0VPlatform.exe\u00a0using both CertRequest and CertAdmin<\/strong><\/p>\n<p>Procmon on\u00a0CWWAPP1989D\u00a0captured\u00a0VPlatform.exe\u00a0doing the following:<\/p>\n<p><strong>Cert enrollment path<\/strong><\/p>\n<p>VPlatform.exe\u00a0queries and activates:<\/p>\n<ul>\n<li>HKCR\\CLSID\\{98AFF3F0-5524-11D0-8812-00A0C903B83C}<\/li>\n<li>CertRequest Class<\/li>\n<li>C:\\Windows\\System32\\certcli.dll<\/li>\n<\/ul>\n<p><strong>CA admin path<\/strong><\/p>\n<p>VPlatform.exe\u00a0then queries and activates:<\/p>\n<ul>\n<li>HKCR\\CLSID\\{37EABAF0-7FB6-11D0-8817-00A0C903B83C}<\/li>\n<li>CertAdmin Class<\/li>\n<li>%systemroot%\\system32\\certadm.dll<\/li>\n<\/ul>\n<p><strong>DCOM\/RPC communication<\/strong><\/p>\n<p>Procmon also shows:<\/p>\n<ul>\n<li>endpoint mapper (135) traffic via\u00a0svchost.exe<\/li>\n<li>VPlatform.exe\u00a0connecting to the CA host on dynamic RPC port\u00a050014<\/li>\n<\/ul>\n<p>This strongly suggests:<\/p>\n<ul>\n<li>VPlatform.exe\u00a0first issues via\u00a0CertRequest<\/li>\n<li>then immediately performs CA admin operations via\u00a0CertAdmin<\/li>\n<\/ul>\n<p>Given the ADCS security logs, that admin path appears to be what revokes the newly issued cert.<\/p>\n<p><strong>Additional observations<\/strong><\/p>\n<p><strong>Stand-alone CA<\/strong><\/p>\n<p>This is a\u00a0<strong>stand-alone<\/strong>\u00a0Microsoft CA, not enterprise template-based ADCS.<\/p>\n<p><strong>No special Venafi workflow\/customization<\/strong><\/p>\n<p>This is a dev system with:<\/p>\n<ul>\n<li>no custom workflows<\/li>\n<li>no special consumers<\/li>\n<li>no installation\/application integration<\/li>\n<li>minimal test object<\/li>\n<\/ul>\n<p>That makes this look less like an environmental customization problem and more like:<\/p>\n<ul>\n<li>default Venafi behavior in this integration path, or<\/li>\n<li>a product defect in the stand-alone Microsoft CA DCOM path<\/li>\n<\/ul>\n<p><strong>Failed auth events also 
observed<\/strong><\/p>\n<p>We saw Security log\u00a04625\u00a0failures from\u00a0CWWAPP1989D\u00a0for\u00a0WINDSTREAM\\g9897431.<\/p>\n<p>From the Security log:<\/p>\n<ul>\n<li>11:53:34\u00a0\u2014\u00a04886\u00a0request received<\/li>\n<li>11:53:36\u00a0\u2014\u00a04887\u00a0certificate issued<\/li>\n<li>11:53:36\u00a0\u2014\u00a04870\u00a0certificate revoked<\/li>\n<li>11:53:36 \u2014 multiple 4625 failures for DOMAIN\\venafisystemuser<\/li>\n<li>11:53:37\u00a0\u2014 another\u00a04625<\/li>\n<\/ul>\n<p>Since time resolution in the log is seconds, it is <em>possible<\/em> Venafi is requesting the cert under the configured credential (HOSTNAME\\venafi), attempting to do something <em>else<\/em> under DOMAIN\\venafisystemuser, getting an auth failure, and then revoking the certificate under the configured credential (HOSTNAME\\venafi). I would be surprised if this is the case because \u201csuperseded\u201d is a very specific revocation reason. I would expect something like a generic \u201cUnspecified\u201d or \u201cCessation of Operation\u201d to be used.<\/p>\n<p><strong>Summary conclusion<\/strong><\/p>\n<p>Current evidence indicates that:<\/p>\n<ul>\n<li>Venafi successfully enrolls the certificate from the stand-alone Microsoft CA using DCOM \/\u00a0CertRequest<\/li>\n<li>VPlatform.exe\u00a0then immediately invokes the Microsoft CA admin COM interface (CertAdmin)<\/li>\n<li>the newly issued certificate is then revoked by the Venafi CA account with reason\u00a0Superseded<\/li>\n<\/ul>\n<p>At this point, this appears to be:<\/p>\n<ul>\n<li>Venafi-driven post-issuance behavior<\/li>\n<li>not spontaneous ADCS behavior<\/li>\n<li>and likely either:\n<ol>\n<li>expected-but-unwanted default behavior in this integration mode, or<\/li>\n<li>a product defect in the stand-alone Microsoft CA DCOM workflow<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><strong>Resolution<\/strong><\/p>\n<p>The issue was resolved by changing the policy module settings to set the cert request to 
pending instead of automatically issue. While I expected this to leave the cert in a pending state and require manual intervention (or a batch job to bulk approve whatever is pending), the cert was immediately issued.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/adcs-policysettings.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12123\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/adcs-policysettings.jpg\" alt=\"\" width=\"721\" height=\"614\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/adcs-policysettings.jpg 721w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2026\/04\/adcs-policysettings-300x255.jpg 300w\" sizes=\"auto, (max-width: 721px) 100vw, 721px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Background: Environment Dev environment, Venafi 25.3.0.2740 Microsoft ADCS\u00a0stand-alone\u00a0CA Enrollment method:\u00a0DCOM CA object uses a\u00a0local account on the ADCS server No custom workflows No customizations No consumers\/app installation tied to the cert object Simple certificate object created for testing Problem When a certificate is requested from Venafi against the stand-alone Microsoft CA, ADCS successfully issues the 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1525],"tags":[2184,2185],"class_list":["post-12122","post","type-post","status-publish","format-standard","hentry","category-windows","tag-venafi","tag-windows-ad-cs"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12122"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12122\/revisions"}],"predecessor-version":[{"id":12124,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/12122\/revisions\/12124"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}