RE: Certificate Woes - Problem with CA



Hi,

You're absolutely right, we were thinking of different methods. I was
referring to submitting the request to an online CA by using IIS. This
will submit the request directly to the enterprise CA of your choice
without the need to use the web interface.

What I would like you to do as well is run a few diagnostic commands on the
CA you are trying to issue the Web Server certificate from and post the
results.

certutil -template -v > alltemplates.txt
certutil -catemplates -v > allpublished.txt
dsacls "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" > templateacl.txt

For the last command you will need the support tools and you will need to
replace DC=domain,DC=local with that of your forest root domain.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: Certificate Woes - Problem with CA
thread-index: AccBwaXfl4mFcaLZRPu4/jmj4rANvw==
X-WBNR-Posting-Host: 209.77.80.2
From: =?Utf-8?B?QWxsaWU=?= <Allie@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <28B3664A-7FF5-4D09-A416-5DCDFEE5DBEA@xxxxxxxxxxxxx>
<Pj7tsiv9GHA.768@xxxxxxxxxxxxxxxxxxxxx>
<C54D3D57-C9E6-4375-9128-2C95391A125A@xxxxxxxxxxxxx>
<s8rTFDbAHHA.4432@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Certificate Woes - Problem with CA
Date: Mon, 6 Nov 2006 08:36:02 -0800

Hi Brian,

I can request the certificate just fine using IIS. The problem happens when
I submit the Certificate request to the certificate server. I select the 64
base encoded CMC or PKCS #10 certificate request, paste the contents of
certreq.txt in the appropriate box, when I try to select the Web server
template, I am never given that choice. I only have User and Basic EFS as
Template choices (and therefore, that is where I am stuck). I am not sure if
this helped... maybe we are thinking about different methods of submitting
the certificate request... please let me know (this problem is driving me
crazy...)
Thanks,

Allie

"Brian Delaney [MSFT]" wrote:

Hi Allie,

What is the error message that you receive when you attempt to request a
certificate through the IIS console?

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Certificate Woes - Problem with CA
thread-index: Acb3jHJ+Cb2rGI4NRnObzHG/npl39g==
X-WBNR-Posting-Host: 209.77.80.2
From: =?Utf-8?B?QWxsaWU=?= <Allie@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <28B3664A-7FF5-4D09-A416-5DCDFEE5DBEA@xxxxxxxxxxxxx>
<Pj7tsiv9GHA.768@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: Certificate Woes - Problem with CA
Date: Tue, 24 Oct 2006 09:50:01 -0700

Hi Brian,

Thank you for responding! The template is published and the correct
permissions are set. Requesting the certificate through IIS console also
fails... Let me know if you have any other ideas.

Allie


"Brian Delaney [MSFT]" wrote:

Hi,

Is the Web Server template published on the CA? Go into the Certification
Authority snap-in and ensure you can see the Web Server template under
Certificate Templates. If it is not in that list then the template has not
been published. To publish right-click and go to New and then Certificate
Template to Issue.

Also verify the correct permissions are on the template. In order to
enroll, the user requesting the certificate needs Read and Enroll
permissions and the CA issuing the certificate must also have Read
permissions to get to the template.

If all else fails try requesting the certificate through the IIS console.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
Thread-Topic: Certificate Woes - Problem with CA
thread-index: Acbsn9Q2E0m7BLQ2T9OavwZnjH3ggw==
X-WBNR-Posting-Host: 209.77.80.2
From: =?Utf-8?B?QWxsaWU=?= <Allie@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Certificate Woes - Problem with CA
Date: Tue, 10 Oct 2006 12:11:03 -0700

I am trying to Submit a Certificate Request for my new Exchange 2003 server.
I have already created the certificate request but when I try to get the
pending request accepted by my CA, using the 'submit a certificate request
using a base 64-encoded CMC or PKCS #10 file, or submit a ...' choice, I
encounter the following problem: I only have User and Basic EFS as choices
for Certificate Templates (I need to be able to select Web Server instead).
When I go to the CA and select manage the templates, I can see the Web Server
template just fine (the permissions seem correct). I even tried duplicating
it, but can't get either the web server or New web server templates to
display in the Submit a Certificate Request or Renewal Request page. I don't
see any errors in the event log of the CA either. The CA is running on a
Windows 2003 Server (Std edition). Also, this process was working until
about a month ago just fine... Nothing major has changed in the server with
the exceptions of MS security patches being installed (and I don't think that
installing patches would have broken CA). Has anyone encountered this
problem or know of a solution? Thanks in advance.
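
The two checks discussed in this thread (is the Web Server template published on the CA, and who holds Read and Enroll on the template object), as an added PowerShell example that is not part of any poster's message. It assumes a domain-joined host and an account that can read the Configuration partition; the template CN WebServer is taken from the dsacls command in the thread.

```powershell
# Added example, not from the thread. Assumes read access to the AD Configuration partition.
$TemplateCN  = 'WebServer'   # template CN as used in the thread's dsacls command
# Well-known GUID of the Certificate-Enrollment ("Enroll") extended right.
$EnrollGuid  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$GenericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$ExtRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Find the Configuration partition instead of hard-coding DC=domain,DC=local.
$root    = [ADSI]'LDAP://RootDSE'
$pkiBase = "CN=Public Key Services,CN=Services,$($root.configurationNamingContext)"

# Check 1: published? Each enterprise CA lists the templates it issues in the
# certificateTemplates attribute of its object under CN=Enrollment Services.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
foreach ($ca in $searcher.FindAll()) {
    $issued = @($ca.Properties['certificatetemplates'])
    '{0}: publishes {1} = {2}' -f $ca.Properties['cn'][0], $TemplateCN, ($issued -contains $TemplateCN)
}

# Check 2: Allow ACEs on the template, merged per identity because Read and
# Enroll usually sit in separate ACEs. Deny ACEs and group nesting are not evaluated.
$template = [ADSI]"LDAP://CN=$TemplateCN,CN=Certificate Templates,$pkiBase"
$rules = $template.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$summary = @{}
foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    if (-not $summary.ContainsKey($id)) { $summary[$id] = @{ Read = $false; Enroll = $false } }
    $rights = [int]$ace.ActiveDirectoryRights
    if (($rights -band $GenericRead) -eq $GenericRead) { $summary[$id].Read = $true }
    # An extended-right ACE grants Enroll when it names the Enroll GUID or no GUID (all rights).
    if ((($rights -band $ExtRight) -ne 0) -and
        ($ace.ObjectType -eq $EnrollGuid -or $ace.ObjectType -eq [guid]::Empty)) {
        $summary[$id].Enroll = $true
    }
}
$summary.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-45} Read={1,-5} Enroll={2}' -f $_.Name, $_.Value.Read, $_.Value.Enroll
}
```

Compare the rows against the groups the requesting user belongs to (Read and Enroll) and against the CA's computer account (Read).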







