|
Home > Archive > IIS Server Security > November 2004 > CA cannot process cert request
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
CA cannot process cert request
|
|
|
| I was not able to request a cert directly from a w2k3 server CA so I used the
option to prepare and send later. I was able to generate a CSR but when i
submit to CA, i get following error:
" the request contains no certificate template information. 0x80094801
(-2146875391) denied by policy module 0x80094801. the request does not
contain a certificate template extension or the certificate template request
attribute."
Some background detail: i have an autoenrollment policy to auto issue certs
to computers but the CA wouldn't issue one to this winXP computer which is
why I tried the CSR option.
Anybody with idea(s) on what the problem might be or troubleshooting steps.
I have been checking this newsgroup but haven't found anything that addresses
my problem.
Thanks.
| |
| Miha Pihler 2004-11-08, 5:50 pm |
| Hi,
Did you use Web Interface to issue certificate? What policy did you select?
What account did you use for this process?
Mike
"dej" <jaa@discussions.microsoft.com> wrote in message
news:BD1F1600-34F8-4387-ACD8-2E056C92EBC9@microsoft.com...
>I was not able to request a cert directly from a w2k3 server CA so I used
>the
> option to prepare and send later. I was able to generate a CSR but when i
> submit to CA, i get following error:
>
> " the request contains no certificate template information. 0x80094801
> (-2146875391) denied by policy module 0x80094801. the request does not
> contain a certificate template extension or the certificate template
> request
> attribute."
>
> Some background detail: i have an autoenrollment policy to auto issue
> certs
> to computers but the CA wouldn't issue one to this winXP computer which
> is
> why I tried the CSR option.
>
> Anybody with idea(s) on what the problem might be or troubleshooting
> steps.
> I have been checking this newsgroup but haven't found anything that
> addresses
> my problem.
>
> Thanks.
| |
|
| Hi Miha,
1. No, I didn't use the web interface. Actually I am not sure how to
implement so I've never used.
2. I used the default domain policy\computer configuration\windows
settings\public key policies\automatic certificate request settings\computer
template policy. I am providing the complete GPO editor path so that you are
clear on what policy I used.
3. If the process of setting policy, I used domain admin account. If process
of requesting cert, I tried all of the following: domain admin, local admin,
user account with both domain/local admin privilege.
Thanks.
Dej.
"Miha Pihler" wrote:
> Hi,
>
> Did you use Web Interface to issue certificate? What policy did you select?
> What account did you use for this process?
>
> Mike
>
> "dej" <jaa@discussions.microsoft.com> wrote in message
> news:BD1F1600-34F8-4387-ACD8-2E056C92EBC9@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-11-08, 5:50 pm |
| Hi,
If you used default installation of your CA server then you should be able
to use web interface on your CA server (you can use it remotely). URL is
http://CA_Name/certsrv where CA_Name is name of your CA server. Browse to it
and click on Request a certificate. In the new windows select advanced
certificate request. In next windows select Submit a certificate request by
using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by
using a base-64-encoded PKCS #7 file. In first window (Saved Request) paste
your request. In second windows (Certificate Templates) select template that
says Web Server.
Once you enter all data, click Submit. You can now download the certificate
and save it to e.g. floppy or local/network drive. Now you can continue with
the process of installing SSL on your IIS server.
I hope this helps,
Mike
"dej" <dej@discussions.microsoft.com> wrote in message
news:658BDF91-6867-4106-B7D4-70B623B2569E@microsoft.com...[vbcol=seagreen]
> Hi Miha,
>
> 1. No, I didn't use the web interface. Actually I am not sure how to
> implement so I've never used.
>
> 2. I used the default domain policy\computer configuration\windows
> settings\public key policies\automatic certificate request
> settings\computer
> template policy. I am providing the complete GPO editor path so that you
> are
> clear on what policy I used.
>
> 3. If the process of setting policy, I used domain admin account. If
> process
> of requesting cert, I tried all of the following: domain admin, local
> admin,
> user account with both domain/local admin privilege.
>
> Thanks.
>
> Dej.
>
> "Miha Pihler" wrote:
>
| |
|
| Hi,
I tried to access the page but received a "the page cannot be found... HTTP
Error 404 - File or directory not found. Internet Information Services (IIS)"
error. I also tried to access the website directly since certsrv is a virtual
dir of the website but got
"under contruction... The site you are trying to view does not currently
have a default page. It may be in the process of being upgraded and
configured...." page.
When I look in IIS Manager, I see there is no "default" page. I am not very
familiar with IIS, I guess that's why I've not used the web interface.
Any idea/recommendation on what to do.
Thanks.
dej.
"Miha Pihler" wrote:
> Hi,
>
> If you used default installation of your CA server then you should be able
> to use web interface on your CA server (you can use it remotely). URL is
> http://CA_Name/certsrv where CA_Name is name of your CA server. Browse to it
> and click on Request a certificate. In the new windows select advanced
> certificate request. In next windows select Submit a certificate request by
> using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by
> using a base-64-encoded PKCS #7 file. In first window (Saved Request) paste
> your request. In second windows (Certificate Templates) select template that
> says Web Server.
>
> Once you enter all data, click Submit. You can now download the certificate
> and save it to e.g. floppy or local/network drive. Now you can continue with
> the process of installing SSL on your IIS server.
>
> I hope this helps,
>
> Mike
>
> "dej" <dej@discussions.microsoft.com> wrote in message
> news:658BDF91-6867-4106-B7D4-70B623B2569E@microsoft.com...
>
>
>
| |
| Miha Pihler 2004-11-09, 5:52 pm |
| Hi,
It depends how CA was installed. Web interface is not a mandatory component.
On Windows 2003 IIS is not installed by default and if you install CA
service now, it will work without Web Interface.
Do you have CertSrv present in your IIS on your CA server? Is default.asp
present in this directory?
Mike
"dej" <dej@discussions.microsoft.com> wrote in message
news:63412037-6DEF-4803-A548-A6235AA4D65A@microsoft.com...[vbcol=seagreen]
> Hi,
>
> I tried to access the page but received a "the page cannot be found...
> HTTP
> Error 404 - File or directory not found. Internet Information Services
> (IIS)"
> error. I also tried to access the website directly since certsrv is a
> virtual
> dir of the website but got
>
> "under contruction... The site you are trying to view does not currently
> have a default page. It may be in the process of being upgraded and
> configured...." page.
>
> When I look in IIS Manager, I see there is no "default" page. I am not
> very
> familiar with IIS, I guess that's why I've not used the web interface.
>
> Any idea/recommendation on what to do.
>
> Thanks.
>
> dej.
>
>
>
>
> "Miha Pihler" wrote:
>
| |
|
| I don't exactly remember if I installed the web component when I installed
the CA. The reason at the time was I wasn't sure I wanted to use it. But
when I check installed component on the server, I see that the web enrollment
component is installed.
CertSrv is present as a virtual directory on the IIS but there is no
default.asp. What do I do?
Thanks for your help.
"Miha Pihler" wrote:
> Hi,
>
> It depends how CA was installed. Web interface is not a mandatory component.
> On Windows 2003 IIS is not installed by default and if you install CA
> service now, it will work without Web Interface.
>
> Do you have CertSrv present in your IIS on your CA server? Is default.asp
> present in this directory?
>
> Mike
>
> "dej" <dej@discussions.microsoft.com> wrote in message
> news:63412037-6DEF-4803-A548-A6235AA4D65A@microsoft.com...
>
>
>
|
|
|
|
|