Cannot issue Computer cert to standalone computer from my ECA
All Windows 2K8R2 SP1 environment.
I have a working Enterprise Certificate Authority in my domain. I want to issue a Computer certificate (for Server Authentication purpose) to an external, stand-alone machine. So I add the Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service role services to my ECA.
Now on my standalone machine, I browse to http://myCA/certsrv. I see that I am only able to request a "User Certificate." In the Advanced Certificate Request, there is still no option to request a Computer certificate or anything that will give me what I need, as far as I can tell.
So I edit the certrqtp.inc file on my ECA such that I replace rgAvailReqTypes(1,5) with rgAvailReqTypes(2,5), and I add this to toward the end of the file:
rgAvailReqTypes(1,FIELD_TEMPLATE)="Computer"
rgAvailReqTypes(1,FIELD_FRIENDLYNAME)="Computer"
rgAvailReqTypes(1,FIELD_OID)="1.3.6.1.5.5.7.3.1"
rgAvailReqTypes(1,FIELD_CSPLIST)=""
Now when I browse the website, I see a new certificate request type: Computer. However, when I try to submit that request on my standalone machine, I get this error:
Certificate Request Denied
The disposition message is "Denied by Policy Module 0x80094800, The request was for
a certificate template that is not supported by the Active Directory Certificate
Services policy: 1.3.6.1.5.5.7.3.1(Server Authentication). ".
How can I issue a computer certificate from my ECA to an external, standalone computer?
If it helps, I am trying to use the cert on the standalone computer for the purposes of running a WinRM listener on that computer that uses SSL.
edit: What I did was request a "Web Server" certificate from the CA, which was granted. It was automatically installed into my user account store. From there, I exported the certificate on my standalone machine, and then imported it into my Local Computer -> Personal store. Now I have a certificate in there that is named after my HOSTNAME of my standalone computer, in the Subject property, it says CN = HOSTNAME, and for "intended purposes" it says "Server Authentication."
However, now I get this:
Even though I have a certificate in my local computer personal store that appears to meet all those requirements. :(
2 Answers
I've seen this before and I'm trying to remember what it was. Have you verified that you have permission to enroll for the certificate? Right-click on Certificate Templates and choose Manage. Find the computer certificate and go to permissions tab. You will have to add everyone enroll permission but because of this you will want to ensure CA Manager approval under the "issuance requirements" tab.
Paul AckermanAlright I've answered my own question. The certificate must include exportable private keys, and it must reside in the Local Computer store. To do this I had to duplicate the Web Server template as a new template which allowed for the exporting of the private key. It must also be a "Server 2003" compatible template and not a Server 2008 template, or else it will not show up on your Certsrv webpage. The Certsrv webpage on your CA will install the certificate in your Current User > Personal store, but it won't work there. You must export it (with private key) and then import it into your Local Machine > Personal store. (Not just click and drag, that won't work either.)
Then, and only then, was I finally able to execute
C:\Users\Administrator>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="SERVER1";CertificateThumbprint="1d9256aea461788764cec1904463120f084292f8"}
With no errors.
Ryan RiesUser contributions licensed under CC BY-SA 3.0