ADCS - How can I diagnose the exact reason a certificate request was denied by a policy module?


I need to develop operational procedures to audit and understand why a specific request was rejected by an Active Directory Certificate Services (ADCS) Policy Module.

I've attempted turning on all logging (checkboxes) in the GUI, and checked the event log. I only see one event log entry per failed request; however, I don't have a clear way of determining what caused it to fail. An example of a failure is below:

Active Directory Certificate Services denied request 4 because The certification authority's certificate contains invalid data. 0x80094005 (-2146877435 CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Issue01a, CN=Bits.com, OU=For email security, O=Bits LLC, C=US. Additional information: Denied by Policy Module

The above example is a sub-CA that intentionally had a validity period that would extend beyond the validity of the parent CA.

I'm hoping to derive that reason from the error code above, or some other location.

What I've done: Searching for the error "2146877435" in Google results in this very post being pulled up. None of the results on the first few pages are a list of error codes and reasons.

certificate-authority
ad-certificate-services
pki
asked on Server Fault Jun 18, 2014 by halfbit • edited Jun 18, 2014 by halfbit

1 Answer


This link describes how to extract more logging from the certificate service. A restart may be required.

To enable debug logging for the native Windows CertEnroll client, execute the following command:

```
certutil -setreg enroll\debug 0xffffffe3
```

The log file is in the following location: `%windir%\CertEnroll.log`

To enable debug logging for the CA service itself:

```
certutil -setreg ca\debug 0xffffffe3
```

The log file is in the following location: `%windir%\certsrv.log`

answered on Server Fault Jun 19, 2014 by halfbit
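Beyond the debug logs, the denial event itself already carries the HRESULT (hex and signed decimal), its symbolic name, the subject and the "Additional information" field that tells you which component (here the policy module) rejected the request. The following Python parser is an added example, not part of the original question or answer: it pulls those fields out of the event text from the question, decodes the HRESULT into severity/facility/code, and cross-checks the hex and decimal forms. The second sample line (request 7, E_ACCESSDENIED) is constructed for illustration.

```python
import re
from typing import Optional

# Constructed samples: the denial text quoted in the question, plus one constructed
# variant with a different (Win32-facility) code to show the parser is not tied to one error.
SAMPLE_EVENTS = [
    "Active Directory Certificate Services denied request 4 because The certification "
    "authority's certificate contains invalid data. 0x80094005 (-2146877435 "
    "CERTSRV_E_INVALID_CA_CERTIFICATE). The request was for CN=Issue01a, CN=Bits.com, "
    "OU=For email security, O=Bits LLC, C=US. Additional information: Denied by Policy Module",
    # constructed line: hypothetical request 7 with a placeholder subject
    "Active Directory Certificate Services denied request 7 because Access is denied. "
    "0x80070005 (-2147024891 E_ACCESSDENIED). The request was for CN=user01, "
    "DC=example, DC=com. Additional information: Denied by Policy Module",
]

DENIAL_RE = re.compile(
    r"denied request (?P<req>\d+) because (?P<reason>.*?) "
    r"(?P<hex>0x[0-9A-Fa-f]{8}) \((?P<dec>-?\d+) (?P<name>[A-Z0-9_]+)\)\. "
    r"The request was for (?P<subject>.*?)\. Additional information: (?P<info>.*)$"
)


def parse_denial(text: str) -> Optional[dict]:
    """Extract the fields of a CA 'denied request' event; None if the text is not a denial."""
    m = DENIAL_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    hres = int(d["hex"], 16)
    # The event prints the HRESULT as unsigned hex and as a signed 32-bit decimal;
    # verify they agree so a truncated or mis-copied code is caught before you search on it.
    signed = hres - (1 << 32) if hres & 0x80000000 else hres
    if signed != int(d["dec"]):
        raise ValueError(f"hex/decimal mismatch in event text: {d['hex']} vs {d['dec']}")
    return {
        "request_id": int(d["req"]),
        "hresult": hres,
        "failed": bool(hres & 0x80000000),   # severity bit is set on every error HRESULT
        "facility": (hres >> 16) & 0x1FFF,   # 0x9 for the CERTSRV_E_* family, 0x7 for Win32
        "code": hres & 0xFFFF,
        "symbol": d["name"],
        "reason": d["reason"].rstrip("."),
        "subject": d["subject"],
        "source": d["info"],                 # e.g. 'Denied by Policy Module'
    }


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_denial(line))
```

On the CA host, `certutil -error 0x80094005` prints the same symbolic name and message text for any code the parser extracts, which is quicker than a web search for the decimal form.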

User contributions licensed under CC BY-SA 3.0