Cannot issue Computer cert to standalone computer from my ECA


Solution 1

Alright I've answered my own question. The certificate must include exportable private keys, and it must reside in the Local Computer store. To do this I had to duplicate the Web Server template as a new template which allowed for the exporting of the private key. It must also be a "Server 2003" compatible template and not a Server 2008 template, or else it will not show up on your Certsrv webpage. The Certsrv webpage on your CA will install the certificate in your Current User > Personal store, but it won't work there. You must export it (with private key) and then import it into your Local Machine > Personal store. (Not just click and drag, that won't work either.)

Then, and only then, was I finally able to execute

C:\Users\Administrator>winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="SERVER1";CertificateThumbprint="1d9256aea461788764cec1904463120f084292f8"}

With no errors.
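As an added example (not code from the original question or answers), the following PowerShell script checks the requirements Solution 1 and the comments below describe (private key present, certificate in the Local Machine Personal store, name matching the host, Server Authentication EKU, issuing CA trusted and CRL reachable) before creating the HTTPS listener. It assumes the certificate has already been imported into Cert:\LocalMachine\My and that it runs in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumes the cert is already in
# Cert:\LocalMachine\My (imported as a PFX) and that the session is elevated.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID quoted in the question's error
$HostName      = $env:COMPUTERNAME     # the answer used the short host name

function Test-WinRmListenerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key (import the PFX, a .cer alone is not enough)'
    }
    # DnsName returns the SAN DNS name if present, otherwise the subject CN
    $dnsName = $Cert.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $HostName) {
        $problems += "name '$dnsName' does not match host '$HostName'"
    }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'EKU does not include Server Authentication'
    }
    if ($Cert.NotAfter -lt (Get-Date) -or $Cert.NotBefore -gt (Get-Date)) {
        $problems += 'certificate is outside its validity period'
    }
    # Build the chain with online revocation checking: this fails when the
    # issuing CA is not in Trusted Root CAs or the CRL cannot be fetched.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $problems += $chain.ChainStatus | ForEach-Object { "chain: $($_.Status) $($_.StatusInformation.Trim())" }
    }
    return $problems
}

$candidates = @(Get-ChildItem Cert:\LocalMachine\My)
$usable = @($candidates | Where-Object { @(Test-WinRmListenerCert $_).Count -eq 0 })
if ($usable.Count -eq 0) {
    foreach ($c in $candidates) {
        Write-Host "Thumbprint $($c.Thumbprint):"
        Test-WinRmListenerCert $c | ForEach-Object { Write-Host "  - $_" }
    }
    throw 'No certificate in Cert:\LocalMachine\My satisfies the listener requirements.'
}
$cert = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
# Equivalent to the winrm create command shown in the answer above.
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet @{ Hostname = $HostName; CertificateThumbprint = $cert.Thumbprint }
```

If no certificate qualifies, the script lists each candidate's failed checks so the missing step (PFX import, CA trust, CRL reachability) is visible before the listener is created.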

Solution 2

I've seen this before and I'm trying to remember what it was. Have you verified that you have permission to enroll for the certificate? Right-click on Certificate Templates and choose Manage. Find the computer certificate and go to the Permissions tab. You will have to add the Enroll permission for Everyone, but because of this you will want to ensure CA Manager approval under the "Issuance Requirements" tab.


Ryan Ries

Windows Escalation Engineer at Microsoft. I debug things, with a particular fondness for Active Directory and coding. Disclaimer: This is my personal account and has no affiliation with my employer. All postings are provided "AS IS" with no warranties, and confer no rights. My posts do not represent the thoughts, intentions, plans or strategies of Microsoft. You should not consider out of date posts to reflect current thoughts and opinions.

Updated on September 18, 2022

Comments

  • Ryan Ries
    Ryan Ries over 1 year

    All Windows 2K8R2 SP1 environment.

    I have a working Enterprise Certificate Authority in my domain. I want to issue a Computer certificate (for Server Authentication purpose) to an external, stand-alone machine. So I add the Certification Authority Web Enrollment, Certificate Enrollment Web Service, and Certificate Enrollment Policy Web Service role services to my ECA.

    Now on my standalone machine, I browse to http://myCA/certsrv. I see that I am only able to request a "User Certificate." In the Advanced Certificate Request, there is still no option to request a Computer certificate or anything that will give me what I need, as far as I can tell.

    So I edit the certrqtp.inc file on my ECA such that I replace rgAvailReqTypes(1,5) with rgAvailReqTypes(2,5), and I add this toward the end of the file:

        rgAvailReqTypes(1,FIELD_TEMPLATE)="Computer"
        rgAvailReqTypes(1,FIELD_FRIENDLYNAME)="Computer"
        rgAvailReqTypes(1,FIELD_OID)="1.3.6.1.5.5.7.3.1"
        rgAvailReqTypes(1,FIELD_CSPLIST)=""
    

    Now when I browse the website, I see a new certificate request type: Computer. However, when I try to submit that request on my standalone machine, I get this error:

    Certificate Request Denied 
    The disposition message is "Denied by Policy Module 0x80094800, The request was for
    a certificate template that is not supported by the Active Directory Certificate
    Services policy: 1.3.6.1.5.5.7.3.1(Server Authentication). ".
    

    How can I issue a computer certificate from my ECA to an external, standalone computer?

    If it helps, I am trying to use the cert on the standalone computer for the purposes of running a WinRM listener on that computer that uses SSL.

    edit: What I did was request a "Web Server" certificate from the CA, which was granted. It was automatically installed into my user account store. From there, I exported the certificate on my standalone machine, and then imported it into my Local Computer -> Personal store. Now I have a certificate in there that is named after the HOSTNAME of my standalone computer; in the Subject property it says CN = HOSTNAME, and for "Intended Purposes" it says "Server Authentication."

    However, now I get this error (screenshot not reproduced here):

    Even though I have a certificate in my local computer personal store that appears to meet all those requirements. :(

  • Ryan Ries
    Ryan Ries over 12 years
    Unfortunately, this did not help. I do appreciate your help so far though!
  • Paul Ackerman
    Paul Ackerman over 12 years
    Does the standalone box trust the CA that issued the certificate? If not, it will not see the cert as valid, i.e. have you added the CA's cert to the trusted CAs store? Also, are you able to reach the CRL on the CA from the standalone box?
  • Ryan Ries
    Ryan Ries over 12 years
    Upvoting for the help. :)