Friday, February 01, 2013 10:26 PM
I have 2008 SP2 DCs and I completed the setup for a ROOT and SUB CA on 2008 R2 successfully. Since we wanted to handle the certificate requests, I have 'set the certificate request status to pending' for the requests that come in.
I needed to install a DC certificate template, so I went through MMC > Personal Certificates > Request Certificate and requested the domain controller cert. Then I went to my Sub CA; the request was in pending status, and I chose to issue the cert. I see the cert in Issued Certificates. But the cert has not been installed on the DC - I checked the personal local store in MMC. I still see the request in Certificate Enrollment Requests in MMC on the DC. I have done gpupdate and certutil -pulse and rebooted the CAs and DC a couple of times.
Saturday, February 02, 2013 10:08 PM
Have you also done this?
1. Run the following command in CMD: certreq -retrieve <RequestNumber> <certificate>.cer (Use the request number you received when requesting the certificate)
2. Run the following command in the same CMD: certreq -accept <certificate>.cer
These steps are done after you have Issued the certificate to the machine :)
Monday, February 04, 2013 4:40 AM
Did you install your certificate chain in the "localMachine" TrustedRoot store of your DC? Because if you did it via the GUI, you have to manually select the localMachine store in the MMC snap-in.
Bring your signed certificate to your DC and use the certutil command:
certutil -accept -machine CertificateFile.cer
Tuesday, February 05, 2013 1:08 PM
If you set the status to pending, I do not believe that it will ever install to the server when you actually issue it. Unless I am mistaken, this setting prevents autoenrollment from working properly. In the past, I have only used this for certificates that I want to have tight control over and/or for which I have to make advanced settings, such as SAN certificates.
Regardless, these are the steps to install the certificate:
- Open the Certification Authority console
- Navigate to the Issued Certificates node
- Double-click on the certificate in question
- Select the Details tab and click 'Copy To File'
- Specify a file with a *.cer extension
You will now need to import this certificate into the domain controller:
- Add Certificates snap-in and select Local Machine
- Right-click on Personal node and select All Tasks --> Import...
- Select the file that you just created
- Complete the wizard
Assuming this is the machine that made the request, you will now have a working certificate. In the future, if you decide that this process is too involved, I would recommend looking into autoenrollment for those certificates.
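
The retrieve-and-accept steps from the thread, followed by a check that the certificate actually landed in the machine's Personal store bound to the private key created with the request. This is an added example, not part of any post above. The request ID, the CA config string and the output path are placeholder assumptions, and it assumes the pending request appears in the Cert:\LocalMachine\REQUEST store.

```powershell
# Run in an elevated PowerShell session on the DC that created the request.
# Placeholder values (assumptions, not from the thread): replace with your own.
$RequestId = 12                                         # request ID shown on the issuing CA
$CaConfig  = 'SUBCA01.example.local\Example-Sub-CA'     # "CA host\CA name"
$CerPath   = Join-Path $env:TEMP "dc-request-$RequestId.cer"

# 1. Fetch the issued certificate from the CA. If the request is still
#    pending or was denied, no certificate file is written.
certreq -retrieve -config $CaConfig $RequestId $CerPath
if (-not (Test-Path $CerPath)) {
    throw "Request $RequestId returned no certificate (still pending or denied?)"
}

# 2. Pair the certificate with the pending request in the machine context.
#    Without -machine, certreq looks in the current user's stores instead.
certreq -accept -machine $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 3. Confirm the certificate is in LocalMachine\My and has its private key.
#    A .cer file carries only the public certificate, so a copy imported on a
#    machine that did not make the request would show HasPrivateKey = False.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }

if (-not $installed) { throw "Certificate $($issued.Thumbprint) is not in LocalMachine\My" }
if (-not $installed.HasPrivateKey) {
    throw "Certificate is installed but not bound to a private key on this machine"
}

# 4. The matching entry under Certificate Enrollment Requests should be gone.
$leftover = Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.GetPublicKeyString() -eq $issued.GetPublicKeyString() }
if ($leftover) { Write-Warning "A pending request with the same public key is still present" }

$installed | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```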