Unable to Install certificate on domain controller 2008 CA


  • Friday, February 01, 2013 10:26 PM
     
     

    Hi,

    I have 2008 SP2 DCs and I completed the setup for a ROOT and SUB CA on 2008 R2 successfully. Since we wanted to handle the certificate requests, I have 'set the certificate request status to pending' for the requests that come in.

    I needed to install a DC certificate template, so I went through MMC > Personal Certificate > Request Certificate and requested the domain controller cert. Then I went to my Sub CA; the request was in pending status, and I chose to issue the cert. I see the cert in Issued Certificates. But the cert has not been installed on the DC - I checked in the MMC personal local store. I still see the request in Certificate Enrollment Requests in the MMC of the DC. I have done gpupdate and certutil -pulse and rebooted the CAs and DC a couple of times.

    Please help 

All Replies

  • Saturday, February 02, 2013 10:08 PM
     
     

    Hi,

    Have you also done this?

    1. Run the following command in CMD: certreq -retrieve <RequestNumber> <certificate>.cer (Use the request number you received when requesting the certificate)
    2. Run the following command in the same CMD: certreq -accept <certificate>.cer

    These steps are done after you have Issued the certificate to the machine :)


    Blog: www.danielclasson.com/blog | LinkedIn: Daniel Classon | Twitter: @danielclasson

  • Monday, February 04, 2013 4:40 AM
     
     

    Hi

    Did you install your certificate chain in the "localMachine" TrustedRoot store of your DC?

    Because if you did it via the GUI, you have to manually select the localMachine store in the MMC snap-in.

    Bring your signed certificate to your DC and use the certutil command:

    certutil -accept -machine CertificateFile.cer

    Stef71

  • Tuesday, February 05, 2013 1:08 PM
     
     Answered

    Hello,

    If you set the status to pending, I do not believe that it will ever install to the server when you actually issue it. Unless I am mistaken, this setting prevents the autoenrollment from working properly. In the past, I have only used this for certificates that I want to have tight control over and/or where I have to make advanced settings, such as SAN certificates.

    Regardless, these are the steps to install the certificate:

    1. Open the Certification Authority console
    2. Navigate to the Issued Certificates node
    3. Double-click on the certificate in question
    4. Select the Details tab and click 'Copy To File'
    5. Specify a file with a *.cer extension

    You will now need to import this certificate into the domain controller:

    1. MMC
    2. Add Certificates snap-in and select Local Machine
    3. Right-click on Personal node and select All Tasks --> Import...
    4. Select the file that you just created
    5. Complete the wizard

    Assuming this is the machine that made the request, you will now have a working certificate. In the future, if you decide that this process is too involved, I would recommend looking into autoenrollment for those certificates.

    ~ fr3dd



    • Marked As Answer by YEMANO1 Wednesday, February 06, 2013 2:22 PM
    • Unmarked As Answer by YEMANO1 Wednesday, February 06, 2013 2:23 PM
    • Marked As Answer by YEMANO1 Wednesday, February 06, 2013 4:53 PM
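
The retrieve-and-accept sequence from the replies above, followed by a check that the issued certificate actually landed in the Local Machine Personal store bound to its private key. This is an added PowerShell example, not code from any poster in the thread; the request ID 42 and the output path are placeholders, and it assumes an elevated prompt on the DC that submitted the request.

```powershell
# Added example. Assumptions: run elevated on the machine that made the request;
# RequestId 42 and the .cer path are placeholders, not values from the thread.
param(
    [int]$RequestId   = 42,
    [string]$CertFile = "$env:TEMP\dc-cert.cer"
)

# Requests still waiting for a CA response sit in the machine REQUEST store
# ("Certificate Enrollment Requests" in the MMC snap-in).
$pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST)
Write-Host ("Pending requests before accept: {0}" -f $pending.Count)

# Avoid the overwrite prompt if an earlier attempt left a file behind.
if (Test-Path $CertFile) { Remove-Item $CertFile }

# Fetch the issued certificate from the CA. Without -config, certreq
# shows a dialog to pick the CA.
certreq -retrieve $RequestId $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -retrieve failed with exit code $LASTEXITCODE" }

# Pair the certificate with the pending request's key in the machine context.
certreq -accept -machine $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Verify: the same thumbprint must now be in LocalMachine\My with a private key.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }

if (-not $installed) {
    throw "Certificate $($issued.Thumbprint) is not in LocalMachine\My"
}
if (-not $installed.HasPrivateKey) {
    # Typical result of importing the .cer on a machine that did not make the
    # request, or into the wrong store: the certificate is present but unusable.
    Write-Warning "No private key bound. Try: certutil -repairstore my $($issued.SerialNumber)"
} else {
    Write-Host "Installed with private key. Subject: $($installed.Subject)"
    Write-Host "Valid until: $($installed.NotAfter)"
}
```

The `HasPrivateKey` check matters for the MMC import route as well: a certificate imported on a machine other than the requester shows up in the store but cannot be used for LDAPS or Kerberos.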