Certificate Enrollment Problem

    Question

  •  I have a Windows Server 2008 Enterprise Root CA with a different Windows 2008 Server running the Cert Enrollment website (using SSL). Any certificate that I attempt to request (Vista or XP) results in:

    ============================================

    Your request failed. An error occurred while the server was processing your request.

    Contact your administrator for further assistance.

    Request Mode:
    newreq - New Request
    Disposition:
    (never set)
    Disposition message:
    (none)
    Result:
    The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    COM Error Info:
    CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
    LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0)
    Suggested Cause:
    This error can occur if the Certification Authority Service has not been started.

    =================================


    The Windows Firewall is off between the web enrollment server and the CA, but only 443 is open inbound to the web enrollment server from outside.


    What am I missing here?  This is rapidly becoming a showstopper.

    Thanks,

    BH
    Wednesday, June 11, 2008 4:50 PM

Answers

  • What happens if you run the following command from the Web server (front end)
    certutil -ping -config "CADNSName\CAName"

    So, for example, if the DNS name of the CA is ca.example.com and the CA Name is "Example Corporation Corporate CA", then you would type certutil -ping -config "ca.example.com\Example Corporation Corporate CA" 

    You need to use RPC to communicate from the Web front end to the back end Web server. There are some excellent configuration tips in the Advanced Enrollment whitepaper that can assist you.

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

    HTH,
    Brian
    Wednesday, June 18, 2008 5:16 AM
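    The answer above boils down to a few checks from the Web Enrollment front end: the CA name resolves, the RPC endpoint mapper (TCP 135) is reachable, the CA service is running, and certutil -ping gets an "is alive" back. The script below is an added example that strings those checks together; it is not from the thread or from Microsoft, and the CA host name and CA name it uses are placeholders you must replace. It is written for Windows PowerShell on the front end (Get-Service -ComputerName is not available in PowerShell 7).

    ```powershell
    # Added diagnostic, not from the thread. Run on the Web Enrollment front end.
    # $CaHost and $CaName are assumed placeholder values; replace them with your CA's.
    param(
        [string]$CaHost = "ca.example.com",
        [string]$CaName = "Example Corporation Corporate CA"
    )
    $config = "$CaHost\$CaName"

    # 1. Name resolution: the RPC binding fails before anything else if the CA name does not resolve.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($CaHost) | ForEach-Object { $_.IPAddressToString }
        Write-Host "DNS: $CaHost -> $($addrs -join ', ')"
    } catch {
        Write-Warning "DNS: cannot resolve $CaHost ($($_.Exception.Message))"
    }

    # 2. TCP 135 (RPC endpoint mapper) must be open from the front end to the CA; the mapper
    #    then tells the client which dynamic port the CA's DCOM interface is listening on,
    #    so that port range must be reachable too, not just 443.
    function Test-TcpPort([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
            $client.EndConnect($ar)
            return $true
        } catch { return $false } finally { $client.Close() }
    }
    $epm = Test-TcpPort -TargetHost $CaHost -Port 135
    Write-Host ("TCP 135 (RPC endpoint mapper): " + $(if ($epm) { "open" } else { "BLOCKED" }))

    # 3. The "Suggested Cause" in the error page: is the CA service actually running?
    try {
        $svc = Get-Service -ComputerName $CaHost -Name CertSvc -ErrorAction Stop
        Write-Host "CertSvc on ${CaHost}: $($svc.Status)"
    } catch {
        Write-Warning "Could not query CertSvc on $CaHost ($($_.Exception.Message))"
    }

    # 4. The certutil ping from the answer; "is alive" means the CA's DCOM interface answered.
    $ping = & certutil.exe -ping -config $config 2>&1 | Out-String
    if ($ping -match "is alive") {
        Write-Host "certutil -ping: CA '$config' is alive"
    } else {
        Write-Warning "certutil -ping failed:`n$ping"
    }
    ```

    If step 2 reports BLOCKED while the CA is running, the firewall between the two servers (not the external 443 rule) is the thing to look at.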

All replies

  • I'm having a slightly related problem. I have Certificate Services running on a Windows 2008 Enterprise Edition 64-bit. I installed it as an Enterprise subordinate CA, using a certificate from the original enterprise CA. It is set up as  I am trying to enroll a certificate on another computer. When I use "Automatically Enroll and Retrieve Certificates", I see the certificate I want. However, when I try to enroll it I get the following error:

    The RPC server is unavailable.
    The certificate request could not be submitted to the certificate authority

    There are no firewalls between the certificate authority and I tried using the certutil ping command as stated above and I got an 'is alive' reply from the CA.

    Any idea what my hang up could be?

    Friday, December 12, 2008 9:31 PM
  • I'm having the same issue. Were you able to resolve it? certutil -ping -config "ca.example.com\Example Corporation Corporate CA"
    is alive. Any suggestions?
    Tuesday, May 22, 2012 6:37 PM