Problem Generating a certificate request

    Question

    I have a couple of Windows 2003 R2 SP2 servers hosting several instances of ADAM.  I am using certreq to generate the certificate requests for these servers so I can use SSL in connecting to ADAM but I am getting an error.  This is the request.inf I am using (pretty much straight from an MS article...) to generate the request...

     

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=servername.childdomain.rootdomain.com" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    ;-----------------------------------------------

     

    I am using this command....  certreq -new request.inf request.req

     

    After hitting enter, it sits there for about 10 seconds and gives me this error back...

     

    Certificate Request Processor: Access is denied.  0x80070005 (WIN32: 5)

    [RequestAttributes]

     

    I have searched on this error and have not found much of anything on it.  This process seems to work fine on other servers that I have, but these two servers both generate this error.  Both servers are clean builds and only have ADAM installed on them.  I am a local admin on both servers so it doesn't appear that there should be any permission issues as implied by the error message. 

     

    Anyone have any ideas?

     

    Thanks!

     

     

     

     

     

     

    Thursday, May 29, 2008 19:47

Answers

  • Hello Bryan,

     

    First of all, please make sure that the CA certificate is added to the Trusted Root certificate store on the servers. If certificate web enrollment is enabled, please check how a certificate request works on the two servers that generate the error.

     

    Meanwhile, please verify the security permission on the MachineKeys directory:

     

    1.    Open Windows Explorer, and find the MachineKeys directory in the following location:

    Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys

    2.    Right-click the directory, and click Properties.

    3.    Click the Security tab, and ensure that the full control permission for the Administrators

     

    How to: Change the Security Permissions for the MachineKeys Directory

    http://msdn.microsoft.com/en-us/library/bb909654.aspx

     

    Hope it helps.

     

     

     

    • Edited by Miles Li (Moderator), Friday, June 06, 2008 6:27: mark answer, you can reply directly for further discussion
    • Marked as answer by Miles Li (Moderator), Friday, June 06, 2008 6:37
    Friday, May 30, 2008 7:44
    Moderator
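
The check from the steps in the answer above, as an added PowerShell example (not part of the original thread or the linked Microsoft article): it reads the MachineKeys ACL and reports whether BUILTIN\Administrators has an Allow entry for Full Control that applies to the directory itself, and whether any Deny entry targets that group. The function name Test-AdminFullControl and the default path built from %ALLUSERSPROFILE% are assumptions; the script only reads the ACL and changes nothing.

```powershell
param(
    # Assumption: default follows the Windows Server 2003 location quoted in the answer.
    [string]$Path = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys')
)

function Test-AdminFullControl {   # hypothetical helper name
    param([string]$Directory)

    $adminSid    = 'S-1-5-32-544'  # well-known SID of BUILTIN\Administrators
    $full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -Path $Directory
    # Explicit and inherited entries, with identities returned as SIDs so the
    # comparison does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $allowFull = $false
    $denyEntry = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $adminSid) { continue }
        # Inherit-only entries apply to child objects, not to the directory itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $denyEntry = $true; continue }
        if (([int]$rule.FileSystemRights -band $full) -eq $full) { $allowFull = $true }
    }

    $result = New-Object PSObject
    $result | Add-Member NoteProperty Path $Directory
    $result | Add-Member NoteProperty Owner $acl.Owner
    $result | Add-Member NoteProperty AdministratorsAllowFullControl $allowFull
    $result | Add-Member NoteProperty AdministratorsDenyEntryPresent $denyEntry
    return $result
}

if (-not (Test-Path -Path $Path)) {
    Write-Error "MachineKeys directory not found: $Path"
    exit 1
}

# A missing Allow entry or a Deny entry here matches the "Access is denied"
# symptom from certreq -new; correct it as described in the linked article.
Test-AdminFullControl -Directory $Path | Format-List
```

Running it on a server where certreq works and on one where it fails lets you compare the two ACL results directly.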

All replies

  • Thanks Miles.  I will try it out and see if it helps.
    Monday, June 02, 2008 14:50
  • Thanks Miles,

     

    That worked perfectly for me :-)

     

    Michael

    Thursday, June 02, 2011 0:32