Windows 2008 R2 and Enrollment Agent Certificate

  • Question

  • Hi,

    I have installed a Windows 2008 R2 server with ADCS. I have issued an Enrollment Agent Certificate (Computer) template and also a smart card logon template that requires an Enrollment Agent Certificate signature before it can be sent to the CA.

    I issued the Enrollment Agent Certificate on the computer that is hosting the CA, i.e. Windows 2008 R2, via the MMC (computer). Then I tried to issue a smart card logon certificate on the same computer via the MMC (user).

    The MMC showed the templates that could be issued to the user. I selected the smart card logon template. The template showed that it needed additional information (a signature from an enrollment agent cert); when I tried to find the Enrollment Agent Cert in the MMC, the certificate could not be found.

    I am experiencing the same via the code I have written.

    Any ideas why it does not work? Do I need to have the enrollment agent cert on a computer other than the one hosting the CA?

    Tuesday, March 30, 2010 3:26 AM

Answers

  • In application policy drop-down list select Certificate Request Agent.
    http://www.sysadmins.lv
    • Marked as answer by Zahurab Friday, April 2, 2010 4:16 AM
    Thursday, April 1, 2010 3:22 PM

All replies

  • To Enroll On Behalf Of for user certificates (smart card logon) you must obtain an Enrollment Agent (User) certificate.
    http://www.sysadmins.lv
    • Proposed as answer by Martin Rublik Tuesday, March 30, 2010 9:31 AM
    Tuesday, March 30, 2010 5:42 AM
  • When I try to issue a certificate on behalf of another user (MMC (User) --> Personal --> Certificates --> Advanced Operations --> Enroll On Behalf Of...), I don't see the smart card logon template, which is configured to require at least one signature.

    Tuesday, March 30, 2010 3:41 PM
  • Also, we have a working application that used to issue smart card logon certs programmatically using the cert enrollment agent certificate and issue certificates on behalf, with the 2003 and, as late as 2008, Enterprise version of the CA. Now we are using the 2008 R2 Standard server as the CA, and the certificate keeps denying the request. The error is basically "denied by policy module; the request did not contain any valid signatures or the signatures were not found".

    Any ideas? Could it be a 2008 R2 Standard thing? How can I get more information on this policy module?

    Wednesday, March 31, 2010 4:23 AM
  • Here is the sample certificate request that fails. We had no problems making such requests with a Windows 2003 Enterprise CA. The 2008 CA rejects the request with the error "no signatures were accepted".


    PKCS7/CMS Message:
      CMSG_SIGNED(2)
      CMSG_SIGNED_DATA_CMS_VERSION(3)
      Content Type: 1.3.6.1.5.5.7.12.2 CMC Data

    PKCS7 Message Content:
    ================ Begin Nesting Level 1 ================
    CMS Certificate Request:
    Tagged Attributes: 3

      Body Part Id: 4
      1.3.6.1.5.5.7.7.8 CMC Extensions
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      Extensions: 4
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 31
        Certificate Template Information
            Template=SmartcardLogonECM(1.3.6.1.4.1.311.21.8.5522949.10561221.15222173.10448538.7192499.245.7888595.15461395)
            Major Version Number=100
            Minor Version Number=3

        2.5.29.37: Flags = 0, Length = 18
        Enhanced Key Usage
            Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
            Client Authentication (1.3.6.1.5.5.7.3.2)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)

        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1c
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Smart Card Logon
            [2]Application Certificate Policy:
                 Policy Identifier=Client Authentication

      Body Part Id: 3
      1.3.6.1.4.1.311.10.10.1 CMC Attributes
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      1 attributes:

      Attribute[0]: 1.3.6.1.4.1.311.21.20 (Client Information)
        Value[0][0]:
        Unknown Attribute type
        Client Id: = 5
        User: DEXADEMO\elmerfudd
        Machine: Vistax86.dexademo.pri
        Process: CertEnrollCtrl.exe

      Body Part Id: 2
      1.3.6.1.5.5.7.7.18 Reg Info
      Value[0]:
        RequesterName: DEXADEMO\elmerfudd

    Tagged Requests: 1
      CMC_TAGGED_CERT_REQUEST_CHOICE:
      Body Part Id: 1
    ================ Begin Nesting Level 2 ================
    Element 0:
    PKCS10 Certificate Request:
    Version: 1
    Subject:
        EMPTY

    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 1024 bits
    Public Key: UnusedBits = 0
        0000  30 81 89 02 81 81 00 e2  20 98 7e 03 5d e4 9d a6
        0010  0e 4d d8 27 12 b7 ba 27  81 fa 49 1c 4c 9e dc 47
        0020  c7 e7 7b 7a 04 35 c3 08  60 89 a2 f4 32 39 8f 9a
        0030  ba 09 cd 79 aa e3 54 56  27 df 16 be ec 9d 6e 3b
        0040  d1 1d 60 cc 0c fe 43 42  59 d0 73 97 e4 73 32 08
        0050  d0 60 76 a5 06 27 ad 0d  54 06 3f 1f 5c 02 74 ab
        0060  d0 f6 1d 78 2e 43 67 66  54 90 b9 a6 a9 03 94 a5
        0070  ec 81 14 f0 0b 94 79 86  30 69 7b 31 b9 af be 05
        0080  5e 2f e3 ec 8e 71 c7 02  03 01 00 01
    Request Attributes: 4
      4 attributes:

      Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
        Value[0][0]:
            6.0.6001.2

      Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
        Value[1][0]:
        Unknown Attribute type
        Client Id: = 5
        User: DEXADEMO\elmerfudd
        Machine: Vistax86.dexademo.pri
        Process: CertEnrollCtrl.exe

      Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
        Value[2][0]:
        Unknown Attribute type
        CSP Provider Info
        KeySpec = 1
        Provider = Microsoft Base Smart Card Crypto Provider
        Signature: UnusedBits=0

      Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
        Value[3][0]:
        Unknown Attribute type
    Certificate Extensions: 5
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 31
        Certificate Template Information
            Template=SmartcardLogonECM(1.3.6.1.4.1.311.21.8.5522949.10561221.15222173.10448538.7192499.245.7888595.15461395)
            Major Version Number=100
            Minor Version Number=3

        2.5.29.37: Flags = 0, Length = 18
        Enhanced Key Usage
            Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
            Client Authentication (1.3.6.1.5.5.7.3.2)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)

        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1c
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Smart Card Logon
            [2]Application Certificate Policy:
                 Policy Identifier=Client Authentication

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            e4 c9 e0 94 1a 56 0e b4 56 34 e8 18 6c 75 b7 ab c2 d2 ed e1

    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  ba 6e 55 09 33 00 77 d0  52 4d 24 da 77 df f9 fe
        0010  5f 86 17 76 cb 6b 97 a8  5d 5b 20 73 6b b6 81 49
        0020  64 22 5d 91 12 45 53 53  26 31 8d d5 ca e1 60 97
        0030  1f 7f 64 f5 4f b6 07 9e  54 38 af 9c 78 7a 01 6a
        0040  fb 6a 23 23 1e d8 69 25  5b 25 de 7b 1f 44 ee 6a
        0050  0d 03 8a f3 cb 72 58 a0  24 8b 1b a0 34 cb d6 78
        0060  74 75 c2 e5 fa b6 cf ef  fc 26 51 3d 59 c7 fa ce
        0070  2f 6e 74 0d 80 43 ce 40  98 e1 9d aa 37 c0 ae 17
    Signature matches Public Key
    Key Id Hash(rfc-sha1): e4 c9 e0 94 1a 56 0e b4 56 34 e8 18 6c 75 b7 ab c2 d2 ed e1
    Key Id Hash(sha1): 65 fe 19 b3 6f a4 af 1a 6c 9d 23 33 a8 01 72 2a 1d b0 13 d6
    ----------------  End Nesting Level 2  ----------------

    Tagged Content Info: 0
    Tagged Other Messages: 0
    ----------------  End Nesting Level 1  ----------------

    Signer Count: 2

    Signer Info[0]:
    Signature matches request Public Key
    CMSG_SIGNER_INFO_CMS_VERSION(3)
    CERT_ID_KEY_IDENTIFIER(2)
        0000  e4 c9 e0 94 1a 56 0e b4  56 34 e8 18 6c 75 b7 ab
        0010  c2 d2 ed e1
    Hash Algorithm:
        Algorithm ObjectId: 1.3.14.3.2.26 sha1 (sha1NoSign)
        Algorithm Parameters: NULL
    Encrypted Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters: NULL
    Encrypted Hash:
        0000  13 76 f4 a4 89 a0 4e 77  78 a5 67 d7 c4 1b 4a 21
        0010  6d c5 34 6c 84 f9 a2 4b  35 cf 65 1f da f3 23 d6
        0020  4a 82 0a 98 85 f2 27 08  c2 49 d6 a3 02 c0 73 b1
        0030  d0 75 47 fa 07 76 56 35  ea 93 91 68 08 3b eb 57
        0040  f0 ed 6d ee 6b 70 b3 f9  ca ed f9 18 42 5e 46 b3
        0050  4c 32 8b a2 37 02 48 a2  d5 e9 a1 5a 36 0a 83 3c
        0060  d1 18 f1 5f 94 3a 5c 4b  66 ad 7e 52 62 b9 19 74
        0070  9b 50 b3 df 8e 14 0a 9a  90 86 55 69 77 52 2d b3

    Authenticated Attributes[0]:
      2 attributes:

      Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
        Value[0][0]:
        Unknown Attribute type
        1.3.6.1.5.5.7.12.2 CMC Data

      Attribute[1]: 1.2.840.113549.1.9.4 (Message Digest)
        Value[1][0]:
        Unknown Attribute type
        Message Digest:
            14 7c 52 15 58 2a a8 fa 45 26 96 cd 8a e9 1d 88 f3 b6 57 4f

    Unauthenticated Attributes[0]:
      0 attributes:

    Computed Hash: 22 8f eb f7 61 a0 b9 26 56 20 ad cf cf c7 55 8e d2 22 06 6f
    Signing Certificate Index: 0
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 3 Hours, 16 Minutes, 58 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 3 Hours, 16 Minutes, 58 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=ECMCA
      NotBefore: 3/31/2010 4:49 PM
      NotAfter: 3/30/2012 4:49 PM
      Subject: CN=ECM.dexademo.pri
      Serial: 611e0349000000000003
      SubjectAltName: DNS Name=ECM.dexademo.pri
      Template: MachineEnrollmentAgent
      17 dc bc f8 9f 60 8d 8f f1 40 b3 a0 a8 8e c7 2a 61 be ef 16
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 1:
        Issuer: CN=ECMCA
        ca 2b f2 84 01 11 46 9a 05 7e f3 66 d5 67 ec 1c a6 4e 58 c5
        Delta CRL 1:
        Issuer: CN=ECMCA
        60 01 ab bd 98 b0 90 c8 30 93 72 23 22 49 4d 87 5a 72 32 d1
      Application[0] = 1.3.6.1.4.1.311.20.2.1 Certificate Request Agent

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=ECMCA
      NotBefore: 3/31/2010 4:35 PM
      NotAfter: 3/31/2015 4:45 PM
      Subject: CN=ECMCA
      Serial: 5351c275687521b04f35b021ed69c475
      98 cd aa 28 15 a2 ba 82 25 d5 fc 15 a2 58 e3 c1 35 94 c3 85
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      a4 c9 17 c4 1b 75 fd 21 2e 90 de 09 0c 0e 5e 88 be c7 7b 9e
    Full chain:
      ec 6d 9b c9 0d 4c e4 64 8a c7 9c 41 f5 e3 8e d4 f8 da d7 ef
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.4.1.311.20.2.1 Certificate Request Agent

    Signer Info[1]:
    Signature matches Public Key
    CMSG_SIGNER_INFO_PKCS_1_5_VERSION(1)
    CERT_ID_ISSUER_SERIAL_NUMBER(1)
        Serial Number: 611e0349000000000003
        Issuer: CN=ECMCA
        Subject: CN=ECM.dexademo.pri
    Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters: NULL
    Encrypted Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters: NULL
    Encrypted Hash:
        0000  5a e5 4a 86 d4 c2 fd 97  db 6d 72 87 d3 bf 4b 55
        0010  fc 43 d1 86 13 fe c9 09  2e 33 a1 e9 fb b3 3f b7
        0020  de 56 c1 ac d9 3a d1 c3  dc 92 c6 9d ce 8c 09 96
        0030  5b fa 96 0d de a5 1c fa  0c 74 40 39 95 05 1e 83
        0040  da 97 a5 50 25 c5 8b 45  e7 f6 ba e2 ed 8d 11 3e
        0050  d3 82 77 de 3e 4d 9b a0  13 6b 6c 73 b3 88 75 f8
        0060  35 c0 42 bb 43 42 0c cd  2c a5 92 a6 78 2d c1 36
        0070  c7 26 86 82 05 c0 39 6a  e1 ea 9d 6f a7 77 dd a9
        0080  54 b0 ff 10 53 86 22 f8  76 48 6f f7 9b 02 6e 2b
        0090  59 b1 3d bb 2b f6 96 78  88 0f 95 50 57 16 8c d0
        00a0  29 cc cb bf fe cb 06 3f  d6 72 a0 5a 00 f6 fd 93
        00b0  81 c6 13 c3 00 1f 87 fc  1f 30 d5 f3 e1 22 38 f0
        00c0  7d 09 9c e7 fa 0f d7 ba  6a 4d c0 31 e7 a0 80 23
        00d0  0e 13 21 9e 7b 25 ae 56  27 f3 47 f8 80 1d 2d c4
        00e0  49 ef 94 c8 d3 6a 68 89  cb 77 9c 47 a2 6b e5 9e
        00f0  52 a1 97 ee 6e 2f a0 75  98 06 f0 fc f4 fe 64 d3

    Authenticated Attributes[1]:
      2 attributes:

      Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
        Value[0][0]:
        Unknown Attribute type
        1.3.6.1.5.5.7.12.2 CMC Data

      Attribute[1]: 1.2.840.113549.1.9.4 (Message Digest)
        Value[1][0]:
        Unknown Attribute type
        Message Digest:
            14 7c 52 15 58 2a a8 fa 45 26 96 cd 8a e9 1d 88 f3 b6 57 4f

    Unauthenticated Attributes[1]:
      0 attributes:

    Computed Hash: 22 8f eb f7 61 a0 b9 26 56 20 ad cf cf c7 55 8e d2 22 06 6f
    No Recipient

    Certificates:
    ================ Begin Nesting Level 1 ================
    Element 0:
    X509 Certificate:
    Version: 3
    Serial Number: 611e0349000000000003
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=ECMCA

    NotBefore: 3/31/2010 4:49 PM
    NotAfter: 3/30/2012 4:49 PM

    Subject:
        CN=ECM.dexademo.pri

    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 c6 e1 2e f9 a6 1c 60
        0010  f2 6f a4 54 6d e4 c9 97  95 da e8 c1 6c 93 e9 c6
        0020  bd 79 03 90 2b 19 5a ab  ec 60 ff c7 77 f8 75 e8
        0030  3c 01 de cd 5b 80 8b f6  f6 e9 b9 c5 d4 e9 8a 14
        0040  84 7c e0 69 cb 5c 18 42  f4 5f f4 d1 2b 2b 08 1d
        0050  4a 08 58 d5 ef 60 51 2e  b2 e6 7f d1 a6 5e 13 c6
        0060  6d 90 ee d9 48 cd f7 1f  a0 d1 c4 77 3e f5 3e ee
        0070  a6 f1 20 ce a8 90 fa 14  23 ae e1 e3 43 8a f6 8a
        0080  49 30 3b e1 e5 e6 c1 01  7c f0 b0 ca 63 da a3 d6
        0090  f9 f7 5a b4 a7 63 e6 8c  90 f6 32 7a 64 c7 cb 4f
        00a0  a3 ae 0c af 64 45 17 e3  5f ac 48 e4 5a cd 43 66
        00b0  ab 6f 39 cd 4b fd 5d e8  ed db dd 72 43 72 1d 97
        00c0  cb c4 b6 98 12 60 22 0d  6a 7f d7 ee 16 51 80 2b
        00d0  93 f9 67 46 d0 b3 f1 c0  1d 16 9d df 9a 61 72 97
        00e0  e9 36 8d c6 11 55 be c7  1d f1 5e 72 bd a0 0f ea
        00f0  86 a1 d4 42 64 46 c7 c0  96 09 73 bf 58 f7 aa 44
        0100  e2 d5 78 56 8c 47 20 50  87 02 03 01 00 01
    Certificate Extensions: 8
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = 2e
        Certificate Template Name (Certificate Type)
            MachineEnrollmentAgent

        2.5.29.37: Flags = 0, Length = e
        Enhanced Key Usage
            Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature (80)

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            63 9d 5a 59 7c b5 36 46 ab 8c 77 1b b8 2f 52 29 35 6e 1f 58

        2.5.29.35: Flags = 0, Length = 18
        Authority Key Identifier
            KeyID=26 b4 6c c5 77 5a e7 19 ef af 1b f1 d6 a8 59 b7 b0 7c 8f df

        2.5.29.31: Flags = 0, Length = e6
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=ldap:///CN=ECMCA,CN=ECM,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dexademo,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                           URL=http://ecm.dexademo.pri/CertEnroll/ECMCA.crl

        1.3.6.1.5.5.7.1.1: Flags = 0, Length = f6
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=ldap:///CN=ECMCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dexademo,DC=pri?cACertificate?base?objectClass=certificationAuthority
            [2]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=http://ecm.dexademo.pri/CertEnroll/ECM.dexademo.pri_ECMCA.crt

        2.5.29.17: Flags = 0, Length = 14
        Subject Alternative Name
            DNS Name=ECM.dexademo.pri

    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  ef cb 53 b9 fd fc 3b db  ae 8b bd ea bd 18 c8 99
        0010  04 fd 69 98 23 28 1b 2f  c4 39 3f ca 1f c3 7d 56
        0020  9d 2e 45 56 80 df 0a cf  1c 0d 30 5b e1 7f 91 95
        0030  8d c8 7f 0e c8 ab 05 6a  8e 12 1f a9 04 f0 8b d4
        0040  76 8b 78 0b b2 b0 2c d7  c1 1f 7e 8d c8 e1 df 60
        0050  70 1e 38 dc 00 98 6b dd  13 91 f9 9b 5c 9c 29 7b
        0060  47 ef 65 24 e5 27 ee 68  34 2a b9 0f e5 44 20 c7
        0070  83 99 92 1b 37 b1 52 6d  75 39 ef 6a aa 1f 94 f7
        0080  3c f0 b9 ab d7 a0 b2 92  82 d6 72 2b 33 2b 90 62
        0090  8c 23 b0 35 3a aa 5a 27  d5 17 2a 71 29 3d 2d 3a
        00a0  9b 3b 37 f6 72 4a 3a ca  1e fc 3f dc 9d c4 74 de
        00b0  89 b4 a3 b8 99 21 32 27  2f 63 4f ea 7e 69 1a 0b
        00c0  31 a8 e1 93 93 e5 56 0f  32 91 73 68 53 0a 3e 86
        00d0  11 65 7f 67 cb 2b 5c a0  43 53 65 b1 53 97 b8 fc
        00e0  80 b8 da c1 63 8c 91 c8  6e 9b b0 4e 06 61 b0 12
        00f0  bc a9 f2 9c 7c ca dc 0b  10 98 ae 83 78 32 14 84
        0100  c5 b4 af 3d be 90 52 3c  6e 85 2a 3e f1 97 65 2c
        0110  5e 5b 85 ff 4e 22 42 3d  d3 fe 75 8c 77 36 08 49
        0120  4b e8 e5 09 bf 6e a5 80  2e 07 1b f2 50 47 09 56
        0130  9c 3f 95 28 10 79 bd 16  7a a2 c5 75 ce de d6 14
        0140  e9 7f ab e6 93 c9 77 8e  d9 20 55 a6 c9 ce 87 e0
        0150  67 11 74 b4 43 e4 80 08  98 ad 2f d8 73 3a c2 18
        0160  e9 90 3a e0 e3 7f 60 f2  ff 36 24 49 ef 26 80 c0
        0170  23 f7 05 ab 5b e9 62 5e  89 c0 08 95 37 09 36 9f
        0180  a4 3d 0e 2d bb bc 98 da  27 5c f4 2d 08 b1 3e aa
        0190  62 ab ae 18 41 4b 7e 7a  a5 8c 8f 89 cd 09 8d 84
        01a0  01 43 1d 7d 72 fd df e8  0e 81 8d a7 4d ff 36 b7
        01b0  b3 7a 05 58 d0 cd 02 5c  a8 20 da ec 96 1b f5 8b
        01c0  18 fa 7f 51 ab f4 97 bf  2c 8d b9 c4 1d 32 d0 92
        01d0  88 8e 84 e8 2f e9 8f 9f  99 aa 89 1b 11 51 b7 2b
        01e0  f5 95 95 be aa aa b0 71  c5 29 79 c9 0b 1c a9 8f
        01f0  c6 aa 5b 39 c5 d3 49 65  33 b4 7c 73 e9 86 b6 79
    Non-root Certificate
    Key Id Hash(rfc-sha1): 63 9d 5a 59 7c b5 36 46 ab 8c 77 1b b8 2f 52 29 35 6e 1f 58
    Key Id Hash(sha1): da 88 62 ca 29 91 be e8 a0 c8 86 80 e2 10 42 f7 53 c1 95 86
    Cert Hash(md5): e9 7f 50 f2 de 62 85 2b f0 3d e5 63 9e 22 2d a4
    Cert Hash(sha1): 17 dc bc f8 9f 60 8d 8f f1 40 b3 a0 a8 8e c7 2a 61 be ef 16
    ----------------  End Nesting Level 1  ----------------
    No CRLs
    CertUtil: -dump command completed successfully.


    The only difference in this env is that this request used to work with the Domain at 2000 functional level and now it is at 2003 functional level.

    Thursday, April 1, 2010 8:38 AM
  • Is there a way to enable extra logging at the CA to see why exactly the request is failing?
    Thursday, April 1, 2010 9:19 AM
  • Please show the settings of your template, especially the Issuance Requirements tab.

    http://www.sysadmins.lv
    Thursday, April 1, 2010 9:47 AM
  • The Issuance Requirements for the template are:

    CA certificate manager approval (not checked)

    This number of authorized signatures (checked, with 1 specified)

    Policy type required in signature == Application Policy

    Application Policy == Any Purpose

    The rest of the settings in the other template tabs are the defaults you get when you copy the template.

    Thursday, April 1, 2010 3:14 PM
  • In application policy drop-down list select Certificate Request Agent.
    http://www.sysadmins.lv
    • Marked as answer by Zahurab Friday, April 2, 2010 4:16 AM
    Thursday, April 1, 2010 3:22 PM
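    The template above required one signature whose application policy is Any Purpose, while the certutil dump posted earlier lists the enrollment agent signer's verified application policy as Certificate Request Agent only; the accepted answer changes the required policy to match the signing certificate. The Python script below is an added example, not code from the thread or from Microsoft, that extracts each signer's "Verified Application Policies" block from certutil -dump text and replays the issuance-requirement check for both template settings. The embedded dump excerpt is a constructed, trimmed copy of the one posted in this thread; the OIDs for Any Purpose (2.5.29.37.0) and Certificate Request Agent (1.3.6.1.4.1.311.20.2.1) are the standard values.

```python
import re

# Standard OIDs: anyExtendedKeyUsage ("Any Purpose" in the template UI) and
# Microsoft's Certificate Request Agent application policy.
ANY_PURPOSE = "2.5.29.37.0"
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Constructed excerpt, trimmed from the certutil -dump output posted in the
# thread (signer sections only; hex blobs and chain details removed).
SAMPLE_DUMP = """\
Signer Count: 2

Signer Info[0]:
Signature matches request Public Key
CMSG_SIGNER_INFO_CMS_VERSION(3)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=ECM.dexademo.pri
  Template: MachineEnrollmentAgent
  Application[0] = 1.3.6.1.4.1.311.20.2.1 Certificate Request Agent
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.4.1.311.20.2.1 Certificate Request Agent

Signer Info[1]:
Signature matches Public Key
CMSG_SIGNER_INFO_PKCS_1_5_VERSION(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
    Serial Number: 611e0349000000000003
    Issuer: CN=ECMCA
    Subject: CN=ECM.dexademo.pri
No Recipient
"""

SIGNER_RE = re.compile(r"^Signer Info\[(\d+)\]:")
OID_LINE_RE = re.compile(r"^(\d+(?:\.\d+)+)\s+(.*)$")


def parse_verified_application_policies(dump):
    """Return {signer_index: set_of_oids} for every 'Signer Info[n]:' section,
    taken from the 'Verified Application Policies:' block certutil prints after
    chain validation. A signer without such a block (or 'None') gets an empty set."""
    policies = {}
    current = None
    in_block = False
    for raw in dump.splitlines():
        line = raw.strip()
        m = SIGNER_RE.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, set())
            in_block = False
            continue
        if line.startswith("Verified Application Policies:"):
            rest = line[len("Verified Application Policies:"):].strip()
            in_block = current is not None and rest != "None"
            continue
        if in_block:
            m = OID_LINE_RE.match(line)
            if m:
                policies[current].add(m.group(1))
            else:
                in_block = False  # first non-OID line closes the block
    return policies


def signature_requirement_met(policies, required_oid, signatures_required=1):
    """Replay the template's Issuance Requirements check: a signature only counts
    when the signer's verified application policies contain required_oid.
    Returns (met, sorted list of accepted signer indexes)."""
    accepted = sorted(i for i, oids in policies.items() if required_oid in oids)
    return len(accepted) >= signatures_required, accepted


if __name__ == "__main__":
    parsed = parse_verified_application_policies(SAMPLE_DUMP)
    for label, oid in (("Any Purpose", ANY_PURPOSE),
                       ("Certificate Request Agent", CERT_REQUEST_AGENT)):
        met, who = signature_requirement_met(parsed, oid)
        print(f"required policy {label} ({oid}): "
              f"{'accepted' if met else 'rejected'} (signers {who})")
```

    Run against a real dump, feed the output of certutil -dump on the saved request file to parse_verified_application_policies and pass the OID configured on the template's Issuance Requirements tab; a result of "rejected" with an empty signer list is the same condition the policy module reports as no valid signatures.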
  • Yup, that was the answer. Thanks a million :)

    On a side note, do you know of any documentation about the changes that have been made to the 2008 CA that differ from 2003?

    Friday, April 2, 2010 4:16 AM
  • There are a lot of changes between 2003 and 2008 Certificate Services. You can check the following document:

    http://www.microsoft.com/downloads/details.aspx?familyid=9BF17231-D832-4FF9-8FB8-0539BA21AB95&displaylang=en

    Note that this document is based on Windows Server 2008 beta versions. However, there weren't significant changes between the betas and RTM.


    http://www.sysadmins.lv
    Friday, April 2, 2010 6:16 AM