Error after running "certreq -submit sitesigning.req sitesigning.cer" during the request for the site server signing certificate for the server process.

  • Question

  • Running into the below error after running "certreq -submit sitesigning.req sitesigning.cer" during the request for the site server signing certificate for the server process.

    Looking for any help that would point us in the right direction as to why the access denied is occurring?

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          3/15/2011 2:49:16 PM
    Event ID:      53
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      ********.***********.com
    Description:
    Active Directory Certificate Services denied request 192 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392).  The request was for CN=The site code of this site server is QTI.  Additional information: Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: 1.3.6.1.4.1.311.21.8.16369753.8759955.7095200.13780310.7957299.52.16201547.399445(ConfigMgrSiteServerSigningCertificate)/ConfigMgrSiteServerSigningCertificate.
    Tuesday, March 15, 2011 11:43 PM

All replies

  • Is your CA installed on a Windows Server Enterprise Edition? If not, you're out of luck. CAs installed on Windows Server Standard Edition cannot issue certificates based on templates.

    Alternately, if your CA is on Windows Server Enterprise Edition, you may just have to be patient: http://support.microsoft.com/kb/281260.


    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Wednesday, March 16, 2011 1:25 AM
  • Yes, it is on Windows Server Enterprise so that we can issue certs based on templates, and we've never had issues with duping other templates and issuing them. We've tried again this morning and no go. Thanks for your help!
    Wednesday, March 16, 2011 4:35 PM
  • Can you check if your permissions group is properly set up and that the computer account of the CA can read the template from the configuration partition?

    Alternatively, can you list out the attributes of the template object in AD?

    CN=Templatename,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestroot,dc=domain

    Tuesday, March 22, 2011 1:23 PM
  • Thanks for your help. We created the whole thing from scratch (template and all, and reissued) with success.
    Tuesday, April 5, 2011 5:17 PM
  • Can you check if your permissions group is properly set up and that the computer account of the CA can read the template from the configuration partition?

    Alternatively, can you list out the attributes of the template object in AD?

    CN=Templatename,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=forestroot,dc=domain

    Thanks for posting this. I had a similar issue, and in addition to having to manually create a CAPolicy.inf file based on this article:

    http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx

    I forgot that I had removed the Authenticated Users group from having read access without granting read access to the sub CA to the newly created template.

    Friday, May 11, 2012 5:36 PM
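
The checks suggested in the replies above (list the template object's attributes, confirm which CAs publish it, and see who can read or enroll on it), written out as an added PowerShell example that is not part of the original thread. It is read-only and assumes the RSAT ActiveDirectory module and an account that can read the configuration partition; the template name is the one from the event text.

```powershell
# Added example: read-only checks for a template that the CA rejects with 0x80094800.
Import-Module ActiveDirectory   # assumption: RSAT AD module (Get-ADObject and the AD: drive)

$TemplateName = 'ConfigMgrSiteServerSigningCertificate'   # template CN from the event text
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$PkiBase      = "CN=Public Key Services,CN=Services,$ConfigNC"
$TemplateDN   = "CN=$TemplateName,CN=Certificate Templates,$PkiBase"

# 1. Does the template object exist, and what are its key attributes?
$props = 'displayName', 'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version', 'whenChanged'
try {
    Get-ADObject -Identity $TemplateDN -Properties $props -ErrorAction Stop |
        Format-List (@('Name') + $props)
} catch {
    Write-Warning "Template object not found or not readable: $TemplateDN"
    return
}

# 2. Which CAs publish the template? A CA only issues templates that are listed in the
#    certificateTemplates attribute of its pKIEnrollmentService object.
Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties certificateTemplates, dNSHostName |
    Select-Object Name, dNSHostName,
        @{ n = 'PublishesTemplate'; e = { $_.certificateTemplates -contains $TemplateName } } |
    Format-Table -AutoSize

# 3. Who is allowed to read or enroll on the template? The CA's computer account needs
#    read access, directly or through a group such as Authenticated Users.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
(Get-Acl -Path "AD:\$TemplateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ n = 'Enroll'; e = { $_.ObjectType -eq $EnrollRight } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# 4. On the CA itself, list the templates the CA service currently has loaded.
certutil -CATemplates
```

If step 2 shows the template as published and step 3 shows read access for the CA, compare `whenChanged` with the time of the request: a template created or edited shortly before may not yet have replicated to the domain controller the CA reads from.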