certreq -accept on other server giving "Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)"

  • Question

  • At the moment we have the following server set up:

    An SCCM server which is running a script for certain devices in our network and generating a .cer file for each device. 
    Next we want this .cer file to be installed on the certain devices for which it has already been generated (by the script running on the SCCM server). 

    PS C:\Windows\ccmcache\f> certreq -accept C:\SCCM\ourTarget.cer
    Usage:
      CertReq -?
      CertReq [-v] -?
      CertReq [-Command] -?

      CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
        Accept and install a response to a previous new request.

      Options:
        -user
        -machine
        -pin Pin

    Expected -user | -machine argument
    Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)

    Why do I get this error and what can I do to fix this? 
    We're generating the .cer files on the SCCM server for firewall reasons.
    Also, if I run everything on 1 server (like in 1 PowerShell prompt) everything installs successfully. 

    Kind regards

    Thijs

    Thursday, May 16, 2013 8:22 AM

Answers

  • Thank you all for your answers.

    Indeed I had to accept the certificate on the same server. 
    And in case you want to know, I get the private key using this command: 

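    # $Computer and $fqdn are assumed to be set earlier in the script.
    write-host "Creating private key" -ForegroundColor Yellow
    # Find machine certificates that have a private key and match CN=<computer>.<fqdn>
    dir cert:\localmachine\my | 
      Where-Object { $_.hasPrivateKey -and $($_.subject) -eq "CN=$Computer.$fqdn" } | 
      # Export certificate and private key as a PFX protected with the password 'secret'
      Foreach-Object {[system.IO.file]::WriteAllBytes(
        "C:\SCCM\$($_.subject).pfx", 
        ($_.Export('PFX', 'secret')) ) }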

    This checks for all the machine certificates with a certain computername + fqdn and creates a .pfx file.

    • Marked as answer by 朱鸿文 Monday, May 20, 2013 4:49 AM
    Friday, May 17, 2013 9:49 AM

All replies

  • Try this: certreq -accept -machine C:\SCCM\ourTarget.cer

    Also, you need to run the command on the same machine where the request was generated.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Thursday, May 16, 2013 9:30 AM
  • But if I run this on the same machine where the request was generated, I install this certificate on that machine right? 
    So my next question is: is it possible to generate the certificates for other servers in our domain all on 1 server? Because that is what I'm trying to do.
    Thursday, May 16, 2013 9:40 AM
  • You can, but you have to:

    1) Run cert -accept on the machine where the command is generated (the key pair that needs to be associated with the certificate is *ON THAT MACHINE*)

    2) Enable key export in the certificate template (prior to the cert request being generated)

    3) Export the certificate as a PKCS#12

    4) Distribute the PKCS#12 to the target server and install

    That is the *ONLY* way that it will work if you want to generate on one server

    Brian

    Thursday, May 16, 2013 1:45 PM
  • Forgot to mention, I found this on http://powershell.com/cs/blogs/tips/archive/2009/10/20/exporting-certificate-with-private-key.aspx and just customized it a little bit. 

    Tuesday, May 21, 2013 6:38 AM
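
The four-step procedure from the replies, written out end to end as an added example (not code from any poster in this thread). The function names, the host name, the CA config string and the template name are hypothetical placeholders, and it assumes a Windows version that ships the Export-PfxCertificate and Import-PfxCertificate cmdlets. The PFX password is prompted for as a SecureString instead of being written into the script.

```powershell
# Added example. Names, paths, CA config string and template are placeholders.
function New-ExportablePfx {            # run on the server that creates the request
    param([string]$Fqdn, [string]$CaConfig, [string]$Template,
          [securestring]$PfxPassword, [string]$WorkDir = 'C:\SCCM')
    $base = Join-Path $WorkDir $Fqdn
    # Exportable = TRUE lets the private key leave this machine inside a PKCS#12;
    # the certificate template must also allow private key export.
    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII
    certreq -new "$base.inf" "$base.req"
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }
    certreq -submit -config $CaConfig "$base.req" "$base.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed" }
    # The pending request and its private key exist only on this machine, so the
    # response has to be accepted here, into the machine store.
    certreq -accept -machine "$base.cer"
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn" }
    Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $PfxPassword
}

function Install-DistributedPfx {       # run on the target server
    param([string]$PfxPath, [securestring]$PfxPassword)
    Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation Cert:\LocalMachine\My
    Remove-Item -Path $PfxPath          # do not leave the key file on disk
}

# Constructed sample values:
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
New-ExportablePfx -Fqdn 'target01.example.test' -CaConfig 'ca01.example.test\Example-CA' `
    -Template 'ExampleWebServer' -PfxPassword $pw
```

After distribution, the .pfx left in the working directory on the issuing server still contains the private key and should be deleted there as well.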