NDES Certificate Renewal Problem

  • Question

  • Hi Anyone,

    We have an offline root CA and a sub CA that also has NDES installed. Two certificates have expired: CEP Encryption and Exchange Enrollment Agent (Offline). When I try to renew the certificate through the Certificates MMC, I get an error: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate." I am logged on to the sub CA with my domain admin account. I checked the template and Domain Admins has Read, Write and Enroll authority. The server is 2008 R2 Enterprise.

    Thursday, May 21, 2015 9:16 PM

Answers

  • You are not using the correct accounts.

    - The Exchange Enrollment Agent (Offline Request) certificate must actually be renewed in the security context of the NDES service account (and moved to the computer store). (See https://support.microsoft.com/en-us/kb/2712186?wa=wsignin1.0)

    - The CEP Encryption certificate must be renewed from the Certificates MMC focused on the Local Computer (NDES server computer account).

    - The permissions must be set to allow the referenced accounts Read and Enroll permissions on the certificate templates.

    - The previous certificates must not be expired. The renewal requires signing the request with the previous certificate.

    You need to make new requests.

    Brian

    Friday, May 22, 2015 1:30 AM
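    The four points above, as an added worked example (this is editor-supplied code, not from the thread and not from the Microsoft KB article): a PowerShell script for the NDES server that finds the two NDES certificates, decides per certificate whether a renewal (signed with the old key) is still possible or whether a brand-new request is required because the old certificate has expired, builds the certreq.exe .inf in the right key context for each template, and then moves the Exchange Enrollment Agent (Offline request) certificate from the service account's store into the computer store. The CA config string, host name, service account, working directory and CSP name are placeholders to replace; the template common names CEPEncryption and EnrollmentAgentOffline are the AD CS defaults and differ from the display names shown in the MMC.

    ```powershell
    # Added example, not from the thread or the KB article. Run on the NDES server (2008 R2).
    # Assumed environment values (placeholders, change for your environment):
    $CaConfig    = 'ISSUINGCA01.corp.example.com\Corp Issuing CA'  # see: certutil -dump
    $NdesHost    = 'ndes01.corp.example.com'
    $NdesService = 'CORP\svc_ndes'                                 # NDES service / app-pool account
    $WorkDir     = 'C:\NdesRenew'
    $Csp         = 'Microsoft Strong Cryptographic Provider'       # must be a CSP the template allows

    # v1 templates stamp their common name into the Certificate Template Name extension.
    $TemplateNameOid = '1.3.6.1.4.1.311.20.2'
    $NdesTemplates   = @('CEPEncryption', 'EnrollmentAgentOffline')  # common names, not display names

    function Get-NdesCertificate {
        # List NDES certificates in a store; Renewable is false once NotAfter has passed, because a
        # renewal request is signed with the old certificate and the CA rejects an expired signer.
        param([string]$StorePath = 'Cert:\LocalMachine\My')
        Get-ChildItem $StorePath | ForEach-Object {
            $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
            if ($ext -and ($NdesTemplates -contains $ext.Format($false).Trim())) {
                New-Object PSObject -Property @{
                    Template = $ext.Format($false).Trim(); Thumbprint = $_.Thumbprint
                    NotAfter = $_.NotAfter; Renewable = ($_.NotAfter -gt (Get-Date)); Store = $StorePath
                }
            }
        }
    }

    function New-NdesRequestInf {
        # Write a certreq .inf. MachineKeySet=TRUE puts the key in the computer store (CEP Encryption);
        # FALSE keeps it in the calling user's store (Enrollment Agent, run as the NDES service account).
        # A RenewalCert line makes it a renewal; omit it when the previous certificate has expired.
        param([string]$Template, [bool]$MachineContext, [string]$RenewalThumbprint = '')
        $inf = @"
    [NewRequest]
    Subject = "CN=$NdesHost"
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = $(if ($MachineContext) { 'TRUE' } else { 'FALSE' })
    ProviderName = "$Csp"
    "@
        if ($RenewalThumbprint) { $inf += "`r`nRenewalCert = $RenewalThumbprint" }
        $inf += "`r`n`r`n[RequestAttributes]`r`nCertificateTemplate = $Template`r`n"
        New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
        $path = Join-Path $WorkDir "$Template.inf"
        Set-Content -Path $path -Value $inf -Encoding ASCII
        return $path
    }

    function Request-NdesCertificate {
        # Generate key + request, submit to the CA, install the issued certificate. The calling identity
        # needs Read and Enroll on the template (computer account or service account, as above).
        param([string]$InfPath)
        $base = $InfPath -replace '\.inf$', ''
        & certreq.exe -new $InfPath "$base.req"
        & certreq.exe -submit -config $CaConfig "$base.req" "$base.cer"
        & certreq.exe -accept "$base.cer"
    }

    function Export-AgentCertificate {
        # Run in a session started as $NdesService: export the new Enrollment Agent cert with its key.
        param([string]$Thumbprint, [string]$PfxPassword)
        & certutil.exe -user -p $PfxPassword -exportPFX My $Thumbprint (Join-Path $WorkDir 'agent.pfx')
    }

    function Import-AgentCertificate {
        # Run elevated as an administrator: import into LocalMachine\My and let the service account
        # read the private key file, then remove the PFX.
        param([string]$Thumbprint, [string]$PfxPassword)
        $pfx = Join-Path $WorkDir 'agent.pfx'
        & certutil.exe -p $PfxPassword -importPFX $pfx
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        & icacls.exe $keyFile /grant "${NdesService}:R"
        Remove-Item $pfx -Force
    }

    # --- Triage (CurrentUser\My only shows the agent cert when run as $NdesService) ---
    $current = @(Get-NdesCertificate 'Cert:\LocalMachine\My') + @(Get-NdesCertificate 'Cert:\CurrentUser\My')
    $current | Format-Table Template, Store, NotAfter, Renewable, Thumbprint -AutoSize

    # --- CEP Encryption: elevated admin session, computer key context ---
    $cep = $current | Where-Object { $_.Template -eq 'CEPEncryption' -and $_.Store -like '*LocalMachine*' } |
           Select-Object -First 1
    $renew = if ($cep -and $cep.Renewable) { $cep.Thumbprint } else { '' }   # expired => new request
    Request-NdesCertificate (New-NdesRequestInf -Template 'CEPEncryption' -MachineContext $true -RenewalThumbprint $renew)

    # --- Enrollment Agent (Offline request): first two lines in a session started as $NdesService
    #     (e.g. runas /user:CORP\svc_ndes powershell.exe), the third back in the admin session, then iisreset.
    # Request-NdesCertificate (New-NdesRequestInf -Template 'EnrollmentAgentOffline' -MachineContext $false)
    # Export-AgentCertificate -Thumbprint '<new thumbprint>' -PfxPassword '<one-time password>'
    # Import-AgentCertificate -Thumbprint '<new thumbprint>' -PfxPassword '<one-time password>'
    ```

    The Renewable check is the practical consequence of the last bullet above: while the old certificate is still valid, the RenewalCert line lets certreq sign the request with it; once it has expired, the only working path is a fresh request with no RenewalCert line, which is why the agent certificate has to be requested as the service account and then exported and re-imported into the computer store.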

All replies

  • Brian, thanks for pointing me in the right direction, everything is running as required!
    Friday, May 22, 2015 3:48 PM
  • Hi Brian

    I am in the same boat - and I can't seem to find the information anywhere.

    My CEP Encryption and Exchange Enrollment Agent (Offline) certificates are expired. I logged into my issuing CA (2008 R2) with the NDES server computer account.

    I've been able to reissue the CEP Encryption certificate by selecting 'Request new certificate with the same key' and re-entering the Subject information.

    However, as I understand it, you can't request a new Exchange Enrollment Agent (Offline Request) certificate in the MMC? The problem with the article (https://support.microsoft.com/en-us/kb/2712186?wa=wsignin1.0) is that it is for renewing, and my cert is expired, so when I run the command 'CertReq.exe -Submit Certnew.req Certnew.cer' it throws up the error: "Error Verifying Request Signature or Signing Certificate. A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." So the question is: how can I re-issue or renew the cert when it is expired? Thanks

    Friday, August 21, 2015 3:23 PM