Enterprise PKIview.msc Error for new SubCA

    Question

  • Hi Folks,

    For SHA1 deprecation, we set up a new Root CA and now also a new (Enterprise) Sub-CA. After installation and customizing CDP and AIA, in pkiview.msc all looks fine.

    Today in Enterprise PKI (pkiview.msc) I receive an error for the new SubCA: "This CA is currently offline or unavailable"

    [Screenshot: pkiview CA offline]

    ROOT CA Check - OK, CDP http check OK, AIA http check OK

    [Screenshot: checks]

    I can manage the SubCA, all services are up and running, and I can view and edit the CA properties and templates.

    [Screenshot: enterprise-sub-ca-manage-ok]

    I also checked all logs on the SubCA but I don't find any error on the SubCA.

    What's the problem? Firewall or something else?

    Thanks in advance!


    Kind regards Joerg



    Wednesday, November 02, 2016 4:44 PM

Answers

  • Hi Mark,

    I ran pkiview directly on the sub-CA and got the error, and from a remote server (same subnet) too. I deactivated the firewall on the sub-CA for testing; the result was the same error.

    It seems not to be a network/firewall problem ...

    I checked my permissions, because certutil -ping servername\name-sub-ca02 reports a permission error:

    C:\Windows\system32>certutil -ping caserver02\caname-sub-ca02
    Connecting to caserver02\caname-sub-ca02...
    Server could not be reached: The permissions on this certification authority do not allow the current user to enroll for certificates. 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED) -- (0ms)
    
    CertUtil: -ping command FAILED: 0x80094011 (-2146877423 CERTSRV_E_ENROLL_DENIED)
    CertUtil: The permissions on this certification authority do not allow the current user to enroll for certificates.

    I checked the rights of my user and saw that I needed more rights than only "Manage CA" in our custom security group. I added the "Issue and Manage Certificates" and "Request Certificates" rights to the group.

    Now in pkiview the CA is online and available, and in certutil -ping the sub-CA reports alive!

    C:\Windows\system32>certutil -config - -ping
    caserver02.domain.tld\caname-Sub-CA02
    Connecting to caserver02.ttcon.local\caname-Sub-CA02 ...
    Server "caname-Sub-CA02" ICertRequest2 interface is alive (0ms)
    CertUtil: -ping command completed successfully.

    thanks for help


    Kind regards Joerg


    Thursday, November 03, 2016 8:48 AM
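    The thread above shows that pkiview reports a CA as "offline or unavailable" when the real cause is the ACL error 0x80094011 (CERTSRV_E_ENROLL_DENIED) returned by certutil -ping. The following PowerShell wrapper is an added example, not code from the original post or from Microsoft: it runs certutil -ping against each CA config string and separates "alive", "enroll denied" (fix the CA security permissions as described above) and "unreachable" (service or network). The CA config strings and the RPC error pattern (0x800706ba, RPC_S_SERVER_UNAVAILABLE) are assumptions based on standard certutil output.

    ```powershell
    # Added example (not from the original post). Classifies certutil -ping results so that
    # a permission problem on the CA ACL is not mistaken for a network/firewall problem.
    function Test-CaPing {
        param(
            [Parameter(Mandatory)] [string[]] $CaConfig   # "host\CA common name", as used by certutil -config
        )
        foreach ($cfg in $CaConfig) {
            # certutil writes its verdict to stdout; merge stderr so error text is captured as well
            $output = & certutil.exe -config $cfg -ping 2>&1 | Out-String
            $status = if ($output -match 'interface is alive') {
                'Alive'
            } elseif ($output -match '0x80094011|CERTSRV_E_ENROLL_DENIED') {
                # CA service is up and reachable, but the caller lacks "Request Certificates"
                # on the CA security tab; pkiview shows this as "offline or unavailable"
                'EnrollDenied'
            } elseif ($output -match '0x800706ba|RPC server is unavailable') {
                # DCOM/RPC could not reach the CA service: service stopped or firewall (assumed pattern)
                'Unreachable'
            } else {
                'Unknown'
            }
            [pscustomobject]@{
                CaConfig = $cfg
                Status   = $status
                ExitCode = $LASTEXITCODE
                Detail   = ($output -split "`r?`n" | Where-Object { $_ -match 'CertUtil:' } | Select-Object -First 1)
            }
        }
    }

    # Constructed config strings for illustration; replace with your own CA host\name pairs
    Test-CaPing -CaConfig 'caserver02\caname-sub-ca02', 'rootca01\caname-root-ca01' | Format-Table -AutoSize
    ```

    Run it under the same account that launches pkiview.msc, since the ACL check is evaluated for the calling user.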

All replies

  • It could be firewall related - you can use "certutil -ping" (you will need to specify the destination - use /? to get help) to determine if the location you are running pkiview from can reach the subordinate CA. If you are running it on the subordinate itself, the firewall wouldn't be an issue. Does the problem happen repeatedly? It's possible it was a transient issue.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    Wednesday, November 02, 2016 6:20 PM
  • Hi,

    Glad to hear that the issue is resolved and thank you for sharing the solution with forum community members!

    Please feel free to let us know if there are any further requirements.

    Best Regards,

    Amy



    Thursday, November 03, 2016 11:51 AM
    Moderator