none
Windows 2008 R2 and Enrollment Agent Certificate

    Question

  • Hi,

    I have installed a Windows 2008R2 Server with ADCS. I have issued an enrollment Agent Certificate (Computer) template and also a smart card logon template that requires Enrollment Agent Certificate Signature before it can be sent to the CA.

    I issued the Enrollment Agent Certificate, on the computer that is hosting the CA ie windows 2008 R2 via the MMC (computer). Then I tried to issue a smart card logon certificte on the same computer, via the MMC (user).

    The MMC showed the templates, that could be issued to the user. I selected the smartcard logon template. The templates showed that it needed additional information (Signature from an enrollment agent cert), when I tried to find the enrollement Agent Cert in the MMC, the certificate could not be found.

    I am experiencing the same via the code I have written.

    Any ideas, why it does not work. Do I need to have the enrollment agent cert on a computer other than the one hosting the CA?

    Tuesday, March 30, 2010 3:26 AM

Answers

  • In application policy drop-down list select Certificate Request Agent.
    http://www.sysadmins.lv
    • Marked as answer by Zahurab Friday, April 2, 2010 4:16 AM
    Thursday, April 1, 2010 3:22 PM

All replies

  • to Enrol On Behalf Of for user certificates (smart card logon) you must obtain Enrollment Agent (User) certificate.
    http://www.sysadmins.lv
    • Proposed as answer by Martin Rublik Tuesday, March 30, 2010 9:31 AM
    Tuesday, March 30, 2010 5:42 AM
  • when I try to issue a certificate on behalf of another user.. MMC (User)-->Personal-->Certificate-->advanced operations-->Enroll on behalf off.... I dont see the smart card logon template which is configured to require atleast one signature.

    Tuesday, March 30, 2010 3:41 PM
  • also we have a working application, that used to issue smart card logon certs using the cert enrollment agent certificate progarmatically and issue certificates on behalf, in the 2003 and as late as 2008 enterprise version of CA. now we are using the 2008 r2 standard server as the CA, and the certificate keeps denying the request. The error is basically denied by policy module, the request diid not contain any valid signatures or the the signatures were not found

     

    any ideas, could it be a 2008 r2 standard thing. How can I get more information on this policy module

    Wednesday, March 31, 2010 4:23 AM
  • also we have a working application, that used to issue smart card logon certs using the cert enrollment agent certificate progarmatically and issue certificates on behalf, in the 2003 and as late as 2008 enterprise version of CA. now we are using the 2008 r2 standard server as the CA, and the certificate keeps denying the request. The error is basically denied by policy module, the request diid not contain any valid signatures or the the signatures were not found

     

    any ideas, could it be a 2008 r2 standard thing. How can I get more information on this policy module

    Wednesday, March 31, 2010 4:23 AM
  • here is the sample certificate request that fails. We had no problems making such requests with windows 2003 ca with enterprise CA. The 2008 CA rejects the request, with the error of "no signatures were accepted"

     

    PKCS7/CMS Message:
      CMSG_SIGNED(2)
      CMSG_SIGNED_DATA_CMS_VERSION(3)
      Content Type: 1.3.6.1.5.5.7.12.2 CMC Data

    PKCS7 Message Content:
    ================ Begin Nesting Level 1 ================
    CMS Certificate Request:
    Tagged Attributes: 3

      Body Part Id: 4
      1.3.6.1.5.5.7.7.8 CMC Extensions
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      Extensions: 4
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 31
        Certificate Template Information
            Template=SmartcardLogonECM(1.3.6.1.4.1.311.21.8.5522949.10561221.15222173.10448538.7192499.245.7888595.15461395)
            Major Version Number=100
            Minor Version Number=3

        2.5.29.37: Flags = 0, Length = 18
        Enhanced Key Usage
            Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
            Client Authentication (1.3.6.1.5.5.7.3.2)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)

        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1c
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Smart Card Logon
            [2]Application Certificate Policy:
                 Policy Identifier=Client Authentication

      Body Part Id: 3
      1.3.6.1.4.1.311.10.10.1 CMC Attributes
      Value[0]:
        Data Reference: 0
        Cert Reference[0]: 1
      1 attributes:

      Attribute[0]: 1.3.6.1.4.1.311.21.20 (Client Information)
        Value[0][0]:
        Unknown Attribute type
        Client Id: = 5
        User: DEXADEMO\elmerfudd
        Machine: Vistax86.dexademo.pri
        Process: CertEnrollCtrl.exe

      Body Part Id: 2
      1.3.6.1.5.5.7.7.18 Reg Info
      Value[0]:
        RequesterName: DEXADEMO\elmerfudd

    Tagged Requests: 1
      CMC_TAGGED_CERT_REQUEST_CHOICE:
      Body Part Id: 1
    ================ Begin Nesting Level 2 ================
    Element 0:
    PKCS10 Certificate Request:
    Version: 1
    Subject:
        EMPTY

    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 1024 bits
    Public Key: UnusedBits = 0
        0000  30 81 89 02 81 81 00 e2  20 98 7e 03 5d e4 9d a6
        0010  0e 4d d8 27 12 b7 ba 27  81 fa 49 1c 4c 9e dc 47
        0020  c7 e7 7b 7a 04 35 c3 08  60 89 a2 f4 32 39 8f 9a
        0030  ba 09 cd 79 aa e3 54 56  27 df 16 be ec 9d 6e 3b
        0040  d1 1d 60 cc 0c fe 43 42  59 d0 73 97 e4 73 32 08
        0050  d0 60 76 a5 06 27 ad 0d  54 06 3f 1f 5c 02 74 ab
        0060  d0 f6 1d 78 2e 43 67 66  54 90 b9 a6 a9 03 94 a5
        0070  ec 81 14 f0 0b 94 79 86  30 69 7b 31 b9 af be 05
        0080  5e 2f e3 ec 8e 71 c7 02  03 01 00 01
    Request Attributes: 4
      4 attributes:

      Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
        Value[0][0]:
            6.0.6001.2

      Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
        Value[1][0]:
        Unknown Attribute type
        Client Id: = 5
        User: DEXADEMO\elmerfudd
        Machine: Vistax86.dexademo.pri
        Process: CertEnrollCtrl.exe

      Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
        Value[2][0]:
        Unknown Attribute type
        CSP Provider Info
        KeySpec = 1
        Provider = Microsoft Base Smart Card Crypto Provider
        Signature: UnusedBits=0

      Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
        Value[3][0]:
        Unknown Attribute type
    Certificate Extensions: 5
        1.3.6.1.4.1.311.21.7: Flags = 0, Length = 31
        Certificate Template Information
            Template=SmartcardLogonECM(1.3.6.1.4.1.311.21.8.5522949.10561221.15222173.10448538.7192499.245.7888595.15461395)
            Major Version Number=100
            Minor Version Number=3

        2.5.29.37: Flags = 0, Length = 18
        Enhanced Key Usage
            Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
            Client Authentication (1.3.6.1.5.5.7.3.2)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Key Encipherment (a0)

        1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1c
        Application Policies
            [1]Application Certificate Policy:
                 Policy Identifier=Smart Card Logon
            [2]Application Certificate Policy:
                 Policy Identifier=Client Authentication

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            e4 c9 e0 94 1a 56 0e b4 56 34 e8 18 6c 75 b7 ab c2 d2 ed e1

    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  ba 6e 55 09 33 00 77 d0  52 4d 24 da 77 df f9 fe
        0010  5f 86 17 76 cb 6b 97 a8  5d 5b 20 73 6b b6 81 49
        0020  64 22 5d 91 12 45 53 53  26 31 8d d5 ca e1 60 97
        0030  1f 7f 64 f5 4f b6 07 9e  54 38 af 9c 78 7a 01 6a
        0040  fb 6a 23 23 1e d8 69 25  5b 25 de 7b 1f 44 ee 6a
        0050  0d 03 8a f3 cb 72 58 a0  24 8b 1b a0 34 cb d6 78
        0060  74 75 c2 e5 fa b6 cf ef  fc 26 51 3d 59 c7 fa ce
        0070  2f 6e 74 0d 80 43 ce 40  98 e1 9d aa 37 c0 ae 17
    Signature matches Public Key
    Key Id Hash(rfc-sha1): e4 c9 e0 94 1a 56 0e b4 56 34 e8 18 6c 75 b7 ab c2 d2 ed e1
    Key Id Hash(sha1): 65 fe 19 b3 6f a4 af 1a 6c 9d 23 33 a8 01 72 2a 1d b0 13 d6
    ----------------  End Nesting Level 2  ----------------

    Tagged Content Info: 0
    Tagged Other Messages: 0
    ----------------  End Nesting Level 1  ----------------

    Signer Count: 2

    Signer Info[0]:
    Signature matches request Public Key
    CMSG_SIGNER_INFO_CMS_VERSION(3)
    CERT_ID_KEY_IDENTIFIER(2)
        0000  e4 c9 e0 94 1a 56 0e b4  56 34 e8 18 6c 75 b7 ab
        0010  c2 d2 ed e1
    Hash Algorithm:
        Algorithm ObjectId: 1.3.14.3.2.26 sha1 (sha1NoSign)
        Algorithm Parameters: NULL
    Encrypted Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters: NULL
    Encrypted Hash:
        0000  13 76 f4 a4 89 a0 4e 77  78 a5 67 d7 c4 1b 4a 21
        0010  6d c5 34 6c 84 f9 a2 4b  35 cf 65 1f da f3 23 d6
        0020  4a 82 0a 98 85 f2 27 08  c2 49 d6 a3 02 c0 73 b1
        0030  d0 75 47 fa 07 76 56 35  ea 93 91 68 08 3b eb 57
        0040  f0 ed 6d ee 6b 70 b3 f9  ca ed f9 18 42 5e 46 b3
        0050  4c 32 8b a2 37 02 48 a2  d5 e9 a1 5a 36 0a 83 3c
        0060  d1 18 f1 5f 94 3a 5c 4b  66 ad 7e 52 62 b9 19 74
        0070  9b 50 b3 df 8e 14 0a 9a  90 86 55 69 77 52 2d b3

    Authenticated Attributes[0]:
      2 attributes:

      Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
        Value[0][0]:
        Unknown Attribute type
        1.3.6.1.5.5.7.12.2 CMC Data

      Attribute[1]: 1.2.840.113549.1.9.4 (Message Digest)
        Value[1][0]:
        Unknown Attribute type
        Message Digest:
            14 7c 52 15 58 2a a8 fa 45 26 96 cd 8a e9 1d 88 f3 b6 57 4f

    Unauthenticated Attributes[0]:
      0 attributes:

    Computed Hash: 22 8f eb f7 61 a0 b9 26 56 20 ad cf cf c7 55 8e d2 22 06 6f
    Signing Certificate Index: 0
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 3 Hours, 16 Minutes, 58 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 3 Hours, 16 Minutes, 58 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=ECMCA
      NotBefore: 3/31/2010 4:49 PM
      NotAfter: 3/30/2012 4:49 PM
      Subject: CN=ECM.dexademo.pri
      Serial: 611e0349000000000003
      SubjectAltName: DNS Name=ECM.dexademo.pri
      Template: MachineEnrollmentAgent
      17 dc bc f8 9f 60 8d 8f f1 40 b3 a0 a8 8e c7 2a 61 be ef 16
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
        CRL 1:
        Issuer: CN=ECMCA
        ca 2b f2 84 01 11 46 9a 05 7e f3 66 d5 67 ec 1c a6 4e 58 c5
        Delta CRL 1:
        Issuer: CN=ECMCA
        60 01 ab bd 98 b0 90 c8 30 93 72 23 22 49 4d 87 5a 72 32 d1
      Application[0] = 1.3.6.1.4.1.311.20.2.1 Certificate Request Agent

    CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=ECMCA
      NotBefore: 3/31/2010 4:35 PM
      NotAfter: 3/31/2015 4:45 PM
      Subject: CN=ECMCA
      Serial: 5351c275687521b04f35b021ed69c475
      98 cd aa 28 15 a2 ba 82 25 d5 fc 15 a2 58 e3 c1 35 94 c3 85
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

    Exclude leaf cert:
      a4 c9 17 c4 1b 75 fd 21 2e 90 de 09 0c 0e 5e 88 be c7 7b 9e
    Full chain:
      ec 6d 9b c9 0d 4c e4 64 8a c7 9c 41 f5 e3 8e d4 f8 da d7 ef
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
        1.3.6.1.4.1.311.20.2.1 Certificate Request Agent

    Signer Info[1]:
    Signature matches Public Key
    CMSG_SIGNER_INFO_PKCS_1_5_VERSION(1)
    CERT_ID_ISSUER_SERIAL_NUMBER(1)
        Serial Number: 611e0349000000000003
        Issuer: CN=ECMCA
        Subject: CN=ECM.dexademo.pri
    Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
        Algorithm Parameters: NULL
    Encrypted Hash Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters: NULL
    Encrypted Hash:
        0000  5a e5 4a 86 d4 c2 fd 97  db 6d 72 87 d3 bf 4b 55
        0010  fc 43 d1 86 13 fe c9 09  2e 33 a1 e9 fb b3 3f b7
        0020  de 56 c1 ac d9 3a d1 c3  dc 92 c6 9d ce 8c 09 96
        0030  5b fa 96 0d de a5 1c fa  0c 74 40 39 95 05 1e 83
        0040  da 97 a5 50 25 c5 8b 45  e7 f6 ba e2 ed 8d 11 3e
        0050  d3 82 77 de 3e 4d 9b a0  13 6b 6c 73 b3 88 75 f8
        0060  35 c0 42 bb 43 42 0c cd  2c a5 92 a6 78 2d c1 36
        0070  c7 26 86 82 05 c0 39 6a  e1 ea 9d 6f a7 77 dd a9
        0080  54 b0 ff 10 53 86 22 f8  76 48 6f f7 9b 02 6e 2b
        0090  59 b1 3d bb 2b f6 96 78  88 0f 95 50 57 16 8c d0
        00a0  29 cc cb bf fe cb 06 3f  d6 72 a0 5a 00 f6 fd 93
        00b0  81 c6 13 c3 00 1f 87 fc  1f 30 d5 f3 e1 22 38 f0
        00c0  7d 09 9c e7 fa 0f d7 ba  6a 4d c0 31 e7 a0 80 23
        00d0  0e 13 21 9e 7b 25 ae 56  27 f3 47 f8 80 1d 2d c4
        00e0  49 ef 94 c8 d3 6a 68 89  cb 77 9c 47 a2 6b e5 9e
        00f0  52 a1 97 ee 6e 2f a0 75  98 06 f0 fc f4 fe 64 d3

    Authenticated Attributes[1]:
      2 attributes:

      Attribute[0]: 1.2.840.113549.1.9.3 (Content Type)
        Value[0][0]:
        Unknown Attribute type
        1.3.6.1.5.5.7.12.2 CMC Data

      Attribute[1]: 1.2.840.113549.1.9.4 (Message Digest)
        Value[1][0]:
        Unknown Attribute type
        Message Digest:
            14 7c 52 15 58 2a a8 fa 45 26 96 cd 8a e9 1d 88 f3 b6 57 4f

    Unauthenticated Attributes[1]:
      0 attributes:

    Computed Hash: 22 8f eb f7 61 a0 b9 26 56 20 ad cf cf c7 55 8e d2 22 06 6f
    No Recipient

    Certificates:
    ================ Begin Nesting Level 1 ================
    Element 0:
    X509 Certificate:
    Version: 3
    Serial Number: 611e0349000000000003
    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
        Algorithm Parameters:
        05 00
    Issuer:
        CN=ECMCA

    NotBefore: 3/31/2010 4:49 PM
    NotAfter: 3/30/2012 4:49 PM

    Subject:
        CN=ECM.dexademo.pri

    Public Key Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
        Algorithm Parameters:
        05 00
    Public Key Length: 2048 bits
    Public Key: UnusedBits = 0
        0000  30 82 01 0a 02 82 01 01  00 c6 e1 2e f9 a6 1c 60
        0010  f2 6f a4 54 6d e4 c9 97  95 da e8 c1 6c 93 e9 c6
        0020  bd 79 03 90 2b 19 5a ab  ec 60 ff c7 77 f8 75 e8
        0030  3c 01 de cd 5b 80 8b f6  f6 e9 b9 c5 d4 e9 8a 14
        0040  84 7c e0 69 cb 5c 18 42  f4 5f f4 d1 2b 2b 08 1d
        0050  4a 08 58 d5 ef 60 51 2e  b2 e6 7f d1 a6 5e 13 c6
        0060  6d 90 ee d9 48 cd f7 1f  a0 d1 c4 77 3e f5 3e ee
        0070  a6 f1 20 ce a8 90 fa 14  23 ae e1 e3 43 8a f6 8a
        0080  49 30 3b e1 e5 e6 c1 01  7c f0 b0 ca 63 da a3 d6
        0090  f9 f7 5a b4 a7 63 e6 8c  90 f6 32 7a 64 c7 cb 4f
        00a0  a3 ae 0c af 64 45 17 e3  5f ac 48 e4 5a cd 43 66
        00b0  ab 6f 39 cd 4b fd 5d e8  ed db dd 72 43 72 1d 97
        00c0  cb c4 b6 98 12 60 22 0d  6a 7f d7 ee 16 51 80 2b
        00d0  93 f9 67 46 d0 b3 f1 c0  1d 16 9d df 9a 61 72 97
        00e0  e9 36 8d c6 11 55 be c7  1d f1 5e 72 bd a0 0f ea
        00f0  86 a1 d4 42 64 46 c7 c0  96 09 73 bf 58 f7 aa 44
        0100  e2 d5 78 56 8c 47 20 50  87 02 03 01 00 01
    Certificate Extensions: 8
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = 2e
        Certificate Template Name (Certificate Type)
            MachineEnrollmentAgent

        2.5.29.37: Flags = 0, Length = e
        Enhanced Key Usage
            Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)

        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature (80)

        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            63 9d 5a 59 7c b5 36 46 ab 8c 77 1b b8 2f 52 29 35 6e 1f 58

        2.5.29.35: Flags = 0, Length = 18
        Authority Key Identifier
            KeyID=26 b4 6c c5 77 5a e7 19 ef af 1b f1 d6 a8 59 b7 b0 7c 8f df

        2.5.29.31: Flags = 0, Length = e6
        CRL Distribution Points
            [1]CRL Distribution Point
                 Distribution Point Name:
                      Full Name:
                           URL=ldap:///CN=ECMCA,CN=ECM,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dexademo,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                           URL=http://ecm.dexademo.pri/CertEnroll/ECMCA.crl

        1.3.6.1.5.5.7.1.1: Flags = 0, Length = f6
        Authority Information Access
            [1]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=ldap:///CN=ECMCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=dexademo,DC=pri?cACertificate?base?objectClass=certificationAuthority
            [2]Authority Info Access
                 Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
                 Alternative Name:
                      URL=http://ecm.dexademo.pri/CertEnroll/ECM.dexademo.pri_ECMCA.crt

        2.5.29.17: Flags = 0, Length = 14
        Subject Alternative Name
            DNS Name=ECM.dexademo.pri

    Signature Algorithm:
        Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
        Algorithm Parameters:
        05 00
    Signature: UnusedBits=0
        0000  ef cb 53 b9 fd fc 3b db  ae 8b bd ea bd 18 c8 99
        0010  04 fd 69 98 23 28 1b 2f  c4 39 3f ca 1f c3 7d 56
        0020  9d 2e 45 56 80 df 0a cf  1c 0d 30 5b e1 7f 91 95
        0030  8d c8 7f 0e c8 ab 05 6a  8e 12 1f a9 04 f0 8b d4
        0040  76 8b 78 0b b2 b0 2c d7  c1 1f 7e 8d c8 e1 df 60
        0050  70 1e 38 dc 00 98 6b dd  13 91 f9 9b 5c 9c 29 7b
        0060  47 ef 65 24 e5 27 ee 68  34 2a b9 0f e5 44 20 c7
        0070  83 99 92 1b 37 b1 52 6d  75 39 ef 6a aa 1f 94 f7
        0080  3c f0 b9 ab d7 a0 b2 92  82 d6 72 2b 33 2b 90 62
        0090  8c 23 b0 35 3a aa 5a 27  d5 17 2a 71 29 3d 2d 3a
        00a0  9b 3b 37 f6 72 4a 3a ca  1e fc 3f dc 9d c4 74 de
        00b0  89 b4 a3 b8 99 21 32 27  2f 63 4f ea 7e 69 1a 0b
        00c0  31 a8 e1 93 93 e5 56 0f  32 91 73 68 53 0a 3e 86
        00d0  11 65 7f 67 cb 2b 5c a0  43 53 65 b1 53 97 b8 fc
        00e0  80 b8 da c1 63 8c 91 c8  6e 9b b0 4e 06 61 b0 12
        00f0  bc a9 f2 9c 7c ca dc 0b  10 98 ae 83 78 32 14 84
        0100  c5 b4 af 3d be 90 52 3c  6e 85 2a 3e f1 97 65 2c
        0110  5e 5b 85 ff 4e 22 42 3d  d3 fe 75 8c 77 36 08 49
        0120  4b e8 e5 09 bf 6e a5 80  2e 07 1b f2 50 47 09 56
        0130  9c 3f 95 28 10 79 bd 16  7a a2 c5 75 ce de d6 14
        0140  e9 7f ab e6 93 c9 77 8e  d9 20 55 a6 c9 ce 87 e0
        0150  67 11 74 b4 43 e4 80 08  98 ad 2f d8 73 3a c2 18
        0160  e9 90 3a e0 e3 7f 60 f2  ff 36 24 49 ef 26 80 c0
        0170  23 f7 05 ab 5b e9 62 5e  89 c0 08 95 37 09 36 9f
        0180  a4 3d 0e 2d bb bc 98 da  27 5c f4 2d 08 b1 3e aa
        0190  62 ab ae 18 41 4b 7e 7a  a5 8c 8f 89 cd 09 8d 84
        01a0  01 43 1d 7d 72 fd df e8  0e 81 8d a7 4d ff 36 b7
        01b0  b3 7a 05 58 d0 cd 02 5c  a8 20 da ec 96 1b f5 8b
        01c0  18 fa 7f 51 ab f4 97 bf  2c 8d b9 c4 1d 32 d0 92
        01d0  88 8e 84 e8 2f e9 8f 9f  99 aa 89 1b 11 51 b7 2b
        01e0  f5 95 95 be aa aa b0 71  c5 29 79 c9 0b 1c a9 8f
        01f0  c6 aa 5b 39 c5 d3 49 65  33 b4 7c 73 e9 86 b6 79
    Non-root Certificate
    Key Id Hash(rfc-sha1): 63 9d 5a 59 7c b5 36 46 ab 8c 77 1b b8 2f 52 29 35 6e 1f 58
    Key Id Hash(sha1): da 88 62 ca 29 91 be e8 a0 c8 86 80 e2 10 42 f7 53 c1 95 86
    Cert Hash(md5): e9 7f 50 f2 de 62 85 2b f0 3d e5 63 9e 22 2d a4
    Cert Hash(sha1): 17 dc bc f8 9f 60 8d 8f f1 40 b3 a0 a8 8e c7 2a 61 be ef 16
    ----------------  End Nesting Level 1  ----------------
    No CRLs
    CertUtil: -dump command completed successfully.

     

    The only difference in this env is that this request used to work with the Domain at 2000 functional level and now it is at 2003 functional level.

    Thursday, April 1, 2010 8:38 AM
  • is there a way to enable extra logging at the ca to see why exactly the request is failing?
    Thursday, April 1, 2010 9:19 AM
  • please show the settings of your template? Specially Issuance Requirements tab.


    http://www.sysadmins.lv
    Thursday, April 1, 2010 9:47 AM
  • The Issuance Requirement for the template is

     

    CA Certificate manager approval (Not checked)

    this number of authorized signatures (Checked with 1 specified)

    Policy type required in signaturee==Application Policy

    Application Policy==Any Purpose

    The rest in other Template tabs are default, when you copy the template

    Thursday, April 1, 2010 3:14 PM
  • The Issuance Requirement for the template is

     

    CA Certificate manager approval (Not checked)

    this number of authorized signatures (Checked with 1 specified)

    Policy type required in signaturee==Application Policy

    Application Policy==Any Purpose

    The rest in other Template tabs are default, when you copy the template

    Thursday, April 1, 2010 3:14 PM
  • In application policy drop-down list select Certificate Request Agent.
    http://www.sysadmins.lv
    • Marked as answer by Zahurab Friday, April 2, 2010 4:16 AM
    Thursday, April 1, 2010 3:22 PM
  • Yup, that was the answer. Thanks a million :)

    On the side note do you know of any documentation about the changes that have been made to CA2008 that are different from 2003?

    Friday, April 2, 2010 4:16 AM
  • there are a lot of changes between 2003 and 2008 certificate services. You can check the following document:

    http://www.microsoft.com/downloads/details.aspx?familyid=9BF17231-D832-4FF9-8FB8-0539BA21AB95&displaylang=en

    note that this document is based on Windows Server 2008 beta versions. However there wasn't significant changes between betas and RTM.


    http://www.sysadmins.lv
    Friday, April 2, 2010 6:16 AM