ADCS - Smartcard User and Logon issuing problem


  • I've built an Enterprise Root CA in my domain from scratch, made an enrollment agent and issued a cert for him. When I try to Enroll On Behalf Of... I can issue, for example, a Basic EFS or User certificate, but I can't issue a Smartcard Logon or Smartcard User certificate. When I click Enroll, I get the following message:

    Failed to install one or more certificates

    STATUS: Request denied

    The signature of the certificate cannot be verified.
    Error Constructing or Publishing Certificate The Request ID is x.

    On my client machine, where I'm logged in as the enrollment agent and from where I'm issuing certificates, I get Event ID 13 in the event log:

    Certificate enrollment for DZPANCEVO\enrollagent failed to enroll for a SmartcardUser certificate with request ID 14 from\dzpancevo-DC1-CA (The signature of the certificate cannot be verified. 0x80096004 (-2146869244)).

    On my CA server, I get Event ID 53:

    Active Directory Certificate Services denied request 14 because The signature of the certificate cannot be verified. 0x80096004 (-2146869244).  The request was for, CN=xxx xxxxxx, OU=xxxx, OU=xxx Users, DC=xxxx, DC=xxx.  Additional information: Error Constructing or Publishing Certificate

    I'm stuck here. We bought smart cards for all users in the organization and they are all waiting for me to implement them. I'll appreciate any help.

    • Edited by bojantr Monday, November 12, 2012 11:20 PM
    • Moved by Yan Li_Moderator Tuesday, November 13, 2012 1:41 AM (From:General)
    Monday, November 12, 2012 10:31 PM


All replies

  • There might be several possible causes for the ADCS Event ID 53.

    Event ID 53 — AD CS Certificate Request (Enrollment) Processing

    Tuesday, November 13, 2012 7:04 AM
  • Ofc I checked that link (direct link from Event Viewer), passed all the steps, but nothing is wrong. I just don't understand this event ID, this message, and this: The signature of the certificate cannot be verified. Does this mean that my enrollment agent certificate has problems?
    Tuesday, November 13, 2012 9:17 AM
  • I think this is because your smart card uses a custom CSP and a custom (non-RSA) algorithm to generate key pairs. To resolve this issue, the smart card middleware (along with the CSP) must be installed on all machines.


    • Marked as answer by bojantr Friday, November 16, 2012 2:22 PM
    Tuesday, November 13, 2012 11:21 AM
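
Added example, not part of the thread: a PowerShell check for the accepted answer's point, comparing the providers listed by `certutil -csplist` on the enrollment station against those on the CA to spot a card provider that is installed on only one side. The function names are hypothetical, and the two sample outputs (including the vendor provider name) are constructed.

```powershell
# Parse `certutil -csplist` text into an ordered map: provider name -> type string.
function ConvertFrom-CspList {
    param([Parameter(Mandatory)][string[]]$Lines)
    $providers = [ordered]@{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Provider Name:\s*(.+?)\s*$') {
            $current = $Matches[1]
            $providers[$current] = '(no type listed)'   # kept if no type line follows
        } elseif ($current -and $line -match '^\s*Provider Type:\s*(.+?)\s*$') {
            $providers[$current] = $Matches[1]
        }
    }
    $providers
}

# Report providers present on the enrollment station but absent on the CA.
function Compare-CspList {
    param([Parameter(Mandatory)]$Station, [Parameter(Mandatory)]$CA)
    foreach ($name in $Station.Keys) {
        if (-not $CA.Contains($name)) {
            [pscustomobject]@{ Provider = $name; Type = $Station[$name]; MissingOn = 'CA' }
        }
    }
}

# Constructed sample output; on real machines use: ConvertFrom-CspList (certutil -csplist)
$stationOutput = @'
Provider Name: Microsoft Base Smart Card Crypto Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Example Vendor Smart Card CSP
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Smart Card Key Storage Provider
'@ -split '\r?\n'

$caOutput = @'
Provider Name: Microsoft Base Smart Card Crypto Provider
Provider Type: 1 - PROV_RSA_FULL

Provider Name: Microsoft Smart Card Key Storage Provider
'@ -split '\r?\n'

$station = ConvertFrom-CspList -Lines $stationOutput
$ca      = ConvertFrom-CspList -Lines $caOutput
Compare-CspList -Station $station -CA $ca | Format-Table -AutoSize
```

With the constructed input, the only row reported is the vendor provider, which is the situation the answer describes: the CA has no middleware for the card that generated the request key.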