
Computer Certificate Request Problem

Last Modified: 2013-12-04
The root CA (A Windows 2003 SE server) in my domain crashed and had to be restored from backup.  During the process the cert service had to be removed and re-installed.  Although the cert server seems to be working now (I can access the web enroll site, and "user certs" can be successfully requested), I cannot successfully request a computer certificate on any WinXP client using the certificates mmc - every time I try I get this message from the Certificate Request Wizard: "The certificate request failed.  The parameter is incorrect".  As I mentioned before though, this seems odd because when I request USER certificates using the certificate mmc, I have no problem.  I thought it might be a problem with the computer account on this particular client machine, so I deleted it from the domain and rejoined, but the problem persists.

Any ideas?

Paranormastic
Cryptographic Engineer
CERTIFIED EXPERT

Commented:
Was the old certificate imported with private key or was a new certificate and keyset generated when you reinstalled certificate services?

Author

Commented:
I did not do any of those things before I reinstalled certificate services.

FYI: I have now uninstalled cert services from that machine and installed it on another.  Unfortunately that didn't fix the problem however, as I now get a new error message:

The certificate request failed because of one of the following conditions:

-The certificate request was submitted to a Certification Authority (CA) that is not started
-You do not have the permissions to request certificates from the available CAs.

I also performed a certutil /dump on the XP machine (See below) and I noticed there are two entries there, one with the old, original CA and one with the new.  Seems like the client is trying to contact the original (now defunct) CA for computer certificate requests.

Where should I go from here?
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                         `mail.domain.com'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `srv1.hq.domain.com\mail.domain.com'
 
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `srv1.hq.domain.com'
  Authority:                    `mail.domain.com'
  Sanitized Name:               `mail.domain.com'
  Short Name:                   `mail.domain.com'
  Sanitized Short Name:         `mail.domain.com'
  Flags:                        `1'
 
Entry 1:
  Name:                         `srv2'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `srv2.hq.domain.com\srv2'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `srv2.hq.domain.com'
  Authority:                    `srv2'
  Sanitized Name:               `srv2'
  Short Name:                   `srv2'
  Sanitized Short Name:         `srv2'
  Flags:                        `1'
CertUtil: -dump command completed successfully.
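
Added example (not part of the original thread): a Python parser for certutil dump output in the format posted above, listing the entries whose Server is not among the CA hosts an administrator considers in service. The sample text is constructed from the post's format, and treating srv2.hq.domain.com as the only live CA host is an assumption.

```python
import re

# Constructed sample, abbreviated from the dump format shown in the post above.
SAMPLE_DUMP = """\
Entry 0:
  Name:                         `mail.domain.com'
  Config:                       `srv1.hq.domain.com\\mail.domain.com'
  Server:                       `srv1.hq.domain.com'
  Flags:                        `1'

Entry 1:
  Name:                         `srv2'
  Config:                       `srv2.hq.domain.com\\srv2'
  Server:                       `srv2.hq.domain.com'
  Flags:                        `1'
CertUtil: -dump command completed successfully.
"""

ENTRY_RE = re.compile(r"^Entry\s+(\d+):\s*$")
# Field lines are indented and quote their value as `value' (possibly empty).
FIELD_RE = re.compile(r"^\s+([^:]+):\s+`(.*)'\s*$")


def parse_ca_entries(text):
    """Return one dict per 'Entry N:' block, keyed by field name."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"Index": int(m.group(1))}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return entries


def stale_entries(entries, live_servers):
    """Entries whose Server is not in the set of CA hosts known to be in service."""
    live = {s.lower() for s in live_servers}
    return [e for e in entries if e.get("Server", "").lower() not in live]


if __name__ == "__main__":
    # Assumption: srv2.hq.domain.com is the only CA host still in service.
    for e in stale_entries(parse_ca_entries(SAMPLE_DUMP), ["srv2.hq.domain.com"]):
        print(f"stale CA entry {e['Index']}: {e['Config']}")
```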


Author

Commented:
Great suggestions - especially helpful also was the pkiview.msc referenced in the Microsoft support article.

Thanks!
