Solved

Computer Certificate Request Problem

Posted on 2009-04-03
690 Views
Last Modified: 2013-12-04
The root CA (a Windows 2003 SE server) in my domain crashed and had to be restored from backup. During the process the cert service had to be removed and re-installed. Although the cert server seems to be working now (I can access the web enroll site, and "user certs" can be successfully requested), I cannot successfully request a computer certificate on any WinXP client using the certificates mmc - every time I try I get this message from the Certificate Request Wizard: "The certificate request failed. The parameter is incorrect". As I mentioned before though, this seems odd because when I request USER certificates using the certificate mmc, I have no problem. I thought it might be a problem with the computer account on this particular client machine, so I deleted it from the domain and rejoined, but the problem persists.

Any ideas?
Question by:tballin
4 Comments
 

Expert Comment

by:Paranormastic
ID: 24062781
Was the old certificate imported with private key or was a new certificate and keyset generated when you reinstalled certificate services?
 

Author Comment

by:tballin
ID: 24063388
I did not do any of those things before I reinstalled certificate services.

FYI: I have now uninstalled cert services from that machine and installed it on another. Unfortunately that didn't fix the problem however, as I now get a new error message:

The certificate request failed because of one of the following conditions:

-The certificate request was submitted to a Certification Authority (CA) that is not started
-You do not have the permissions to request certificates from the available CAs.

I also performed a certutil /dump on the XP machine (See below) and I noticed there are two entries there, one with the old, original CA and one with the new.  Seems like the client is trying to contact the original (now defunct) CA for computer certificate requests.

Where should I go from here?
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version

Entry 0:
  Name:                         `mail.domain.com'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `srv1.hq.domain.com\mail.domain.com'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `srv1.hq.domain.com'
  Authority:                    `mail.domain.com'
  Sanitized Name:               `mail.domain.com'
  Short Name:                   `mail.domain.com'
  Sanitized Short Name:         `mail.domain.com'
  Flags:                        `1'

Entry 1:
  Name:                         `srv2'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `srv2.hq.domain.com\srv2'
  Exchange Certificate:         `'
  Signature Certificate:        `'
  Description:                  `'
  Server:                       `srv2.hq.domain.com'
  Authority:                    `srv2'
  Sanitized Name:               `srv2'
  Short Name:                   `srv2'
  Sanitized Short Name:         `srv2'
  Flags:                        `1'

CertUtil: -dump command completed successfully.

 

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24063614
Try running this:
certutil -dcinfo deleteBad

How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

If this was a root CA you will need to put the new CA cert into GPO to distribute to clients.

You can update autoenroll events for the new CA:
certutil -pulse

Use the Certification Authorities MMC to assign desired templates to the new CA and remove the old.

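To check whether a client still carries an enrollment-service entry for the retired CA (what tballin's certutil -dump shows, and what the cleanup steps above are meant to remove), here is an added example, not from this thread, that parses certutil -dump output in the format posted earlier and flags entries whose Config string is not one of the CAs the admin still operates. The sample dump is constructed from the two entries posted above, and the list of live CA configs is an assumption you would replace with your own.

```python
import re
import subprocess

# Constructed sample in the shape of the poster's certutil -dump output
# (the leading "CertCli Version" line and the per-entry fields shown in the thread).
SAMPLE_DUMP = r"""402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                         `mail.domain.com'
  Config:                       `srv1.hq.domain.com\mail.domain.com'
  Server:                       `srv1.hq.domain.com'
  Authority:                    `mail.domain.com'
  Flags:                        `1'

Entry 1:
  Name:                         `srv2'
  Config:                       `srv2.hq.domain.com\srv2'
  Server:                       `srv2.hq.domain.com'
  Authority:                    `srv2'
  Flags:                        `1'
CertUtil: -dump command completed successfully.
"""

ENTRY_RE = re.compile(r"^Entry (\d+):")
# Field lines are indented, the label is padded with spaces, the value is wrapped in `...'
FIELD_RE = re.compile(r"^\s+([A-Za-z/ ]+?):\s+`(.*)'$")


def parse_dump(text):
    """Return one dict per 'Entry N:' block, keyed by field label (Name, Config, ...)."""
    entries = []
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            entries.append({})
        elif entries:
            m = FIELD_RE.match(line)
            if m:
                entries[-1][m.group(1)] = m.group(2)
    return entries


def stale_entries(entries, live_configs):
    """Entries whose Config (server and CA name) is not in the assumed list of CAs still in service."""
    live = {c.lower() for c in live_configs}
    return [e for e in entries if e.get("Config", "").lower() not in live]


def live_dump():
    """On a domain-joined Windows client, read the real output instead of SAMPLE_DUMP."""
    return subprocess.run(["certutil", "-dump"], capture_output=True, text=True).stdout
```

Re-run the check after the cleanup steps: once the old enrollment-service object is gone from AD, a fresh `certutil -dump` should no longer produce a stale entry.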
 

Author Comment

by:tballin
ID: 24064891
Great suggestions - especially helpful also was the pkiview.msc referenced in the Microsoft support article.

Thanks!
