Phani_Vasabattula
asked on
Error in Certificate Request....
Hi Experts,
I am facing problem in creating an certificate. I have created a certificate request in the notepad as below:
[NewRequest]
Subject ="CN=crm2007.vj.com"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE
[EnhancedKeyUsageExtension ]
OID = 1.3.6.1.5.5.7.3.1
saved this file as bcmcert.inf. Now I ran the command in the command prompt....
certreq -new bcmcert.inf bcmcert.req.
This command has created bcmcert.req without any issues. Now I stared local Microsoft Certificate Services, and clicked on "Request a Certificate" -> "advanced certificate request" -> "submit a certificate request by using a base 64-encoded CMC...", copied the content of bcmcert.req into the text box, and clicked on submit. I got the below error........
Error
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The parameter is incorrect. 0x80070057 (WIN32: 87)
COM Error Info:
CCertRequest::Submit The parameter is incorrect. 0x80070057 (WIN32: 87)
LastStatus:
The parameter is incorrect. 0x80070057 (WIN32: 87)
Suggested Cause:
No suggestions.
Could anyone please suggest, where i have gone error? Your help will be highly appreciated...
Regards,
Phani.
I am facing problem in creating an certificate. I have created a certificate request in the notepad as below:
[NewRequest]
Subject ="CN=crm2007.vj.com"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE
[EnhancedKeyUsageExtension
OID = 1.3.6.1.5.5.7.3.1
saved this file as bcmcert.inf. Now I ran the command in the command prompt....
certreq -new bcmcert.inf bcmcert.req.
This command has created bcmcert.req without any issues. Now I stared local Microsoft Certificate Services, and clicked on "Request a Certificate" -> "advanced certificate request" -> "submit a certificate request by using a base 64-encoded CMC...", copied the content of bcmcert.req into the text box, and clicked on submit. I got the below error........
Error
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq - New Request
Disposition:
(never set)
Disposition message:
(none)
Result:
The parameter is incorrect. 0x80070057 (WIN32: 87)
COM Error Info:
CCertRequest::Submit The parameter is incorrect. 0x80070057 (WIN32: 87)
LastStatus:
The parameter is incorrect. 0x80070057 (WIN32: 87)
Suggested Cause:
No suggestions.
Could anyone please suggest, where i have gone error? Your help will be highly appreciated...
Regards,
Phani.
ASKER
Thanks for the reply. I have followed the same steps, and it is nto working. This is due different scenario I had. Let me explain you the situation.
I have installed an SAP application on my personal laptop. This application is running at 192.xx.xx.1. This application has also installed a web site on IIS 6.0 with virtual address 192.XX.XX.2 on the same laptop. Now I am calling website from IE with address http://192.XX.XX.2/default.htm. Here the IE has to start application with an SSL certificate. I created the SSL certificate serveral ways and failed. Finally, what I understood is that I am creating an SSL creating with the subject as
Subject = "CN=crm2007.vj.com", O=TRAINING....
where crm2007.vj.com is my computer name, and Workgroup name is WORKGROUP.
From documentation, I understood that CN should be the DNS or NetBIOS name. Where my system is standalone system with workgroup defined as WORKGROUP.
Have I specified the correct value to CN parameter? If not, what is the value that I should specify? Can I create SSL certificate for a workstation? If yes, how? I need help on this very badly, and I can call you and share my desktop if required. my personal mail id is chphaniv@gmail.com
Request your inputs, and Thanks for your time.
Regards,
Phani.
I have installed an SAP application on my personal laptop. This application is running at 192.xx.xx.1. This application has also installed a web site on IIS 6.0 with virtual address 192.XX.XX.2 on the same laptop. Now I am calling website from IE with address http://192.XX.XX.2/default.htm. Here the IE has to start application with an SSL certificate. I created the SSL certificate serveral ways and failed. Finally, what I understood is that I am creating an SSL creating with the subject as
Subject = "CN=crm2007.vj.com", O=TRAINING....
where crm2007.vj.com is my computer name, and Workgroup name is WORKGROUP.
From documentation, I understood that CN should be the DNS or NetBIOS name. Where my system is standalone system with workgroup defined as WORKGROUP.
Have I specified the correct value to CN parameter? If not, what is the value that I should specify? Can I create SSL certificate for a workstation? If yes, how? I need help on this very badly, and I can call you and share my desktop if required. my personal mail id is chphaniv@gmail.com
Request your inputs, and Thanks for your time.
Regards,
Phani.
The CN can be netbios name, DNS name, IP address, or canonical name. DNS is most common. However, it must match what you are calling.
Since you are calling it as 192.x.x.2 that is what you need for the CN. You can get a SAN cert from many commercial CAs or from your own CA (need to enable SAN on your own CA first) - some commercial CA's don't like to issue to internal IP addresses though. I think Comodo will, but I'm not positive offhand, godaddy I've heard does not.
Also, make sure you are calling it as https:// instead of http:// since it is an SSL page.
It is generally best to use a CA signed certificate, however you can also use a self-signed cert - makecert.exe you can download from microsoft as part of the Platform SDK. Command reference is here:
http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
Download SDK here if you don't already have it:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e6e1c3df-a74f-4207-8586-711ebe331cdc
example command:
makecert -n "CN=192.x.x.1" -pe -sr localmachine -ss CA -a sha1 -r CertName.cer
Since you are accessing this on the local box, you may need to look into this - not sure if it applies since it is a different IP address at least:
http://support.microsoft.com/kb/896861
Since you are calling it as 192.x.x.2 that is what you need for the CN. You can get a SAN cert from many commercial CAs or from your own CA (need to enable SAN on your own CA first) - some commercial CA's don't like to issue to internal IP addresses though. I think Comodo will, but I'm not positive offhand, godaddy I've heard does not.
Also, make sure you are calling it as https:// instead of http:// since it is an SSL page.
It is generally best to use a CA signed certificate, however you can also use a self-signed cert - makecert.exe you can download from microsoft as part of the Platform SDK. Command reference is here:
http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
Download SDK here if you don't already have it:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e6e1c3df-a74f-4207-8586-711ebe331cdc
example command:
makecert -n "CN=192.x.x.1" -pe -sr localmachine -ss CA -a sha1 -r CertName.cer
Since you are accessing this on the local box, you may need to look into this - not sure if it applies since it is a different IP address at least:
http://support.microsoft.com/kb/896861
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your quick reply. I will try this and get back to you. Assuming that I have not provided the system details.....
OS Windows 2003 Service Pack 1
W3SVC IIS6 - World Wide Web Publishing service is running
Host name crm2007
Dns suffix vj.com
Workgroup name WORKGROUP
Kindly direct, if you have any more suggestions for me.
Thanks once again.......
Regards,
Phani.
OS Windows 2003 Service Pack 1
W3SVC IIS6 - World Wide Web Publishing service is running
Host name crm2007
Dns suffix vj.com
Workgroup name WORKGROUP
Kindly direct, if you have any more suggestions for me.
Thanks once again.......
Regards,
Phani.
ASKER
Hurray!! Self-signed certificates worked for me. Thanks a lot!! I wish to give 10,000 points.
[RequestAttributes]
CertificateTemplate = WebServer
Here is a link that explains everything if you need it:
http://technet.microsoft.com/en-us/library/bb663762.aspx
My example also increases your key strength from 1024 to 2048, which you should be doing these days anyways.
I assume that "certreq -new bcmcert.inf bcmcert.req. " did not have a period at the end as in the example?
Also, you might try using pkiview.msc (PKI Health Tool - available in 2003 resource kit, comes standard in 2008 renamed as Enterprise PKI). This will allow you to diagnose a number of PKI related issues quickly.
Open in new window