Greg27

W2k8 R2 DC can't accept cert

I am trying to get my Windows 2008 R2 DC to accept an SSL certificate. I ran the following command:

certreq -accept certnew.cer

I then get the following message:

DecodeFile returned 0x80070002 (WIN32: 2)
Certificate Request Processor: The system cannot find the file specified. 0x80070002 (WIN32: 2)

Am I doing something wrong? Trying to get LDAPS working with a 3rd party UCC Certificate.
wkcarlson

Did you actually generate the SSL certificate 'certnew.cer' and is it in the same directory as the certreq command?

ASKER

Yes on both accounts. I even entered the command:

certreq -accept C:\Users\user1\Desktop\certnew.cer

which contains the fully qualified path to the cert, but it still generates the same error.
And are you running the certreq command with administrator privileges?

ASKER

Yes. Am I missing something basic? Should I have the file sitting somewhere other than my desktop?
Watch the step three screen cast and see if that cures what ails you.

http://www.netometer.com/video/tutorials/godaddy-add-trusted-certificate-sbs-2008/

ASKER

I went to the link and selected step 3, but it will not show the video unless I sign up for about $30.
Very strange!  Try adding the certificate via the Certificates snap-in in the Windows MMC.

ASKER

Do I import from the "Trusted Root Certification Authorities" or the "Personal" Certificates folder? I tried from the "Trusted Root Certification Authorities" folder, but it looks like it wants a file with a .crt extension instead of a .cer extension.
Trusted Root Certificate Authorities would be from someone like Verisign or GoDaddy.  I believe you will want to use the personal certificates wizard to get the job done here since it is a self-signed certificate.

ASKER

It's actually a certificate from GoDaddy.
Ah, that's helpful to know.  Here is a FREE link that should walk you through all of the steps quite nicely.  http://www.bunkerhollow.com/blogs/matt/archive/2008/06/05/install-a-godaddy-ssl-certificate-on-iis-7.aspx

ASKER

Since this is for Active Directory and not IIS, will this link still work?
Do you currently have the Active Directory Certificate Services role installed on your server?

ASKER

To generate a certificate?
It is under the Personal certificates that you should see your certificate in the MMC

ASKER

Do I need Active Directory Certificate Services to use a 3rd party certificate for LDAPS?
No, you don't need AD CS.  I'm crossing up my posts here.  There's another one with a self-signed.  You should be good to go with your third party certificate.

ASKER

If I try to import into the Personal folder, it still wants to add the .crt extension on.

ASKER

So, everything that I read tells me to create a cert file named certnew.cer, but the Certificates MMC wants a file with an extension of .crt. Am I possibly missing a step to get the .cer file to a .crt?
.cer is correct.  Did you put the .cer file in the same folder as the request file?  Also, when you copied and pasted the third party certificate, did you include EVERYTHING, or did you cut the strange bits at the first and end?  Usually there are slashes or dead space in them, but you have to copy EVERYTHING.  You also have to be sure and use a plain text editor.  No wordpad, and definitely no Word.

ASKER

I think I just copied the .cer file they sent me. I don't recall opening it up and copying anything.

ASKER

The request file is on the desktop as well.
ASKER CERTIFIED SOLUTION
wkcarlson

This solution is only available to members.

ASKER

I am still dealing with the fact that even if I try to import the cert using the mmc, it still says it can't find the file. ????

ASKER

The link you sent me from Microsoft is the one I used. When I get to entering the command:

certreq -accept certnew.cer

it tells me the following:

DecodeFile returned 0x80070002 (WIN32: 2)
Certificate Request Processor: The system cannot find the file specified. 0x80070002 (WIN32: 2)

I am not sure what "The system cannot find the file specified" means as I have qualified the path to the cert and rechecked the name. If I look at help for the command certreq I see the format is:

------------

CertReq -Accept [Options] [CertChainFileIn | FullResponseFileIn | CertFileIn]
  Accept and install a response to a previous new request.

Options:
  -user
  -machine

-------------

Do I need to do something with the certnew.cer file before running the command?

I did try double clicking on the certificate and installing it that way, but I still don't see my specific cert listed. I do however see the following new cert listed under "Trusted Root Certification Authorities" -> "Certificates": "Go Daddy Class 2 Certification Authority". It also shows up under "Third-Party Root Certification Authorities" -> "Certificates".

ASKER

wkcarlson, I just found out my actual problem. I now feel foolish. I thought I had unchecked the "Hide extensions for known file types", but apparently, Windows 2008 or 2008 R2 has added another hide option "Hide empty drives in the Computer Folder", so my certnew.cer file was actually named certnew.cer.crt. So, I was able to accept the certificate once I changed the extension. I wanted to give you credit for hanging with me and giving me good instructions on setting it up.
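
A pre-flight check for the failure resolved above, as an added PowerShell example that is not part of the original posts: it lists the real on-disk file names (including any extension Explorer hides), renames a single near match such as certnew.cer.crt, confirms the file decodes as a certificate, and only then runs certreq -accept. The default path is the one quoted in the thread; run it from an elevated prompt.

```powershell
# Added example, not from the thread's participants.
# Default path is the one quoted in the thread; override with -CertPath.
param(
    [string]$CertPath = 'C:\Users\user1\Desktop\certnew.cer'
)

$dir  = Split-Path -Parent $CertPath
$leaf = Split-Path -Leaf   $CertPath

# Explorer can hide the final extension, so list every file whose name
# starts with the expected one (certnew.cer, certnew.cer.crt, ...).
$candidates = @(Get-ChildItem -Path $dir |
    Where-Object { -not $_.PSIsContainer -and $_.Name -like "$leaf*" })

if ($candidates.Count -eq 0) {
    Write-Error "No file starting with '$leaf' exists in $dir."
    return
}

$exact = $candidates | Where-Object { $_.Name -eq $leaf }
if (-not $exact) {
    # This is the situation that makes certreq report 0x80070002.
    Write-Warning "'$leaf' does not exist. Files actually present:"
    $candidates | ForEach-Object { Write-Warning ("  " + $_.Name) }
    if ($candidates.Count -ne 1) { return }   # ambiguous: fix by hand
    Rename-Item -Path $candidates[0].FullName -NewName $leaf
}

# Make sure the file really decodes as an X.509 certificate.
try {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
} catch {
    Write-Error "File exists but is not a readable certificate: $($_.Exception.Message)"
    return
}
"Subject : " + $cert.Subject
"Issuer  : " + $cert.Issuer
"Expires : " + $cert.NotAfter

# Accept the response against the pending request, as in the thread.
certreq -accept $CertPath
```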

ASKER

wkcarlson, not sure if you know, but once I get the cert installed, do I need to reboot the server to connect via LDAPS or should it just work?