barrykeel
asked on
Requesting Certificate for Another User - certreq inf File Error
I have an enterprise root CA with 2003 Enterprise server. I have set a user for the Enrollment agent and a user for the Key Recovery Agent. I have tested the Key Recovery agent and the account works correctly. I have created and published a custom user template and assigned the security rights accordingly. I basically just extended the certificate life and named the template Domain User. I have set an OU of some users to AutoEnroll. No problems with auto enrollment. No problems with getting the certificate from the web enrollment at http://server/certsrv. The problem is using certreq to request a certificate for another user by the Enrollment Agent with the custom template. I have used an inf file I created but get an error. The error is The Certificate Request Processor. The parameter is incorrect 0x80070057 (WIN32: 87). Any idea as to what is incorrect?
[Version]
Signature= "$Windows NT$"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
OID = 1.3.6.1.5.5.7.3.4
OID = 1.3.6.1.4.1.311.10.3.4
[RequestAttributes]
CertificateTemplate = "Domain User"
[NewRequest]
Exportable = TRUE
SMIME = TRUE
PrivateKeyArchive = TRUE
UserProtected = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xa4
ProviderType = 1
RequestType = PKCS10
ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "
Subject = " CN=User Name,DC=Domain,DC=com "
RequesterName = Domain\user
KeyLength = 1024ASKER
There was never an error in the setup or configuration, only when requesting a cert using certreq. This CA is on a single DC and all users are on the same DC and they have local logon rights. There are no other machines in this domain. This is a test server to prepare for a CA upgrade in our actual production environment. Exactly how is the kb article rleated to this error I am getting? I don't see it or I must be missing something.
The Error code is The parameter is incorrect. 0x80070057 ? am i right
ASKER
Correct, but the KB article talks about that error in this scenario:
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message.
I am not trying to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA. It may still relate to my issue. In doing some research I have found that "The parameter is incorrect. 0x80070057" is a fairly common error code for a variety of applications not just certificate services. The user at installation had the correct rights and the key is there, per kb article.
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message.
I am not trying to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA. It may still relate to my issue. In doing some research I have found that "The parameter is incorrect. 0x80070057" is a fairly common error code for a variety of applications not just certificate services. The user at installation had the correct rights and the key is there, per kb article.
ASKER
After some reading on the inf file I changed the RequestType to CMC. Now the error is the following:
Certificate Request Processor. The keyset is not defined. 0x80090019 (-2146893799)
Certificate Request Processor. The keyset is not defined. 0x80090019 (-2146893799)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I figured it out on my own.
http://support.microsoft.com/kb/305193