barrykeel

asked on

Requesting Certificate for Another User - certreq inf File Error

I have an enterprise root CA with 2003 Enterprise server. I have set a user for the Enrollment agent and a user for the Key Recovery Agent. I have tested the Key Recovery agent and the account works correctly. I have created and published a custom user template and assigned the security rights accordingly. I basically just extended the certificate life and named the template Domain User. I have set an OU of some users to AutoEnroll. No problems with auto enrollment. No problems with getting the certificate from the web enrollment at http://server/certsrv. The problem is using certreq to request a certificate for another user by the Enrollment Agent with the custom template. I have used an inf file I created but get an error. The error is The Certificate Request Processor. The parameter is incorrect 0x80070057 (WIN32: 87). Any idea as to what is incorrect?
[Version]
Signature= "$Windows NT$"

[EnhancedKeyUsageExtension]
 OID = 1.3.6.1.5.5.7.3.2
 OID = 1.3.6.1.5.5.7.3.4
 OID = 1.3.6.1.4.1.311.10.3.4 

[RequestAttributes]
 CertificateTemplate = "Domain User"

[NewRequest]
 Exportable = TRUE
 SMIME = TRUE
 PrivateKeyArchive = TRUE
 UserProtected = TRUE
 MachineKeySet = TRUE
 KeySpec =  1 
 KeyUsage =  0xa4 
 ProviderType =  1 
 RequestType =  PKCS10 
 ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "
 Subject = " CN=User Name,DC=Domain,DC=com "
 RequesterName =  Domain\user
 KeyLength =  1024

barane

Hope the below link would be useful

http://support.microsoft.com/kb/305193
barrykeel

ASKER

There was never an error in the setup or configuration, only when requesting a cert using certreq. This CA is on a single DC and all users are on the same DC and they have local logon rights. There are no other machines in this domain. This is a test server to prepare for a CA upgrade in our actual production environment. Exactly how is the KB article related to this error I am getting? I don't see it or I must be missing something.

The error code is "The parameter is incorrect. 0x80070057"? Am I right?
Correct, but the KB article talks about that error in this scenario:
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message.
I am not trying to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA. It may still relate to my issue. In doing some research I have found that "The parameter is incorrect. 0x80070057" is a fairly common error code for a variety of applications not just certificate services. The user at installation had the correct rights and the key is there, per kb article.
After some reading on the inf file I changed the RequestType to CMC. Now the error is the following:
Certificate Request Processor. The keyset is not defined. 0x80090019 (-2146893799)
ASKER CERTIFIED SOLUTION
barrykeel

I figured it out on my own.
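
Added example, not part of the thread and not the asker's solution (which the page does not show): a Python check of an INF's [NewRequest] section against two constraints from Microsoft's certreq documentation, that RequesterName is only used with PKCS7 or CMC requests and that PrivateKeyArchive requires CMC. The sample input is constructed from keys in the question's file, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the keys from the INF posted in the question.
SAMPLE_INF = '''\
[Version]
Signature= "$Windows NT$"

[NewRequest]
 PrivateKeyArchive = TRUE
 RequestType =  PKCS10 
 ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "
 RequesterName =  Domain\\user
'''

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def lint_new_request(text):
    """Flag [NewRequest] settings that conflict with documented certreq rules."""
    req = parse_inf(text).get("newrequest", {})
    # Only an explicit RequestType is checked; no default is assumed here.
    rtype = req.get("requesttype", "").strip('"').strip().upper()
    archive = req.get("privatekeyarchive", "").strip('"').strip().upper()
    findings = []
    if rtype and "requestername" in req and rtype not in ("PKCS7", "CMC"):
        findings.append("RequesterName is only honoured for PKCS7 or CMC requests")
    if rtype and archive == "TRUE" and rtype != "CMC":
        findings.append("PrivateKeyArchive requires RequestType = CMC")
    for key, value in req.items():
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        if quoted and value[1:-1] != value[1:-1].strip():
            findings.append(f"{key}: quoted value has leading/trailing whitespace")
    return findings

if __name__ == "__main__":
    for finding in lint_new_request(SAMPLE_INF):
        print(finding)
```

The whitespace finding is a hygiene flag on the input as it appears on the page, not a diagnosis of either error code in the thread.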