Requesting Certificate for Another User - certreq inf File Error

I have an enterprise root CA with 2003 Enterprise server. I have set a user for the Enrollment agent and a user for the Key Recovery Agent. I have tested the Key Recovery agent and the account works correctly. I have created and published a custom user template and assigned the security rights accordingly. I basically just extended the certificate life and named the template Domain User. I have set an OU of some users to AutoEnroll. No problems with auto enrollment. No problems with getting the certificate from the web enrollment at http://server/certsrv. The problem is using certreq to request a certificate for another user by the Enrollment Agent with the custom template. I have used an inf file I created but get an error. The error is "The Certificate Request Processor. The parameter is incorrect 0x80070057 (WIN32: 87)". Any idea as to what is incorrect?
[Version]
Signature= "$Windows NT$"

[EnhancedKeyUsageExtension]
 OID = 1.3.6.1.5.5.7.3.2
 OID = 1.3.6.1.5.5.7.3.4
 OID = 1.3.6.1.4.1.311.10.3.4 

[RequestAttributes]
 CertificateTemplate = "Domain User"

[NewRequest]
 Exportable = TRUE
 SMIME = TRUE
 PrivateKeyArchive = TRUE
 UserProtected = TRUE
 MachineKeySet = TRUE
 KeySpec =  1 
 KeyUsage =  0xa4 
 ProviderType =  1 
 RequestType =  PKCS10 
 ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "
 Subject = " CN=User Name,DC=Domain,DC=com "
 RequesterName =  Domain\user
 KeyLength =  1024


barrykeelAsked:
 
barrykeelAuthor Commented:
I got it to work. It was some spacing in the syntax.
0
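Added example, not part of the original thread or the author's fix: the author does not say which spacing was at fault, so this Python check only flags spacing in a certreq INF that deserves a second look. The three heuristics (trailing whitespace, more than one space after `=`, padding inside quotes) and the function name `lint_inf_spacing` are assumptions; the sample is an excerpt of the INF posted in the question.

```python
import re

# Excerpt of the INF posted in the question, spacing kept as posted.
# Built from explicit strings so trailing spaces stay visible.
SAMPLE_INF = "\n".join([
    '[Version]',
    'Signature= "$Windows NT$"',
    '',
    '[NewRequest]',
    ' KeySpec =  1 ',
    ' ProviderName = " Microsoft Enhanced Cryptographic Provider v1.0 "',
    ' Subject = " CN=User Name,DC=Domain,DC=com "',
    ' KeyLength =  1024',
])

def lint_inf_spacing(text):
    """Return (line_no, section, key, issue) tuples for suspicious spacing.

    Heuristics only (assumptions, not certreq's own parsing rules).
    """
    findings = []
    section = None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            findings.append((no, section, None, "not a key = value line"))
            continue
        key, value = raw.split("=", 1)            # split on the first '=' only
        key = key.strip()
        if raw != raw.rstrip():
            findings.append((no, section, key, "trailing whitespace"))
        if re.match(r"\s{2,}", value):
            findings.append((no, section, key, "more than one space after '='"))
        quoted = re.fullmatch(r'\s*"(.*)"\s*', value)
        if quoted and quoted.group(1) != quoted.group(1).strip():
            findings.append((no, section, key, "padding inside quotes"))
    return findings

if __name__ == "__main__":
    for no, section, key, issue in lint_inf_spacing(SAMPLE_INF):
        print(f"line {no} [{section}] {key}: {issue}")
```

Padding inside quotes matters most for `ProviderName` and `Subject`, because the quoted string is the value passed on, spaces included.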
 
baraneCommented:
Hope the below link would be useful

http://support.microsoft.com/kb/305193
0
 
barrykeelAuthor Commented:
There was never an error in the setup or configuration, only when requesting a cert using certreq. This CA is on a single DC and all users are on the same DC and they have local logon rights. There are no other machines in this domain. This is a test server to prepare for a CA upgrade in our actual production environment. Exactly how is the KB article related to this error I am getting? I don't see it or I must be missing something.
0

 
baraneCommented:

The error code is "The parameter is incorrect. 0x80070057"? Am I right?
0
 
barrykeelAuthor Commented:
Correct, but the KB article talks about that error in this scenario:
If you try to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA, and the configuration is such that the root CA is installed on a member server or domain controller in the parent domain and the Enterprise CA is installed in a child domain, you receive the following error message.
I am not trying to subordinate an Enterprise Certificate Authority (CA) to a standalone root CA. It may still relate to my issue. In doing some research I have found that "The parameter is incorrect. 0x80070057" is a fairly common error code for a variety of applications not just certificate services. The user at installation had the correct rights and the key is there, per kb article.
0
 
barrykeelAuthor Commented:
After some reading on the inf file I changed the RequestType to CMC. Now the error is the following:
Certificate Request Processor. The keyset is not defined. 0x80090019 (-2146893799)
0
 
barrykeelAuthor Commented:
I figured it out on my own.
0
Question has a verified solution.
