Domain CA won't issue certs

Posted on 2015-02-18
Last Modified: 2015-02-18
Hello,

I was trying to make a new cert template today and it would only issue for 1 year out. I noticed the root cert only had a date for a year out also. So on the CA I clicked the Renew CA certificate. This ran through without any issues. Now when I try to request a new certificate it won't work. It doesn't show any templates available. If I click show all the computer certificate says "The permissions on this certificate authority do not allow the current user to enroll for certificates." If you look at the attachment there is a little more to the error. We didn't change anything except renewing the CA cert so I am not sure what broke. I checked all the permissions I could find and don't see anything obvious. Does anyone have anything to try?
Thanks in advance.
cert-error.JPG
Question by:Tim Lewis

Author Comment

by:Tim Lewis
ID: 40617728
Other info... Windows 2008 R2 DC with 2008 AD. Trying to request Public cert for web services on another Windows 2008 R2 server.

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 40617862
First thought: within the CA MMC, for your CA, go to the Revoked Certificates, right click, all tasks, and Publish -- A New CRL.

If you open the properties of the CA, does it still show both the old and the new CA certificates in the general tab?

And just to double check... have you stopped and restarted the CA service?

And because changing the Root CA means a new root certificate has to be propagated thru your domain, have you tried a gpupdate /force on the web server?

I can't seem to force my test CA to renew, so I can't reproduce the problem... but still looking to see if I can find a more definitive solution.
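
Command-line equivalents of the checks in the answer above, as an added example that is not part of the original thread. The `Invoke-Checked` helper and the `$CaConfig` value are assumptions for illustration; replace the placeholder with your CA's host name and CA name.

```powershell
# Added example: the answer's GUI steps expressed with certutil / gpupdate.
# Define Invoke-Checked in an elevated PowerShell session on each machine.

function Invoke-Checked {
    param([string]$Description, [scriptblock]$Command)
    Write-Host "== $Description"
    & $Command
    # certutil and gpupdate are native tools: a non-zero exit code means failure.
    if ($LASTEXITCODE -ne 0) {
        throw "$Description failed with exit code $LASTEXITCODE"
    }
}

# ---------- On the CA server ----------

# 1. Number of CA certificates the CA holds. The answer asks whether the
#    General tab still shows both the old and the new certificate.
Invoke-Checked 'Count CA certificates' { certutil -CAInfo certcount }

# 2. Stop and restart the CA service (service name: CertSvc).
Restart-Service -Name CertSvc

# 3. Publish a new CRL, the equivalent of
#    Revoked Certificates > All Tasks > Publish > New CRL.
Invoke-Checked 'Publish new CRL' { certutil -CRL }

# 4. List the templates the CA is configured to issue.
Invoke-Checked 'List CA templates' { certutil -CATemplates }

# ---------- On the requesting server (the web server) ----------

# Placeholder, not a value from the thread: "<CA host>\<CA name>".
$CaConfig = 'CA-HOSTNAME\CA-COMMON-NAME'

# 5. Refresh Group Policy so the renewed CA certificate is picked up.
Invoke-Checked 'Refresh Group Policy' { gpupdate /force }

# 6. Confirm the CA's request interface answers from this machine.
Invoke-Checked 'Ping CA request interface' { certutil -config $CaConfig -ping }
```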

Author Comment

by:Tim Lewis
ID: 40617931
Awesome. I published the new CRL and ran GPupdate /force on both machines and it seems to be working now. I am guessing it was the CRL since I restarted the server once already which should have forced the GPupdate anyway. Thanks for the help.