Solved

Domain CA won't issue certs

Posted on 2015-02-18
Last Modified: 2015-02-18
Hello,

I was trying to make a new cert template today and it would only issue for 1 year out. I noticed the root cert only had a date for a year out also. So on the CA I clicked the Renew CA certificate. This ran through without any issues. Now when I try to request a new certificate it won't work. It doesn't show any templates available. If I click show all, the computer certificate says "The permissions on this certificate authority do not allow the current user to enroll for certificates." If you look at the attachment there is a little more to the error. We didn't change anything except renewing the CA cert so I am not sure what broke. I checked all the permissions I could find and don't see anything obvious. Does anyone have anything to try?
Thanks in advance.
cert-error.JPG
Question by:danskoit

Author Comment

by:danskoit
ID: 40617728
Other info... Windows 2008 R2 DC with 2008 AD. Trying to request Public cert for web services on another Windows 2008 R2 server.

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40617862
First thought: within the CA MMC, for your CA, go to the Revoked Certificates, right click, all tasks, and Publish -- A New CRL.

If you open the properties of the CA, does it still show both the old and the new CA certificates in the general tab?

And just to double check... have you stopped and restarted the CA service?

And because changing the Root CA means a new root certificate has to be propagated through your domain, have you tried a gpupdate /force on the web server?

I can't seem to force my test CA to renew, so I can't reproduce the problem... but still looking to see if I can find a more definitive solution.

Author Comment

by:danskoit
ID: 40617931
Awesome. I published the new CRL and ran GPupdate /force on both machines and it seems to be working now. I am guessing it was the CRL since I restarted the server once already which should have forced the GPupdate anyway. Thanks for the help.
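
The steps from the accepted answer above, written as commands for an elevated PowerShell prompt. This is an added example, not part of the original thread; the script name, the `-Role` parameter and the `$CaName` default are placeholders, and the final check assumes an enterprise CA whose certificate is distributed to domain members.

```powershell
# Added example: the answer's GUI steps as commands. Run elevated.
#   .\Refresh-CaTrust.ps1 -Role CA       on the certification authority
#   .\Refresh-CaTrust.ps1 -Role Client   on the server requesting the certificate
# Script name, -Role and the $CaName default are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('CA', 'Client')]
    [string]$Role,
    [string]$CaName = 'Example-CA'   # placeholder: text from your CA certificate's subject
)

function Invoke-Step([string]$Label, [scriptblock]$Command) {
    Write-Host "== $Label"
    $global:LASTEXITCODE = 0         # cmdlets do not set it, so clear any stale value
    & $Command
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Label exited with code $LASTEXITCODE"
    }
}

if ($Role -eq 'CA') {
    # Same as Revoked Certificates > All Tasks > Publish > New CRL in the CA MMC.
    Invoke-Step 'Publish a new CRL' { certutil -CRL }
    # Stop and restart Active Directory Certificate Services.
    Invoke-Step 'Restart the CA service' { Restart-Service -Name CertSvc }
    # Confirm the CA answers on its request interface again.
    Invoke-Step 'Ping the CA' { certutil -ping }
}
else {
    # Pull the renewed CA certificate and current policy from the domain.
    Invoke-Step 'Refresh Group Policy' { gpupdate /force }
    Invoke-Step 'Trigger autoenrollment' { certutil -pulse }

    # Show which CA certificates this machine now holds. After a renewal both
    # the old and the new certificate are expected, with different NotAfter dates.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like "*$CaName*" } |
        Sort-Object NotAfter |
        Format-Table Subject, NotBefore, NotAfter, Thumbprint -AutoSize
}
```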