Solved

Domain CA won't issue certs

Posted on 2015-02-18
3
290 Views
Last Modified: 2015-02-18
Hello,

I was trying to make a new cert template today and it would only issue for 1 year out.  I noticed the root cert only had a date for a year out also.  So on the CA I clicked the Renew CA certificate.  This ran through without any issues.  Now when I try to request a new certificate it wont work.  It doesn't show any templates available.  If I click show all the computer certificate says "The permissions on this certificate authority do not allow the current user to enroll for certificates."  If you look at the attachment there is a little more to the error.   We didn't change anything except renewing the CA cert so I am not sure what broke.  I checked all the permissions I could find and don't see anything obvious.   Does anyone have anything to try?
Thanks in advanced.
cert-error.JPG
0
Comment
Question by:Tim Lewis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 

Author Comment

by:Tim Lewis
ID: 40617728
other info... Windows 2008 R2 DC with 2008 AD.    Trying to request Public cert for web services on another windows 2008 R2 server.
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40617862
First thought: within the CA MMC, for your CA, go to the Revoked Certificates, right click, all tasks, and Publish -- A New CRL.

If you open the properties of the CA, does it still show both the old and the new CA certificates in the general tab?

And just to double check... have you stopped and restarted the CA service?

And because changing the Root CA means a new root certificate has to be propagated thru your domain, have you tried a gpupdate /force on the web server?

I can't seem to force my test CA to renew, so I can't reproduce the problem... but still looking to see if I can find a more definitive solution.
0
 

Author Comment

by:Tim Lewis
ID: 40617931
awesome.  I published the new CRL and ran GPupdate /force on both machines and it seems to working now.  I am guessing it was the CRL since I restarted the server once already which should have forced the GPupdate anyway.  Thanks for the help.
0

Featured Post

Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question