Mike Broderick

Problem renewing a certificate

I need to renew my Exchange server's IIS certificate. I generate the request on the Exchange server. I bring up the web page xxx.xxx.xxx.xxx/CertSrv and click Request a Certificate. I get the message:

No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

Per internet searches, I found the following suggestion:

You will need to view the Active Directory dNSHostName attribute on the following object: pkiEnrollmentService. To find this object, check the following locations:
CN=CertificateServer,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=com
To be able to see the dNSHostName attribute, you will have to use ADSIEdit.msc or LDP.exe.

When I try ADSI or LDP, I do not see any of the above. My ADSI shows:

Name      Class      Distinguished Name
CN=Builtin      builtinDomain      CN=Builtin,DC=MyDomain,DC=local
CN=Computers      container      CN=Computers,DC=MyDomain,DC=local
OU=Domain Controllers      organizationalUnit      OU=Domain Controllers,DC=MyDomain,DC=local
CN=ForeignSecurityPrincipals      container      CN=ForeignSecurityPrincipals,DC=MyDomain,DC=local
CN=LostAndFound      lostAndFound      CN=LostAndFound,DC=MyDomain,DC=local
CN=Managed Service Accounts      container      CN=Managed Service Accounts,DC=MyDomain,DC=local
OU=Microsoft Exchange Security Groups      organizationalUnit      OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=local
CN=Microsoft Exchange System Objects      msExchSystemObjectsContainer      CN=Microsoft Exchange System Objects,DC=MyDomain,DC=local
OU=MyBusiness      organizationalUnit      OU=MyBusiness,DC=MyDomain,DC=local
CN=NTDS Quotas      msDS-QuotaContainer      CN=NTDS Quotas,DC=MyDomain,DC=local
CN=Program Data      container      CN=Program Data,DC=MyDomain,DC=local
CN=System      container      CN=System,DC=MyDomain,DC=local
CN=TPM Devices      msTPM-InformationObjectsContainer      CN=TPM Devices,DC=MyDomain,DC=local
CN=Users      container      CN=Users,DC=MyDomain,DC=local
CN=Infrastructure      infrastructureUpdate      CN=Infrastructure,DC=MyDomain,DC=local

Am I missing something?

ASKER CERTIFIED SOLUTION
Ian Pattison

Mike Broderick

ASKER

Interesting, when I enter the command:
  certreq -submit \\svrxx\svrxxd\td\exchiis.req exchiis.cer
I get a panel asking me which CA to use, MyDomain-SVRXX-CA or MyDomain-SVRXX-CA-1, both on computer SVRXX.MyDomain.local. I don't know why it thinks I have 3 CA's. Is there a way I can clean up, delete one of them? I choose the newer one, -CA-1. I then get the error:

Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE)
Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

Is the request command correct? I simply asked for a renewal when I made the request file. Is there something else I need to do?

Thanks.
Mike Broderick

ASKER

I added -attrib "CertificateTemplate:WebServer" and it worked. I then retrieved the cert, pointed IIS to it, then after it worked deleted the old one.

Thank you for your help. I am going to open a new question regarding the 2 CA instances. If you are able, look for it.

Thanks again.
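
The sequence that resolved this thread, written out as a PowerShell script. This is an added example, not part of the original posts: the file paths, CA name and template name are the ones quoted above, while the "host\CA name" config string and the OID check against the certutil dump are assumptions.

```powershell
# Added example. Paths, CA name and template name are those quoted in the thread.
# The "host\CA name" config string is assembled from the CA picker text (assumption).
$Request  = '\\svrxx\svrxxd\td\exchiis.req'
$CertOut  = 'exchiis.cer'
$CAConfig = 'SVRXX.MyDomain.local\MyDomain-SVRXX-CA-1'
$Template = 'WebServer'

# 1. Check whether the request already names a template. The CA in the thread
#    denied a request without one (0x80094801, CERTSRV_E_NO_CERT_TYPE).
#    Assumption: the dump lists extensions by OID; these are the two template
#    extensions, 1.3.6.1.4.1.311.20.2 (name) and 1.3.6.1.4.1.311.21.7 (information).
$dump = certutil -dump $Request | Out-String
$hasTemplate = $dump -match '1\.3\.6\.1\.4\.1\.311\.(20\.2|21\.7)'

# 2. List the templates this CA is configured to issue, so the template
#    name can be confirmed before submitting.
certutil -config $CAConfig -CATemplates

# 3. Submit. -config names the CA explicitly, so the CA selection panel
#    does not appear; -attrib supplies the template only when it is missing.
$submitArgs = @('-submit', '-config', $CAConfig)
if (-not $hasTemplate) {
    $submitArgs += @('-attrib', "CertificateTemplate:$Template")
}
$submitArgs += @($Request, $CertOut)
certreq @submitArgs
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit failed with exit code $LASTEXITCODE"
}

# 4. Install the issued certificate on the server that generated the request,
#    where the matching private key is held.
certreq -accept $CertOut
```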