pramod1
ACTIVE DIRECTORY, CERTIFICATE, GPO
I am importing a certificate for RDP on a domain controller,
but I feel it is a GPO which is not allowing it to be imported, as per the error below.
Error:
"An error occurred while enrolling the certificate. Certificate requested cannot be submitted to certificate authority.
RPC server is unavailable 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)"
How can I identify the GPO?
Hello,
What are you doing exactly?
It seems that you are trying to install a certificate which is in reality a "request"!
Is the CA/Authority service on the domain controller?
If you don't have an authority, and if the RDP certificate has been created as "self-signed", you must add it as an authority on all machines that need to use or accept it.
ASKER
I am trying to import the RDP cert from the MMC of the DC, where it fails, but when I do it from a member server it works.
Why, or what do you want to obtain by adding the RDP cert on the DC?
Are you just using the MMC console "Certificates" to add the certificate in the "Trusted authorities"?
=> It is nearly the only useful action that I can imagine.
The only other action would be to distribute this certificate by GPO to update machines with a new authority to accept.
ASKER
I am addressing a vulnerability: I need a CA cert and not a self-signed cert.
ASKER
I am trying to import this certificate from under Personal > Certificates, and then Import, and getting the RPC error
and copying it to
ASKER
Certificate Enrollment Error – 0x800706ba The RPC server is unavailable
ASKER
url: DOMAIN.NET\ pre-prod issuing CA1
ASKER
I WAS READING AN ARTICLE:
- On the domain controller on which the certification service is deployed, you need to make sure there is a domain security group CERTSVC_DCOM_ACCESS or Certificate Service DCOM Access;
ASKER
I CHECKED THIS Certificate Service DCOM Access IN ADUC but it is blank
What I see is only the request (construction) of the certificate.
Now, you have to submit this request (.REQ file) on the server where the Certificate Authority is installed.
You need to have a template (authorized) corresponding to the request.
Then, you can issue (approve) the delivery of the certificate on the CA server.
You can use this kind of command to obtain the public part of the certificate:
certreq -attrib "CertificateTemplate:YourTemplate" -submit YourRequestFile.req
You need a template that authorizes 1825 days...
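The request-submit-accept flow this answer describes, as an added PowerShell example (not code from the original thread or from any of its participants). The template name RDPServerAuth and the CA config string CAHOST.domain.net\Issuing-CA1 are assumptions; replace them with the values from your own environment (the "Config:" string of your issuing CA). Run it in an elevated prompt on the machine that will hold the private key.

```powershell
# Added example; names below are assumptions, not values from the thread.
$Template = 'RDPServerAuth'                    # hypothetical enrollment template name
$CaConfig = 'CAHOST.domain.net\Issuing-CA1'    # hypothetical "host\CA name" config string
$ip       = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$Fqdn     = "$($ip.HostName).$($ip.DomainName)"
$Work     = Join-Path $env:TEMP 'rdpcert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Describe the request. MachineKeySet=TRUE stores the private key in the
#    computer store, which is where RDP looks for it. The two EKUs are
#    Server Authentication and Remote Desktop Authentication.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
Exportable = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.4.1.311.54.1.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\rdp.inf" -Encoding ASCII

# 2. Generate the key pair and the CSR (the ".REQ" the answer refers to).
certreq.exe -new "$Work\rdp.inf" "$Work\rdp.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 3. Submit to the issuing CA. -config names the CA explicitly rather than
#    letting certreq discover one; this RPC/DCOM call is the step that fails
#    with 0x800706ba when the CA cannot be reached.
certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" "$Work\rdp.req" "$Work\rdp.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 4. Install the issued certificate against the pending private key in the
#    computer store (-machine selects the machine context).
certreq.exe -accept -machine "$Work\rdp.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# 5. Verify the result has a private key and the expected EKUs before binding it to RDP.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Select-Object Thumbprint, NotAfter,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } }
```

The validity period (the 1825 days mentioned above) is not set in the request; it comes from the template on the CA, so a request submitted against a template that allows less will be issued with the shorter lifetime.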
ASKER
but when i do the same from member windows server, it works fine
Run certutil on the two systems in question. What do you get as a response? Do they both return the same info?
Does it have the private key?
You need to use certutil to identify the CA reference to which it tries to submit.
You could save the CSR and submit it to the issuing CA...
Something is amiss.
The GPO is not at issue; the CA record to which the request should be sent is the issue.
Do you have something that you know has a currently valid cert? Using that, looking at the certificate path could help identify the issuing CA.
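The comparison this answer suggests (which CA each machine tries to submit to, whether that CA is reachable over RPC, whether the cert has a private key, and what the chain of a known-good cert says about the issuing CA), as an added PowerShell example that is not part of the original thread. The CA config string is a placeholder; the group names are the ones quoted earlier in the thread. Run it on the DC that fails and on the member server that works, then compare the two outputs.

```powershell
# Added example; $CaConfig is a hypothetical placeholder, not a value from the thread.
$CaConfig = 'CAHOST.domain.net\Issuing-CA1'

# 1. Which CAs does this machine know about? certutil -dump with no file
#    argument lists the enrollment services published in AD; the "Config:"
#    line is the host\name string that certreq -submit targets.
certutil.exe -dump

# 2. Can the CA's RPC/DCOM interface be reached from here? A failure at this
#    step reproduces the 0x800706ba (RPC_S_SERVER_UNAVAILABLE) result.
certutil.exe -ping -config $CaConfig
$rpcOk = ($LASTEXITCODE -eq 0)

# 3. Name resolution and the RPC endpoint mapper (TCP 135) on the CA host.
$caHost = $CaConfig.Split('\')[0]
$dns    = Resolve-DnsName -Name $caHost -ErrorAction SilentlyContinue
$epm    = Test-NetConnection -ComputerName $caHost -Port 135 -WarningAction SilentlyContinue

# 4. Membership of the DCOM access group the asker looked at. For a CA on a
#    DC the principals that enrol (e.g. Domain Computers / Domain Users)
#    need to be in it; an empty group is consistent with the RPC error.
$dcomMembers = foreach ($g in 'Certificate Service DCOM Access', 'CERTSVC_DCOM_ACCESS') {
    Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

# 5. Does any certificate with the Remote Desktop Authentication EKU in the
#    computer store actually carry a private key on this machine?
$rdpCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.54.1.2' } |
    Select-Object Subject, Issuer, HasPrivateKey, NotAfter

# 6. Walk the chain of a currently valid cert to read off the issuing CA,
#    as the answer suggests; the chain elements above the leaf are the CAs.
$valid = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
$chainPath = @()
if ($valid) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($valid)
    $chainPath = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
}

[pscustomobject]@{
    CaReachableOverRpc = $rpcOk
    CaHostResolves     = [bool]$dns
    EndpointMapper135  = $epm.TcpTestSucceeded
    DcomGroupMembers   = ($dcomMembers -join ', ')
    RdpCertificates    = $rdpCerts
    KnownGoodChain     = ($chainPath -join ' <- ')
} | Format-List
```

If CaReachableOverRpc is false on the DC but true on the member server while both resolve the same Config string, the difference is in the RPC/DCOM path (firewall, endpoint mapper, or the DCOM access group), not in a GPO blocking the import.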