Start by verifying the currently published CA(s) with:
certutil -config - -ping
and also by browsing in adsiedit.msc to:
CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=internal
Confirm whether the CA is enterprise or standalone with:
certutil -cainfo
The CA type must be Enterprise otherwise MMC enrollment will not work.
We can also verify the permissions on the CA itself by going to the Certification Authority snap-in:
CertSrv.msc
and right-clicking on the server node >> Security >> ensuring the relevant users have the 'request' permission - typically 'Authenticated Users' - and that Domain Admins, Enterprise Admins and Administrators have the 'enroll' permission.
We can also retrieve the list of templates the CA knows about with:
certutil -template
Example output:
EFSRecovery: EFS Recovery Agent ACCESS DENIED
CodeSigning: Code Signing
CTLSigning: Trust List Signing
EnrollmentAgent: Enrollment Agent
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request)
Verify whether the relevant template you are trying to issue has 'Access Denied' appended to it - if so it is almost certainly a permissions issue on the certificate template - go to:
certtmpl.msc
and right-click on the certificate template >> Security tab and verify the permissions.
Also within the Certificate Templates MMC snap-in, check the Subject Name tab and ensure that 'Build from this Active Directory information' is selected if you are attempting to request the certificate from MMC, as the MMC snap-in does not let you provide a common name with the request! (This caught me out!)
Last one: An obvious one - but ensure that the certificate template is actually issued:
Certification Authority >> Right-click Certificate Templates >> New >> Certificate Template to Issue.
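As an added example (not part of the original post), the PowerShell function below checks the three things walked through above for one template: the ACCESS DENIED marker in certutil -template output, the Subject Name setting via the template's msPKI-Certificate-Name-Flag attribute in AD (bit 0x1, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, means 'Supply in the request'), and whether each enterprise CA's pKIEnrollmentService object lists the template as issued. It assumes a domain-joined host and a domain user; the template name 'CodeSigning' is only a sample value.

```powershell
# Added example, not the post's own code. Checks one template against the
# three failure points described above. Assumes a domain-joined machine.
function Test-TemplateReadiness {
    param([Parameter(Mandatory)][string]$TemplateName)

    # 1. Does the CA report ACCESS DENIED for this template? (certutil -template)
    $pattern = "^\s*$([regex]::Escape($TemplateName))\s*:"
    $line = certutil -template 2>$null | Where-Object { $_ -match $pattern }
    if (-not $line) { Write-Warning "'$TemplateName' not returned by certutil -template" }
    elseif ($line -match 'ACCESS DENIED') {
        Write-Warning "'$TemplateName': ACCESS DENIED - check certtmpl.msc >> Security"
    } else { Write-Output "'$TemplateName': template readable" }

    # Same container adsiedit shows: CN=Public Key Services under the config partition
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher

    # 2. Subject Name tab: bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) set means the
    #    requester must supply the subject, which the MMC request wizard cannot do.
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pks"
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
    $tmpl = $searcher.FindOne()
    if ($null -eq $tmpl) { Write-Warning "Template object '$TemplateName' not found in AD"; return }
    $nameFlag = [int]$tmpl.Properties['mspki-certificate-name-flag'][0]
    if ($nameFlag -band 0x1) {
        Write-Warning "'$TemplateName': 'Supply in the request' is set; MMC enrollment will fail. Select 'Build from this Active Directory information'."
    } else { Write-Output "'$TemplateName': subject built from AD - OK for MMC" }

    # 3. Is the template actually issued? Each enterprise CA publishes a
    #    pKIEnrollmentService object whose certificateTemplates attribute lists them.
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pks"
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    $cas = $searcher.FindAll()
    if ($cas.Count -eq 0) { Write-Warning "No enterprise CA published in AD (standalone CA?)" }
    foreach ($ca in $cas) {
        $caName = $ca.Properties['cn'][0]
        if ($ca.Properties['certificatetemplates'] -contains $TemplateName) {
            Write-Output "CA '$caName' issues '$TemplateName'"
        } else {
            Write-Warning "CA '$caName' does not issue '$TemplateName' - add it via Certificate Templates >> New >> Certificate Template to Issue"
        }
    }
}

# Sample invocation; 'CodeSigning' is a placeholder template name.
Test-TemplateReadiness -TemplateName 'CodeSigning'
```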