Computer Certificate Renewal - Failing

Greetings,
System setup:  Server 2008 R2 with "Network Policy and Access Services" role configured to hand out wireless machine certificates to Windows 7 workstations.
This has been set up for a year and has been working well. We have a group policy which allows for auto-enrollment, and all our workstations which are in the correct OU receive a certificate when they connect to the network.
The machine certs are good for a year.
We are now approaching the end of the first year since we implemented this system and we are starting to see some of our workstations failing to connect to the wireless network.  When we look at the certificates on the workstation we now see 2 certificates (as opposed to the one that was there previously).  One of these is expired and one is current with an expiration date a year from now.  When we manually delete the expired certificate, we are able to connect to the wireless.
Apparently when the certificate is renewed, a new certificate is dropped down, but the old certificate is not removed.  When the machine tries to connect the old cert is found and the connection fails.
What I think should be happening is that the certs should be renewed, not replaced, but I can't see any way to enforce this.
I know that when I manually renew the certificate on the workstation I have 4 choices:
Request Certificate with new key.
Request NEW Certificate with the same key
Renew certificate with new key
Renew this certificate with the same key
What appears to be happening is that the workstations are doing a request, not a renew.
I have been through my Radius config and the GPO and can't find anything that should affect this.  I know that the GPO is being applied to the machines, and I'm about 99% sure that the GPO is correct.
Any ideas where I should be looking?
Thanks,
John Morgan

Hi,
Check your configuration, confirm that the following option is checked.
Renew expired certificates, update pending certificates, and remove revoked certificates
Configure Certificate Autoenrollment
http://technet.microsoft.com/en-us/library/cc731522.aspx
You can also manually revoke the expired certificate in CA.
Hope this helps.
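The state described in the question (an expired machine certificate left beside its current replacement from the same template) is easy to check for from the workstation itself. The following script is an added example written for this thread, not code from either poster or from Microsoft. It inventories the local machine's Personal store, groups certificates by the ADCS template they were issued from (read from the standard template extensions, OIDs 1.3.6.1.4.1.311.20.2 and 1.3.6.1.4.1.311.21.7), reports expired certificates that have a current sibling, and reads the machine autoenrollment policy value (`AEPolicy`) that the "Renew expired certificates, update pending certificates, and remove revoked certificates" checkbox writes. The mapping of that checkbox to bit 0x2 of `AEPolicy` is taken from Microsoft's documented flag values and is marked as an assumption in the code. Removal only happens with the `-Remove` switch; by default the script just reports.

```powershell
# Added example (not from the thread): report expired machine certificates
# that sit beside a current certificate from the same template, show the
# autoenrollment policy value applied by GPO, and optionally clean up.
# Run in an elevated PowerShell on the workstation.
param(
    [switch]$Remove   # default: report only
)

# Extensions ADCS uses to record the issuing template
# (V1 templates carry the name, V2+ carry the template information).
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateNameOid -or $ext.Oid.Value -eq $TemplateInfoOid) {
            # Format($false) renders e.g. "Template=Machine(1.3.6...), Major Version Number=..."
            # or just "Machine" for a V1 template; keep the template part only.
            return (($ext.Format($false) -split ',')[0] -replace '^Template=', '').Trim()
        }
    }
    return '<no template>'
}

# 1. Autoenrollment policy as applied to the machine by GPO.
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
if ($ae) {
    # Assumption (documented Microsoft flag values): 0x1 = enabled,
    # 0x2 = renew expired / update pending / remove revoked,
    # 0x4 = update certificates that use templates, 0x8000 = disabled.
    $renewBit = [bool]($ae.AEPolicy -band 0x2)
    "AEPolicy = 0x{0:X}; renew-expired/remove-revoked bit set: {1}" -f $ae.AEPolicy, $renewBit
} else {
    "No machine autoenrollment policy at $aePath (GPO not applied?)"
}

# 2. Inventory of the machine's Personal store.
$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Template   = Get-TemplateName $_
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
        }
    }
$certs | Sort-Object Template, NotAfter |
    Format-Table Template, Subject, NotBefore, NotAfter, Expired -AutoSize

# 3. Expired certificates that have a current sibling from the same template:
#    exactly the "two certificates, one expired" state that breaks the 802.1X logon.
$stale = foreach ($group in ($certs | Group-Object Template)) {
    if ($group.Group | Where-Object { -not $_.Expired }) {
        $group.Group | Where-Object { $_.Expired }
    }
}

if (-not $stale) {
    "No expired certificate sits beside a current one."
} else {
    "Expired certificates with a current replacement from the same template:"
    $stale | Format-Table Template, Subject, NotAfter, Thumbprint -AutoSize
    if ($Remove) {
        foreach ($c in $stale) {
            Remove-Item -Path "Cert:\LocalMachine\My\$($c.Thumbprint)" -Confirm:$false
            "Removed $($c.Thumbprint)"
        }
        # Ask the autoenrollment client to re-evaluate now rather than
        # waiting for its next scheduled run.
        certutil.exe -pulse | Out-Null
    }
}
```

Run it without arguments first and compare the `AEPolicy` line with what the GPO is supposed to set; if the renew bit is clear, the policy is the place to fix, and cleaning the store by hand only buys time until the next renewal.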

Similar Messages

  • Unable to enroll Computer certificates on Server 2008 R2 and older

    I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still works.
    I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built.  I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks > Request New Certificate.  I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen.  If I check the box to show all templates the certificates I want are listed with:
    "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't support this operation, or the CA is not trusted."
    I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.
    Any ideas?
    Thank you!

    Hi Amy.
    Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.
    I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.
    I don't recall making any changes that would have affected a computer's ability to enroll.  There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I went to generate internal certificates back in October.  All administrative work is done as the domain Administrator account.
    We didn't have issues with this CA when it was first built, so something did change.  We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything.  When we moved to Server 2012 on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained.  It may be better just to clean everything and get one consistent root certificate again.
    Alan

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
    2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request, but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well known issue that issuing a certificate within the renewal period will cause problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • What do I need the Computer certificate for in an Active Directory domain? Theoretical Inquiry

    So we are trying to clean up the thousands of certificates we have deployed.  We are on a 2008 R2 Active Directory and have been using certs for about a decade.  With all of our machines auto enrolling in Computer certificates and renewing every year we have maybe 50,000 certificates; yes, some are expired already, but it's a nightmare to manage.  So what do we need the Computer certificate on all the Windows machines for anyway? Some are XP, most are Windows 7.
    Is the Computer certificate required for Kerberos authentication?
    If we don't need it I'd rather stop publishing the Computer template and simplify our lives.
    Please explain (I am not new to PKI, though this question may make me seem like a novice) I get the Web Certs, EFS, etc.

    Computer certificates are not needed for Kerberos authentication.
    They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might use them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.
    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some of the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials.
    Elke

  • Certificate authentication failed

    I need help. I have Adobe Reader 9 on my computer; when trying to update I get an error message "certificate authentication failed". What do I need to do to update? Can someone help me.

    For Flash Player (according to your PM to me):
    Flash Player for ActiveX (Internet Explorer)
    Flash Player Plug-in (All other browsers)
    Flash Player (Mac OS X)

  • WINRM HTTPS listener and Certificate renewal

    hello,
    I am planning to setup winrm over HTTPS only on multiple 2008R2 systems.
    All computers are joined to same domain and are configured to request/renew computer certificate from local CA (via GPO).
    When setting up winrm listener over HTTPS, it creates ok with current certificate thumbprint.
    My question is, what happens to the WINRM listener when the computer certificate gets renewed (I assume it will have a new thumbprint)? Would I need to recreate listeners every time that happens?  Can't imagine managing this in large environments where different computers renew certs at different times.... What's your approach in this situation?
    thanks in advance for all answers!

    Hi,
    The purpose of configuring WinRM for HTTPS is to encrypt the data being sent across the wire.
    WinRM HTTPS requires a local computer "Server Authentication" certificate with a CN matching the hostname, that is not expired, revoked, or self-signed, to be installed.  So I think after the certificate gets renewed, the WINRM listener will have a new certificate too.
    Regards,
    Yan Li
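A WinRM HTTPS listener is bound to one certificate by thumbprint, so a renewed computer certificate is a new object with a new thumbprint and the listener does not follow it on its own. The script below is an added example for this thread, not code from either poster or from Microsoft: it picks the newest currently valid certificate in the machine store that has the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and names this host, then creates the HTTPS listener if none exists or rebinds an existing one when its thumbprint differs. It relies only on the built-in `WSMan` cmdlets (`Get-WSManInstance`, `Set-WSManInstance`, `New-WSManInstance`) and the `Cert:` provider; the choice to select on FQDN in the subject or SAN is the script's own.

```powershell
# Added example (not from the thread): keep the WinRM HTTPS listener bound to
# the newest valid Server Authentication certificate for this host, so a
# renewed computer certificate (new thumbprint) is picked up. Run elevated.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

# Candidates: private key present, valid now, Server Authentication EKU,
# and this host's FQDN in the subject CN or in the SAN DNS names.
$best = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
        ($_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)" -or
         ($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $best) {
    throw "No valid Server Authentication certificate for $fqdn in Cert:\LocalMachine\My"
}

# The HTTPS listener is addressed by its selector set (all addresses, HTTPS).
$selector = @{ Address = '*'; Transport = 'HTTPS' }
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector -ErrorAction SilentlyContinue

# Normalise thumbprints before comparing (WinRM may show them with spaces).
$wanted  = $best.Thumbprint.ToUpper()
$current = if ($listener) { ($listener.CertificateThumbprint -replace ' ', '').ToUpper() } else { $null }

if (-not $listener) {
    New-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector `
        -ValueSet @{ Hostname = $fqdn; CertificateThumbprint = $wanted } | Out-Null
    "Created HTTPS listener bound to $wanted (expires $($best.NotAfter))"
} elseif ($current -ne $wanted) {
    Set-WSManInstance -ResourceURI winrm/config/listener -SelectorSet $selector `
        -ValueSet @{ CertificateThumbprint = $wanted } | Out-Null
    "Rebound HTTPS listener from $current to $wanted (expires $($best.NotAfter))"
} else {
    "HTTPS listener already uses the newest certificate ($wanted, expires $($best.NotAfter))"
}
```

Because the script is idempotent (it changes nothing when the listener already points at the newest certificate), it can run from a scheduled task on each host, for example daily or shortly after the autoenrollment task, which answers the "different computers renew at different times" concern without touching listeners by hand.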

  • I have Adobe Pro 7; my old computer's hard drive failed; tried to install on my Windows 8.1, will not start up, error message

    I have Adobe Pro 7.1. My old computer's hard drive failed, and I tried to install it on my Windows 8.1 machine, but it will not start up and I get an error message. Any solutions?  It worked perfectly fine on my old computer, which was Windows 7.0.

    Hey,
    I am sorry but Acrobat 7 is not at all compatible with Windows 8. For this, you will need to upgrade your Adobe Acrobat version.
    For better understanding, please refer to this KB article:
    Compatible web browsers and PDFMaker applications
    Regards,
    Anubha

  • Primary computer C-Drive failing, want to move iTunes software and backups to alternate drive; how do I do this so it runs off of the alternate drive?

    Primary Win-7 computer C-Drive failing, want to move iTunes software and backups to alternate drive; how do I do this so it runs off of the alternate drive?

    Hi there Sandduster2,
    You may find the information in the article below helpful.
    iTunes for Windows: Moving your iTunes Media folder
    http://support.apple.com/kb/ht1364
    -Griff W. 

  • J2EE Certificate Renewal in PI 7.0

    Hi
    We are executing a project to renew the certificates installed in our XI server. The certificate which is currently installed in our XI server is signed by Verisign. All partners communicating with the XI server use the certificate to digitally sign the message. In the XI server we have configured communication channels to receive and process the signed message and also to deliver digitally signed messages to partners. The validity of the current certificate installed in our system is going to end by the end of Feb. We are looking at renewing the certificate before the expiry date so that there will not be any interruption in partner communication. In this regard, please provide your inputs to the following items:
    1. Should the existing CSR be sent to the CA for validity extension, or should a new CSR be generated?
    2. During certificate renewal, can the existing private/public key be retained for the renewed certificate?
    3. Can we have the old certificate installed in the XI server along with the newly renewed certificate, so that the partners can be gradually migrated?
    4. Is an XI server restart required after certificate installation/upgrade?
    We have referred to SAP Note 694290 for Verisign certificate renewal.
    Thanks
    Srinivas

    No cross posting
    Read the "Rules of Engagement"
    Regards
    Juan

  • Import cert in Cisco 7921 with error "certificate verification failed"

    Hi everyone
    I am trying to install a digital cert on a 7921 and I get the message on import of "certificate verification failed".
    I have tried a number of times: create the CSR file, then log in to the certificate web site and get the file signed, then import it back to the phone. I used the DER format.
    Many thx indeed,
    Roy

    Hi,
    Referencing: https://supportforums.cisco.com/thread/2095711
    Have you followed the steps outlined in page 72 of this guide?  This should be applicable to 792x.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf
    Do you have any trace logs from the phone you can post after your attempt to import the cert?

  • 802.1x ISE with computer certificates

    Hello,
    I'm trying to configure an 802.1x policy on Cisco ISE (v1.2.x) which will authenticate devices using computer certificates.
    I have configured the AP and the policy on the ISE server, and when I'm trying to connect I'm getting an error message that says:
    "11514 Unexpectedly receive empty TLS message; treating as a rejection by the client"
    Has anyone encountered this message with this kind of setup?
    Thx,
    Tal

    You didn't reveal even the basic things like the OS you have on the client machine. I take it you have a version of Windows. Unfortunately, I'm no Windows expert.
    Your client needs to recognize the Cisco ISE certificate as trusted. The Root CA needs to be placed in the appropriate certificate store - the machine store if you are configuring machine-level authentication, or the user store if you are configuring user-level authentication. Or elsewhere, according to the requirements of your authentication client. Consult the documentation related to your OS and its client setup. If there is an intermediate certificate then it needs to be delivered from the server side to the client during the TLS handshake.
    I hope a more skilled Windows user will give you better advice. I'm familiar with the principles, but I don't know where to click in Windows.

  • Access Connections 5.50 and EAP TLS with Computer certificate

    Hello,
    I'm trying to connect to a Wifi using a Computer certificate to authenticate, and it works perfectly fine with Windows Wireless Zero Config; however with ThinkVantage Access Connections I always get an authentication error.
    I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
    OS is windows XP with SP3 and all the windows update (as of today).
    On my Radius server this is what I get:
    If I use WZC I get this in the authentication:
    Security ID: DOMAIN\R61WXP$ (this is my computer name)
    Account name: host/R61WXP.domain.local
    Account Domain: DOMAIN
    FQDN: DOMAIN\R61WXP$
    When I use Access Connections:
    Security ID: DOMAIN\Guest
     Account name: 
    Account Domain: DOMAIN
    FQDN: DOMAIN\Guest
    My Access connection profile is set this way:
    IEEE802.1x => Authenticate as Computer when the information is available.
    I hope someone can help !
    Thanks!

    Hi,
    try to disable the IEEE802.1x => Authenticate as Computer when the information is available.
    Make also sure that the profile connection is correctly configured in the AC profile settings.
    This might be the root cause.
    I can tell you that there must be something misconfigured, as this configuration will surely work.
    Cheers

  • Require Computer Certificate And user credentials

    Hi All,
    I'm trying to test 802.1x authentication in a lab environment with some standalone 1131AGs and a Server 2008 R2 NPS server. I've been able to set up a few different scenarios but none have met all my requirements:
    Scenario 1:
    Laptops in the domain automatically get certs from a GPO
    Laptops in the domain automatically get an SSID configured from a GPO
    Laptops in the domain automatically authenticate using their computer certificate.
    Problem:
    I can't add non-domain computers to this network. I've tried installing computer certs using Windows 2008 R2's certsrv CA web portal but these types of certs don't seem to work.
    Scenario 2:
    Same as below except I provide non-domain computers with a user certificate which they can request through Windows 2008 R2's certsrv CA web portal.
    They can connect BUT they can export the private key and put it on other devices or give it to their friends, etc.
    I'd like to figure out a way to ensure certificates can't be exported or at least require a user cert and a username and password to get onto the wireless network. Is this not possible with EAP-TLS or PEAP-TLS?
    Thanks!

    Yon,
    Moving this to AAA forum.
    Thanks,
    Vinay Sharma
    Community Manager - Wireless
    Cisco Support Community

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • I would like to activate CS4 after I formatted my computer, but it fails

    I would like to activate CS4 after I formatted my computer, but it fails since I've already done that several times. How can I activate it? It's software I purchased several years ago and I still have the serial number.

    What is the error message that you see?  If it indicates your activations are all used then you need to contact Adobe Support through chat and ask them to reset the activations.
    Chat support - For the link below click the Still Need Help? option in the blue area at the bottom and choose the chat option...
    Make sure you are logged in to the Adobe site, have cookies enabled, clear your cookie cache.  If it fails to connect try using a different browser.
    Serial number and activation chat support (non-CC)
    http://helpx.adobe.com/x-productkb/global/service1.html ( http://adobe.ly/1aYjbSC )
