Help me design certificate services

Similar Messages

• Certificate issues Active Directory Certificate Services could not process request 3699 due to an error: The revocation function was unable to check revocation because the revocation server was offline. 0x80092013

  Hi,
  We have some problems with our Root CA. I can se a lot of failed requests. with the event id 22: in the logs. The description is: Active Directory Certificate Services could not process request 3686 due to an error: The revocation function was unable to
  check revocation because the revocation server was offline. 0x80092013 (-2146885613).  The request was for CN=xxxxx.ourdomain.com.  Additional information: Error Verifying Request Signature or Signing Certificate
  A couple of months ago we decomissioned one of our old 2003 DCs and it looks like this server might have had something to do with the CA structure but I am not sure whether this was in use or not since I could find the role but I wasn't able to see any existing
  configuration.
  Let's say that this server was previously responsible for the certificates and was the server that should have revoked the old certs, what can I do know to try and correct the problem?
  Thank you for your help
  //Cris

  hello,
  let me recap first:
  you see these errors on a ROOT CA. so it seems like the ROOT CA is also operating as an ISSUING CA. Some clients try to issue a new certificate from the ROOT CA and this fails with your error mentioned.
  do you say that you had a PREVIOUS CA which you decomissioned, and you now have a brand NEW CA, that was built as a clean install? When you decommissioned the PREVIOUS CA, that was your design decision to don't bother with the current certificates that it
  issued and which are still valid, right?
  The error says, that the REQUEST signature cannot be validated. REQUESTs are signed either by itself (self-signed) or if they are renewal requests, they would be signed with the previous certificate which the client tries to renew. The self-signed REQUESTs
  do not contain CRL paths at all.
  So this implies to me as these requests that are failing are renewal requests. Renewal requests would contain CRL paths of the previous certificates that are nearing their expiration.
  As there are many such REQUEST and failures, it probably means that the clients use AUTOENROLLMENT, which tries to renew their current, but shortly expiring, certificates during (by default) their last 6 weeks of lifetime.
  As you decommissioned your PREVIOUS CA, it does not issue CRL anymore and the current certificates cannot be checked for validity.
  Thus, if the renewal tries to renew them by using the NEW CA, your NEW CA cannot validate CRL of the PREVIOUS CA and will not issue new certificates.
  But it would not issue new certificates anyway even if it was able to verify the PREVIOUS CA's CRL, as it seems your NEW CA is completely brand new, without being restored from the PREVIOUS CA's database. Right?
  So simply don't bother :-) As long as it was your design to decommission the PREVIOUS CA without bothering with its already issued certificates.
  The current certificates which autoenrollment tries to renew cannot be checked for validity. They will also slowly expire over the next 6 weeks or so. After that, autoenrollment will ask your NEW CA to issue a brand new certificate without trying to renew.
  Just a clean self-signed REQUEST.
  That will succeed.
  You can also verify this by trying to issue a certificate on an affected machine manually from Certificates MMC.
  ondrej.

• Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)

  Hi,
  I am trying to install certificate services on a windows 2008 server (R2 ENT SP1) with a PCIe nCipher HSM module installed on it. The version of nCipher SW is = 11.30.  It is a RootCA, and I am trying to use a key that is already stored in the HSM (I
  have done this before with a PCI HSM (older HW version)).  I select “Use existing private key” and “Select an existing private key on this computer” on the wizard, then i change the CSP to nCipher and click on "search" the key I am looking for
  appears and I select that one.  I repeat, I have done this before and it works with a PCI HSM module.
  The installation is finished before being prompted to insert the operator cards, and it ends with two errors:
  <Error>: Active Directory Certificate Services setup failed with the following error: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
  And:
  <Error>: Active Directory Certificate Services setup failed with the following error: The group or resource is not in the correct state to perform the requested operation.
  0x8007139f (WIN32: 5023)
  The servermanager.log says:
  1856: 2014-07-23 18:27:48.195 [CAManager]                 Sync: Validity period units: Years
  1856: 2014-07-23 18:27:48.928 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x800703E5): CCertSrvSetup::Install: Overlapped I/O operation is in progress. 0x800703e5 (WIN32: 997)
     at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
     at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
  1856: 2014-07-23 18:27:48.928 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  Overlapped I/O operation is in progress.
  0x800703e5 (WIN32: 997)'
  1856: 2014-07-23 18:27:48.928 [Provider]                  Adding error message.
  1856: 2014-07-23 18:27:48.928 [Provider]                  [STAT] For 'Certification Authority':
  And:
  1856: 2014-07-23 18:27:49.053 [CAWebProxyManager]         Sync: Initializing defaults
  1856: 2014-07-23 18:27:49.162 [Provider] Error (Id=0) System.Runtime.InteropServices.COMException (0x8007139F): CCertSrvSetup::Install: The group or resource is not in the correct state to perform the requested operation. 0x8007139f (WIN32: 5023)
     at Microsoft.CertificateServices.Setup.Interop.CCertSrvSetupClass.Install()
     at Microsoft.Windows.ServerManager.CertificateServer.CertificateServerRoleProvider.Configure(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
  1856: 2014-07-23 18:27:49.162 [Provider]                  CAErrorID: 0, CAErrorString: 'Active Directory Certificate Services setup failed with the following error:  The group or resource is not in the correct
  state to perform the requested operation. 0x8007139f (WIN32: 5023)'
  1856: 2014-07-23 18:27:49.162 [Provider]                  Adding error message.
  Has anyone experienced this before? Am I missing something here?
  Any help will be very appreciated
  Thanks in advance
  Best regards
  Alejandro Lozano Villanueva

  Hi, thanks for your support.
  I have been playing around a bit with some ncipher commands and found this:
  C:\Program Files (x86)\nCipher\nfast\bin>cspcheck.exe
  cspcheck: fatal error: File key_mscapi_container-1c44b9424a23f6cddc91e8a065241a0
  9aa719e4f (key #1): 0 modules contain the counter (NVRAM file ID 021c44b9424a23f
  6cddc91)
  cspcheck: information: 2 containers and 2 keys found.
  cspcheck: fatal error occurred.
  If I perform the same command on the original server (the server with the original kmdata folder and with the running RootCA services):
  E:\nfast\bin>cspcheck.exe
  cspcheck: information: 2 containers and 2 keys found.
  cspcheck: everything seems to be in order.
  Strange?
  Moreover, when I do a csptest.exe command (also on both servers, i find this)
  On the new server:
  C:\Program Files (x86)\nCipher\nfast\bin>csptest.exe
  nCipher CSP test software
  =========================
  Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
    Provider name: nCipher Enhanced Cryptographic Provider
    Version number: 1.48
  User key containers:
      Container 'csptest.exe' has no stored keys.
      Container 'Administrator' has no stored keys.
    Machine key containers:
      Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
      Container 'ROOTCA' has no stored keys.
      Container 'csptest.exe' has no stored keys.
  While in the old server:
  E:\nfast\bin>csptest.exe
  nCipher CSP test software
  =========================
  Found the nCipher domestic CSP named 'nCipher Enhanced Cryptographic Provider'
    Provider name: nCipher Enhanced Cryptographic Provider
    Version number: 1.40
  User key containers:
      Container 'csptest.exe' has no stored keys.
    Machine key containers:
      Container '352dd28a-17cb-4c6f-b6e4-bf39bcf75db5' has a 2048-bit signature key.
      Container 'ROOTCA' has a 2048-bit signature key.
      Container 'csptest.exe' has no stored keys.
  As you can see, the container called ROOTCA, which is the one that I use during the installation, says it has no stored keys.  While on the old server, it says it contains a key.  Why is this happening?  I dont know, I am copying the complete
  key management folder from one server to another and initialize the security world with that folder as I always do, and i dont have any errors during this procedure. 
  Do you know what could be the cause of this? or how can I fix this?  Thanks a lot, best regards.
  Alejandro Lozano Villanueva

• Active Directory Certificate Services

  Hello,
  I have an issue with CRL and delta CRL which I cannot publish
  the errors are:
  1. Active Directory Certificate services could not publish a Delta CRL for key 0 to the following location: ldap:///...
  operation aborted 0x80004004 (-2147467260)
  and another event id 74
  please help
  thanks
  Mashhour

  Hi,
  I suggest you start troubleshoot this issue from these guides below:
  Event ID 66 — AD CS Certificate Revocation List (CRL) Publishing
  http://technet.microsoft.com/en-us/library/cc726342(v=WS.10).aspx
  Event ID 74 — AD CS Certificate Revocation List (CRL) Publishing
  http://technet.microsoft.com/en-us/library/cc726336(v=WS.10).aspx
  Please make sure that CA has Write permissions on the location mentioned in the Event message, and ensure that there is no network connectivity issue between CA and Domain Controller.
  Best Regards,
  Amy

• Certificate issued by AD Certificate Services Expired and won't renew, how to issue a new certificate?

  Hi,
  One of our internal web sites certificates expired so it can't be renewed
  From the "Failed Request" folder:
  "A required certificate is not within it's validity period when verified..."
  So I need to issue a new certificate but I can't seem to find out how to issue a new certificate via a certificate request file from within out Active Directory Certificate Services Management Console. 
  Anybody know how I would do this? Or am I looking in the wrong place?
  FYI, the certificate was originally issued from this internal CA so it was done before, by a previous administrator.
  Thanks!
  John H.

  Hi,
  Please refer to the below article to request or renew a certificate:
  http://windows.microsoft.com/en-hk/windows-vista/request-or-renew-a-certificate
  Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server
  http://support.microsoft.com/kb/2328240
  Hope this helps.
  Regards,
  Yan Li
  Regards, Yan Li

• Windows Server 2003 Certificate Services

  When trying to launch Certificate Services (via Start-Programs-Administrative Tools-Certification Authority, mmc, add snap-in, etc.) I'm getting the following error:
  Cannot manage Certificate Services. The specified service does not exist as an installed service. 0x424 (WIN32: 1060)
  I am a member of the 'Administrators' group on the server. I also tried running mmc in system32 and SysWOW64.
  Any help would be appreciated!
  Thanks,
  Tim

  You are not on a computer where AD Certificate Services is installed. You must right-click Certification Authority, and then redirect input to a computer that is actually running certificate services.
  By default, the MMC binds to the local computer (hence the error message)
  Brian

• Helping in Designing Scenario

  Hello people!
         i need some helping in designing a solution,  i'm kinda new in the PI world, and i never made BPM stuff and so...
        Here is my situation, i have 2 Webservices that i have to consume in PI
       R/3 will send information to PI
        in PI i have to Consume the first Webservice with some information and that will Response a Token,
  then i have to Merge this Token with another XML message and send to another Webservice, the i get the Response Message of this webservice and send back to R/3
      whats the best way of doing this? is it using BPM?
  this is the two Webservices i will have to use:
  http://siatepqa.suseso.cl:8888/Siatep/WSToken?wsdl
  http://siatepqa.suseso.cl:8888/Siatep/WSIngreso?wsdl
  Can anyone help me?
  Thanks!
  Edit:
  i've already read alot of BPM topics and  i think this is the way... but i'm not sure
  i want to use abap_proxy conection in r/3 > PI and the webservice connections will use SOAP/WS
  Edited by: pitoshi on Jun 9, 2010 10:57 PM

  Liang Ji,
  thanks  very mutch for your answer, this is very helpfull,
  But in:
  "R/3 send message to PI via Outbound proxy (using XI Adapter) ---> PI receive Message and execute Mapping program --> during the mapping program, you can have SOAP lookup to call first web service to get token, then you can use lookup value in your mapping, ---> Use SOAP receiver adapter to call first web service, then PI get response from it, then pass to R/3. "
  You mean " ---> Use SOAP receiver adapter to call first web service, then PI get response from it, then pass to R/3. ""
  call the Second Webservice?
  in spite of my difficulties with BPM, is this solution is better than using BPM?
  Edit: * and if any of these processes do not respond? how I treat it? *
  anyone else have any other option or tips to this scenario?
  Edited by: pitoshi on Jun 10, 2010 12:34 AM

• Error message while launching certsrv.msc (certificate services)

  Hi All,
  I am getting the below error message frequently whenever launching the Windows 2008 certificate services.  I had closed and loged off from all the available user profiles and tried to launch after sometime, still no joy.  I am restarting the CA
  services currently to resolve.  Is there any patch available to fix this?  kindly help, thanks
  Illegal operation attempted on a registry key that has been marked for deletion. 0x800703fa(WIN32:1018)

  Hi,
  Based on my research, other forum community members have solved this issue by:
  IIS reset
  Stop then restart the Search Query and Site Settings Service
  Enable group policy “'Do not forcefully unload the user registry at user logoff'”
  Here are some related links below:
  Registry key that has been marked for deletion
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/bd8c0106-51a0-490e-9399-017da90c8f9f/registry-key-that-has-been-marked-for-deletion?forum=sharepointadminlegacy
  Search error: Illegal operation attempted on a registry key that has been marked for deletion
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/b464d58a-32ff-44d0-93dd-b7b240e96869/search-error-illegal-operation-attempted-on-a-registry-key-that-has-been-marked-for-deletion?forum=sharepointadminprevious
  A COM+ application may stop working on Windows Server 2008 when the identity user logs off
  http://blogs.msdn.com/b/distributedservices/archive/2009/11/06/a-com-server-application-may-stop-working-on-windows-server-2008.aspx
  Best Regards,
  Amy

• Migrating 2003 certificate services to 2012

  What is the best way to migrate from a 2003 certificate services to a 2012 version? We have run into the issue with not being able to produce a SHA256 template in 2003.  Is there a way to bring a 2012 subordinate into the infrastructure to issue the
  SHA2 template?
  What we were thinking:
  1) Bring up a 2012 root CA
  2) Bring up the subordinate 2012 CA's
  3) Begin issuing from the 2012 infrastructure.  Require the users to replace the 2003 certs on the 2012 infrastructure or let them expire.  Or is there a way to migrate the 2003 certs over to the 2012 infrastructure?  Pointing the 2003 subordinates
  to the 2012 root?
  DC's are 2008 R2
  Thanks in advance.  New to the Microsoft CA services and now thrown in to get things working.

  Travis,
  Here areActive
  Directory Certificate Services Migration Guide
  General Information for you on the
  CA service.
  This should get you moving in the right direction.
  Cheers,
  Curt Winter
  Certified Microsoft Professional
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied. If you found my post helpful, please mark it as the answer.

• Help needed with certificates for RDS Host servers

  Hi,
  We currently have 4 RD Session-Host servers in our network. All four servers are member of a TS farm. We also have a TS Gatway server.
  I managed to give the TSGW server a certificate but I need your support on this on the RDS servers.
  What happens?
  When a user connects to the farm, a warning pops up telling me that the certificate is not issued by a trusted CA. This is because all RDS servers are using self signed certificates. Because the servers are farm members a user can be presented with this
  warning several times when the session is being redirected.
  How do I get rid of these warnings as well in our LAN as on the internet? What certificate type do I need?
  Thanks in advance.
  Jasper Kimmel

  Hi Jasper,
  What is your Server OS for your environment?
  Yeah, your all certificate related all warnings can disappear by purchasing the certificate from public CA. To access the farm outside the environment you can buy wildcard certificate. And yes, your all related queries be solved from the article provide in
  my previous comment.
  The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain.
  If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.  Examples including, but not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert
  In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.
  In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name.  
  The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers
  in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If
  you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection. (Quoted from previous article).
  Apart there is one more article by Kristin, you can go through for reference.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].

• AD Certificate Services CRL & AIA configuration

  I'm prototyping a two tier PKI setup as a prerequisite to SCCM 2012 R2. In this setup I have on offline root CA (not domain joined) and two subordinate Enterprise Issuing CAs with AD Certificate Services installed. I have the Online Responder
  service installed and configured on both Issuing CAs. I'm using the Online responder to sync the two using the Array Configuration. I also plan to load balance the two OCSP responder service systems using an address like
  http://pki.contoso.com/ocsp . However, I'm a little confused about how the CDP and AIA locations should be configured on each of the three systems since I've read so much seemingly contradictory information.  
  Here's the CDP & AIA settings for the three systems:
  MyRootCA1-CDP
  C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  <CRLNameSuffix><DeltaCRLAllowed>.crl">http://MySubCA01.contoso.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  ,CN=AIA,CN=Public">ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public
  Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
  _<CaName><CertificateName>.crt">http://MySubCA02.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
  MySubCA01-CDP
  C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  <CRLNameSuffix><DeltaCRLAllowed>.crl">file://MySubCA01.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  MySubCA01-AIA
  ,CN=AIA,CN=Public">ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public
  Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
  http://pki.contoso.com/ocsp
  MySubCA02-CDP
  C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  <CRLNameSuffix><DeltaCRLAllowed>.crl">file://MySubCA02.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  MySubCA02-AIA
  ,CN=AIA,CN=Public">ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public
  Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
  http://pki.contoso.com/ocsp
   I haven't seen any issues. Since I've cobbled the configuration from different sources, I just want to get some feedback and know that the configuration is appropriate for the design.
  Thanks in advance.

  See this:PKI Certificate Requirements for Configuration Manager

• Help in designing a Query

  Hello Everyone,
     I want you help in designing a query that involve OACT,OJDT,JDT1,OBGT and BGT1
  Actually I want a report that shows accounts Budget quarterly and its expenditure quarterly as well..
  Like shown below
  Account Name
  Budget from Jan to March
  Budget from April to June
  Budget from July to Sept
  Budget from Oct to Dec
  Expenditure from Jan to Mar
  Expenditure from Apr to June
  Expenditure from July to Sept
  Expenditure from Oct to Dec
                   Parameters would be Fiscal Year and Date range and Account name
  Can anyone please help me out in that one
  Thanks in advance

  Looking at the test data I have in these tables, it would appear impossible to join them all in one query without using UDFs...
  They don't share any columns.

• How can I create digital signatures for my users using Windows 2008 Active Directory Certificate Services?

  Hi,
  I need to create local digital signatures for my users. How can I do that using W2k8 Active Directory Certificate Services? We are gonna sign Office 2010 documents.
  What company offers cheap digital signatures solutions?
  Thanks in advanced

  Consider the following:
  if you use your local CA server to issue digital signature certificates, there is no cost, because you are eligible to issue so many certificates as you need. However, documents signed by these certificates will be considered trusted only within your AD
  forest and other machines that explicitly trust your local CA. Any external client will not trust your signatures.
  If you want to make your signature trusted outside your network (say, in worldwide), you need to pruchase a certificate from trusted commercial CA (VeriSign, GoDaddy, GlobalSign, StartCom, etc) according to respective vendor price list. In that case you
  don't need to have your local CA server, because it is not used. All certificate management is performed by the external CA. A most common scenario is to purchase signing certificate for particular departament principals (head managers) or few certificates
  for a whole company (all documents are revised by a responsible person or persons who holds signing certificate and sign them after review).
  so, it is not clear from your post what exactly you need.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Windows PKI reference:
  on TechNet wiki

• Unable to remove/hide help icon in Discussion Service OOTB

  Hi,
  Is there any way to remove/hide help icon from Discussion Service OOTB toolbar ?
  I am not able to find help icon tag in ListTopics.jsff and ListMessages.jsff fragment file.
  Regards,
  Fyaz

  Hi.
  I´m not sure but I think this Taskflow is a "black box" and is not possible customize it

• Migrating Certificate Services to Server 2012 in a 2008 R2 AD Domain

  We have a Windows 2008 R2 SP1 Active Directory domain. Our Enterprise Certificate server is running on Windows 2003 R2. We'd like to introduce a Windows 2012 server into our existing domain and migrate the Certificate Services to that new box. Are there
  any 'gotchas' to implementing Certificate Cervices on a Windows Server 2012 system in a Windows 2008 R2 SP1 domain that we should be concerned with?
  Orange County District Attorney

  Hi,
  You can migrate Certificate Services to another server but server name should be same. Also changing the server name which has CA role installed is not recommended.
  AD CS Migration: Preparing to Migrate
  Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
  http://technet.microsoft.com/en-us/library/ee126102(v=ws.10).aspx
  Also I would request to post this question in security forum :
  http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads
  Also you consider, Windows Server 2012 General forum :
  http://social.technet.microsoft.com/Forums/en-US/winserver8gen/thread
  Best regards,
  Abhijit Waikar.
  MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
  Blog: http://abhijitw.wordpress.com
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.