Requesting certificate problem ( SRV 2008 R2 )

Dears,
I have a problem with requesting a certificate on Server 2008 R2. I created some template and enabled supply in the request, but I couldn't enter the credentials and customize the cert information like we had on 2003. And when I put the root hash on the saved request, the "Error Parsing Request  ASN1 bad tag value met. 0x8009310b (ASN: 267)" happens.

Amir, I think you are trying to request an SSL certificate but you need to be able to export the private key after you receive the certificate, correct? If that is the case, the template needs to allow for the private key to be exportable. But I am confused, because you say you create the request in IIS (management tool?) but then you say you are using the Basic EFS template - those don't seem to make sense to me. Did you mean to use the Web Server template? If so, that template does not allow the private key to be exportable. So you could duplicate the template (right click, duplicate) and make it a V2 template (Windows 2003 type - do not use V3/2008 as it won't be available on the web enrollment page).
It would be a lot easier if you could tell us what kind of certificate you need and where you need it (what operating system, etc.)
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

Similar Messages

  • Unable to enroll Computer certificates on Server 2008 R2 and older

    I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer
    certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still
    works.
    I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built.  I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks
    > Request New Certificate.  I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen.  If I check the box to show all templates the certificates
    I want are listed with:
    "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't' support this
    operation, or the CA is not trusted."
    I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that
    the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.
    Any ideas?
    Thank you!

    Hi Amy.
    Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.
    I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.
    I don't recall making any changes that would have affected a computer's ability to enroll.  There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I
    went to generate internal certificates back in October.  All administrative work is done as the domain Administrator account.
    We didn't have issues with this CA when it was first built, so something did change.  We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything.  When we moved to Server 2012
    on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained.  It may be better just to clean everything and get one consistent root certificate again.
    Alan

  • There is a problem with this connection's security certificate The remote computer cannot be authenticated due to problems with its security certificate. Security certificate problems might indicate an attempt to fool you or intercept any data you send

    Hi,
    I have this Windows 2008 R2 on which I installed remoteapp some years ago.
    Now the certificate expired and I get the message
    "There is a problem with this connection's security certificate
    The remote computer cannot be authenticated due to problems with its security certificate.
    Security certificate problems might indicate an attempt to fool you or intercept any data you send to the remote computer."
    How should I renew the certificate? I already went to certification store and tried to renew certificate with same key but then it says "the request contains nor certificate template information".
    Please advise.
    J.
    J.
    Jan Hoedt

    Does the computer account have Enroll permission to the certificate template?
    From the Server running your CA, run mmc, click File then Add/Remove Snap-in...
    Add Certificate Templates and click OK.
    Find the certificate template, then right click and select Properties.  On my CA it's called RemoteDesktopComputers but might be called something different depending on what template your certificate is based on.
    On the Security tab, click Object Types, check Computers then OK. Enter the computer name and click OK.  Then give your computer account Enroll permission.
    HTH,
    JB

  • Non-domain computer request certificate

    We have an Enterprise CA with the Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service on the same domain computer.
    When I configure the enrollment policy on non-domain computers by adding the existing Certificate Enrollment Policy Server
    (mmc -> Certificates (local computer) -> Personal -> Manage Enrollment Policy), all looks fine. But when I request a
    new certificate (New Certificate -> Select Certificate Enrollment Policy), a window appears with an empty list and the message:
    "Certificate types are not available. You cannot request a certificate at this time because no certificate types are available."
    From domain computers all works fine; I can choose templates from the list and can run the command:
       certutil -config "DomainComp\CAname" -ping
    From non-domain computers I can't do certutil -ping:
    ...Connecting to DomainComp\CAname ...
    Server could not be reached: The RPC server is unavailable. 0x800706ba

    I selected username/password authentication when I installed the CES/CEP roles. If I want to use authentication with
    certificates, I must make a request and enroll it on the CA. This is a problem for a non-domain computer. By the way, using the method at
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/098f858a-3e89-48d2-828e-274487033f6b/how-to-request-certificate-from-a-nondomain-computer?forum=winserversecurity
    I can manually make a request file, issue it on the Enterprise CA and export the certificate file, then import the certificate.
    This method
    http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx does not work because an empty list of enrollment templates appears.

  • How to request certificate from a non-domain computer

    We are using a Windows Server 2008 R2 Enterprise CA to issue webserver certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers like Windows Server 2008 R2 or Linux servers which aren't members of the domain.
    How can we request certificates automatically with a script, remotely from these Windows servers, for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?
    Is it possible to use certreq in this scenario?
    Thanks for your help.

    Now I have found a solution. I want to briefly describe the way:
    Prerequisites:
    1. ADCS Enterprise Certification Authority is installed
    2. ADCS Certificate Enrollment Web Service is installed on a server
    3. ADCS Certificate Enrollment Policy Web Service is installed on another server
    Steps to do:
    1. Prepare a request-file for a certificate
    2. On a computer which is not a member of the Domain/Forest of the CA-Service: submit the request to the CA and receive the issued certificate. The following command has to be written in one line without line breaks.
      certreq -submit
        -Username {domain}\{username}
        -p {password}
        -PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
        -config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
        -attrib "CertificateTemplate:{TemplateName}"
        {Enter Path and Name of the Request-File}
        {Choose Path and Filename for certificate}
       Sample:
       certreq -submit
            -Username contoso\Serviceaccount
            -p P@ssw0rd
            -PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
            -config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
            -attrib "CertificateTemplate:MyOwnSSLTemplate"
            request.req
            sslcert.cer
    3. Now you can find a file with your requested certificate locally in the path you have chosen for the certificate file.
    I hope this will be helpful for other people enrolling certificates on non-domain member computers.
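
    The procedure above as one PowerShell script, added here as an example and not part of the original post. It fills in step 1, which the post leaves open, with a `certreq -new` request built from an INF file, and finishes with `certreq -accept`, which the post does not mention. The subject name and file names are constructed; the URLs and template name are the contoso samples from the post.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the
# non-domain computer. All names below are placeholders: replace them.
$subject  = 'CN=web01.example.test'      # constructed sample subject
$template = 'MyOwnSSLTemplate'           # template name from the post's sample
$cepUrl   = 'https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
$cesUrl   = 'https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES'

# Step 1: build the request file. The key pair is created locally in the
# machine store and is marked non-exportable, so it never leaves this host.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
"@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

& certreq.exe -new .\request.inf .\request.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Check that the file parses as a PKCS#10 request before sending it.
& certutil.exe -dump .\request.req | Out-Null
if ($LASTEXITCODE -ne 0) { throw "request.req is not a valid request" }

# Step 2: submit through CEP/CES with username/password authentication.
# Prompting avoids storing the password in the script, but certreq still
# receives it as a command-line argument, so use a dedicated account whose
# only right is Enroll on this one template.
$cred = Get-Credential
$net  = $cred.GetNetworkCredential()

& certreq.exe -submit `
    -Username $cred.UserName `
    -p $net.Password `
    -PolicyServer $cepUrl `
    -config $cesUrl `
    -attrib "CertificateTemplate:$template" `
    .\request.req .\sslcert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# Step 3 (beyond the post): bind the issued certificate to the private key
# that certreq -new created, so it appears in the local machine store.
& certreq.exe -accept .\sslcert.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
```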

  • Request Certificate error

    Hi,
    I have generated a certificate request through sapgenpse. After that, when importing that certificate from the Service Marketplace, I am getting an error like
    The submitted Distiguished Name (DN) does not match the DN contained in the request for the SAProuter certificate.
    Click on Go back.
    Please give the solution.
    Thanks,
    venkat

    Hello,
    >Please give the solution.
    Please, show that you have investigated on this problem.
    Help yourself first and then, people will maybe find some time to help you....
    Regards,
    Olivier

  • SSL + Certificate problems solved

    To all of you who are having problems with Weblogic and Verisign Certificates.....
    Here is what I got from BEA:
    To solve this problem, review the corresponding configuration for our demo certificates and then proceed to similar Verisign setups.
    Once WLS 6.0 is started, proceed to a browser and open the console. Move to the servers tree, expand it, choose your server and move to its SSL tab.
    WLS demo 512 bit certificate
    1. Server Key File Name -> demokey.pem
    2. Server Certificate File Name -> democert.pem
    3. Server Certificate Chain File Name -> ca.pem
    WLS 1024 bit Demo Certificate
    1. Server Key File Name -> demokey1024.pem
    2. Server Certificate File Name -> democert1024.pem
    3. Server Certificate Chain File Name -> ca1024.pem
    Trial Verisign Certificates - 2 week expiration
    When you initially make the request, the following two files are generated:
    a. mycomputer_bea_com-key.der
    b. mycomputer_bea_com-1024cert.pem
    Once Verisign acknowledges the request, you are given instructions to install the certificate as well as use test CA's for each browser, IE and Netscape. You will need to save the test CA and use this in the SSL configuration.
    1. Server Key File Name -> mycomputer_bea_com-key.der
    2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
    3. Server Certificate Chain File Name -> testca.der (obtained from the installation to each client browser)
    Purchased 1 year 1024 bit certificate from Verisign.
    As in the case of the trial certificate, much is the same except that no CA is forwarded.
    1. Server Key File Name -> mycomputer_bea_com-key.der
    2. Server Certificate File Name -> mycomputer_bea_com-1024cert.pem
    Now what to specify as the CA?
    Using any of the other CA's will generate the modulus exception. The only recourse in this event is to do the following:
    1. go to http://www.verisign.com/repository/root.html
    You'll find Class I to Class III root certificates and a Server CA.
    Take the plain text Server CA and save this to a file.
    2. Use a conversion utility, which can be found within OpenSSL, to convert the plain text to a .der format.
    3. Once the conversion is complete, this CA.der can be used as the Server Certificate Chain File Name.

    as in mail to CC_AA with scenarios, and Private Messages, happens WIN Vista and 7. IE 9 and 10. 3 diff machines, Dell laptop home, 2 Dell Desktops work. I always clear / delete top 4 items via Internet options approx. twice a week, first thing I did along with clearing SSL state. From CC homepage, click SIGN-IN in left side black box. Enter ID and Password, SIGN IN -> . Returns to CC homepage. Click on EMAIL box below the black box, get:There is a problem with this website's security certificate.     The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website.  Click here to close this webpage. Continue to this website (not recommended). More informationIf you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com. For more information, see "Certificate Errors" in Internet Explorer Help. Address bar shows "https://login.comcast.net/login........" Interesting, for secure site no security icon appears on the address bar. On Home page, if instead I click arrow in Email box, I see a preview of my mail. Then I have to click "View Inbox" lower left corner of popup, and Inbox comes up..... 

  • Error message trying to install Adobe Download Assistant (Sorry an Error has occured... certificate problem)

    I am trying to download the free trial of Acrobat XI. I am using an iMac running Mac OSX 10.6.8. When I click on the Installer I have downloaded for Adobe Download Assistant, it gives me the following error message while trying to open/install the Download Assistant:
    Sorry, an error has occured.
    The application cannot be installed due to a certificate problem. The certificate does not match the installed application certificate, does not support application upgrades, or is invalid. Please contact the application author.
    Can anybody help?

    Lmslugo please move your current installation to the trash can, empty the trash, and reinstall.  This should give you a new copy of the application with a current certificate.

  • Adobe Air Certificate problem

    I get the following error message when I try to use any of my applications that use Adobe Air: 
    The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support the application upgrade, or is invalid. Please contact the application author.

    Have you tried creating new certificate for the app?

  • Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

    I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
    The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
    1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
    2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
    About the Code Signing Certificate problem:
    When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
    I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
    The Google Groups Adobe AIR page is here:
    http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
    Any ideas about these issues?
    Thanks!
    Oscar

  • Cannot open install assistant.  I get this error message: The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support application upgrades, or is invalid.  Pleas

    How can I download a trial of Adobe Elements 12?
    I followed the instructions to download assistant...but get this message: The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support application upgrades, or is invalid.  Please contact the application author.

    Hi alposer,
    Please remove the copy of the Adobe Download Assistant you currently have installed and then reinstall the Adobe Download Assistant.
    Regards,
    Rave

  • Certificate Problem--can't install

    I am trying to install Creative Cloud trial version on my Mac. I get this message:  The application cannot be installed due to a certificate problem.  The certificate does not match the installed application certificate, does not support application upgrades, or is invalid.  Please contact the application author.
    There is no error number

    Kulerkween can you please post a screenshot of the error message?  Also what operating system are you using?

  • Certificate problem--safari says it couldn't establish a secure connection.

    Certificate problem. How do I fix a corrupted cert? I think what's going on is that the cert that is installed for this site is bad. But Safari just gives an error and I can't find a way to remove the bad one and add a new one? Can anyone help me?

    I haven't experienced any issues like this.
    What's a corrupted certificate?

  • Windows certificate problem - at least for a better description

    I'm not sure where this should be posted.  I believe it's actually a Windows problem, so i'll try here first.
    Okay, I was installing SQL 2012 express server and I ran into a problem during the installation.  It's been too long ago, and too many correction attempts since to remember what the original problem even was.  But, anyways I uninstalled the installation
    and tried again, and again and again.   I was getting these errors:   Well damn, I've uninstalled my latest attempt and the error logs are gone.  Anyways it was failing on a certificate issue and then unable to find a start-up handle for the
    database engine. After this I tried all of the suggested fixes put forth on msdn,  Stack OverFlow and several blogs, nothing worked.  One of the suggestions was to create a new account/profile and try installing with that account. At that point I
    discovered that I couldn't create a functional new profile; every one failed when trying to log in.  That's why I think it is a Windows 8.1 problem and not a SQL installation problem, although it's likely that created the original problem. Anyways, I'm
    stuck.  Any ideas, beyond re-installing (I'll probably wait for the April 8th update and see if that happens to fix the problem before suffering the inconvenience of a complete re-install) win 8.1?  I can recreate the error logs by going through
    the installation again if they could help or I can pull the logs from one of the other blogs.
    Thanks,
    Ray

    After more digging around I found another instance of this problem reported here:
    http://social.technet.microsoft.com/Forums/en-US/43cb5946-9d82-4973-b8a1-4053aa688ba8/user-profile-service-failed-the-signin-user-profile-cannot-be-loaded-for-any-new-accounts?forum=w8itprogeneral
    ( it won't let me post a link, so we get plain text)
    As suggested in the mentioned post, checking my Event Viewer showed basically two type of Errors:  Event ID 1500 when trying to log in to Windows 8.1 with the newly created profile or creating a new profile; and Event ID 1511 when trying to install
    SQL 2012 Server Express.  Later on in the error logs, errors with certificates are mentioned.  Further digging showed that in each case the errors occurred when an attempt was made to copy files from the Default profile, specifically files in the
    \AppData\Local\Microsoft\VSCommon folder, to a Temp folder during creation of the new profile.  I copied these files to another temp folder and removed them from the offending location. After doing so, SQL 2012 Server Express installed properly and I
    was able to create a new user profile which could log into Windows.  I haven't seen any other problems since the files were removed, VS2013 works fine, but it did before these issues popped-up too. (VS2012 was upgraded several months ago, so maybe the
    files were left from that?).
    Hope this might help others who run into certificate problems when creating profiles, either during installation of programs or when creating a new user profile.

  • OS X Safari and Hotmail Certificate Problem

    Hello Apple discussions, I am having problems accessing part of a Microsoft Hotmail account, as explained below.
    I have a problem with my Hotmail web account using OS X 10.6.4 and Safari 5.0 when I try adding another email account to my Hotmail account where it says "Add an e-mail account" on the left side pane of Hotmail. When I click on "Add an e-mail account" I get the error message for a certificate problem: Safari cannot verify the identity of the website "col0-sec.mail.live.com". I am using OS X 10.6.4 and Safari 5.0. I have tried using an earlier version of Safari but the same problem occurred, so I tried using Google Chrome (most recent) and Opera browsers for Mac with no luck, the exact same problem. So I tried adding an email account using a Windows XP machine; it had no problem adding an email account, so the problem seems to be an OS X problem. It seems to be something wrong with the certificate for validation on the Microsoft website, I think. I can send a screenshot of the entire message that popped up for the invalid certificate if needed to fix this problem.

    Thought of something else you might try.
    Open Keychain Access (Applications/Utilities) Select "My Certificates" or on the left.
    If you see a Microsoft/Hotmail certificate, double click that. Click the gray disclosure triangle so
    it faces down. Click the pop up menu next to: When using this certificate and set it to: Always Trust.
    Relaunch Safari and try logging into your Hotmail account.
    Carolyn
