Cannot create certificate request file with specific CSP
Hello All. Thank you in advance for looking at this question. I am running into some issues creating a certificate request file using certreq.exe on a Windows Server 2003 R2 SP2 machine. The end goal of this is to enable TLS/SSL for inbound administrative remote desktop connections through terminal services. Here are the facts:

Terminal Server (Windows Server 2003 R2 SP2 Standard)
Standalone CA (Windows Server 2008 R2 SP1 Standard)

Running CertReq.exe on the W2K3 server to create the request file with the following command line:

    certreq.exe -new certreq.inf certreq.req

Contents of inf file:

    [NewRequest]
    Subject = "CN=***,OU=***,O=***,L=***,S=***,C=***"
    EncipherOnly = False
    Exportable = True
    KeyLength = 2048
    KeyUsage = 0xf0
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1

When I execute this command I am presented with the following error:

    Certificate Request Processor: Invalid algorithm specified. 0x80090008 (-2146893816)

Running certutil -csplist returns the RSA SChannel as an available provider. This particular server has IIS on it, so I created an offline request file through IIS using the defined CSP of Microsoft RSA SChannel Cryptographic Provider and I am able to create a request file to pass to my CA. I can then bring the cert back to my Win2k3 box and install it happily with no problems. Remote Desktop works fine through the new security settings.

I tried creating the request using a CSP of "Microsoft Enhanced RSA and AES Cryptographic Provider" using the certreq.exe utility. This worked without a problem; however, after using this cert in terminal services, I was unable to authenticate via RDP to the server. I'm at a loss as to why I am unable to specify the required CSP by using certreq.exe! Is there anyone that can assist me with this?

As a side note, I did try using the certsrv web pages on my 2008 CA to request an advanced server authentication certificate. After installing this cert and making sure it was in the Personal > Local Computer store I could never get it to appear as a selectable certificate in Terminal Services. Perhaps it needs more than "Key Encipherment and Data Encipherment" which is all the CA would issue me using the advanced request web pages for a server authentication certificate.
May 20th, 2011 6:28pm

After experimenting with your request, I found out that it seems the EncipherOnly = False is the line to remove. That is the default setting anyways, but I am getting an error when I add in that part. http://technet.microsoft.com/en-us/library/cc736326(v=WS.10).aspx
April 17th, 2012 6:30pm

I am seeing the same issue running CertReq on Windows Server 2003 R2 SP2 (with or without the EncipherOnly = False line), and it seems more like a problem with using:

    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12

I can generate a request just fine using:

    ProviderName="Microsoft Enhanced RSA and AES Cryptographic Provider"
    ProviderType=24

But the resulting certificate seems to be incompatible with IIS6/Win2k3. (A fatal error occurred while creating an SSL server credential.) I get the same SChannel error on the IIS6/Win2k3 machine if I use the default provider, which is:

    ProviderName = "Microsoft Strong Cryptographic Provider"
    ProviderType = 1

BUT when I take the SAME INF file (using provider type 12) to a Windows Server 2008 R2 machine, the request generates just fine. Is this a Windows Server 2003 CertReq.exe bug?
August 16th, 2012 1:34pm

Hi Jeremy, in your request you put EncipherOnly = False, but did you have PKIview all green for your whole chain? If not, the request will be denied by policy; to issue an encryption certificate, all CDP and AIA need to work and be green in PKIview. Another possibility is if a KRA is installed on this signing CA: by default the request will be in PKCS10 format instead of the CMC needed for KRA. Hope this will help you.
Stef71
August 18th, 2012 12:45am
