Certificate issuing Windows 2003 Server - Vista SP1 Problem
Hi, We just rebuilt our internal PKI infrastructure. That means we deployed one ROOT offline standalone PKI server (Windows SERVER 2003) and one Online Enterprise PKI Issuing server (Windows SERVER 2003 Enterprise). We configured our CRL and AIA publishing points (first is http, after is ldap). The issuing of certificates is working well with Certificate templates ver. 1 and ver. 2 on Windows XP and Vista.

We created a KRA and we checked the templates ver. 2 "Archive subject's encryption private key". And here is the problem!! For Windows XP SP3 it is working fine, but on Vista we are receiving the following error: "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. (Error: 0x800B0112)." It seems that there is a problem with one of the CA certificates, but on some Vista computers the issuing is working!! The Root CA and Issuing CA certificates are in the appropriate certificate stores on the Vista machines. Also, I installed a clean Windows Vista SP1 machine without any installed software and I have the same problem.

Resume: Problem on Vista SP1 with issuing of certificates ver. 2 where the "Archive subject's encryption private key" is checked. Does anyone have similar experience? Thanks for your help
December 12th, 2008 5:27pm

Hi, If the template settings for the user's requested certificate are configured for key archival, the Windows Vista PKI client must include the user's private key in the request before submitting it to the CA. The PKI client retrieves the CA's CA Exchange certificate and uses that to encrypt the private key before including it in the request. Prior to doing so, however, the PKI client first validates the CA Exchange certificate.

Are the machines domain-joined? This issue can occur if the CA certificate is not in the client's Enterprise NTAuth store. The local NTAuth store can be manually populated using the utility certutil.exe:

Certutil -enterprise -addstore NTAuth CaCertificate.cer

The physical location for the NTAuth store is:

HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

When the issuing CA certificate is added to the NTAuth store, you will see a new key named for the certificate's SHA1 thumbprint added beneath the Certificates key.
December 16th, 2008 6:47am
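The check described in the answer above, as an added PowerShell example that is not part of the thread: it reads the local NTAuth registry key (each subkey is named for a certificate's SHA1 thumbprint), compares it against the Root and Issuing CA certificate files you supply, and optionally populates the store with the certutil command from the answer. The file paths and the `-Fix` switch are assumptions for this example.

```powershell
# Added example: verify that the CA certificates a client trusts are also present in its
# local Enterprise NTAuth store (the cause of error 0x800B0112 in this thread).
# Assumptions: run in an elevated PowerShell session on the client; the .cer paths are placeholders.
param(
    [string[]]$CaCertFiles = @('C:\PKI\RootCA.cer', 'C:\PKI\IssuingCA.cer'),  # placeholder paths
    [switch]$Fix   # when set, add any missing certificate with certutil
)

$ntAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

# Every subkey beneath the Certificates key is named after the certificate's SHA1 thumbprint.
$ntAuthThumbprints = @()
if (Test-Path -Path $ntAuthKey) {
    $ntAuthThumbprints = @(Get-ChildItem -Path $ntAuthKey | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}
Write-Host ("Local NTAuth store contains {0} certificate(s)." -f $ntAuthThumbprints.Count)

$missing = @()
foreach ($file in $CaCertFiles) {
    if (-not (Test-Path -Path $file)) {
        Write-Warning "Certificate file not found: $file"
        continue
    }
    # Load the .cer file and take its SHA1 thumbprint (uppercase hex, same form as the subkey name).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $present = $ntAuthThumbprints -contains $cert.Thumbprint.ToUpperInvariant()
    $status = if ($present) { 'in NTAuth' } else { 'MISSING from NTAuth' }
    Write-Host ("{0,-50} {1}  {2}" -f $cert.Subject, $cert.Thumbprint, $status)
    if (-not $present) { $missing += $file }
}

if ($missing.Count -eq 0) {
    Write-Host 'All supplied CA certificates are present in the local NTAuth store.'
} elseif ($Fix) {
    # Populate the store the same way the answer describes (note the -enterprise spelling).
    foreach ($file in $missing) {
        & certutil.exe -enterprise -addstore NTAuth $file
    }
} else {
    Write-Host 'Re-run with -Fix to add the missing certificate(s) via "certutil -enterprise -addstore NTAuth".'
}
```

With autoenrollment disabled, as in this thread, the store can stay empty on a client, so the script is worth running on a machine that shows the error before touching the CA itself.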

Hi Joson, The problem is solved thanks to your help :)))) That was the problem. The NTAuth store on the local computer was empty. When I populated it with certutil, including the Root and Issuing CA Certificates, the requesting of a certificate is working. Because the Autoenrollment is disabled, we are assuming that the CA Certificates are not deployed automatically in the NTAuth store to the local computers. Thanks again, Tomas
December 16th, 2008 6:20pm

Glad to hear that. :) Have a great day.
December 17th, 2008 6:20am
