Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to Subject Alternate Name
I have a Windows 2008 R2 CA, and I am trying to issue an EnrollmentAgentCertificate(Machine). I am using CertUtil.exe to issue the certificate (I wrote some C# code earlier but that did not work either). Here are the contents of my inf file:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject ="CN=computername.domainname.com"
PrivateKeyArchive = FALSE
KeySpec = 2
KeyLength = 1024
SMIME = FALSE
Exportable = FALSE
UserProtected = FALSE
MachineKeySet = TRUE
Silent = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
UseExistingKeySet = FALSE
RequesterName =DOMAINNAME\ComputerName
RequestType = pkcs10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate="MachineEnrollmentAgent"
2.5.29.17="dns=COMPUTERNAME.domain.com"

I am trying to issue the certificate on the same machine as the CA. I can issue the certificate via the MMC Certificates snap-in, though. Any help would be great.
March 23rd, 2010 9:11pm

Hi, the EnrollmentAgentCertificate(Computer) template builds the subject name from AD information. If you want to specify the subject/SAN in the request you need to set up a custom template and set its subject handling to "supply in request". See http://technet.microsoft.com/en-us/library/cc725621(WS.10).aspx for more information. HTH, Martin Rublik
March 24th, 2010 1:15am

Thanks for the reply. Let me give you a little background on the issue. First I was trying to issue the certificate via code: creating the PKCS#10 request, setting the private key values and then using CertEnroll to create a request and send it to the CA. The CA had CertificateEnrollmentAgent(Computer) issued. I had not modified the template, so the CA was supposed to fill in the DNS name in the SubAltName. But the CA kept denying with the error that no DNS name was found in the certificate request. Then I started playing around with the CertReq utility and tried to issue the certificate with basic information and without supplying the SAN in the .inf file, and I still kept getting the same error message. Then I tried issuing the certificate with the computer's MMC, which worked. Then, going through this forum and others (Google), I found out that if you specify in the template not to build the SAN from the directory but that a SAN will be supplied, then certreq.exe works. I tried that and am able to issue EnrollmentAgentCertificate (computer) via both CertReq and via code. My question is: why and how is MMC able to issue the certificates with the SAN option set to "build from AD", and not CertUtil or even my code?
March 24th, 2010 3:00am

Hi, you need to request the certificate in the context of the machine. This is how you can do it:

certreq -adminforcemachine -config "cadnsname\caname" -submit request.req certificate.cer

HTH, Martin
March 24th, 2010 10:48am

Thanks for the help. On a side note, how would you define the -adminforcemachine flag via code (C#)? I am thinking it should be a part of CertRequest.Submit, but I am not sure what flag to use.
March 24th, 2010 6:04pm

I guess CR_IN_MACHINE: http://msdn.microsoft.com/en-us/library/aa385054(VS.85).aspx Regards, Martin Rublik
March 24th, 2010 7:11pm
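The flag combination Martin points at, shown as an added C# example that is not code from this thread. It assumes a COM interop reference to certcli.dll (CERTCLILib), a base64 PKCS#10 request that already exists, and placeholder values for the CA config string and template name (the thread's template would be MachineEnrollmentAgent).

```csharp
using System;
using CERTCLILib; // COM interop for certcli.dll; assumed to be referenced by the project

// Submits an existing PKCS#10 request in the local computer's context, the
// programmatic equivalent of "certreq -adminforcemachine -config ... -submit".
static class MachineContextSubmit
{
    // Flag values as defined in certcli.h
    const int CR_IN_BASE64HEADER = 0x0;      // request is base64 with -----BEGIN/END----- lines
    const int CR_IN_PKCS10 = 0x100;          // request format is PKCS#10
    const int CR_IN_MACHINE = 0x100000;      // request is on behalf of the local machine
    const int CR_DISP_ISSUED = 3;
    const int CR_OUT_BASE64HEADER = 0x0;

    // caConfig: "CADNSNAME\CAName" (placeholder; same form as the certreq -config value).
    // Returns the issued certificate as base64 with header, or null if the CA did not issue it.
    static string Submit(string caConfig, string base64Pkcs10, string templateName)
    {
        var request = new CCertRequest();

        // Without CR_IN_MACHINE the policy module evaluates the request as the
        // submitting user, finds no DNS name for that principal and denies it
        // with the "DNS name is unavailable" message quoted in the thread.
        int disposition = request.Submit(
            CR_IN_BASE64HEADER | CR_IN_PKCS10 | CR_IN_MACHINE,
            base64Pkcs10,
            "CertificateTemplate:" + templateName,   // same attribute the .inf supplies
            caConfig);

        if (disposition == CR_DISP_ISSUED)
            return request.GetCertificate(CR_OUT_BASE64HEADER);

        // Denied, pending or error: surface the CA's reason text for troubleshooting.
        Console.Error.WriteLine("Disposition {0}: {1}",
            disposition, request.GetDispositionMessage());
        return null;
    }
}
```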

Thanks, it worked. I guess I looked at the API and never saw the Machine flag.
March 24th, 2010 10:51pm
