Certificate not issued (Denied) Denied by Policy Module The DNS name is unavailable and cannot be added to Subject Alternate Name
I have a Windows 2008 R2 CA, and I am trying to issue an EnrollmentAgentCertificate(Machine). I am using CertUtil.exe to issue the certificate (I wrote some C# code earlier but that did not work either). Here are the contents of my inf file:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject ="CN=computername.domainname.com"
PrivateKeyArchive = FALSE
KeySpec = 2 ; AT_SIGNATURE
KeyLength = 1024
SMIME = FALSE
Exportable = FALSE
UserProtected = FALSE
MachineKeySet = TRUE ; key is created in the machine store
Silent = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
UseExistingKeySet = FALSE
RequesterName =DOMAINNAME\ComputerName
RequestType = pkcs10
KeyUsage = 0xA0 ; Digital Signature + Key Encipherment
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate="MachineEnrollmentAgent"
2.5.29.17="dns=COMPUTERNAME.domain.com" ; 2.5.29.17 is the Subject Alternative Name extension OID
I am trying to issue the certificate on the same machine as the CA.
I can issue the certificate via the MMC Certificates snap-in, though.
Any help would be great.
March 23rd, 2010 9:11pm
Hi,
The EnrollmentAgentCertificate(Computer) template builds the subject name from AD information. If you want to specify the subject/SAN in the request, you need to set up a custom template and set its subject handling to "supply in request". See http://technet.microsoft.com/en-us/library/cc725621(WS.10).aspx for more information.
HTH
Martin Rublik
March 24th, 2010 1:15am
Thanks for the reply,
let me give you a little background on the issue.
First I was trying to issue the certificate via code: creating the PKCS#10 request, setting the private key values, and then using CertEnroll to create a request and send it to the CA. The CA had CertificateEnrollmentAgent(Computer) issued. I had not modified the template, so the CA was supposed to fill in the DNS name in the SubAltName. But the CA kept denying with the error that no DNS name was found in the certificate request.
Then I started playing around with the CertReq utility and tried to issue the certificate with basic information and without supplying the SAN in the .inf file, and I still kept getting the same error message.
Then I tried issuing the certificate with the computer's MMC, which worked.
Then, going through this forum and others (Google), I found out that if you specify in the template not to build the SAN from the directory but that a SAN will be supplied, then certreq.exe works.
I tried that and am able to issue EnrollmentAgentCertificate (Computer) via both CertReq and via code. My question is why and how is the MMC able to issue the certificates with the SAN option set to "build from AD", and not CertUtil or even my code?
March 24th, 2010 3:00am
Hi,
You need to request the certificate in the context of the machine. This is how you can do it:
use certreq -adminforcemachine -config "cadnsname\caname" -submit request.req certificate.cer
HTH
Martin
March 24th, 2010 10:48am
Thanks for the help,
On a side note, how would you specify the -adminforcemachine flag via code (C#)? I am thinking it should be part of CertRequest.Submit, but I am not sure which flag to use.
March 24th, 2010 6:04pm
I guess
CR_IN_MACHINE http://msdn.microsoft.com/en-us/library/aa385054(VS.85).aspx
Regards
Martin Rublik
March 24th, 2010 7:11pm
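The two answers above (certreq -adminforcemachine, and CR_IN_MACHINE for ICertRequest::Submit) put together in one C# program, as an added example that is not code from the thread or from either poster. It assumes COM interop references to the CertEnroll 1.0 (CERTENROLLLib) and CertCli 1.0 (CERTCLIENTLib) type libraries, an elevated process on a domain-joined machine, the template name from the original post, and the placeholder CA config string "cadnsname\caname" from Martin's reply. It deliberately leaves out the subject and SAN so the template builds them from AD, and uses a 2048-bit key where the posted .inf used 1024.

```csharp
// Added example (not from the thread): request and install an Enrollment Agent (Computer)
// certificate from C# in the machine context, the programmatic equivalent of
// "certreq -adminforcemachine". Assumes COM interop references to CertEnroll 1.0
// (CERTENROLLLib) and CertCli 1.0 (CERTCLIENTLib), running elevated on a domain member.
using System;
using CERTENROLLLib;
using CERTCLIENTLib;

static class MachineEnrollmentAgent
{
    // Flag values from certcli.h (ICertRequest::Submit / GetCertificate).
    const int CR_IN_BASE64 = 0x1;
    const int CR_IN_MACHINE = 0x100000;      // submit in the computer's context
    const int CR_OUT_BASE64HEADER = 0x0;
    const int CR_DISP_DENIED = 2;
    const int CR_DISP_ISSUED = 3;
    const int CR_DISP_UNDER_SUBMISSION = 5;

    // Builds a PKCS#10 request against the template, keyed in the machine store.
    // No subject or SAN is supplied: the template builds both from AD, which is
    // why the CA must see the request as coming from the computer account.
    static CX509Enrollment BuildRequest(string templateName, out string base64Request)
    {
        var key = new CX509PrivateKey();
        key.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
        key.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;   // KeySpec = 2 in the posted .inf
        key.Length = 2048;                            // the .inf used 1024; 2048 is the sensible floor now
        key.MachineContext = true;                    // MachineKeySet = TRUE
        key.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_NONE;
        key.Create();

        var pkcs10 = new CX509CertificateRequestPkcs10();
        pkcs10.InitializeFromPrivateKey(X509CertificateEnrollmentContext.ContextMachine, key, templateName);

        var enrollment = new CX509Enrollment();
        enrollment.InitializeFromRequest(pkcs10);
        base64Request = enrollment.CreateRequest(EncodingType.XCN_CRYPT_STRING_BASE64);
        return enrollment;
    }

    // Submits the request with CR_IN_MACHINE, the flag the thread settles on, and
    // returns the issued certificate or throws with the CA's disposition message.
    static string SubmitToCa(string base64Request, string caConfig, string templateName)
    {
        var request = new CCertRequest();
        int disposition = request.Submit(CR_IN_BASE64 | CR_IN_MACHINE, base64Request,
                                         "CertificateTemplate:" + templateName, caConfig);
        switch (disposition)
        {
            case CR_DISP_ISSUED:
                return request.GetCertificate(CR_OUT_BASE64HEADER);
            case CR_DISP_UNDER_SUBMISSION:
                throw new InvalidOperationException(
                    "Request " + request.GetRequestId() + " is pending CA manager approval.");
            case CR_DISP_DENIED:
            default:
                // Without CR_IN_MACHINE this is where "Denied by Policy Module ... DNS name
                // is unavailable" surfaces, because the CA resolved the caller as a user.
                throw new InvalidOperationException(
                    "CA returned disposition " + disposition + ": " + request.GetDispositionMessage());
        }
    }

    static void Main(string[] args)
    {
        string caConfig = args.Length > 0 ? args[0] : @"cadnsname\caname";   // placeholder from the thread
        string templateName = "MachineEnrollmentAgent";

        string base64Request;
        CX509Enrollment enrollment = BuildRequest(templateName, out base64Request);
        string certificate = SubmitToCa(base64Request, caConfig, templateName);

        // Binds the issued certificate to the private key in the machine store.
        enrollment.InstallResponse(InstallResponseRestrictionFlags.AllowNone, certificate,
                                   EncodingType.XCN_CRYPT_STRING_BASE64HEADER, null);
        Console.WriteLine("Installed certificate for template " + templateName);
    }
}
```

Run it as an elevated local administrator, passing the CA config string ("CA host FQDN\CA common name") as the first argument. The same CX509Enrollment object that produced the request must be the one that installs the response, otherwise the issued certificate is not paired with the private key in the machine store.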
Thanks, it worked. I guess I looked at the API and never saw the Machine flag.
March 24th, 2010 10:51pm