Error message when requesting certificates with key archival enabled
Whenever I request a cert with key archival enabled in the template I get this error message: "An error occurred while creating the certificate request. Please verify that your CSP supports any settings you have made and that your input is valid." I have set up a KRA correctly, and the KRA certificate is valid when I check it on the CA. What can this error be attributed to? --I thought this problem was solved, but it turns out I was testing with a different template. This is still happening with all certs that specify key archival.
April 17th, 2010 11:43pm

This is fundamentally a problem of trust. When key archival is enabled in the template settings, the Windows Certificate Client must include the user's private key in the request before submitting it to the CA. The client retrieves the CA Exchange from the CA certificate and uses that to encrypt the private key before including it in the request. Prior to doing so, however, the client first validates the CA Exchange certificate. This error usually means the CA Exchange certificate is not trusted for Private Key Archival. There are two things to check:

First, is the Root CA trusted for Private Key Archival on the client? Launch MMC and add the Certificate snap-in for the Computer account --> Local Computer. Expand the Trusted Root Certification Authorities store and locate your root CA certificate. Open the certificate and click on the Details tab. Click Edit Properties. Under Certificate purposes, verify that Private Key Archival is enabled. If the certificate is trusted for All Purposes, this is sufficient.

Second, the issuing CA certificate must be trusted for Windows Authentication. Practically speaking, this means the certificate for the CA from which you are requesting the certificate must be published in the Enterprise NTAuth store on the computer from which you are requesting the certificate. You can check for this using the following command:

    certutil -enterprise -store NTAuth

If your issuing CA certificate isn't in that store, then it may not be published in Active Directory. You can check for its presence with the following command:

    certutil -store "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=..."

Fill in the rest of your forest root domain DN. If your issuing CA certificate is published in AD, but is not in the Enterprise NTAuth store in the client, then make sure that Autoenrollment is enabled in Group Policy. Autoenrollment is the process by which certificates published in AD (NTAuth, Enterprise Root, etc.) are propagated to forest members. If your issuing CA certificate is not published in Active Directory, then publish it using the following command:

    certutil -dspublish <CACert.crt> NTAuth

You must be an Enterprise Admin. You can find the CACert.crt file in the %systemroot%\system32\certsrv\certenroll folder.

Jonathan Stephens
April 18th, 2010 7:33am
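The checks described in the answer above, gathered into one script. This is an added example and not part of the original thread or of Microsoft's tooling; it wraps the certutil commands the answer names and parses their output. Assumptions: the issuing CA certificate file path (for example the .crt in %systemroot%\system32\certsrv\certenroll) is passed as -CaCertPath, the AD configuration naming context is read from RootDSE unless -ConfigDn is given, and the Private Key Archival EKU OID is 1.3.6.1.4.1.311.21.5. The per-store "Certificate purposes" override set through Edit Properties in the MMC is not exposed through .NET, so the first check in the answer still has to be confirmed in the MMC; the script only reports whether the root is present and whether any EKU extension it carries would exclude Private Key Archival.

```powershell
# Added example (not from the original post): verify the NTAuth / root-trust
# conditions behind the "verify that your CSP supports any settings" error.
param(
    # Assumed location; adjust to your CA's exported certificate.
    [Parameter(Mandatory)] [string]$CaCertPath,
    # Forest configuration NC, e.g. CN=Configuration,DC=corp,DC=example
    [string]$ConfigDn = ([ADSI]"LDAP://RootDSE").configurationNamingContext
)

$PkaOid = '1.3.6.1.4.1.311.21.5'   # Private Key Archival enhanced key usage (assumed OID)

# certutil -store prints one "Cert Hash(sha1): aa bb cc ..." line per certificate;
# collect those hashes as upper-case thumbprint strings for comparison.
function Get-CertutilThumbprints([string[]]$CertutilArgs) {
    $out = & certutil.exe @CertutilArgs 2>&1
    foreach ($line in $out) {
        if ($line -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
Write-Host "Issuing CA : $($caCert.Subject)"
Write-Host "Thumbprint : $($caCert.Thumbprint)"

# Check 2 from the answer: is the issuing CA in the local Enterprise NTAuth store,
# and if not, is it at least published in AD (so autoenrollment could copy it down)?
$ntauthLocal = @(Get-CertutilThumbprints @('-enterprise', '-store', 'NTAuth'))
$ntauthAdUrl = "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$ConfigDn"
$ntauthAd    = @(Get-CertutilThumbprints @('-store', $ntauthAdUrl))

if ($ntauthLocal -contains $caCert.Thumbprint) {
    Write-Host "[OK]   Issuing CA is in the local Enterprise NTAuth store."
} elseif ($ntauthAd -contains $caCert.Thumbprint) {
    Write-Warning "Issuing CA is published in AD NTAuth but has not reached this machine."
    Write-Warning "Confirm the Autoenrollment GPO applies here, then run: certutil -pulse"
} else {
    Write-Warning "Issuing CA is not in AD NTAuth. As an Enterprise Admin run:"
    Write-Warning "  certutil -dspublish `"$CaCertPath`" NTAuth"
}

# Check 1 from the answer: locate the root of the issuing CA's chain and see whether
# it sits in LocalMachine\Root and whether an EKU extension would block Private Key
# Archival. (No EKU extension means "All Purposes" as far as the extension goes.)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($caCert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

$rootInStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($rootInStore) {
    Write-Host "[OK]   Root '$($root.Subject)' is in LocalMachine\Root."
} else {
    Write-Warning "Root '$($root.Subject)' is NOT in LocalMachine\Root on this client."
}

$eku = $root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku) {
    Write-Host "[OK]   Root has no EKU extension (all purposes at the extension level)."
} elseif ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $PkaOid }) {
    Write-Host "[OK]   Root EKU extension includes Private Key Archival."
} else {
    Write-Warning "Root EKU extension does not include Private Key Archival ($PkaOid)."
}
Write-Host "Note: the Edit Properties 'Certificate purposes' override must still be checked in the MMC."
```

Run it on the client that is failing, not on the CA: the NTAuth store and the Root store being inspected are the requesting machine's, which is exactly the trust the certificate client evaluates before it encrypts the private key for archival.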

The issuing CA's cert was not in the NTAuth store. Thanks!
April 22nd, 2010 7:06pm

Hello, I have the same error message in my company but just with roaming profiles (computers connected through a VPN). I checked what you said and everything looks OK, the root certificate is installed and appears normal after running certutil. What else can I check? Thanks
July 11th, 2011 8:49pm
