Generating hardware protected OCSP certificate using certreq
Hi All, I am having difficulty generating a certificate request using certreq where I want the private key protected by an nCipher HSM. When I go to generate the certificate request I receive the following error: Key not valid for use in specified state. 0x800900b. My server is on the Windows Server 2008 R2 platform and I am using an nCipher network HSM. I have tried generating the request using certreq and by using the MMC snap-in but keep on getting the same error. If I try to enrol against another v3 certificate template with a similar configuration, e.g. an enrolment agent certificate, using the same settings in the inf file, I get prompted to create the private key in the HSM. Due to this I suspect that the problem lies with a configuration on the template. The OCSP template I am using is a direct duplicate of the default one with settings changed to allow the hardware KSP and to change the validity period. I also get the same error trying to enrol against the default OCSP template. Here is my policy.inf file:

    [NewRequest]
    KeyLength = 2048
    MachineKeySet = TRUE
    ProviderName = "nCipher Security World Key Storage Provider"
    ProviderType = 1
    RequestType = CMC
    Subject = "CN=XXX-OCSP-Signing"

    [RequestAttributes]
    CertificateTemplate = "XXX-OCSP-Signing-Certificate"

Any help would be appreciated. Many Thanks, Chris

EDIT: I think I've now solved this. I removed the "Add permissions to the Network Service...." setting from the Request Handling tab and all appears to be working now!
September 30th, 2010 12:19pm
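As an added illustration (not code from the thread), the following PowerShell script drives the certreq steps from the post above and then verifies that the issued certificate's private key is actually held by the nCipher KSP rather than a software provider. It assumes the inf values from the post; the CA config string and file names are placeholders.

```powershell
# Added example, not part of the original thread. Writes the policy.inf from the
# post, generates the CMC request, submits it, and checks which provider holds the key.
$inf = @"
[NewRequest]
KeyLength = 2048
MachineKeySet = TRUE
ProviderName = "nCipher Security World Key Storage Provider"
ProviderType = 1
RequestType = CMC
Subject = "CN=XXX-OCSP-Signing"

[RequestAttributes]
CertificateTemplate = "XXX-OCSP-Signing-Certificate"
"@
Set-Content -Path .\policy.inf -Value $inf -Encoding ASCII

# 1. Generate the request. With the template fixed as described in the post,
#    the KSP prompts to create the key in the Security World at this point.
certreq -new .\policy.inf .\ocsp.req
if ($LASTEXITCODE -ne 0) {
    throw "certreq -new failed (exit $LASTEXITCODE); re-check the template's Request Handling settings"
}

# 2. Submit to the issuing CA and install the issued certificate.
#    "CAHOST\CA-NAME-PLACEHOLDER" is a placeholder config string.
certreq -submit -config "CAHOST\CA-NAME-PLACEHOLDER" .\ocsp.req .\ocsp.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed (exit $LASTEXITCODE)" }
certreq -accept .\ocsp.cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE)" }

# 3. Confirm the key sits in the HSM KSP: certutil -store prints a "Provider = ..."
#    line for the matching certificate in the machine personal store.
$storeDump = certutil -store my "XXX-OCSP-Signing" | Out-String
if ($storeDump -match 'Provider = nCipher Security World Key Storage Provider') {
    Write-Host "OK: OCSP signing key is held by the nCipher KSP"
} else {
    Write-Warning "Key is NOT in the nCipher KSP; inspect the provider line:`n$storeDump"
}
```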

Hi Chris, You got it. For full details, look for "Using a hardware security module (HSM) to protect OCSP signing keys" in the following whitepaper: http://technet.microsoft.com/en-us/library/cc770413(WS.10).aspx. Thanks, John
September 30th, 2010 2:15pm

"EDIT: I think I've now solved this. I removed the "Add permissions to the Network Service...." setting from the Request Handling tab and all appears to be working now!"

I've had a similar experience when using an nCipher HSM. After we removed the permissions assigned to Network Service everything worked fine. Martin
September 30th, 2010 2:44pm

Make sure that you are using the 11.40 client software. There were some known bugs with the KSP when interacting with OCSP. Brian
September 30th, 2010 4:13pm

Hi Brian, I'm only on 11.30; we're getting an nShield Edge shipped in the next couple of days so I'm hoping it will come with the latest client software. Otherwise I'll have to speak with Thales. Thanks, Chris
October 1st, 2010 3:19am
