How to issue certificate with PrivateKeyArchival enabled with request in .req file
I have an Enterprise CA running on Server 2008 R2 SP1.
I've configured server templates to require PrivateKeyArchival.
I can successfully request certificates for the modified Computer and User templates (both with PrivateKeyArchival enabled).
I also duplicated the Web Server template and named it "PKA_Web Server".
After that I created a certificate request for an Exchange certificate and saved it to a .req file, and I want to complete the request with the "PKA_Web Server" template.
Since I cannot use Web Enrollment because the template requires PrivateKeyArchival, how should I submit the request?
I can request a certificate via the MMC Certificates snap-in with this template, but I don't think that I can supply the .req file via this method.
I've tried to use: certreq -submit -v -attrib "CertificateTemplate:PKA_Web Server" exchnage.req but the response is: (-v for verbose response)
FR_PROP_FULLRESPONSE[0] 3: CERTSRV_E_PROPERTY_EMPTY
FR_PROP_FULLRESPONSENOPKCS7[0] 3: CERTSRV_E_PROPERTY_EMPTY
FR_PROP_STATUSINFOCOUNT[0] 1: 0x0(0)
Certificate not issued (Incomplete)
So please, could anyone guide me on how to create such a certificate (supplying a .req for a template with PrivateKeyArchive enabled)?
February 27th, 2012 3:43am
The easiest way is to create and submit the request using certreq.exe
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374906(v=vs.85).aspx
The steps are:
1. Prepare a request.inf file with the following content:
[NewRequest]
Subject="cn=TestCN,o=TestOrg"
RequestType=cmc
PrivateKeyArchive=true
[RequestAttributes]
CertificateTemplate=WebServerTemplate
2. Generate the request by running the command: certreq.exe -new request.inf request.req
3. Submit the request to the online CA by running the command: certreq.exe -submit request.req newcertificate.cer
4. Install the certificate using the command: certreq.exe -accept newcertificate.cer
If your CA is not online, you need to perform step 3 on the CA
/Hasain
February 27th, 2012 12:27pm
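The four steps from the answer above, as an added PowerShell example that is not part of the original thread: it writes the request.inf, runs each certreq.exe step, and stops at the first failure instead of carrying on with a missing file. The template name, subject, working directory and the Invoke-CertReq helper are assumptions for illustration; replace the template and subject with your own values.

```powershell
# Added example (not from the thread): the answer's certreq steps with failure checks.
# Assumptions: $Template and $Subject are the sample values from the answer; the
# working directory and the Invoke-CertReq helper are hypothetical names.
param(
    [string]$Template = 'WebServerTemplate',
    [string]$Subject  = 'cn=TestCN,o=TestOrg'
)

$ErrorActionPreference = 'Stop'

# Use a fresh directory so certreq never has to ask about overwriting old files.
$workDir = Join-Path $env:TEMP ("pka-request-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $workDir | Out-Null
$inf = Join-Path $workDir 'request.inf'
$req = Join-Path $workDir 'request.req'
$cer = Join-Path $workDir 'newcertificate.cer'

# Step 1: the INF from the answer. PrivateKeyArchive=true is paired with
# RequestType=cmc, the request format that can carry the encrypted private key.
@"
[NewRequest]
Subject="$Subject"
RequestType=cmc
PrivateKeyArchive=true
[RequestAttributes]
CertificateTemplate=$Template
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-CertReq {
    param([string[]]$Arguments)
    # Run certreq.exe and turn a non-zero exit code into a terminating error.
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Step 2: generate the key pair and the CMC request on this machine.
Invoke-CertReq @('-new', $inf, $req)

# Step 3: submit to the CA; a pending or denied request leaves no .cer behind.
Invoke-CertReq @('-submit', $req, $cer)
if (-not (Test-Path $cer)) {
    throw "No certificate was returned; check the request status on the CA."
}

# Step 4: bind the issued certificate to the private key created in step 2.
Invoke-CertReq @('-accept', $cer)
Write-Host "Certificate installed; request files are in $workDir"
```

Run it on the machine that should hold the private key, since the key pair is created locally in step 2.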
Have you tried the above suggestion? If there is any update, please let us know.
Have a nice day!
March 2nd, 2012 10:14am
Yep, I successfully issued a certificate but it was useless because my TMG doesn't like it, so I just removed Private Key Archival from the template.
Thank you Hasain
March 7th, 2012 11:27am


