Submit new request - nothing happens
Hi, I installed a Certification Authority on a Windows Server 2008 R2 domain member to secure Exchange 2010 "Outlook Web App" with SSL. I created the Certificate Request (cert.req) from the EMC "Exchange Certificates" screen, but when I use the "submit new request" function of the CA MMC, nothing happens, no error message, nothing. Any ideas?
- ThePro
December 24th, 2010 6:14pm

Now you need to copy the cert.req to the CA server web interface and download the certificate from the CA server.
MCSA, MCSE, MCITP:SA, MCITP:EA, MCTS:Exchange Server 2010 Config, CCNA
December 24th, 2010 7:03pm

> Hi, I installed a Certification Authority on a Windows Server 2008 R2 domain member to secure Exchange 2010 "Outlook Web App" with SSL. I created the Certificate Request (cert.req) from the EMC "Exchange Certificates" screen, but when I use the "submit new request" function of the CA MMC, nothing happens, no error message, nothing. Any ideas? - ThePro

In the same MMC, locate the Issued Certificates node and check whether your certificate was issued. Double-click the certificate, switch to the Details tab and click the Copy to File button. Follow the instructions, move the file to the Exchange server and install it.

> Now you need to copy the cert.req to the CA server web interface and download the certificate from the CA server.

No, this is not the correct answer. The author already submitted the request to the CA server.
http://en-us.sysadmins.lv
December 25th, 2010 3:46am

> In the same MMC locate Issued Certificates node and ensure if your certificate was issued.

There is nothing in the "Issued Certificates" screen, nor in "Pending Requests" or "Failed Requests".
- ThePro
December 25th, 2010 10:33am

Try to perform the same operation, but from the command line:

    certreq -submit requestfile.req

In the dialog box that opens, select the required CA server and check for any messages.
http://en-us.sysadmins.lv
December 25th, 2010 11:34am

The error message is:

    Active Directory Enrollment Policy {04D0DAAD-B09E-4083-AF37-4D6131C40066} ldap: Certificate not issued (Incomplete)

Thanks for your help!
- ThePro
December 25th, 2010 12:20pm

Can you show us the output of the following command:

    certutil -dump requestfile.req

It is probable that the certificate request is missing Certificate Template information. If so, make sure that the appropriate template is assigned to the CA server (for example, the WebServer template) and submit the request as follows:

    certreq -submit -attrib "CertificateTemplate:WebServer" requestfile.req

http://en-us.sysadmins.lv
December 25th, 2010 12:37pm

Here is the output:

------
PKCS10 Certificate Request:
Version: 1
Subject:
    C=CA
    S=Quebec
    L=Saguenay
    O=Grimard
    OU=Head office
    CN=exchange.grimard.ca

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
Request Attributes: 4
  4 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
        6.1.7600.2

  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[1][0]:
    Unknown Attribute type
    Client Id: = 5
    ClientIdDefaultRequest -- 5
    User: GRIMARD\EXCHANGE3$
    Machine: EXCHANGE3.grimard.ca
    Process: Microsoft.Exchange.ServiceHost.exe

  Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
    Value[2][0]:
    Unknown Attribute type
    CSP Provider Info
    KeySpec = 1
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Signature: UnusedBits=0

  Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[3][0]:
    Unknown Attribute type
Certificate Extensions: 4
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

    2.5.29.17: Flags = 0, Length = 30
    Subject Alternative Name
        DNS Name=exchange.grimard.ca
        DNS Name=autodiscover.grimard.ca

    2.5.29.19: Flags = 1(Critical), Length = 2
    Basic Constraints
        Subject Type=End Entity
        Path Length Constraint=None

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        28 94 a3 60 f9 9f 98 2e 0a bc fd 45 23 c1 98 17 43 a3 83 ac

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
Signature matches Public Key
Key Id Hash(rfc-sha1): 28 94 a3 60 f9 9f 98 2e 0a bc fd 45 23 c1 98 17 43 a3 83 ac
Key Id Hash(sha1): 22 90 54 cf 72 8b cb 5f ec f9 91 a4 82 f0 bc 5a 0e 14 44 6e
CertUtil: -dump command completed successfully.
------
- ThePro
December 25th, 2010 12:40pm

As I assumed, the Certificate Template extension is missing. In addition, your request contains the Subject Alternative Name extension. By default, Windows CA doesn't allow this extension for templates where the subject is constructed from request information. Run the following commands on the CA server:

    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc

Make sure that the appropriate template is assigned to the CA server (for example, the WebServer template) and submit the request as follows:

    certreq -submit -attrib "CertificateTemplate:WebServer" requestfile.req

http://en-us.sysadmins.lv
December 25th, 2010 1:05pm
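
The flag set in the reply above is CA-wide: once enabled, the CA accepts a Subject Alternative Name passed as a request attribute for every template it publishes, so its state is worth checking and clearing when no longer needed. The following is an added example, not code from the thread; the function names are hypothetical, and it assumes the default registry layout of the Microsoft policy module and an elevated PowerShell session on the CA server.

```powershell
# Added example, not code from the thread; function names are hypothetical.
# Run in an elevated PowerShell session on the CA server.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # documented bit value of the flag

function Get-CAPolicyEditFlags {
    # Follow the "Active" values to the running CA and its policy module.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).Active
    if (-not $caName) { throw 'No active CA configuration found on this machine.' }
    $pm     = Join-Path (Join-Path $cfg $caName) 'PolicyModules'
    $module = (Get-ItemProperty -Path $pm).Active
    $flags  = (Get-ItemProperty -Path (Join-Path $pm $module)).EditFlags
    New-Object PSObject -Property @{
        CA           = $caName
        PolicyModule = $module
        EditFlags    = ('0x{0:X8}' -f $flags)
        SanAttribute = [bool]($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2)
    }
}

function Disable-CASanAttributeFlag {
    # Same certutil syntax as in the thread, with "-" instead of "+" to clear the bit.
    certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
    Restart-Service -Name certsvc      # restart, as in the thread, to apply the change
    Get-CAPolicyEditFlags
}

$state = Get-CAPolicyEditFlags
$state | Format-List
if ($state.SanAttribute) {
    Write-Warning 'The CA accepts SAN request attributes for every published template.'
    # Uncomment once the certificate is issued and nothing else relies on the flag:
    # Disable-CASanAttributeFlag
}
```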

Thanks. I ran these steps, but I still have the same error message. How do I select which template to use?
- ThePro
December 25th, 2010 1:44pm

This command parameter:

    -attrib "CertificateTemplate:WebServer"

will specify the template name.
http://en-us.sysadmins.lv
December 25th, 2010 4:21pm

My question was: how do I know if "WebServer" is the right template for an Exchange server? Thanks again.
- ThePro
December 27th, 2010 8:01am

Exchange server requires a server authentication certificate, so that Outlook clients are able to communicate with Exchange over HTTPS (SSL). The server certificate guarantees that Outlook is connected to the right server. The default WebServer template meets all those requirements for Exchange server.
http://en-us.sysadmins.lv
December 27th, 2010 9:12am

Ok, but I still get:

    Active Directory Enrollment Policy {04D0DAAD-B09E-4083-AF37-4D6131C40066} ldap: Certificate not issued (Incomplete)

- ThePro
December 27th, 2010 9:16am

Can you send me a copy of the request file (vpodans&sysadmins.lv)? Replace & with @.
http://en-us.sysadmins.lv
December 27th, 2010 9:52am

I have checked your request file. The problem is that the file is saved in Unicode encoding, which is not supported. Open the file in Notepad and save it in ANSI encoding.
http://en-us.sysadmins.lv
December 27th, 2010 1:12pm
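
The root cause found above, a request file saved as Unicode, can be checked and fixed from PowerShell instead of Notepad. This is an added example, not code from the thread: the function names and file names are hypothetical, and the sample request body is a constructed placeholder rather than a real request.

```powershell
# Added example, not code from the thread; function names are hypothetical.
function Get-RequestFileEncoding {
    param([Parameter(Mandatory = $true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).ProviderPath)
    if ($b.Length -lt 2) { return 'Empty' }
    if ($b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'UTF-16LE' }   # Notepad "Unicode"
    if ($b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'UTF-16BE' }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) {
        return 'UTF-8-BOM'
    }
    if ($b[0] -eq 0x30) { return 'DER' }              # binary PKCS#10, not text
    if ($b[1] -eq 0)    { return 'UTF-16LE-NoBOM' }   # NUL after every character
    if ($b[0] -eq 0)    { return 'UTF-16BE-NoBOM' }
    return 'ANSI'
}

function Convert-RequestFileToAnsi {
    param([Parameter(Mandatory = $true)][string]$Path,
          [Parameter(Mandatory = $true)][string]$Destination)
    $src = (Resolve-Path $Path).ProviderPath
    # .NET file APIs ignore the PowerShell location, so resolve the target path too.
    $dst = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    switch (Get-RequestFileEncoding -Path $src) {
        'Empty'          { throw 'Request file is empty.' }
        'DER'            { throw 'Binary (DER) request: no text encoding to fix.' }
        'UTF-16LE-NoBOM' { $text = [IO.File]::ReadAllText($src, [Text.Encoding]::Unicode) }
        'UTF-16BE-NoBOM' { $text = [IO.File]::ReadAllText($src, [Text.Encoding]::BigEndianUnicode) }
        default          { $text = [IO.File]::ReadAllText($src) }   # honours a BOM if present
    }
    # A Base64 request is pure ASCII; refuse to write if conversion would lose data.
    if ($text -match '[^\x00-\x7F]') { throw 'Non-ASCII characters found; not a Base64 request.' }
    [IO.File]::WriteAllText($dst, $text, [Text.Encoding]::ASCII)    # no BOM is written
}

# Constructed sample: placeholder Base64 body, saved as UTF-16LE with a BOM.
$sample = "-----BEGIN NEW CERTIFICATE REQUEST-----`r`nQ09OU1RSVUNURUQ=`r`n" +
          "-----END NEW CERTIFICATE REQUEST-----`r`n"
$reqIn  = Join-Path $env:TEMP 'cert-unicode.req'
$reqOut = Join-Path $env:TEMP 'cert-ansi.req'
[IO.File]::WriteAllText($reqIn, $sample, [Text.Encoding]::Unicode)
"before: $(Get-RequestFileEncoding $reqIn)"
Convert-RequestFileToAnsi -Path $reqIn -Destination $reqOut
"after:  $(Get-RequestFileEncoding $reqOut)"
```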

Problem solved. Thank you very much.
- ThePro
December 27th, 2010 2:24pm

This topic is archived. No further replies will be accepted.
