Hi all,
I'm unable to renew a user's email certificate - just getting error 0x800b0101 (-2146762495).
Active Directory Certificate Services could not process request 19 due to an error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495). The request was for E=alice.smart@aptest.com, CN=Alice Smart, CN=Users, DC=aptest, DC=com. Additional information: Error Verifying Request Signature or Signing Certificate
The problem that I have is that my CA certificate is VALID until 2019. The CA is up and running (green checkmark symbol next to the CA when opening the snap-in).
Any thoughts on how to resolve this? Am I missing some cert which might have expired?
The only other thing I saw was that my DC did get some new machine certs (also hosting the CA) but that shouldn't be relevant in the end...
Also:
C:\>certutil -urlfetch -verify C:\install\ca-cert.cer
Issuer:
CN=aptest-CA
DC=aptest
DC=com
Subject:
CN=aptest-CA
DC=aptest
DC=com
Cert Serial Number: 47204d031e13b683465b2a4fc880588e
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=aptest-CA, DC=aptest, DC=com
NotBefore: 05.08.2014 14:06
NotAfter: 05.08.2019 14:16
Subject: CN=aptest-CA, DC=aptest, DC=com
Serial: 47204d031e13b683465b2a4fc880588e
10 82 07 bc 84 06 72 0d 19 44 3b b5 f5 71 ca f4 c2 fe ba ff
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
10 82 07 bc 84 06 72 0d 19 44 3b b5 f5 71 ca f4 c2 fe ba ff
------------------------------------
Verified Issuance Policies: All
Verified Application Policies: All
Cert is a CA certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Thx for helping!
BR
Dan
- Edited by gongul Wednesday, August 19, 2015 12:15 PM