Using certreq-command to issue certificates
Hi,
I have a problem with certificates, too.
I want to request certificates on the domain controller
through cmd with the command certreq.
My .inf file looks like this:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=Kauri"
EncipherOnly = FALSE
Exportable = TRUE
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xf0
MachineKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
UserProtected = FALSE
UseExistingKeySet = FALSE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "ComputerV3"
SAN="dns=server.example.com&dns=example.com"
With the command "certreq -new" I create a .req file.
Then I use the command "certreq -submit" to create the certificate:
Sorry, it's German...
Then I export the certificate to a client and try to connect using EAP-TLS. The problem is that the client laptop doesn't
recognize the self-created certificate. The error "there are no certificates to...." is shown.
But if I request the certificate using the web interface "certsrv", without an .inf and a .req file, the certificate is OK. The connection with 802.1X EAP-TLS works fine.
Does anybody have an idea what the problem could be? Can anybody tell me if the command
"certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2"
is necessary? The command does not run in cmd and I get an error.
September 22nd, 2011 1:01pm
If you require a computer certificate, you need to set MachineKeySet = TRUE in the .inf file. This specifies that the certificate will be put into the local computer store.
Is the problem that the certificate is being generated without the Subject Alternative Name setting?
If you can request a working cert from the web enrollment page, why do you need to use certreq?
Cheers
Jason Jones |
Forefront MVP | Silversands Ltd | My Blogs:
http://blog.msedge.org.uk and
http://blog.msfirewall.org.uk
September 22nd, 2011 3:02pm
Hi jimbo195,
Did you install the certificate of your root CA in the Trusted Root store on the laptop?
The SAN needs to have a valid DNS name for the authentication to succeed.
Did you run certutil with elevated privileges on your CA?
September 22nd, 2011 6:46pm
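The replies above point at four things to verify on the machine that holds the issued certificate: it sits in the local computer store with its private key, it carries the EKUs from the .inf, its SAN lists the expected DNS name, and it chains to a trusted root. The following PowerShell script is an added example (not from this thread or from Microsoft) that checks all four after "certreq -accept"; it assumes the CN "Kauri" and the DNS name server.example.com from the .inf above and must be run on the Windows host where the certificate was installed.

```powershell
# Added example: sanity-check an issued certificate for EAP-TLS use.
# Assumptions: subject CN and SAN DNS name taken from the .inf in the question.
param(
    [string]$SubjectCN   = 'Kauri',
    [string]$ExpectedDns = 'server.example.com'
)

# 1. A computer certificate must be in the machine store with a private key
#    (this is what MachineKeySet = TRUE in the .inf controls).
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$SubjectCN" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with CN=$SubjectCN in LocalMachine\My (check MachineKeySet)"
    return
}
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no associated private key' }

# 2. EAP-TLS needs Client Authentication on the supplicant side and
#    Server Authentication on the server side (the two OIDs in the .inf).
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($ekus -notcontains $oid) { Write-Warning "EKU $oid missing" }
}

# 3. The Subject Alternative Name extension (OID 2.5.29.17) must carry the
#    DNS name the peer expects; a CA policy can silently drop request SANs.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) {
    Write-Warning 'No Subject Alternative Name extension on the issued certificate'
} elseif ($san.Format($true) -notmatch [regex]::Escape($ExpectedDns)) {
    Write-Warning "SAN does not list ${ExpectedDns}: $($san.Format($false))"
}

# 4. The chain must build to a root present in this machine's Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use Online in production
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: $($cert.Thumbprint) chains to $($root.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)"
    }
}
```

Run the same script on the laptop after importing the certificate; a chain failure there while the CA host passes usually means the root CA certificate is missing from the laptop's Trusted Root store.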