Windows 2008 R2 and Enrollment Agent Certificate
Hi, I have installed a Windows 2008 R2 Server with ADCS. I have issued an Enrollment Agent Certificate (Computer) template and also a smart card logon template that requires an Enrollment Agent Certificate signature before it can be sent to the CA. I issued the Enrollment Agent Certificate on the computer that is hosting the CA, i.e. Windows 2008 R2, via the MMC (computer). Then I tried to issue a smart card logon certificate on the same computer, via the MMC (user). The MMC showed the templates that could be issued to the user. I selected the smart card logon template. The template showed that it needed additional information (signature from an enrollment agent cert). When I tried to find the Enrollment Agent cert in the MMC, the certificate could not be found. I am experiencing the same via the code I have written. Any ideas why it does not work? Do I need to have the enrollment agent cert on a computer other than the one hosting the CA?
March 30th, 2010 6:26am

To Enroll On Behalf Of for user certificates (smart card logon) you must obtain an Enrollment Agent (User) certificate. http://www.sysadmins.lv
March 30th, 2010 8:42am

When I try to issue a certificate on behalf of another user (MMC (User) --> Personal --> Certificate --> Advanced Operations --> Enroll on behalf of...), I don't see the smart card logon template which is configured to require at least one signature.
March 30th, 2010 6:41pm

Also, we have a working application that used to issue smart card logon certs using the cert enrollment agent certificate programmatically and issue certificates on behalf, in the 2003 and as late as the 2008 Enterprise version of the CA. Now we are using the 2008 R2 Standard server as the CA, and the CA keeps denying the request. The error is basically "denied by policy module, the request did not contain any valid signatures or the signatures were not found". Any ideas? Could it be a 2008 R2 Standard thing? How can I get more information on this policy module?
March 31st, 2010 7:23am

Here is the sample certificate request that fails. We had no problems making such requests with Windows 2003 CA with enterprise CA. The 2008 CA rejects the request, with the error of "no signatures were accepted". The only difference in this env is that this request used to work with the Domain at 2000 functional level and now it is at 2003 functional level.
April 1st, 2010 11:38am

Is there a way to enable extra logging at the CA to see why exactly the request is failing?
April 1st, 2010 12:19pm

Please show the settings of your template, especially the Issuance Requirements tab. http://www.sysadmins.lv
April 1st, 2010 12:47pm

The Issuance Requirements for the template are: CA certificate manager approval (not checked); This number of authorized signatures (checked, with 1 specified); Policy type required in signature = Application Policy; Application policy = Any Purpose. The rest in the other template tabs are default, as when you copy the template.
April 1st, 2010 6:14pm

In the application policy drop-down list, select Certificate Request Agent. http://www.sysadmins.lv
April 1st, 2010 6:22pm
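
The setting named in the reply above can also be read straight from Active Directory. The following is an added example, not part of the original thread: it lists every certificate template that requires authorized signatures and shows which application policy the signing certificate must carry. It assumes the ActiveDirectory PowerShell module and read access to the configuration partition; `msPKI-RA-Signature` and `msPKI-RA-Application-Policies` are the template attributes that back the "This number of authorized signatures" and "Application policy" fields.

```powershell
# Added example: audit the Issuance Requirements of certificate templates.
Import-Module ActiveDirectory

$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$AnyPurposeOid   = '2.5.29.37.0'              # Any Purpose

# Templates are stored in the forest's configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Only templates that demand at least one authorized signature.
$filter = '(&(objectClass=pKICertificateTemplate)(msPKI-RA-Signature>=1))'

Get-ADObject -SearchBase $base -LDAPFilter $filter `
    -Properties displayName, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies' |
ForEach-Object {
    # Extract dotted OIDs from each attribute value, whatever text surrounds them.
    $oids = @($_.'msPKI-RA-Application-Policies' | ForEach-Object {
        [regex]::Matches([string]$_, '\d+(\.\d+){3,}') | ForEach-Object { $_.Value }
    })

    if ($oids -contains $RequestAgentOid) {
        $finding = 'OK: signature must come from a Certificate Request Agent certificate'
    } elseif ($oids -contains $AnyPurposeOid) {
        $finding = 'CHECK: Any Purpose (the setting that was rejected in this thread)'
    } elseif ($oids.Count -eq 0) {
        $finding = 'CHECK: no application policy required in the signature'
    } else {
        $finding = 'CHECK: other application policy required'
    }

    New-Object PSObject -Property @{
        Template           = $_.displayName
        RequiredSignatures = $_.'msPKI-RA-Signature'
        RequiredPolicyOids = ($oids -join '; ')
        Finding            = $finding
    }
} | Select-Object Template, RequiredSignatures, RequiredPolicyOids, Finding
```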

Yup, that was the answer. Thanks a million :) On a side note, do you know of any documentation about the changes that have been made to CA 2008 that are different from 2003?
April 2nd, 2010 7:16am

There are a lot of changes between 2003 and 2008 certificate services. You can check the following document: http://www.microsoft.com/downloads/details.aspx?familyid=9BF17231-D832-4FF9-8FB8-0539BA21AB95&displaylang=en Note that this document is based on Windows Server 2008 beta versions. However, there weren't significant changes between the betas and RTM. http://www.sysadmins.lv
April 2nd, 2010 9:16am
