Multiple errors regarding CA Exchange certificate.

EventID = 96:Active Directory Certificate Services could not create an encryption certificate. Requested by FROOT\WOOLYWILLOW$ Invalid Application Policies: 1.3.6.1.4.1.311.21.5. The certificate has invalid policy. 0x800b0113 (-2146762477).

EventID = 87:Active Directory Certificate Services could not use the default provider for encryption keys. Keyset does not exist 0x80090016 (-2146893802)

I have been searching online for the past few days and can't seem to find a solution. We are not doing key archival, and we are only using the PKI for SSL certificates. No recovery agents are defined. Thanks in advance for any assistance.
Fed
September 23rd, 2010 11:56am

Wondering if anyone else is experiencing this? Please help. Thanks
September 27th, 2010 11:50am

Hi, It seems that the CA has been restricted from issuing CA encryption certificate. Do you define the EnhancedKeyUsageExtension in the CAPolicy.inf file? This section is used to restrict the types of certificates a CA can issue.
September 28th, 2010 2:41am

[Version]
Signature="$Windows NT$"
[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=5
RenewalValidityPeriod=years
CRLPeriod=7
CRLPeriodUnits=days
CRLOverlapPeriod=4
CRLOverlapUnits=hours
CRLDeltaPeriod=12
CRLDeltaPeriodUnits=hours
DiscreteSignatureAlgorithm=1
LoadDefaultTemplates=1

That is our CAPolicy file on the issuing server.
September 29th, 2010 11:14am

What is the CAPolicy.inf on the parent CAs? Restrictions set on the root or policy will affect the issuing CA? There appear to be no issues (other than you should delete the DiscreteSignatureAlgorithm=1 line) <G> I know where you got that from.
Brian
September 29th, 2010 12:44pm

[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod=days
CRLPeriodUnits=360
CRLOverlapPeriod=weeks
CRLOverlapUnits=2
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
DiscreteSignatureAlgorithm=1

Sorry for the late response. For some reason I am not being emailed when a reply is posted. Think I have it sorted out now. Attached is our inter policy. Thanks
October 1st, 2010 12:54pm

Bump, is it something we need to have or if not is there a way to not have it issued? Thanks
October 11th, 2010 11:16am
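
The check asked about in the reply above, as an added example that is not part of the thread: a small Python parser that looks for an [EnhancedKeyUsageExtension] section in a CAPolicy.inf and reports whether the OID from Event 96 is on its list. The first sample is abridged from the intermediate CA file posted above, the second is constructed, and the function names and verdict strings are this example's own.

```python
import re

CA_EXCHANGE_OID = "1.3.6.1.4.1.311.21.5"  # OID named in Event 96 in the first post

def parse_inf(text):
    """Parse INF text into {section: [(key, value), ...]}, keeping repeated keys such as OID."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment (simplified: no quoted ';')
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def eku_verdict(text, oid=CA_EXCHANGE_OID):
    """Say whether this file's [EnhancedKeyUsageExtension] section, if any, lists the OID."""
    sections = parse_inf(text)
    if "enhancedkeyusageextension" not in sections:
        return "no-eku-section"  # this file requests no EKU restriction
    allowed = [v for k, v in sections["enhancedkeyusageextension"] if k == "oid"]
    return "allowed" if oid in allowed else "restricted"

# Abridged from the intermediate CA file posted in the thread. Its only OID line
# sits under an issuance policy section, not under an EKU section.
THREAD_INTERMEDIATE = """\
[Version]
Signature= "$Windows NT$"
[PolicyStatementExtension]
Policies = AllIssuancePolicy
Critical = FALSE
[AllIssuancePolicy]
OID = 2.5.29.32.0
"""

# Constructed sample (not from the thread): a CA limited to two EKUs.
CONSTRUCTED_RESTRICTED = """\
[Version]
Signature="$Windows NT$"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
Critical=No
"""

if __name__ == "__main__":
    for name, text in [("thread", THREAD_INTERMEDIATE), ("constructed", CONSTRUCTED_RESTRICTED)]:
        print(name, "->", eku_verdict(text))
```

CAPolicy.inf is only read when a CA is installed or its certificate is renewed, so the CA certificates in the chain remain the authoritative place to confirm what this check suggests.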

This topic is archived. No further replies will be accepted.
