RE: First Enterprise Root CA - [WP]




I am getting this error on my Root CA Server ... it appears that only user
certs are being issued and machine certs are not ...

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
Date: 7/8/2009
Time: 11:24:21 AM
User: N/A
Computer: RCA001

Description:
Certificate Services could not publish a Certificate for request 70 to the
following location on server DC02.dom.com:

CN=wifi,OU=Users,OU=RANDD GPO,OU=dom,DC=dom,DC=com.

Insufficient access rights to perform the operation. 0x80072098 (WIN32:
8344).ldap: 0x32: 00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0

can't find much help.








"WildPacket" wrote:

ok .. I think the Default GPO for DCs has the option under computer config ->
windows settings -> Public Key Policies -> Autoenrollment and only enroll
certs automatically is selected.

I need to select the other 2 options too ... which are renew certs ..... and
update certs .....

I was testing in lab and I noticed when the cert is renewed the old cert
still shows in the CA Admin Console. I have to manually revoke.

Should they not automatically go away once the cert is renewed????











"WildPacket" wrote:


In production .... deployed my first Enterprise Root CA running on a member
server, Windows 2003 Enterprise version.

I have noticed that it has automatically assigned certs to all the DCs in
the forest/domain. The certs are valid for 1 year.

Where is this cert/template called "domain controller" sitting? I want to
make sure that these certs automatically renew after 1 year on the DCs.
How/Where can I check that?

Advise Please.

Thanks