can't get new or renew certs from exchange only after root ca cert expired

From: Jeff Allen (jeff.allen_at_pikatech.com)
Date: 01/12/05 

Date: 12 Jan 2005 07:07:43 -0800

Recently one of my clients email encryption expired and when we tried
to renew her certificate we get the standard error "The message from
the Microsoft Exchange Key Management Server could not be processed.
Contact your administrator for a new security token, and set up
advanced security again." I have tried to enroll other accounts and
they all get the same message if they are new or current users. We did
have this problem in the past and it was related to the CA having an
expired cert. I checked this and the cert is fine and I even renewed
it to be safe.
 
I get the error below in the app log of the Exchange/KMS server with
and event ID: 5005 with a source of MSExchangeKMS when trying to
enable Advanced Security. (this is a brand new test account I have
created)
 
Mailbox "o=xxxxxx, ou=xxxxxx, cn=recipients, cn=testuser" has failed
being enabled or recovered.
 
And I get the error below on the CA event ID: 21 source of CertSvc.
 
Certificate Services could not process request 1148 due to an error: A
certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112
(-2146762478). The request was for CN=testuser, CN=recipients,
OU=xxxxxx, O=xxxxxx.
 
I was able to renew another CA from the main CA that the KMS talks to
and I can renew certs for websites on our internal network... just the
exchange that is giving us problems...
 
 
Any help you could provide would be greatly appreciated.
 

microsoft.public.security.crypto

 

microsoft.public.exchange2000.admin

 

microsoft.public.exchange2000.general

Relevant Pages

  • Re: Confusion RE: Transport Security Layer
    ... If you choose not to use Cert ... there are plenty of public certificate authorities out there. ... > server that requires TSL. ... >>>does this apply to Exchange 2K3. ...
    (microsoft.public.exchange.admin)
  • Re: Pocket PC 2003 - Can access OMA etc, but cannot sync with ActiveSync
    ... I think I originally imported the wrong cert from the workstation. ... of problem on SBS2k and Win2k where Exchange is in the default site and the ... I tried to install the certificate yesterday ...
    (microsoft.public.windows.server.sbs)
  • Re: Encryption
    ... I suppose you could give everyone the same certificate, ... But to use TLS you need not trust the other's cert. ... In the case of servers, ... MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm ...
    (microsoft.public.exchange.admin)
  • kms problems... or is it?
    ... to renew her certificate we get the standard error "The message from ... the Microsoft Exchange Key Management Server could not be processed. ... I checked this and the cert is fine and I even renewed ... I was able to renew another CA from the main CA that the KMS talks to ...
    (microsoft.public.exchange2000.general)
  • KMS problems... or not???
    ... to renew her certificate we get the standard error "The message from ... the Microsoft Exchange Key Management Server could not be processed. ... I checked this and the cert is fine and I even renewed ... I was able to renew another CA from the main CA that the KMS talks to ...
    (microsoft.public.exchange2000.general)