saeidfaraji98

Reputation: 11

no certificate available when enrolling on behalf

I have one WinServer 2008 Domain controller and a CA server on it. I log in with the Administrator account and want to request a certificate "on behalf" of a user of my DC.

To do that, I first duplicated these certificate templates:

I changed the configuration and permissions for the new templates so that the Administrator account can read, write and enrol for these templates.

After creating these new templates and assigning permissions and configuration, in the MMC Certificates snap-in for the user account, under the "Personal" section, we requested a new certificate for the Administrator account to make it an enrollment agent, as shown below:

[screenshot]

It is generated with no problem, and then we want to request a certificate on behalf of a user with this new certificate. But in "Select enrolment agent certificate", when we click the "Browse" button, there is no certificate to select, as shown below:

[screenshot: there is no certificate available to choose]

I read a lot of documents online, but I did not find the reason for this problem or a solution to it!

Upvotes: 0

Views: 4845

Answers (2)

Daniel Fisher  lennybacon

Reputation: 4184

You need an enrollment agent certificate in the local user store (certmgr.msc)/machine store (certlm.msc) to request on behalf of. This is done by setting the signature count on the template.

If the signature count is not 0 you cannot enroll - because you first need an enrollment agent certificate...

  1. Set the signature count on the enrollment agent certificate template to 0.
  2. Enroll an enrollment agent certificate. The dialog will not pop up.
  3. Set the signature count on another certificate template to 1.
  4. Enroll a certificate based on the template in step 3. The dialog will pop up. Select the certificate enrolled in step 2. Done.

Upvotes: 1

Trooper

Reputation: 1

I have the same problem too (cannot choose an existing enrollment cert).

The solution (maybe):

Check the access to the published CRL and/or refresh the CRL cache on your enrollment workstation.

From elevated command line:

  1. Delete the old cache: certutil -urlcache crl delete
  2. Resync the CRL cache: certutil -setreg chain\ChainCacheResyncFiletime @now

Upvotes: 0
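An added check (example code, not from either answer) that tests both conditions the two answers describe: the signature count (msPKI-RA-Signature) on each template in Active Directory, and whether an enrollment agent certificate actually sits in the current user's Personal store with a private key and a chain that validates. It assumes Windows PowerShell on a domain-joined machine, run as the account that should act as enrollment agent, with read access to the Configuration partition.

```powershell
# Added example, not the thread's own code. Assumes Windows PowerShell on a
# domain-joined machine, run as the intended enrollment agent.

$AgentEku = '1.3.6.1.4.1.311.20.2.1'   # "Certificate Request Agent" EKU OID

# 1. Signature count on each template. Per the first answer, the enrollment agent
#    template must require 0 signatures; the template enrolled on behalf of needs 1.
$configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templates = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

'--- templates ---'
foreach ($tpl in $templates.Children) {
    $name = $tpl.Properties['cn'].Value
    $sigs = [int]($tpl.Properties['msPKI-RA-Signature'].Value)   # null -> 0
    $ekus = @($tpl.Properties['pKIExtendedKeyUsage'].Value)
    $role = if ($ekus -contains $AgentEku) { 'agent template' } else { 'subject template' }
    '{0,-40} {1,-17} signatures required: {2}' -f $name, $role, $sigs
}

# 2. Enrollment agent certificates in the current user's store (certmgr.msc, Personal).
'--- enrollment agent certificates in Cert:\CurrentUser\My ---'
$agentCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $AgentEku })
}
if (-not $agentCerts) {
    'None found: step 2 of the first answer has not produced a certificate in this store.'
}
foreach ($c in $agentCerts) {
    # Verify() builds the chain with revocation checking, so an unreachable or stale
    # CRL (the second answer's case) shows up here as "valid chain: False".
    '{0}  private key: {1}  valid chain: {2}  expires: {3}' -f `
        $c.Thumbprint, $c.HasPrivateKey, $c.Verify(), $c.NotAfter
}
```

A certificate that is listed but has no private key or fails chain validation will not be offered in the "Select enrolment agent certificate" dialog, which narrows the problem to the key location or the CRL before touching the templates again.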
