
I have the following AD configuration:

rootca (standalone, not domain connected)

  • mydom.local
    • dc1.mydom.local
    • svr1.mydom.local
    • subca.mydom.local (enterprise subordinate CA)
    • other.mydom.local
      • dc1.other.mydom.local
      • svr1.other.mydom.local

I can register webserver certificates OK for svr1.mydom.local, however I log into svr1.other.mydom.local with the child domain administrator and I get the following error:

Permissions on the certificate template do not allow the current user to enroll for this type of certificate (0x80094012)

I think this must be related to permissions; however, I am not sure how to proceed. What is the best practice to allow child domain administrators to request certificates from the subordinate CA located in the parent domain?

My inf file is below:

[NewRequest]
Subject="CN=svr1.other.mydom.local"
Exportable=TRUE
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = WebServer

and I am running the following commands on svr1.other.mydom.local as administrator@other.mydom.local:

certreq -new c:\svr1.inf c:\svr1.req
certreq -submit c:\svr1.req c:\svr1.cer

The error occurs on the second command (certreq -submit).

1 Answer

Is the user a member of a security group that has Read and Enroll permission on the certificate template? That is required.

Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29

When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.

However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used.

  • Thanks. The user requesting is the child domain administrator. Looking at the template permissions I see Enterprise Admins and Domain Admins; is it acceptable/good practice to add the child domain admin group to these permissions? – morleyc Jul 19 '12 at 14:07
  • I'm not sure if this is a good-practice scenario. Seems like the only option for someone to use a template to enroll a cert is to have permission to do so. It's not as if you have another choice for where the templates are located or which template location to use. – Greg Askew Jul 19 '12 at 15:03
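The answer's point, that certreq is evaluated against the requesting user's token rather than the computer's, can be checked before submitting the request. The following PowerShell is an added example and is not code from the question or the answer. It assumes the ActiveDirectory RSAT module is installed on the machine where certreq is run, that it is run as the same account that will call certreq (administrator@other.mydom.local in the question), and it uses the WebServer template name from the question; the two extended-right GUIDs are the schema's Certificate-Enrollment right and an empty GUID meaning "all extended rights". Because certificate templates live in the forest-wide Configuration partition, the lookup works the same from the child domain as from the root domain.

```powershell
# Added example, not code from the question or the answer.
# Assumes the ActiveDirectory RSAT module is present and that the script runs
# as the account that will later run certreq.
Import-Module ActiveDirectory

function Test-TemplateEnrollPermission {
    param([string]$TemplateName = 'WebServer')   # template name taken from the question

    # Schema GUID of the Certificate-Enrollment extended right ("Enroll" in the MMC).
    $enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

    # Templates are objects under the forest-wide Configuration partition, so a
    # child-domain DC returns the same object as the root-domain DC.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dn    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    $acl   = Get-Acl -Path "AD:\$dn"

    # The token the CA evaluates for a certreq request: the user's own SID plus
    # every group SID in the logon token (nested groups included). The computer
    # account is not consulted, which is why MachineKeySet=TRUE does not help.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $hasRead = $false; $hasEnroll = $false; $matched = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned principal that can no longer be resolved
        if ($mySids -notcontains $sid) { continue }
        $matched += $ace.IdentityReference.Value

        $r = $ace.ActiveDirectoryRights
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $hasRead = $true; $hasEnroll = $true
        }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -or
            $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) {
            $hasRead = $true
        }
        if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # An empty ObjectType grants every extended right, which includes Enroll.
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $enrollGuid) {
                $hasEnroll = $true
            }
        }
    }

    [pscustomobject]@{
        Template   = $TemplateName
        User       = $me.Name
        HasRead    = $hasRead
        HasEnroll  = $hasEnroll
        GrantedVia = ($matched | Sort-Object -Unique) -join ', '
    }
}

# Both HasRead and HasEnroll must be True for this account before
# "certreq -submit" against this template can succeed; a False in either
# column is the condition behind error 0x80094012 in the question.
Test-TemplateEnrollPermission -TemplateName 'WebServer'
```

GrantedVia lists the principals on the template ACL that the current token actually matched, which answers the follow-up comment directly: if the child domain's administrator group is not among them and the account is not a member of Enterprise Admins or the parent domain's Domain Admins, the template has to grant Read and Enroll to a group that account belongs to. The same ACL can also be viewed with certutil -v -Template WebServer, but that output does not tell you which entries apply to the current user.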