Windows 10: Error enrolling certificates from our Enterprise Root CA - Some Servers and Some...

Discussion in 'Windows 10 Software and Apps' started by KayZerSoze, Aug 16, 2022.

  1. Error enrolling certificates from our Enterprise Root CA - Some Servers and Some...


    Error enrolling certificates from our Enterprise Root CA - Some Servers and Some Certificates only

    The generic error is: Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from BRRJ1-SRV0024.qgog.ad\CA The RPC server is unavailable. 0x800706ba WIN32: 1722 RPC_S_SERVER_UNAVAILABLE.

    the detailed error is: An error occurred while enrolling for a certificate. A certificate request could not be created. Url: BRRJ1-SRV0024.qgog.ad\CA Error: A certification chain processed correctly, but one of the CA certificates is not trusted b

    :)
     
    KayZerSoze, Aug 16, 2022
    #1

  2. Error enrolling certificates from our Enterprise Root CA - Some Servers and Some Certificates only

    Error enrolling certificates from our Enterprise Root CA - Some Servers and Some Certificates only

    The generic error is:

    Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from BRRJ1-SRV0024.MYADCOMAIN\CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).

    the detailed error is

    An error occurred while enrolling for a certificate.

    A certificate request could not be created.

    Url: BRRJ1-SRV0024.qgog.ad\CA

    Error: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

    At the CA itself in SOME Servers, I can enroll for certificates

    At clients, I can't enroll any "computer" certificate

    I tried to create a new template, nothing

    I copied a template, generating a new one, nothing

    But it hid a big, big problem

    The problem started to be noticed in the first week of August, and at first we thought it was related to the May Update 2022, because some changes related to certificate authentication were introduced, but now it's unlikely to be that, because we uninstalled the patches since May and the registry keys to circumvent the problem don't work

    C:\WINDOWS\system32>Certutil -ping -config CA

    Connecting to CA ...

    Server "CA" ICertRequest2 interface is alive (718ms)

    CertUtil: -ping command completed successfully.

    nltest /sc_verify:qgog

    Flags: b0 HAS_IP HAS_TIMESERV

    Trusted DC Name \\MyCAServer

    Trusted DC Connection Status Status = 0 0x0 NERR_Success

    Trust Verification Status = 0 0x0 NERR_Success

    The command completed successfully

    so, new error:

    The certificate (#1) of Active Directory Certificate Services CA does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. The directory replication may not be completed.

    probably because we changed from SHA-1 to SHA256 and extended the date limit for certificate-issuing at the CA

    Using -dspublish and -addstore, I was able to get things right

    So, new permissions were tried:

    dsacls "cn=adminsdholder,cn=system,dc=qgog,dc=ad" /G "DOMAIN\Cert Publishers:WP;userCertificate"

    dsacls "cn=adminsdholder,cn=system,dc=qgog,dc=ad" /G "DOMAIN\Cert Publishers:RP;userCertificate"

    So, new changes

    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\SetupStatus:

    Old Value:

    SetupStatus REG_DWORD = 6003 (24579)

    SETUP_SERVER_FLAG -- 1

    SETUP_CLIENT_FLAG -- 2

    SETUP_DCOM_SECURITY_UPDATED_FLAG -- 2000 (8192)

    SETUP_SERVER_IS_UP_TO_DATE_FLAG -- 4000 (16384)

    New Value:

    SetupStatus REG_DWORD = 4003 (16387)

    SETUP_SERVER_FLAG -- 1

    SETUP_CLIENT_FLAG -- 2

    SETUP_SERVER_IS_UP_TO_DATE_FLAG -- 4000 (16384)

    CertUtil: -setreg command completed successfully.

    The CertSvc service may need to be restarted for changes to take effect.

    We tried to activate DEBUG, no luck, nothing at the CA logs

    C:\WINDOWS\system32>certutil.exe -f -setreg ca\debug 0xffffffff

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA\debug:

    Old Value:

    debug REG_DWORD = ffffffe3 (-29)

    New Value:

    debug REG_DWORD = ffffffff (-1)

    CertUtil: -setreg command completed successfully.

    The CertSvc service may need to be restarted for changes to take effect.

    Now, more checks:

    net localgroup "Certificate Service DCOM Access"

    Alias name Certificate Service DCOM Access

    Comment Members of this group are allowed to connect to Certification Authorities in the enterprise

    Members

    -------------------------------------------------------------------------------

    Domain Controllers

    NT AUTHORITY\Authenticated Users

    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

    Permissions were OK

    Error message (certsvc or autoenrollment) when requesting certificates from Microsoft CA



    We also tried this.. no luck!

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" /v CallFailureLoggingLevel /d 00000001 /t REG_DWORD

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" /v ActivationFailureLoggingLevel /d 00000001 /t REG_DWORD
     
    KayZerSoze, Aug 17, 2022
    #2
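
    Added example, not part of the original post: a Python helper that decodes the two error codes and the SetupStatus change quoted in post #2. It shows that 0x800706ba is a Win32 (RPC transport) failure while 0x800b0112 comes from the certificate facility, and confirms which bit the certutil -setreg call cleared. The function names are hypothetical, and the flag table and sample text contain only values that appear in the post.

```python
import re

# Facility numbers from winerror.h for the two errors quoted in the post.
FACILITIES = {7: "FACILITY_WIN32", 11: "FACILITY_CERT"}

# SetupStatus bits exactly as certutil printed them in the post.
SETUP_FLAGS = {
    0x1: "SETUP_SERVER_FLAG",
    0x2: "SETUP_CLIENT_FLAG",
    0x2000: "SETUP_DCOM_SECURITY_UPDATED_FLAG",
    0x4000: "SETUP_SERVER_IS_UP_TO_DATE_FLAG",
}

def decode_hresult(value):
    """Split a 32-bit HRESULT into signed form, failure bit, facility and code."""
    value &= 0xFFFFFFFF
    signed = value - (1 << 32) if value & 0x80000000 else value
    facility = (value >> 16) & 0x7FF          # bits 16-26
    return {
        "signed": signed,
        "failure": bool(value >> 31),         # severity bit
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,               # Win32 code when FACILITY_WIN32
    }

def setup_flags(value):
    """Return (names of known bits set, leftover unknown bits)."""
    names = [name for bit, name in SETUP_FLAGS.items() if value & bit]
    return names, value & ~sum(SETUP_FLAGS)

def setreg_diff(output):
    """Parse 'certutil -setreg SetupStatus' output into (cleared, added) flags."""
    old_hex, new_hex = re.findall(r"SetupStatus REG_DWORD = ([0-9a-fA-F]+)", output)
    old, _ = setup_flags(int(old_hex, 16))
    new, _ = setup_flags(int(new_hex, 16))
    return [f for f in old if f not in new], [f for f in new if f not in old]

# Sample trimmed from the certutil output quoted in the post.
SAMPLE = """Old Value:
SetupStatus REG_DWORD = 6003 (24579)
New Value:
SetupStatus REG_DWORD = 4003 (16387)
"""

if __name__ == "__main__":
    for hr in (0x800706BA, 0x800B0112):
        print(hex(hr), decode_hresult(hr))
    print(setreg_diff(SAMPLE))
```
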
  3. zooshan Win User
    Enterprise root CA recommendation

    Hi guys,

    I am fairly new to PKI so have some basic questions about enterprise two tier PKI.

    Let's say we have a root server, which is not a member of the domain and normally stays powered down until we need to renew the intermediate CA certificate.

    Does Microsoft recommend the root server as a virtual machine, or can we simply have the root server on a CD, so that whenever we need to bring up the root server we just pop in the CD and boot the root server? So basically, is there any well established recommendation from Microsoft in favor of a root server on CD versus a separate root server VM?

    Thanks!!
     
    zooshan, Aug 17, 2022
    #3