Child domain new cert request – certificate template permissions do not allow current user to enroll 0x80094012

active-directory ad-certificate-services pki

I have the following AD configuration:

rootca (standalone not domain connected)

  • mydom.local
    • dc1.mydom.local
    • svr1.mydom.local
    • subca.mydom.local (enterprise subordinate CA)
    • other.mydom.local
      • dc1.other.mydom.local
      • svr1.other.mydom.local

I can register webserver certificates OK for svr1.mydom.local; however, when I log into svr1.other.mydom.local as the child domain administrator, I get the following error:

Permissions on the certificate template do not allow the current user to enroll for this type of certificate (0x80094012)

I think this must be related to permissions; however, I am not sure how to proceed. What is the best practice to allow child domain administrators to request certificates from the subordinate CA located in the parent domain?

My inf file is below:

[NewRequest]
Subject="CN=svr1.other.mydom.local"
Exportable=TRUE
KeyLength=2048
KeySpec=1
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[RequestAttributes]
CertificateTemplate = WebServer

and I am running the following commands on svr1.other.mydom.local as administrator@other.mydom.local:

certreq -new c:\svr1.inf c:\svr1.req
certreq -submit c:\svr1.req c:\svr1.cer ; I get the error here

Best Answer

Is the user a member of a security group that has Read and Enroll permission on the certificate template? That is required.

Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29

When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.

However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used.
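To make the answer's point concrete, below is an added PowerShell check (it is not part of the original question or answer). Run it as the requesting user on the client, for example as administrator@other.mydom.local on svr1.other.mydom.local: it reads the ACL of the certificate template from the forest's Configuration partition, resolves which trustees hold Read and Enroll, and tells you whether the SIDs in the current user's own access token (user plus nested groups, which is what the CA evaluates for a Certreq.exe request) actually match one of them. It assumes the RSAT ActiveDirectory module is installed, that the template is named WebServer as in the question's inf file, and that the forest root domain is mydom.local; the two GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment extended rights, which are fixed in every forest.

```powershell
# Added example, not from the original question or answer.
# Assumes: RSAT ActiveDirectory module, template "WebServer", forest root mydom.local.
# Certificate templates exist once per forest in the Configuration naming context,
# which every domain controller (including those in other.mydom.local) holds.
Import-Module ActiveDirectory

$templateName = 'WebServer'
$forestRootDn = 'DC=mydom,DC=local'
$templateDn   = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services," +
                "CN=Services,CN=Configuration,$forestRootDn"

# Schema GUIDs of the enrollment extended rights (constant across forests).
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Test-AdRight {
    # True if the ACE's access mask contains the named ActiveDirectoryRights flag.
    param($Rights, [string]$Flag)
    ([int]$Rights -band [int]([System.DirectoryServices.ActiveDirectoryRights]$Flag)) -ne 0
}

# SIDs in the current user's token: the user SID plus all (nested) group SIDs.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

$acl = Get-Acl -Path "AD:\$templateDn"

$hasRead = $false; $hasEnroll = $false; $denyRead = $false; $denyEnroll = $false
$enrollers = @()   # trustees that are allowed to Enroll, regardless of who is running this

foreach ($ace in $acl.Access) {
    # Resolve the trustee to a SID so it can be compared with the token; skip orphaned SIDs.
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { continue }

    # "Read" in the template console is GenericRead, which includes ReadProperty.
    $grantsRead   = Test-AdRight $ace.ActiveDirectoryRights 'ReadProperty'
    # "Enroll" is an extended right; an all-zero ObjectType means every extended right.
    $grantsEnroll = (Test-AdRight $ace.ActiveDirectoryRights 'ExtendedRight') -and
                    ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq [guid]::Empty)
    $grantsAuto   = (Test-AdRight $ace.ActiveDirectoryRights 'ExtendedRight') -and
                    ($ace.ObjectType -eq $AutoEnrollRight -or $ace.ObjectType -eq [guid]::Empty)

    if ($ace.AccessControlType -eq 'Allow' -and $grantsEnroll) {
        $enrollers += $ace.IdentityReference.Value
    }

    if ($tokenSids -notcontains $sid) { continue }

    if ($ace.AccessControlType -eq 'Deny') {
        # A matching explicit Deny wins over any Allow, whatever the ACE order.
        if ($grantsRead)   { $hasRead   = $false; $denyRead   = $true }
        if ($grantsEnroll) { $hasEnroll = $false; $denyEnroll = $true }
        continue
    }
    if ($grantsRead   -and -not $denyRead)   { $hasRead   = $true }
    if ($grantsEnroll -and -not $denyEnroll) { $hasEnroll = $true }
}

[pscustomobject]@{
    RequestingUser   = $identity.Name
    Template         = $templateName
    UserHasRead      = $hasRead
    UserHasEnroll    = $hasEnroll
    CanSubmitCertreq = ($hasRead -and $hasEnroll)
    TrusteesWithEnroll = ($enrollers | Sort-Object -Unique) -join '; '
}
```

If CanSubmitCertreq is False while the computer account has been granted Enroll, that is exactly the situation the answer describes: Certreq.exe is evaluated against the user's token, not the machine's, so the fix is to add the child-domain administrator (or a group containing it, for example a universal or domain local group created for this purpose) to the template's Read and Enroll permissions rather than to grant anything further to the computer object. TrusteesWithEnroll shows which existing principals would already satisfy the check.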