Unable to submit certificate request to 2k8R2 CA

Tags: ad-certificate-services, certificate, pki, public-key, windows-server-2008-r2

I have created a two-tier CA using Windows Server 2008 R2. The .inf files used to create this standalone root and an enterprise subCA are at the end of this post.

The root is installed OK and issued a certificate to the SubCA. The SubCA has in turn issued certificates to the domain controllers automatically.

My PKI health is green with all chains valid and CRL's published.

However, when I try to register a SAN certificate for my Exchange server, the request is not accepted. In fact, there is no error message at all. I am following "How to issue a SAN certificate to Exchange 2010 from a Private Certificate Authority" (http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority), and, in summary:

  1. From the Exchange Management Shell: New-ExchangeCertificate -FriendlyName "Exchange 2010 Certificate" -IncludeServerFQDN -DomainName mail.mydomain.net,autodiscover.mydomain.net,webmail.mydomain.net -GenerateRequest -PrivateKeyExportable $true

  2. I go to my sub CA web certificate services http://subca/certsvc

  3. Request a certificate

  4. Submit advanced certificate request

  5. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file

  6. Paste the request from step 1 in the saved request box

  7. Select certificate type Web Server

  8. Hit Submit

  9. Nothing… the page refreshes to show the same page again. There is no error on the page or in any log, and the request is not submitted.

I have also tried submitting the .cer file to the subordinate CA via the certsrv MMC: I right-click the CA -> All tasks -> Submit new request -> select the .cer file, and hit OK. Nothing happens: no error, no pending request, nothing in the logs, nothing.

; CAPolicy.inf example file for the Root CA
[Version]
Signature= "$Windows NT$"

; Renewal, CRL and signature settings are only read from the [Certsrv_Server]
; section; the original file had no section header here, so these keys were ignored.
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20

CRLPeriod = Years
CRLPeriodUnits = 1
CRLDeltaPeriod = Days
CRLDeltaPeriodUnits = 0

; 1 = sign with the PKCS #1 v2.1 (RSASSA-PSS) discrete signature format
AlternateSignatureAlgorithm=1

; An offline root carries no CDP or AIA extension in its own certificate
[CRLDistributionPoint]
Empty=true

[AuthorityInformationAccess]
Empty=true


; CAPolicy.inf file for the Issuing CA
[Version]
Signature= "$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; Weekly base CRL, daily delta CRL, published 2 days before the previous one expires
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
CRLOverlapPeriod=Days
CRLOverlapUnits=2
; Maximum lifetime of certificates this CA issues
ValidityPeriod=Years
ValidityPeriodUnits=2
AlternateSignatureAlgorithm=1

Best Answer

I was able to resolve this after finding further information: "You cannot submit a certificate request generated by Exchange Management Console (EMC) or Exchange Management Shell (EMS) to Microsoft Certificate Services".

In summary, this is because the certificate request was stored with Unicode encoding, and Microsoft Certificate Services does not support Unicode-encoded files.

The fix is to open the request file in Notepad and Save As a new file, this time with ANSI encoding. Resubmitting this ANSI-encoded file to the CA then works and the certificate is issued.
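An added example (not from the question or the answer) that automates the fix above from Windows PowerShell: it detects a UTF-16 ("Unicode") encoded request file, rewrites it as ASCII, checks that it still looks like a PKCS #10 request, and submits it to the CA against the Web Server template with certreq. The request path and the CA configuration string are assumptions; Windows PowerShell's Out-File and `>` redirection write UTF-16 LE by default, which is how such request files usually come to exist.

```powershell
param(
    [string]$RequestPath = 'C:\certs\exchange.req',      # assumed path to the EMS request
    [string]$CAConfig    = 'subca.mydomain.net\SubCA'    # assumed "host\CA name"
)

function Get-RequestFileEncoding {
    # Returns the UTF-16 encoding a request file was written in, or $null if it is
    # already single-byte (ANSI/ASCII) and can be submitted as-is.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 2) { return $null }
    if ($b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return [System.Text.Encoding]::Unicode }
    if ($b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return [System.Text.Encoding]::BigEndianUnicode }
    # BOM-less UTF-16: a base64 PEM body is pure ASCII, so every second byte is 0x00.
    $sample = $b[0..([Math]::Min(63, $b.Length - 1))]
    $nulls  = @($sample | Where-Object { $_ -eq 0 }).Count
    if ($nulls -gt ($sample.Length / 4)) { return [System.Text.Encoding]::Unicode }
    return $null
}

function Convert-RequestToAscii {
    # Decodes the UTF-16 file, drops the BOM, and writes a sibling .ansi.req in ASCII.
    # PKCS #10 PEM content is 7-bit ASCII, so nothing is lost in the conversion.
    param([string]$Path, [System.Text.Encoding]$From)
    $text = $From.GetString([System.IO.File]::ReadAllBytes($Path)).TrimStart([char]0xFEFF)
    if ($text -notmatch '-----BEGIN (NEW )?CERTIFICATE REQUEST-----') {
        throw "Not a PEM-encoded certificate request: $Path"
    }
    $out = [System.IO.Path]::ChangeExtension($Path, '.ansi.req')
    [System.IO.File]::WriteAllText($out, $text, [System.Text.Encoding]::ASCII)
    return $out
}

$enc = Get-RequestFileEncoding -Path $RequestPath
if ($enc -ne $null) {
    Write-Host "Request is UTF-16 encoded; certsrv would silently reject it. Rewriting as ASCII."
    $RequestPath = Convert-RequestToAscii -Path $RequestPath -From $enc
}

# Same as selecting the "Web Server" template in the web enrollment page, from the shell.
certreq -submit -config $CAConfig -attrib "CertificateTemplate:WebServer" $RequestPath "$RequestPath.cer"
```

If the CA holds the request for approval instead of issuing immediately, certreq prints the request ID, which can be issued from the Certification Authority MMC and then retrieved with `certreq -retrieve`.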