Clients in a child domain cannot request certificates from the issuing
CA which is located in the root domain.

I get the error: The wizard cannot be started because of one or more of
the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have permission to request certificates from the available
CAs
- The available CAs issue certificates for which you do not have
permission.

Clients in the root domain can request new certificates.

Permissions on the CA are set so that Authenticated Users can request
certificates.

The setup is all Win2003 Servers/AD and XP SP2 clients.

Re: Cannot Request Certificate by Nick

Nick
Wed Feb 28 01:48:21 CST 2007

scottflower@btinternet.com
> Clients in a child domain cannot request certificates from the issuing
> CA which is located in the root domain.
>
> I get the error The wizard cannot be started because of one or more of
> the following conditions:
> -There are no trusted certification authorities (CAs) available.
Have you installed the rootCA certificate on the clients? These computers are
in another domain and I think they can't locate the rootCA certificate via
the LDAP URL.

I recommend you try these steps:

1. Acquire the root certificate and copy it to the client computer. Double-click
on it. If you see that there is no trust for this certificate, then

2. Run certutil -url <cert file name>. Select the checkbox "Certs (from AIA)"
and press the Retrieve button. Look for any errors. Do the same for the
option "CRLs (from CDP)".

3. If there were errors anywhere, post them here :) I'll try to help correct
them.

If there were no errors, then please give more information about your AD
topology and PKI.




--
With best regards
Nickolay Domukhovsky, MCSA
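
A scripted version of the checks in steps 1 and 2 above, as an added example that is not part of the original post. It uses the .NET chain engine from PowerShell instead of the certutil URL Retrieval Tool, and the file path is a hypothetical placeholder for the CA certificate copied to the client.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical placeholder
# for the CA certificate file copied to the client in step 1.
param([string]$CertPath = 'C:\temp\issuing-ca.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Print the AIA and CDP extensions so the published URLs can be read directly.
$oids = @{ '1.3.6.1.5.5.7.1.1' = 'AIA'; '2.5.29.31' = 'CDP' }
foreach ($ext in $cert.Extensions) {
    if ($oids.ContainsKey($ext.Oid.Value)) {
        "--- $($oids[$ext.Oid.Value]) ---"
        $ext.Format($true)
    }
}

# Build the chain with online revocation checking. The chain engine retrieves
# missing issuer certificates from the AIA URLs and CRLs from the CDP URLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)

# What each status flag points to in terms of the steps above.
$hints = @{
    'UntrustedRoot'           = 'root CA certificate is not in the Trusted Root store (step 1)'
    'PartialChain'            = 'issuer certificate not found; check the AIA URLs (step 2)'
    'RevocationStatusUnknown' = 'no usable CRL; check the CDP URLs (step 2)'
    'OfflineRevocation'       = 'CRL could not be downloaded; check the CDP URLs (step 2)'
}

foreach ($element in $chain.ChainElements) {
    "Certificate: $($element.Certificate.Subject)"
    if ($element.ChainElementStatus.Length -eq 0) { '  NoError' }
    foreach ($s in $element.ChainElementStatus) {
        $name = $s.Status.ToString()
        $hint = if ($hints.ContainsKey($name)) { $hints[$name] } else { $s.StatusInformation.Trim() }
        "  ${name}: $hint"
    }
}
"Chain valid: $valid"
```

Run it as a child-domain user on an affected client, so the result reflects what that account's trust stores and network path can actually reach.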

Re: Cannot Request Certificate by scottflower

scottflower
Wed Feb 28 03:48:41 CST 2007


Both Cert and CRLs show a status of failed; double-clicking the URL in
the Retrieval Tool window gives the error "Error retrieving URL: Error
0x80072ee5 (WIN32:12005)".

I can open both the Cert and CRL via a browser.

The AD infrastructure consists of a root domain and two child
domains.

The PKI infrastructure is

An offline Root CA
An Enterprise Subordinate CA in the Root domain

I can request a certificate for a Root level account from anywhere in
the forest; I cannot request a certificate from anywhere in the forest
with an account from either child domain.

Thanks
Scott


Re: Cannot Request Certificate by scottflower

scottflower
Wed Feb 28 04:27:22 CST 2007


Apologies,

Correction to the previous submission, the Certutil tests do work
fine, I had a typo error in the string.


Re: Cannot Request Certificate by Nick

Nick
Wed Feb 28 07:43:19 CST 2007

I think this would help: http://support.microsoft.com/kb/281271


--
With best regards
Nickolay Domukhovsky, MCSA

Re: Cannot Request Certificate by Nick

Nick
Wed Feb 28 07:46:32 CST 2007

And some more useful reading:

http://support.microsoft.com/kb/239706

http://support.microsoft.com/?id=332097 - if you have problems with web
enrollment.


--
With best regards
Nickolay Domukhovsky, MCSA

Re: Cannot Request Certificate by scottflower

scottflower
Wed Feb 28 10:00:08 CST 2007

On Feb 28, 1:43 pm, Nick Domukhovsky <ndomukhov...@ot.ru> wrote:
> I think this would help: http://support.microsoft.com/kb/281271
>
> --
> With best regards
> Nickolay Domukhovsky, MCSA

Fantastic, that's sorted it.

Thank you very much for your help.