Hi, I have a problem about publishing the KRA Certificate to the Active
Directory. Below is my test environment:
1 Server with the following configuration: Windows 2000 Domain Controller,
Exchange 2000 Server with KMS service, Enterprise Root CA. With the help of
KMS, enrolling mailbox enabled users to advanced security was working
properly.
I exported the KMS database and uninstalled KMS service. Then upgraded from
Exchange 2000 to Exchange 2003 and then upgraded from Windows 2000 Server to
Windows 2003 Advanced Server. After a successful upgrade I tried to
configure the CA for Key Archival and Key Recovery. For this reason I added
the new certificate template (Key Recovery Agent certificate template) with
proper security permissions. Administrator user requested a KRA certificate
with the web enrollment wizard and installed the certificate successfully.
At that point, Enterprise CA should publish the certificate to the directory
automatically (to the userCertificate attribute of CN=KRA,CN=Public Key
Services,CN=Services,CN=Configuration,DC=domain,DC=local).
But there is a warning message in the application event log. I don't see
anything in the KRA container in AD Sites And Services snap-in. I could not
find any article in the KB. Any ideas? Thanks
AydinK

Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 80
User: N/A
Computer: SERVER
Description:
Certificate Services could not publish a Certificate for request 11 to the
following location on server SERVER: ldap:///CN=EntRootCA,CN=KRA,CN=Public
Key Services,CN=Services,CN=Configuration,DC=test,DC=local. Directory
object not found. 0x8007208d (WIN32: 8333).
ldap: 0x20: 0000208D: NameErr: DSID-031001C6, problem 2001 (NO_OBJECT), data
0, best match of:
'CN=KRA,CN=Public Key
Services,CN=Services,CN=Configuration,DC=company,DC=local'

Re: Publish KRA certificate to the AD (Event ID:80) by Laudon

Laudon
Thu Sep 25 15:10:57 CDT 2003

Did you update your forest's schema prior to migrating to the WS2003 CA?

--
This posting is provided "AS IS" with no warranties, and confers no rights.

"aydink" <aydinkucuk@hotmail.com> wrote in message
news:OOpGgqygDHA.696@TK2MSFTNGP09.phx.gbl...
> Hi, I have a problem about publishing the KRA Certificate to the Active
> Directory. [...]



Re: Publish KRA certificate to the AD (Event ID:80) by aydink

aydink
Fri Sep 26 00:48:10 CDT 2003

Yes, I updated the forest schema with adprep /forestprep


"Laudon Williams [MSFT]" <laudonw@online.microsoft.com> wrote in message
news:uNovjE6gDHA.1684@TK2MSFTNGP10.phx.gbl...
> Did you update your forest's schema prior to migrating to the WS2003 CA?



Re: Publish KRA certificate to the AD (Event ID:80) by Vishal

Vishal
Sun Sep 28 23:48:46 CDT 2003

The KRA object in the DS is created when a Windows 2003 CA is installed or
has its CA cert renewed.

It is not created during upgrade from Windows 2000 to Windows 2003 -- in
fact, it cannot be created at that time, because the upgrade code runs
without appropriate network access.

There are several ways to create the KRA object on the DS.

1) Use certutil with the -f option to publish a previously issued (by the
same CA) KRA cert.

Save such a cert to a file named KRA.cer, then:

certutil -f -dspublish kra.cer

You must execute this as an Enterprise Administrator.

2) Uninstall the CA and re-install, using the existing keys, certs and
database.

3) Renew the CA cert.

The first option is the simplest and most direct.

It also is the least risky.



Thanks,
Vishal [MSFT]


--
This posting is provided "AS IS" with no warranties, and confers no rights
"aydink" <aydinkucuk@hotmail.com> wrote in message
news:%23L69kH$gDHA.4024@TK2MSFTNGP11.phx.gbl...
> Yes, I updated the forest schema with adprep /forestprep
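A check that could wrap option 1 from the reply above, as an added example that is not part of the thread: it tests whether the CA's KRA object exists, runs the `certutil -f -dspublish` command from the reply, and confirms that `userCertificate` is populated afterwards. The CA name `EntRootCA` is taken from the Event ID 80 text; the variable and function names are assumptions made for this example.

```powershell
# Added example, not from the thread. Assumed names: $CaName is the CA name
# seen in the Event ID 80 text, $CertFile the file name used in the reply.
# Run on the CA as an Enterprise Administrator.
$CaName   = 'EntRootCA'
$CertFile = 'kra.cer'

# Read the configuration naming context from RootDSE instead of hard-coding DC=...
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$kraDn    = "CN=$CaName,CN=KRA,CN=Public Key Services,CN=Services,$configNC"
$kraPath  = "LDAP://$kraDn"

function Get-KraCertCount {
    # Returns -1 when the object is absent, else the number of userCertificate values.
    param([string]$Path)
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($Path)) { return -1 }
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path)
    try { return $entry.psbase.Properties['userCertificate'].Count }
    finally { $entry.psbase.Dispose() }
}

$before = Get-KraCertCount -Path $kraPath
if ($before -lt 0) {
    Write-Output "Missing: $kraDn (the NO_OBJECT case from Event ID 80)"
} else {
    Write-Output "Present with $before certificate(s): $kraDn"
}

# The command from the reply; per the reply, -f publishing also creates the KRA object.
& certutil.exe -f -dspublish $CertFile
if ($LASTEXITCODE -ne 0) { throw "certutil exited with code $LASTEXITCODE" }

$after = Get-KraCertCount -Path $kraPath
if ($after -lt 1) {
    throw "No userCertificate value on $kraDn; check the CA name and AD replication"
}
Write-Output "Published: $kraDn now holds $after certificate(s)"
```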



Re: Publish KRA certificate to the AD (Event ID:80) by aydink

aydink
Tue Sep 30 02:31:33 CDT 2003

I could publish KRA certificates using "certutil -f -dspublish kra.cer".
Thank you, Vishal.


"Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> wrote in message
news:Ohx15TkhDHA.3636@tk2msftngp13.phx.gbl...
> The KRA object in the DS is created when a Windows 2003 CA is installed or
> has its CA cert renewed.