I'm playing around with AD, certificates, and smart cards on a test
server separated from the rest of our network. I'm currently going by
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/mapcerts.mspx,
trying to get a certificate that I can place on my smart card to log in
with.

I have a certificate authority installed on this domain controller (as a
stand-alone root CA), and I can see its cert in "Trusted Root
Certificate Authorities". If I try to launch the "Request New
Certificate" wizard for any account, I get an error message saying the
wizard could not be started because "there are no trusted certificate
authorities available", or permission is denied.

Is there something special I have to do to get the local machine to
"trust" this CA, or some other way I should go about this?

Thanks
Bean

Re: requesting cert from local CA: "no trusted certificate authorities available" by Paul

Paul
Tue Nov 07 07:59:14 CST 2006

In article <ueGjf0cAHHA.4592@TK2MSFTNGP03.phx.gbl>, in the
microsoft.public.security news group, Jason Viers <spam@beanalby.net>
says...

> I have a certificate authority installed on this domain controller (as a
> stand-alone root CA), and I can see its cert in "Trusted Root
> Certificate Authorities". If I try to launch the "Request New
> Certificate" wizard for any account, I get an error message saying the
> wizard could not be started because "there are no trusted certificate
> authorities available", or permission is denied.
>
> Is there something special I have to do to get the local machine to
> "trust" this CA, or some other way I should go about this?
>

To use the MMC wizard your CA needs to be an Enterprise CA, and not a
standalone.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld
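An added example (not from this thread, and not a Microsoft-supplied script) that checks the distinction Paul's answer hinges on: whether the locally installed CA is an Enterprise or a Standalone CA. It runs in an elevated PowerShell prompt on the CA itself and reads the CA type from the Certificate Services registry configuration; the location of that key and the meaning of the `CAType` values are stated as assumptions in the comments, and `certutil -cainfo type` is called at the end as a cross-check.

```powershell
# Added example (not from the thread): report whether each CA configured on this
# machine is an Enterprise or a Standalone CA. Assumes an elevated prompt on the CA.

# Assumed location of the Certificate Services configuration; each CA instance
# has a subkey named after the CA.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $base)) {
    throw "Certificate Services does not appear to be installed on this machine."
}

# Assumed mapping of the CAType DWORD:
#   0 = Enterprise Root, 1 = Enterprise Subordinate,
#   2 = Standalone Root, 3 = Standalone Subordinate
$caTypeNames = @{
    0 = 'Enterprise Root'
    1 = 'Enterprise Subordinate'
    2 = 'Standalone Root'
    3 = 'Standalone Subordinate'
}

Get-ChildItem $base | ForEach-Object {
    $caType = [int](Get-ItemProperty -Path $_.PSPath -Name CAType).CAType
    $label  = if ($caTypeNames.ContainsKey($caType)) { $caTypeNames[$caType] } else { "unknown ($caType)" }

    [pscustomobject]@{
        CAName = $_.PSChildName
        CAType = $label
        # The MMC "Request New Certificate" wizard enrolls from templates, which
        # only an Enterprise CA (types 0 and 1) publishes to Active Directory.
        UsableFromMmcWizard = ($caType -le 1)
    }
}

# Cross-check with the built-in tool, which prints the same classification.
certutil -cainfo type
```

If the output shows a Standalone type, the MMC wizard will keep reporting that no trusted CA is available no matter what is in the Trusted Root store, because the wizard looks for certificate templates published by an Enterprise CA rather than for a trusted root.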


Re: requesting cert from local CA: "no trusted certificate authorities available" by Jason

Jason
Wed Nov 08 16:20:04 CST 2006

Paul Adare wrote:
> To use the MMC wizard your CA needs to be an Enterprise CA, and not a
> standalone.

Thanks, removing the standalone CA and using an Enterprise CA worked!

I was able to request a certificate, export it, and throw it on the
smart card (with private key). When trying to log in, I can insert the
card and it asks for the PIN, but then says

The system could not log you on. The server authenticating you reported
an error (0xC00000BB). See the EventLog for more information.

In the EventLog is the following error:

An error occurred while retrieving a digital certificate from the
inserted smartcard. The keyset is not defined. Data: 19000980

This is all taking place on a single Windows 2003 Enterprise box, so the
documents I see about XP SP2 causing problems
(http://support.microsoft.com/kb/891849) don't apply.

I can look on the smartcard (using the ActivClient Agent software) and
see that the certificate is there, it's been "made available to
Windows", and been set as the primary certificate.

Any ideas what's causing this?
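An added diagnostic example (written for this page, not code from the thread or from ActivClient) that checks the properties a domain controller looks for on a smart card logon certificate: a Smart Card Logon EKU, a UPN in the Subject Alternative Name, a private key that can actually be opened through a CSP on this machine, and an issuing CA that is in the NTAuth store. The event data `19000980` in Jason's post is the little-endian byte order of `0x80090019`, the CryptoAPI error `NTE_KEYSET_NOT_DEF` ("The keyset is not defined"), which is raised when the key container named in the certificate cannot be opened through the expected provider; the private-key step below surfaces that same exception text. The registry path used for the local NTAuth cache is an assumption and is marked as such in the code.

```powershell
# Added diagnostic example (not from the thread). Run on the domain-joined machine
# where the smart card logon is attempted, after the card's certificate has been
# "made available to Windows" (it then appears in the current user's personal store).

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # Client Authentication
$SanOid            = '2.5.29.17'                # Subject Alternative Name
# Assumed local cache of the enterprise NTAuth store (the DC also consults AD directly).
$NtAuthCachePath   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # 1. Extended key usages present on the certificate.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })

    # 2. The SAN must carry the user's UPN; Format($true) renders it as "Principal Name=user@domain".
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $upn     = if ($sanText -match 'Principal Name=(\S+)') { $Matches[1] } else { $null }

    # 3. Try to open the private key. A key container that cannot be opened through
    #    its CSP throws here; the exception message is the same text Windows logs
    #    during logon ("The keyset is not defined" is 0x80090019, NTE_KEYSET_NOT_DEF).
    $keyProvider = $null
    $keyError    = $null
    if ($Cert.HasPrivateKey) {
        try {
            $key = $Cert.PrivateKey
            $keyProvider = if ($key) { $key.CspKeyContainerInfo.ProviderName } else { '(CNG key; not exposed via PrivateKey)' }
        } catch {
            $keyError = $_.Exception.Message
        }
    }

    # 4. Build the chain and check that the issuing CA is cached in NTAuth.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($Cert)
    $issuerThumb = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }
    $inNtAuth = [bool]($issuerThumb -and (Test-Path (Join-Path $NtAuthCachePath $issuerThumb)))

    [pscustomobject]@{
        Subject           = $Cert.Subject
        HasSmartCardLogon = ($ekus -contains $SmartCardLogonEku)
        HasClientAuth     = ($ekus -contains $ClientAuthEku)
        SanUpn            = $upn
        HasPrivateKey     = $Cert.HasPrivateKey
        KeyProvider       = $keyProvider
        KeyOpenError      = $keyError
        IssuerThumbprint  = $issuerThumb
        IssuerInNtAuth    = $inNtAuth
        ChainStatus       = (($chain.ChainStatus | ForEach-Object Status) -join ',')
    }
}

# Usage: check every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-SmartCardLogonCert -Cert $_ } | Format-List
```

Reading the output: `HasSmartCardLogon` false or `SanUpn` empty means the certificate was enrolled from a template that does not produce a logon certificate; `KeyOpenError` populated means Windows can see the certificate but cannot reach the key through the provider recorded in the certificate's key container, which is the condition behind the "keyset is not defined" event; `IssuerInNtAuth` false means the DC will not accept the chain even if the certificate itself is correct.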