One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.
Enable publication of an end-entity certificate
In order to publish a certificate, the CA needs network connectivity to a domain controller and the appropriate permissions in Active Directory. To resolve a publication failure:
Confirm that you have network connectivity between the client and certification authority (CA).
Confirm that the CA has Read and Write permissions on the userCertificate attribute of the user or computer object of the entity requesting the certificate.
If you have more than one domain or a two-level (parent/child) domain hierarchy, you need to allow the Cert Publishers group from one domain (domain A) Read and Write permissions on the userCertificate attribute in another domain (domain B). To do this, follow the procedure in the "Correct cross-domain permission errors" section.
Publish the certificate.
To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Confirm network connectivity between a client and a CA
To confirm a client connection to a CA:
On the client, click Start, type cmd and press ENTER.
Type ping <server_FQDN>, where <server_FQDN> is the fully qualified domain name (FQDN) of the CA (for example, server1.contoso.com), and then press ENTER.
If the ping was successful, you will receive a reply similar to the following:
Reply from IP_address: bytes=32 time=3ms TTL=59
Reply from IP_address: bytes=32 time=20ms TTL=59
Reply from IP_address: bytes=32 time=6ms TTL=59
At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the CA, and then press ENTER.
If you can successfully connect to the CA by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution. If you cannot successfully connect to the CA by IP address, this indicates a possible issue with network connectivity, firewall configuration, or Internet Protocol security (IPsec) configuration.
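The following PowerShell script is an added example, not part of the original article: it runs the two ping checks above from the client and applies the article's decision rule to separate a DNS name-resolution problem from a network, firewall or IPsec problem. The CA name and address it uses are assumed values; substitute your own.

```powershell
# Added example (not from the original article). Run on the client.
# $CaFqdn and $CaIpAddress are assumed values; replace them with your CA's.
param(
    [string]$CaFqdn      = 'server1.contoso.com',   # example FQDN used in the article
    [string]$CaIpAddress = '10.0.0.5'               # assumed address of the CA
)

function Test-CaReachability {
    param([string]$Fqdn, [string]$IpAddress)

    # Step 1: can the client resolve the CA's host name at all?
    $resolved = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue
    $resolvedIp = ($resolved | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress

    # Step 2: ping by FQDN, then by IP address (Test-Connection -Quiet is the cmdlet form of ping)
    $byName = Test-Connection -ComputerName $Fqdn      -Count 2 -Quiet -ErrorAction SilentlyContinue
    $byIp   = Test-Connection -ComputerName $IpAddress -Count 2 -Quiet -ErrorAction SilentlyContinue

    # Step 3: apply the article's decision rule
    $verdict = if ($byName -and $byIp) {
        'OK: CA answers by FQDN and by IP address.'
    } elseif ($byIp -and -not $byName) {
        'DNS problem: CA answers by IP address but not by FQDN; check host name resolution.'
    } else {
        'Network problem: CA does not answer by IP address; check connectivity, firewall rules and IPsec policy.'
    }

    # A name that resolves to a different address than expected points at a stale DNS record
    if ($resolvedIp -and $resolvedIp -ne $IpAddress) {
        $verdict += " Note: $Fqdn resolves to $resolvedIp, not $IpAddress."
    }

    [pscustomobject]@{
        Fqdn       = $Fqdn
        ResolvedIp = $resolvedIp
        PingByName = $byName
        PingByIp   = $byIp
        Verdict    = $verdict
    }
}

Test-CaReachability -Fqdn $CaFqdn -IpAddress $CaIpAddress | Format-List
```

Because ICMP echo may be blocked by a firewall while the CA's RPC interfaces are still reachable, treat a failed ping as a prompt to check the firewall and IPsec configuration named above rather than as proof that the CA is down.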
Confirm permissions on the Domain Computers and Domain Users containers in Active Directory
To confirm that the CA has necessary permissions on the Domain Computers and Domain Users containers:
Click Start, point to Administrative Tools, and click Active Directory Sites and Services.
On the View menu, click Show Services Node.
Double-click Services, double-click Public Key Services, right-click Domain Computers, and click Properties.
On the Security tab, confirm that the Cert Publishers group has Read and Write permissions.
Right-click Domain Users, click Properties, and repeat the check on the Security tab.
Correct cross-domain permissions errors
To set these permissions by using the Dsacls tool:
Click Start, type cmd and press ENTER, then run the following commands:
dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":RP;userCertificate;user
dsacls "dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate;user
dsacls "cn=AdminSDHolder,cn=system,dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":RP;userCertificate;user
dsacls "cn=AdminSDHolder,cn=system,dc=<domainB>,dc=<contoso>,dc=<com>" /I:S /G "<domainA>\Cert Publishers":WP;userCertificate;user
Substitute the correct names from your organization for the <domainA>, <domainB>, <contoso> and <com> placeholders in the example. The first two commands grant the Cert Publishers group of domain A Read Property (RP) and Write Property (WP) rights on the userCertificate attribute, inherited by user objects (/I:S) throughout domain B; the last two grant the same rights on the AdminSDHolder object, so that protected accounts whose security descriptor is periodically reset from AdminSDHolder keep the permission.
For more information, see article 281271 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=95695).
Publish a certificate
To publish a certificate:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type ping <ipaddress>, where <ipaddress> is the IP address of a domain controller, and press ENTER to confirm that you have a network connection. If you do not have a network connection, fix the problem and try again.
At a command prompt, type certutil -dspublish <cert.cer> ldap:///<network location included in the event log message> and press ENTER. <cert.cer> is a certificate file exported by using the Certificate Export Wizard.
If you have connectivity but still cannot publish the certificate, use Active Directory Users and Computers to confirm that the computer hosting the CA has Read and Write permissions on the userCertificate attribute of the user or computer object. (This is generally granted through membership in the Cert Publishers group.)
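The following PowerShell script is an added example, not part of the original article, that performs the permission check described in this section and in the "Confirm permissions" and "Correct cross-domain permissions errors" sections from the command line instead of the Security tab: it resolves the schema GUID of the userCertificate attribute, reads the ACL of a user, computer or container object through the ActiveDirectory module's AD: drive, and reports whether the Cert Publishers group holds Read Property and Write Property rights on that attribute. The object DN and the group name it uses are assumed values; the ActiveDirectory module (RSAT) must be installed.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CertPublisherAccess {
    param(
        [Parameter(Mandatory)] [string]$ObjectDN,       # DN of the user, computer or container to check
        [string]$PublisherGroup = 'Cert Publishers'     # use 'DOMAINA\Cert Publishers' for a cross-domain check
    )

    # ACEs identify attributes by schemaIDGUID, so look up the GUID of userCertificate in the schema
    $schemaNC     = (Get-ADRootDSE).schemaNamingContext
    $attr         = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
    $userCertGuid = [guid]$attr.schemaIDGUID
    $allProps     = [guid]::Empty   # an all-zero ObjectType means the ACE covers every property

    # Access includes inherited ACEs, so rights granted with dsacls /I:S at the domain root show up here
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$PublisherGroup" -and
        ($_.ObjectType -eq $userCertGuid -or $_.ObjectType -eq $allProps)
    })

    $rp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $canRead  = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $rp })
    $canWrite = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $wp })

    [pscustomobject]@{
        ObjectDN      = $ObjectDN
        Group         = $PublisherGroup
        ReadProperty  = $canRead
        WriteProperty = $canWrite
        MatchingAces  = $aces.Count
        Verdict       = if ($canRead -and $canWrite) { 'OK' } else { 'Missing RP and/or WP on userCertificate' }
    }
}

# Assumed target object; substitute the DN of the user or computer object that fails to enroll
Test-CertPublisherAccess -ObjectDN 'CN=Alice,CN=Users,DC=contoso,DC=com' | Format-List
```

Run it once against the failing user or computer object and once against the AdminSDHolder object (cn=AdminSDHolder,cn=System,<domain DN>) when the account is a protected one, since protected accounts have their permissions reset from AdminSDHolder and will lose a grant applied only to the domain root.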