Error Denied By Policy Module : Request with Key Archival

Samir OUTMANI 1 Reputation point
2022-02-08T15:04:23.107+00:00

Hello

We have a multi-tier PKI with ADCS. We configured an encryption template with Key Archival, but we get an error when requesting a certificate:

The request is missing a required private key for archival by the server. 0x80094804 (-2146875388 CERTSRV_E_ARCHIVED_KEY_REQUIRED)

We have checked that the root CA's Edit properties contain Key Archival and that the Issuing CA is published in the NTAuth store.

Is there anything else to verify?


3 answers

  1. Limitless Technology 39,686 Reputation points
    2022-02-09T10:52:17.537+00:00

    Hi there,

    If your user accounts are in a group that has Issue and Manage permissions in the Security tab on the CA, you might get this error message. Try adding a user account to the Security tab and giving it the same permissions; then you can retrieve a key from the previously issued test user cert.

    Also, check if the CA server has read permission on the template. The Authenticated Users built-in group is granted Read permission by default and if you happen to remove that group the CA server must be granted permissions on the template.


    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Samir OUTMANI 1 Reputation point
    2022-02-09T14:33:47.413+00:00

    Hello,
    the problem is that we are not trying to get the private key from a previously issued certificate; we are trying to enroll a user on a template that has Key Archival properties.

    I have tried to add the user account directly, and I checked that Authenticated Users has read permission on the template.


  3. Kevin Piatt 80 Reputation points
    2024-07-10T20:31:15.1266667+00:00

    It would have been beneficial to see your cert request. I certainly will not request it this late in the game.

    Rather, I am posting here for persons that may be looking for the solution in the future.

    You need to add the PrivateKeyArchive = True attribute to your request.

    PrivateKeyArchive = True

    Example Request:

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=«CommonName»"
    HashAlgorithm = SHA256
    KeyAlgorithm = RSA
    KeyLength = 4096
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ; 0xf0 = Digital Signature + Non-Repudiation + Key Encipherment + Data Encipherment
    KeyUsage = 0xf0
    MachineKeySet = True
    ; certreq honours PrivateKeyArchive only when RequestType is CMC; with a PKCS10
    ; request the key is not sent and the CA answers CERTSRV_E_ARCHIVED_KEY_REQUIRED.
    RequestType = CMC
    KeySpec = 1
    ; The attribute this thread is about: certreq encrypts the private key to the
    ; CA exchange certificate and carries it inside the CMC request.
    PrivateKeyArchive = True

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1

    [Extensions]
    1.3.6.1.5.5.7.48.1.5 = Empty

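The question asks what else to verify before the request itself is fixed. The following pre-flight script is an added example, not code from any poster in this thread; it checks the three server-side prerequisites the CA enforces for key archival and then lists which issued certificates actually carry an archived key. `$CaConfig` and `$TemplateName` are placeholders, and the parsed `certutil -getreg` output line format is an assumption.

```powershell
# Added example: pre-flight checks for ADCS key archival (save as a .ps1).
# Assumptions: elevated PowerShell on a domain-joined host with certutil.exe;
# the CA config string and template CN below are placeholders.
param(
    [string]$CaConfig     = 'CA01.corp.example\Corp Issuing CA',  # placeholder "host\CA name"
    [string]$TemplateName = 'UserEncryptionArchived'              # placeholder template CN
)

# 1. Template: bit 0x1 of msPKI-Private-Key-Flag is CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL.
#    If it is clear, the CA will not demand a key and PrivateKeyArchive is pointless.
$cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$pkFlags = [int]$tpl.Properties['msPKI-Private-Key-Flag'].Value
$requiresArchival = (($pkFlags -band 0x1) -ne 0)
"Template '$TemplateName' requires private key archival : $requiresArchival"

# 2. CA: at least one KRA certificate must be selected on the CA's Recovery Agents
#    tab, otherwise the CA cannot accept an archived key at all.
#    (Assumed output line format: 'KRACertCount REG_DWORD = n'.)
$regOut   = certutil -config $CaConfig -getreg CA\KRACertCount 2>&1 | Out-String
$kraCount = if ($regOut -match 'KRACertCount\s+REG_DWORD\s*=\s*(\d+)') { [int]$Matches[1] } else { 0 }
"KRA certificates configured on CA      : $kraCount"

# 3. CA exchange certificate: the client encrypts the private key to this cert,
#    so certreq cannot build an archival request if the CA cannot produce it.
$null = certutil -config $CaConfig -cainfo xchg 2>&1
"CA exchange certificate available      : $($LASTEXITCODE -eq 0)"

# 4. Audit what was issued: a row with an empty KeyRecoveryHashes column was
#    issued without an archived key (Disposition 20 = issued).
certutil -config $CaConfig -view -restrict "Disposition=20" `
    -out "RequestId,RequesterName,CertificateTemplate,KeyRecoveryHashes"
```

If step 1 reports True but step 2 reports 0, enrollment fails on the CA side regardless of how the request is built; fix the KRA configuration first, then resubmit a CMC request with PrivateKeyArchive = True.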
