Certificate services client enrollment fails after renewing SSL certificate

Ruben Alvarez 96 Reputation points
2020-10-14T21:53:38.257+00:00

Hi all,

A couple years ago I setup a PKI with an offline root, enterprise CA, and a web-based NDES server all on Server 2016. We're using it for device authentication on our Wi-Fi.

Mac clients use SCEP and connect with the web-based NDES server. There is a Digicert SSL on this server. I believe that was part of the instructions on the guide I used to set this up. I use my MDM (Jamf) to deploy this to MacOS and iOS. This is working.

For my Windows clients I use Active Directory to first install the root certificate and then request a certificate on the enterprise CA. This was working until recently the Digicert SSL was renewed and installed on the web-based NDES server. Ever since then, everything is working except Windows clients getting new certificates from the enterprise CA.

Here's the messages I get on the Enterprise CA:
Event 22, CertificationAuthority
Active Directory Certificate Services could not process request 1265 due to an error: Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA). The request was for OES\DELLLAT13-708$. Additional information: Error Archiving Private Key

Here's the messages I get on the Windows 10 client:
Event 13, CertificateServicesClient-CertEnroll
Certificate enrollment for Local system failed to enroll for a OESWorkstationAuthentication certificate with request ID N/A from entca.oes.edu\OES Enterprise Certificate Authority (Cannot archive private key. The certification authority could not verify one or more key recovery certificates. 0x8009400b (-2146877429 CERTSRV_E_NO_VALID_KRA)).
Event 6, CertificateServicesClient-AutoEnrollment
Automatic certificate enrollment for local system failed (0x8009400b) Cannot archive private key. The certification authority could not verify one or more key recovery certificates.

Can someone help me troubleshoot this?


Accepted answer
  1. Ruben Alvarez 96 Reputation points
    2020-10-20T18:07:12.347+00:00

    (image attachment: 33784-capture.jpg)


7 additional answers

  1. Vadims Podāns 9,121 Reputation points MVP
    2020-10-15T06:47:21+00:00

    Your template is configured for client private key archival in the CA database (not sure for what reason) and all Key Recovery Agent certificates are expired.

    You have two options:

    1. Renew and replace the Key Recovery Agent certificates on the CA server.
    2. Disable key archival for the target certificate template (OESWorkstationAuthentication) as shown (clear the highlighted checkbox):
       (image attachment: 32499-capture2.png)
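    A way to see which of the two conditions above applies before choosing an option, as an added PowerShell example that is not from this thread or from Microsoft. It assumes it is run in an elevated session on the CA server itself, reads the KRA thumbprints the CA is configured to archive against from the CertSvc registry key, and checks each against the machine's KRA certificate store (the same certificates certutil -store KRA lists):

    ```powershell
    # Added example (not from the thread). Audits the Key Recovery Agent certificates an
    # AD CS CA uses for key archival and flags any that are expired or fail chain
    # validation, the condition reported as 0x8009400b CERTSRV_E_NO_VALID_KRA.
    # Assumption: run elevated on the CA server; registry paths are the CertSvc defaults.

    function Get-CaKraStatus {
        $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
        $active = (Get-ItemProperty -Path $cfg).Active            # name of the running CA
        $ca     = Get-ItemProperty -Path (Join-Path $cfg $active)

        # KRACertHash is a multi-string of SHA-1 thumbprints written as "ab cd ef ...";
        # KRACertCount is how many of them the CA must be able to use when archiving.
        $hashes = @($ca.KRACertHash | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })
        $store  = Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue

        foreach ($h in $hashes) {
            $cert = $store | Where-Object { $_.Thumbprint -eq $h }
            if (-not $cert) {
                # Configured on the CA but the certificate itself is gone from the store.
                [pscustomobject]@{ Thumbprint = $h; Subject = '(not in KRA store)';
                                   NotAfter = $null; Expired = $true; ChainValid = $false }
                continue
            }
            [pscustomobject]@{
                Thumbprint = $h
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                ChainValid = $cert.Verify()   # builds the chain and checks revocation, as the CA does
            }
        }
    }

    $status = @(Get-CaKraStatus)
    $status | Format-Table -AutoSize
    $bad = @($status | Where-Object { $_.Expired -or -not $_.ChainValid })
    if ($bad.Count -gt 0) {
        Write-Warning ("{0} of {1} configured KRA certificate(s) are unusable; templates that archive " +
                       "the private key will keep failing until these are renewed and re-added on the " +
                       "CA's Recovery Agents tab, or the template stops requiring archival." -f $bad.Count, $status.Count)
    }
    ```

    An empty result means the CA has no KRA configured at all, so a template that still requires archival will fail for that reason rather than for an expired certificate.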

  2. Ruben Alvarez 96 Reputation points
    2020-10-15T16:45:04.497+00:00

    Thanks for the reply.

    1. As you said, the "Archive subject's encryption private key" option was checked on the "OES Workstation Authentication" template. I have since unchecked that and even rebooted the CA. It's still getting the same error.
    2. I have a template for "OES Key Recovery Agent." Can you give me a procedure for renewing this?
       (image attachment: 32619-capture.jpg)

    (image attachment: 32648-capture.jpg)


  3. Ruben Alvarez 96 Reputation points
    2020-10-16T15:52:48.323+00:00

    So I've tried on two new computers. It's still not working, but the error is different. Now what is happening is Event Viewer doesn't log anything. Nothing on the CA and nothing on the client. No request or failed request logged on the CA at all. On the client, it is getting the network profile from AD now. But no certificate.


  4. Ruben Alvarez 96 Reputation points
    2020-10-16T20:15:35.823+00:00

    I made a little progress. I found that if I check the box that you had checked, "Include symmetric algorithms allowed by the subject", then the client is now able to get a certificate. But now it's being rejected by the RADIUS server. I now get this error.

    RADIUS EAP-TLS: fatal alert by server - unsupported_certificate
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session
