Unable to sign CSR with Microsoft Windows CA

Przemyslaw Wawrzyczny 46 Reputation points
2020-09-08T15:33:31.837+00:00

Hello Guys,

I have created CSR (using the blow guide) for one of our NPS servers.
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Creating_an_Offline_Certificate_Request_in_Windows_Server

When trying to sign it with our CA I receive the following error:

The DNS name is unavailable and cannot be added to Subject Alternate Name.
0x8009480f (-2146875377 CERTSRV_E_SUBJECT_DNS_REQUIRED)
Denied by the Policy Module

I have tried to put different values in SAN during CSR creation but no luck,
I have tried and not to put anything in SAN field during CSR creation but no luck,
I have checked the record in AD and found server with correct fqdn,
I have tried different templates

I am wondering if any of guys might have an idea,

Regards,
Przemek

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,374 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,880 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,022 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,724 questions
Accepted answer
  1. Daisy Zhou 18,706 Reputation points Microsoft Vendor
    2020-09-09T06:53:56.78+00:00

    Hello @Przemyslaw Wawrzyczny

    Thank you for posting here.

    Based on the description, I did some tests in my lab.

    I can enroll certificate through web page successfully.

    Here are the steps for your references.

    Step 1.On the CA server, duplicate one specific certificate template based on your needs and requirements.

    For example:
    RAS and IAS server

    Subject Name tab
    Select “Supply in the request

    Tip: we must select “Supply in the request” under subject name tab, then we can see this certificate template through web page.

    Security tab
    Authenticated Users: Read permission
    Domain Computers or sepcific machine name: Read and Enroll permission
    RAS and IAS servers: Read and Enroll permission

    23442-csr1.png

    Step 2.Issue certificate template on the CA server.

    23358-csr2.png

    Step 3.Create CSR file

    1.On the machine we want to request certificate using RAS and IAS server certificate template, open certlm.msc and create CSR file as below.

    23383-csr3.png

    1. Click "Next" button.
      23394-csr4.png

    3.Select the certificate template.
    23451-csr5.png

    4.Supply the subject and SAN (we must supply subject and SAN here).
    23346-csr6.png

    5.Save the CSR file.
    23376-csr8.png

    Step 4.Open IE and type http://machine.b.local/certsrv/( or https://machine.b.local/certsrv/) and click Enter.

    Tip: Machine is the computer name with Certification Authority Web Enrollement role installed.

    Step 5. Request certificate with CSR file created above (copy the content of CSR file and paste here).
    23348-csr11.png

    Step 6. we can see the certificate we requested.
    23347-csr9.png

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest