Unable to sign CSR with Microsoft Windows CA

Przemek Wawrzyczny 46 Reputation points
2020-09-08T15:33:31.837+00:00

Hello Guys,

I have created a CSR (using the guide below) for one of our NPS servers.
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Creating_an_Offline_Certificate_Request_in_Windows_Server

When trying to sign it with our CA I receive the following error:

The DNS name is unavailable and cannot be added to Subject Alternate Name.
0x8009480f (-2146875377 CERTSRV_E_SUBJECT_DNS_REQUIRED)
Denied by the Policy Module

I have tried putting different values in the SAN during CSR creation, but no luck,
I have also tried not putting anything in the SAN field during CSR creation, but no luck,
I have checked the record in AD and found the server with the correct FQDN,
I have tried different templates.

I am wondering if any of you guys might have an idea.

Regards,
Przemek


Accepted answer
  1. Anonymous
    2020-09-09T06:53:56.78+00:00

    Hello @Przemek Wawrzyczny

    Thank you for posting here.

    Based on the description, I did some tests in my lab.

    I can enroll certificate through web page successfully.

    Here are the steps for your reference.

    Step 1. On the CA server, duplicate one specific certificate template based on your needs and requirements.

    For example:
    RAS and IAS server

    Subject Name tab
    Select “Supply in the request”

    Tip: we must select “Supply in the request” under the Subject Name tab, then we can see this certificate template through the web page.

    Security tab
    Authenticated Users: Read permission
    Domain Computers or specific machine name: Read and Enroll permission
    RAS and IAS servers: Read and Enroll permission

    Step 2. Issue the certificate template on the CA server.

    Step 3. Create the CSR file.

    1. On the machine for which we want to request a certificate using the RAS and IAS server certificate template, open certlm.msc and create the CSR file.
    2. Click the "Next" button.
    3. Select the certificate template.
    4. Supply the subject and SAN (we must supply subject and SAN here).
    5. Save the CSR file.

    Step 4. Open IE, type http://machine.b.local/certsrv/ (or https://machine.b.local/certsrv/) and press Enter.

    Tip: Machine is the computer name with the Certification Authority Web Enrollment role installed.

    Step 5. Request a certificate with the CSR file created above (copy the content of the CSR file and paste it here).

    Step 6. We can see the certificate we requested.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou
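
The CSR step from the accepted answer (supply both subject and SAN), done with certreq instead of the certlm.msc wizard and followed by a check that the SAN really is in the request. This is an added example, not part of the original answer; the host name `nps01.b.local`, the working folder and the template name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumed values: host name and template name are placeholders.
$Fqdn     = 'nps01.b.local'        # constructed FQDN of the NPS server
$Template = 'RASandIASServer-Copy' # hypothetical name of the duplicated template
$WorkDir  = Join-Path $env:TEMP 'nps-csr'
$Inf      = Join-Path $WorkDir 'nps.inf'
$Csr      = Join-Path $WorkDir 'nps.req'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Remove-Item -Path $Csr -ErrorAction SilentlyContinue  # avoid the overwrite prompt

# certreq policy file: Subject plus a SAN extension (OID 2.5.29.17).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $Inf -Encoding ASCII

# Create the key pair in the machine store and write the PKCS#10 request.
certreq.exe -new $Inf $Csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Decode the request and stop if the SAN did not make it into the CSR.
# The match assumes English-language certutil output.
$Dump = certutil.exe -dump $Csr | Out-String
if ($Dump -notmatch [regex]::Escape("DNS Name=$Fqdn")) {
    throw "CSR contains no DNS SAN for $Fqdn"
}
Write-Host "Subject and SAN present in $Csr"

# Paste the file content into /certsrv as in Step 5, or submit it directly
# (the attribute takes the template name, not its display name):
# certreq.exe -submit -attrib "CertificateTemplate:$Template" $Csr (Join-Path $WorkDir 'nps.cer')
```

Because a "Supply in the request" template lets the requester choose the subject and SAN, keep Enroll permission on the duplicated template limited to the machines that need it and review the dumped request before issuing.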
