After I renewed my CA cert, all cert enrollment failed with error messages saying that the user does not have permission to read the cert template. That is not true, as I had assigned sufficient security permissions (Read and Enroll) on the issued template. A further look into the Event Viewer shows this:
Event 93, Certificate Authority
The certificate (#%1) of certification authority %2 does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. The directory replication may not be completed.
Performing the troubleshooting tasks in this TechNet post did not help. The solution is to publish the new CA certificate (.crt) manually to the NTAuthCA store.
- Log in to the CA using a Domain Admin account.
- Go to the %systemroot%\System32\CertSrv\CertEnroll directory.
- Look for the latest *.crt file, e.g. foo(2).crt
- Run "certutil -dspublish foo(2).crt NTAuthCA"
- Restart the CA service
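The steps above as one PowerShell script, added here as an example and not part of the original post: it picks the newest .crt in CertEnroll, publishes it with `certutil -dspublish` to NTAuthCA, and then reads the cACertificate attribute of the NTAuthCertificates object named in Event 93 straight from Active Directory to confirm the renewed CA certificate actually landed before CertSvc is restarted. It assumes it is run elevated on the CA as a Domain Admin (the post's own precondition), that the CA service name is CertSvc, and that the newest .crt in CertEnroll is the renewed CA certificate (the `foo(2).crt` of the post).

```powershell
# Added example, not from the original post. Assumes: run elevated on the CA as a
# Domain Admin; the CA service is CertSvc; the newest *.crt in CertEnroll is the
# renewed CA certificate.

$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Step 2/3: the renewed CA certificate is the most recently written *.crt (e.g. foo(2).crt)
$newest = Get-ChildItem -Path $certEnroll -Filter '*.crt' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $newest) { throw "No .crt files found in $certEnroll" }

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($newest.FullName)
Write-Host "Publishing $($newest.Name)"
Write-Host "  Subject=$($cert.Subject) Thumbprint=$($cert.Thumbprint) NotAfter=$($cert.NotAfter)"

# Step 4: publish to NTAuthCertificates in the configuration partition (-f forces an update)
& certutil.exe -dspublish -f $newest.FullName NTAuthCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Verification: read cACertificate on the object Event 93 complains about. This binds to
# the DC this host uses; other DCs only see the change once replication has completed.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$ntauth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
$published = $ntauth.Properties['cACertificate'] | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_).Thumbprint
}
if ($published -contains $cert.Thumbprint) {
    Write-Host "OK: $($cert.Thumbprint) is present in NTAuthCertificates"
} else {
    throw "Renewed CA certificate not found in NTAuthCertificates; wait for replication and re-check before restarting CertSvc"
}

# Step 5: restart the CA service so it re-reads the NTAuth store
Restart-Service -Name CertSvc
```

The LDAP read is the useful part for troubleshooting: if `certutil -dspublish` succeeds but the thumbprint is still missing, the CA is talking to a domain controller that has not yet replicated the change, which is exactly the condition Event 93's last sentence describes.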
Great SOLUTION !!!