[Today’s post is provided by Carol Bailey]
I’ve openly admitted that I don’t find the command-line utility, Certreq.exe, the easiest of the Certificate Services methods to use when it comes to deploying certificates for Configuration Manager native mode. But to some extent I made my peace with Certreq and started to recommend it when the later versions of Web enrollment no longer allowed installing certificates into the computer store. I always recommend installing directly into the computer store rather than installing into the user store and then exporting the certificate – because apart from the extra admin overheads, this workaround requires that the private key is exportable, which is not advisable for security reasons. Using Certreq.exe to request a certificate means that you can install directly into the computer store by using the parameter MachineKeySet = True.
Disclaimer: The information in this blog post is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation. However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.
I’m passing on a couple of tips about the following Certreq errors that I know have puzzled some of our customers:
- The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375) Denied by Policy Module.
- The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422) Denied by Policy Module.
Error: The public key does not meet the minimum size required by the specified certificate template
You are likely to see a key size error with Certreq when you request the site server signing certificate (or any other certificate) for a server running Windows Server 2003 and request the certificate from a CA running Windows Server 2008. This is because the default key size for Windows Server 2003 is 1024, and for Windows Server 2008 it is 2048. So when the certificate template defaults to using a minimum key size of 2048 and you try requesting the certificate with the default size of 1024, it’s going to fail with the error shown in the following picture:
It’s easy enough to correct this error. Either change the Minimum key size value from 2048 to 1024 on the Request Handling tab of the certificate template properties, or request a certificate with the key size of 2048. To tell Certreq to request a certificate with the larger key size, add the line KeyLength=2048 to the .inf file, within the [NewRequest] section. For example, your .inf file for the site server signing certificate on a Windows Server 2003 computer might look like the following:
[NewRequest]
Subject = "CN=The site code of this site server is ABC"
MachineKeySet = True
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = ConfigMgrSiteServerSigningCertificate
You won’t see this key length error if the requesting computer is also running Windows Server 2008, because both use the same default key length. For the same reason, the KeyLength line isn’t included in the step-by-step example deployment for a Windows Server 2008 CA: the requesting computer in that example deployment is also running Windows Server 2008. You could specify it, but there’s no need to do so when the operating system versions match.
Error: The permissions on the certificate template do not allow the current user to enroll for this type of certificate
When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template. However, when you’re using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template. When you use Certreq.exe, the computer permissions are not used at all. This explains the rather perplexing error message you see with Certreq.exe on Windows Server 2008 (with a similar error on Windows Server 2003) when the computer has Read and Enroll permissions and you think the user permissions should not be used:
When you realize that Certreq operates in the user context only, this error is easily corrected. If you will only ever request a certificate with this certificate template using Certreq.exe, specify user permissions only. However, if you might also use this certificate template with other certificate installation methods, specify both user permissions and computer permissions.
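Both fixes above (forcing a 2048-bit key in the .inf, and running Certreq under an account that has Read and Enroll on the template) rolled into one enrollment script, as an added example that is not from the original post. The CA config string, the temp file names and the verification step are my assumptions; the .inf sections and values match the ones shown above.

```powershell
# Added example, not from the original post: request the site server signing
# certificate with Certreq.exe, forcing a 2048-bit key so a template with a
# 2048 minimum accepts it. Placeholders: the CA config string and site code.
# Certreq runs in the user's context, so the account running this needs Read
# and Enroll on the template even though the key goes into the computer store.
param(
    [string]$CaConfig  = 'CA01.contoso.com\Contoso-CA01-CA',  # placeholder
    [string]$SiteCode  = 'ABC',
    [int]   $KeyLength = 2048,
    [string]$Template  = 'ConfigMgrSiteServerSigningCertificate'
)
$work = Join-Path $env:TEMP 'siteserver-signing'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'issued.cer'

# Same sections as the .inf in the post; Exportable = FALSE keeps the private
# key non-exportable, which the post prefers over the user-store export workaround.
@"
[NewRequest]
Subject = "CN=The site code of this site server is $SiteCode"
MachineKeySet = True
Exportable = FALSE
KeyLength = $KeyLength
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Build the request; the key pair is generated in the computer store.
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
# 2. Submit to the CA. A key below the template minimum (0x80094811) or a
#    missing user Enroll permission (0x80094012) is rejected at this step.
& certreq.exe -submit -config $CaConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }
# 3. Install the issued certificate and bind it to the pending private key.
& certreq.exe -accept $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# 4. Verify in the computer store: expected subject and key size.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*site server is $SiteCode*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in the computer store' }
$size = $cert.PublicKey.Key.KeySize
if ($size -ne $KeyLength) { throw "Key size is $size, expected $KeyLength" }
"Installed $($cert.Thumbprint) with a $size-bit key."
```

Run it from an elevated prompt on the site server as a user who has Read and Enroll on the template; if the CA is set to require manager approval, the -submit step returns a pending request instead of a certificate.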
More Information about Certreq
The following Certificate Services documentation has additional information and examples for using Certreq.exe:
This posting is provided “AS IS” with no warranties, and confers no rights.