IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Certificates

PKI: Private Key Export failed during CA migration

I am currently lead a project for PKI migration from 2003 Servers to 2012 R2.

ISSUE: During migration one of CAs I observed an error when I tried to restore a Private Key saved on an old CA to the new CA.


The error said: Import private key: Active directory certificate services setup failed with the following error: Cannot find object or property. 0x80092004 (-2146885628 crypt_e_not_found)

RESOLUTION: I checked the machine local storage and found the old CA certificate there (without Private Key). The certificate was installed by GPO.  I deleted the certificate and retry Private Key import from CA installation wizard (where it failed). This time the cert was imported successfully.

SCCM 2012: Certificate requirements

PKI: Enable SAN support on Microsoft CA after server migration.


I migrated my Lab Enterprise CA from Windows Server 2008 R2 to Windows Server 2012 R2. I tried in-place upgrade. Everything seemed to be fine until I tried to request a SAN certificate from it.

It looks like this feature was lost in migration and I needed to re-enable it using

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

command (one line).


Do NOT forget to restart the CA service – the commend makes changes in registry.

More information about SANs and why you may decide to not enable them in this Technet Article

Certificate WEB request failed with: This Web browser does not support the generation of certificate requests.

Issue: I am trying to send a certificate request from my Windows 2012 Server running IE 10 (default).

The request fails with the error: “This Web browser does not support the generation of certificate requests.”


Resolution: Press F12 and select IE 10 Compatibility View. After that CertSrv page should be displayed properly:


Server 2012 PKI and XP compatibility

When your issuing CA is a nice and shiny Server 2012 your XP machines won’t be able to enroll for certificates.

You need to relax security as described in

certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc & net start certsvc

So it is your choice – lower security level or migrate to Windows 7/8.  XP support will end at April of 2014. Winking smile

How to publish Certificate Revocation List (CRL)

If you are sing your own PKI infrastructure it is important to have your CRLs available for your certificates users, so they can check Certificate Revocation List published by your CA.

Environment (assuming is both internal and External FQDNs for the domain. If you use different names you need to add additional records for CRL location):

1. Certificate Authority (let use one level for simplicity):

2. WEB server WEBSERV  (IIS hosts a web server published on reverse proxy as CRL.MYDOMAIN.COM):

3. Windows Firewall on webserv allows File&Printer sharing


1. Configure CA installed on CASERV with the following extension settings (right-click CA):
– Add Location:
– Add Variables (in order): CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: .crl  (so you have <CAName><CRLNameSuffix><DeltaCRLAllowed>.crl in CRL Location line)

– Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates
– Do not restart Certificate Services.

Note: if your internal domain and external domain names are different use your external web server name.

– Add Location: \\WEBSERV\crldist$\.
– Variable: CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: .crl
– Select Publish CRL to this location and Publish Delta CRL to this location

– Restart Certificate Services.
– Close the Certificate Authority console.

2. Create CRL distribution point on WEBSERV by performing the following steps:
– Start Internet Information Services (IIS) Manager.
– In the console tree, browse to WEBSERV\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
Alias:  CRLD;
Path:  C:\CRLDist
– In the middle pane of the console, double-click Directory Browsing, and in the Actions pane,click Enable.
–  In the console tree, click the CRLD folder.
–  In the middle pane of the console, double-click the Configuration Editor icon.
–  Click the down-arrow of the Section drop-down list, and navigate to system.webServer\security\requestFiltering.
–  In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.
–  In the details pane, click Apply.

3. Share and secure the CRL distribution point by performing the following steps:

– Share c:\crldist as \\WEBSERV\CRLDIST$
– Set Full Control for the Share and NTFS permissions for CACERV$ machine account

4. Publish the CRL to WEBSERV by performing the following steps:

– Go to CA mmc on CASERV
– navigate to Rvoked CErtificate folder. right-click the folder, select All Tasks-Publish
– check if CRL files were created in the \\WEBSERV\CRLDis$ share
– from external computer try to get CRL using<CRL_file_name>.crl URL