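certreq on the CA server reports "没有颁发证书(不完整)" (Certificate not issued (Incomplete)) when issuing a certificate

Overview:

On an Exchange 2010 server, after creating a new certificate request, submitting it on the CA server with certreq returns “没有颁发证书 (不完整)” with no further error message. The req file shows no garbled characters, and checking the certificate template and recreating it does not help, yet a certificate can still be requested normally through IIS (http://caserver/certsrv).


Solution:

Open the req file in Notepad and, when saving it with Save As, change the encoding from "Unicode" (the default) to "ANSI". Then run the command again.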

certreq -submit -attrib "CertificateTemplate:xxxx" aaa.req bbb.cer

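Note: when issuing a certificate with certreq, you can specify the CA server by adding the -config parameter followed by the CA server name. When creating the certificate template, the "Subject Name" setting must be changed to "Supply in the request". Otherwise the request fails with: “没有颁发证书 (已拒绝) 被策略模块拒绝  DNS 名不可用,无法添加到使用者替换名称。 0x8009480f (-2146875377)” (the request is denied by the policy module because the DNS name is unavailable and cannot be added to the subject alternative name).

Reference material: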

You cannot submit a certificate request generated by Exchange Management Console (EMC) or Exchange Management Shell (EMS) to Microsoft Certificate Services


Consider the following scenario. You create a certificate request by using either Exchange Management Console (EMC) or Exchange Management Shell (EMS) and save it to a file. When you attempt to submit the certificate request to a Windows-based Certification Authority (CA) (also known as Microsoft Certificate Services), you may receive an error message. If the CA server runs on Windows Server 2003 (R2) or Windows Server 2008, you receive the following message:

ASN1 bad tag value met. 0x8009310b (ASN: 267).

If the CA server runs on Windows Server 2008 R2, there is no response from the MMC console. If you are using the certreq.exe utility, you receive an error:

Contoso Pharmaceuticals Enrollment Policy
  {F29AC102-CDCD-4AA8-B1F5-761051FB52C5}
  https://cert.contoso.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Certificate not issued (Incomplete)

The certificate request is not issued, failed, or set to pending.

Additional information: to generate the certificate request, follow the steps described in the Create a New Exchange Certificate TechNet article.

Side note: the certificate request does not contain certificate template information, which is required for Enterprise CAs. To submit the request to an Enterprise CA, use the certreq.exe utility with the following syntax:

certreq -submit -attrib "CertificateTemplate:TemplateCommonName"

This command adds the certificate template information as an attribute.

CAUSE


This behavior occurs when the certificate request is stored in a file in Unicode encoding. Microsoft Certificate Services does not support Unicode-encoded request files. Only ANSI encoding is supported.

STATUS

Microsoft has confirmed this behavior as inconsistent. No bug fixes are available. See the Workaround section for example steps to overcome the issue.

WORKAROUND
  1. If you already have a certificate request file, do the following:

    • Open the Notepad program.
    • In the File menu, click Open.
    • In the Open File dialog, locate the certificate request file.
    • In the File menu, click the Save As… option.
    • Type a name for the new request file. In the Encoding drop-down list, select ANSI.
    • Click Save to save the request.
    • Now you can resubmit the certificate request to Microsoft Certificate Services.


  2. If you are using Exchange Management Shell, use the following guidance to save the Base64-encoded certificate request to a file with the proper encoding:

In the Exchange Management Shell console, run the New-ExchangeCertificate cmdlet with the required parameters, save the output to a variable, and then save the variable to a file with the proper encoding:

# The Base64 request text is plain ASCII. Windows PowerShell has no "ANSI" value for -Encoding; Ascii produces a file that is valid ANSI.
$OutputRequest = New-ExchangeCertificate <Specify and fill all required properties>
Set-Content -Path Path\ExchRequest.req -Value $OutputRequest -Encoding Ascii

The default behavior of the PowerShell Set-Content, Add-Content and Out-File cmdlets and of the redirection operator ">" is to save content in Unicode encoding. If the file already exists, the commands respect the existing file encoding. The default encoding can be changed by using the -Encoding parameter of the cmdlets.

Note: redirection operators do not support encoding change.
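
The workaround above as a scripted check, added here as an example (it is not code from the referenced article or from Microsoft): it reads the request file's byte-order mark, decodes the file, and rewrites it as ASCII so that certreq can parse it. The function names, file names and the placeholder request body are assumptions made for illustration.

```powershell
# Added example. Function names and sample data are illustrative, not from the article.
function Get-RequestFileEncoding {
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'UTF8-BOM' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'UTF16-LE' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'UTF16-BE' }
    # No BOM, but NUL bytes inside what should be Base64 text still mean UTF-16.
    if ($b -contains 0) { return 'UTF16-NoBOM' }
    return 'ANSI'
}

function Convert-RequestFileToAnsi {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Destination
    )
    $kind = Get-RequestFileEncoding -Path $Path
    $encoding = switch ($kind) {
        'UTF16-LE'    { [System.Text.Encoding]::Unicode }
        'UTF16-BE'    { [System.Text.Encoding]::BigEndianUnicode }
        'UTF16-NoBOM' { [System.Text.Encoding]::Unicode }
        'UTF8-BOM'    { [System.Text.Encoding]::UTF8 }
        default       { [System.Text.Encoding]::ASCII }
    }
    # GetString keeps the BOM as U+FEFF; strip it or it becomes '?' in the ASCII output.
    $text = $encoding.GetString([System.IO.File]::ReadAllBytes($Path)).TrimStart([char]0xFEFF)
    # Refuse to write anything that does not decode to a PEM-style request.
    if ($text -notmatch '-----BEGIN (NEW )?CERTIFICATE REQUEST-----') {
        throw "No certificate request header found in $Path (detected encoding: $kind)"
    }
    [System.IO.File]::WriteAllText($Destination, $text, [System.Text.Encoding]::ASCII)
    return $kind
}

# Constructed sample: placeholder body saved as UTF-16 LE with BOM ("Unicode" in Notepad).
$tmp = [System.IO.Path]::GetTempPath()
$src = Join-Path $tmp 'sample-unicode.req'
$dst = Join-Path $tmp 'sample-ansi.req'
$sample = "-----BEGIN NEW CERTIFICATE REQUEST-----`r`nQ09OU1RSVUNURUQ=`r`n-----END NEW CERTIFICATE REQUEST-----`r`n"
[System.IO.File]::WriteAllText($src, $sample, [System.Text.Encoding]::Unicode)

"Source:         $(Get-RequestFileEncoding -Path $src)"
"Converted from: $(Convert-RequestFileToAnsi -Path $src -Destination $dst)"
"Result:         $(Get-RequestFileEncoding -Path $dst)"
```

Pass full paths to both functions, because the .NET file APIs resolve relative paths against the process working directory, which can differ from the current PowerShell location.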


APPLIES TO
  • Windows Server 2003 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2003 (x86 and x64) R2 Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2008 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2008 R2 Standard, Enterprise and Datacenter editions, all service packs

  • Active Directory Certificate Services

  • Microsoft Exchange Server 2007

  • Microsoft Exchange Server 2010


This article is reposted from lorysun's 51CTO blog. Original link: http://blog.51cto.com/lorysun/1287530