
certreq on the CA server reports "没有颁发证书 (不完整)" (Certificate not issued (Incomplete)) when issuing a certificate


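On an Exchange 2010 server, after creating a new certificate request, running certreq on the CA server to issue the certificate reports "没有颁发证书 (不完整)" (Certificate not issued (Incomplete)) with no further error message. The req file shows no garbled characters, and checking the certificate template and recreating it did not help, yet a certificate can be requested normally through IIS (http://caserver/certsrv).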


Solution:

Open the req file in Notepad and, in the Save As dialog, change the encoding from "Unicode" (the default) to "ANSI". Then run the command again.

certreq -submit -attrib "CertificateTemplate:xxxx" aaa.req bbb.cer

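Note: when issuing a certificate with certreq, you can specify the CA server by adding the -config parameter followed by the CA server name. When creating the new certificate template, the "Subject Name" setting must be changed to "Supply in the request". Otherwise the policy module denies the request because the DNS name is unavailable and cannot be added to the subject alternative name, and certreq reports: “没有颁发证书 (已拒绝) 被策略模块拒绝  DNS 名不可用,无法添加到使用者替换名称。 0x8009480f (-2146875377)”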


Reference material:

You cannot submit a certificate request generated by Exchange Management Console (EMC) or Exchange Management Shell (EMS) to Microsoft Certificate Services


Consider the following scenario. You create a certificate request by using either Exchange Management Console (EMC) or Exchange Management Shell (EMS) and save it to a file. When you attempt to submit the certificate request to a Windows-based Certification Authority (CA) (also known as Microsoft Certificate Services), you may receive an error message. If the CA server runs on Windows Server 2003 (R2) or Windows Server 2008, you receive the following message:


ASN1 bad tag value met. 0x8009310b (ASN: 267).

If the CA server runs on Windows Server 2008 R2, there is no response from the MMC console. If you are using the certreq.exe utility, you receive an error:

Contoso Pharmaceuticals Enrollment Policy
  {F29AC102-CDCD-4AA8-B1F5-761051FB52C5}
  https://cert.contoso.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
Certificate not issued (Incomplete)

The certificate request is neither issued, failed, nor pended.

Additional information: to generate the certificate request, follow the steps described in the Create a New Exchange Certificate TechNet article.

Aside note: the certificate request does not contain the certificate template information that is required for Enterprise CAs. To submit the request to an Enterprise CA, use the certreq.exe utility with the following syntax:

certreq -submit -attrib "CertificateTemplate:TemplateCommonName"

This command adds the certificate template information as an attribute.

CAUSE


This behavior occurs when the certificate request is stored in a file in Unicode encoding. Microsoft Certificate Services does not support Unicode-encoded request files. Only ANSI encoding is supported.

STATUS

Microsoft has confirmed this behavior as inconsistent. No bug fixes are available. See the Workaround section for example steps to overcome the issue.

WORKAROUND
  1. If you already have certificate request file, do the following:

    • Open Notepad program.

    • In the File menu, click Open.

    • In the Open File dialog, locate certificate request file.

    • In the File menu, click Save As… option.

    • Type a name for new request file. In the Encoding drop-down list, select ANSI.

    • Click Save to save the request.

    • Now you can resubmit the certificate request to Microsoft Certificate Services.


  2. If you are using Exchange Management Shell use the following guidance to save Base64-encoded certificate request to a file with proper encoding:

In the Exchange Management Shell console run New-ExchangeCertificate cmdlet with required parameters, save output to a variable and save output to a file with proper encoding:

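$OutputRequest = New-ExchangeCertificate <Specify and fill all required properties>
# Windows PowerShell's -Encoding parameter has no "ANSI" value; Ascii writes the Base64 text as single-byte characters without a byte-order mark
Set-Content -Path Path\ExchRequest.req -Value $OutputRequest -Encoding Ascii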

The default behavior for PowerShell Set-Content, Add-Content, Out-File and the redirection operator ">" is to save content in Unicode encoding. If the file already exists, the commands respect the existing file encoding. The default encoding can be changed by using the -Encoding parameter of the cmdlets.

Note: redirection operators do not support encoding change.
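The Notepad workaround above can be scripted. The following is an added example, not code from the original post or the referenced article: it identifies the request file's encoding from its first bytes, checks that the Base64 payload decodes to an ASN.1 SEQUENCE, and rewrites the file as single-byte ASCII. It goes beyond the Notepad "Unicode" case by also handling big-endian UTF-16 and UTF-8 with a byte-order mark. The function name Convert-RequestToAscii and the sample file names are hypothetical.

```powershell
# Added example (not from the original post). Convert-RequestToAscii is a hypothetical name.
function Convert-RequestToAscii {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Destination
    )
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $dest  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -lt 2) { throw "Request file is empty or truncated: $full" }

    # Pick the source encoding from the byte-order mark. UTF-16 text saved without
    # a BOM is recognised by the NUL high byte that follows its first character.
    if     ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { $enc = [System.Text.Encoding]::Unicode }
    elseif ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) { $enc = [System.Text.Encoding]::BigEndianUnicode }
    elseif ($bytes[1] -eq 0x00)                         { $enc = [System.Text.Encoding]::Unicode }
    elseif ($bytes[0] -eq 0x30) { throw "File is binary DER, not Base64 text: $full" }
    else                                                { $enc = [System.Text.Encoding]::UTF8 }

    # GetString keeps the BOM as U+FEFF, so trim it from the decoded text.
    $text = $enc.GetString($bytes).TrimStart([char]0xFEFF)

    # Drop the BEGIN/END lines and whitespace, then check that the payload is Base64
    # that decodes to an ASN.1 SEQUENCE (first byte 0x30), as a PKCS#10 request does.
    $b64 = ($text -replace '-----[^-]+-----', '') -replace '\s', ''
    try   { $der = [System.Convert]::FromBase64String($b64) }
    catch { throw "Payload is not valid Base64 when read as $($enc.WebName)." }
    if ($der.Length -eq 0 -or $der[0] -ne 0x30) {
        throw "Decoded payload does not start with an ASN.1 SEQUENCE tag."
    }

    # Write single-byte ASCII; this encoding emits no byte-order mark.
    [System.IO.File]::WriteAllText($dest, $text, [System.Text.Encoding]::ASCII)
    New-Object PSObject -Property @{
        SourceEncoding = $enc.WebName; DerBytes = $der.Length; Output = $dest
    }
}

# Constructed sample: a UTF-16 file whose payload is a 5-byte placeholder
# SEQUENCE, not a real request. File names are hypothetical.
$sample = "-----BEGIN NEW CERTIFICATE REQUEST-----`r`nMAMCAQA=`r`n" +
          "-----END NEW CERTIFICATE REQUEST-----`r`n"
$in  = Join-Path $env:TEMP 'sample-unicode.req'
$out = Join-Path $env:TEMP 'sample-ascii.req'
[System.IO.File]::WriteAllText($in, $sample, [System.Text.Encoding]::Unicode)
Convert-RequestToAscii -Path $in -Destination $out
```

The converted file can then be submitted with the certreq -submit command shown earlier on this page.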


APPLIES TO
  • Windows Server 2003 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2003 (x86 and x64) R2 Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2008 (x86 and x64) Standard, Enterprise and Datacenter editions, all service packs

  • Windows Server 2008 R2 Standard, Enterprise and Datacenter editions, all service packs

  • Active Directory Certificate Services

  • Microsoft Exchange Server 2007

  • Microsoft Exchange Server 2010


This article is reposted from lorysun's 51CTO blog. Original link: http://blog.51cto.com/lorysun/1287530
