Renew Sub CA error

Hello,

We use an Offline Root CA and several Enterprise Sub CAs. Now we need to renew the Sub CA certificates. But if an administrator tries to renew the certificate via the msc, he receives an error. I try to translate it from German to English: You have not the right to request such a certificate.

Has anyone solved this problem?

Tom Noac
Berlin, Germany
 
Are the failing renewals happening on the renewing CA, or when you submit
the new certificate request to the parent CA?

Is the subordinate CA running Windows 2000 or Windows 2003?

Is the parent CA running Windows 2000 or Windows 2003?

How are you submitting the request -- or did you not get that far?

To install or renew an Enterprise CA, the user must be a local administrator
for the machine, and must also be an Enterprise and Domain Administrator.

The local machine is used to store the new certificate and private key, and
the certificate is also written to some DS objects under the Configuration
container in the root domain of the CA's forest.

If you are running as all three types of administrators, and you are still
seeing this error, please provide the log file from %windir%\certocm.log.

Thanks,

Vishal Agarwal [MSFT]


--
This posting is provided "AS IS" with no warranties, and confers no rights
 
Hello!

The error text in correct English is:

You do not have permission to request a certificate based on the selected certificate template.

The SubCA doesn't find the Offline Root CA. I believe the SubCA only searches Online CAs! I have no chance to use a request file.

All servers are Windows Server 2003.

I'm a Domain and an Enterprise admin.

Tom

----- Vishal Agarwal[MSFT] wrote: -----

Are the failing renewals happening on the renewing CA, or when you submit
the new certificate request to the parent CA?

Is the subordinate CA running Windows 2000 or Windows 2003?

Is the parent CA running Windows 2000 or Windows 2003?

How are you submitting the request -- or did you not get that far?

To install or renew an Enterprise CA, the user must be a local administrator
for the machine, and must also be an Enterprise and Domain Administrator.

The local machine is used to store the new certificate and private key, and
the certificate is also written to some DS objects under the Configuration
container in the root domain of the CA's forest.

If you are running as all three types of administrators, and you are still
seeing this error, please provide the log file from %windir%\certocm.log.

Thanks,

Vishal Agarwal [MSFT]


--
This posting is provided "AS IS" with no warranties, and confers no rights
 
How are you generating the renewal request for the CA?

In Help and Support, please look for "renew a subordinate certification
authority". You will find the below content. Please let us know if you
followed this procedure or if you are doing something different to generate
the renewal request.

Thanks,
Vishal Agarwal[MSFT]

To renew a subordinate certification authority

Using the Windows interface

1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click the name of the certification authority (CA).
   Where?
   a. Certification Authority (Computer)
   b. CA name
4. On the Action menu, point to All Tasks, and click Renew CA Certificate.
5. Do one of the following:
   a. If you want to generate a new public and private key pair for the
      certification authority's certificate, click Yes.
   b. If you want to reuse the current public and private key pair for the
      certification authority's certificate, click No.
6. Get the CA certificate from the parent CA. For more information, see
   Notes.

Notes

a. To open Certification Authority, click Start, click Control Panel,
   double-click Administrative Tools, and then double-click Certification
   Authority.
b. To obtain the certificate for a subordinate CA, you must submit a
   certificate request to a parent CA. The procedure for doing so differs
   depending on whether the parent CA is available online.

   a. If a parent CA is available online

      1. Click Send the request directly to a CA already on the network.
      2. In Computer Name, type the name of the computer on which the
         parent CA is installed.
      3. In Parent CA, click the name of the parent CA.

   b. If a parent CA is not available online

      1. Click Save the request to a file.
      2. In Request file, type the path and file name of the file that will
         store the request.
      3. Obtain this subordinate CA's certificate from the parent CA.

         The procedure for doing this will be unique to the parent CA. At a
         minimum, the parent CA should provide a file containing the
         subordinate CA's newly issued certificate and, preferably, its full
         certification path. For the procedure to submit a certificate
         request using a file to a Microsoft CA, see Related Topics.

         If you get a subordinate CA certificate that does not include the
         full certification path, the new subordinate CA you are installing
         must be able to build a valid CA chain when it starts. Thus you must
         install the parent CA's certificate in the Intermediate
         Certification Authorities certificate store of the computer (if the
         parent CA is not a root CA), as well as the certificates of any
         other intermediate CA in the chain, and you must install the
         certificate of the root CA in the chain into the Trusted Root
         Certification Authorities store. These certificates should be
         installed in the certificate store before you install the CA
         certificate on the subordinate CA you have just set up.

      4. Open Certification Authority.
      5. In the console tree, click the name of the CA.
         Where?
         a. Certification Authority (Computer)
         b. CA name
      6. On the Action menu, point to All Tasks, and then click Install CA
         Certificate.
      7. Locate the certificate file received from the parent certification
         authority, click this file, and then click Open.
Using a command line


--
This posting is provided "AS IS" with no warranties, and confers no rights
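
The chain-building requirement in the quoted Help text (root certificate in Trusted Root, any intermediates in Intermediate Certification Authorities, both before Install CA Certificate), written out with certutil as an added example that is not part of the thread or of the Help topic. The file paths are placeholders and `Invoke-Certutil` is a hypothetical helper; the certutil lines can also be typed unchanged at a cmd prompt.

```powershell
# Added example: run on the subordinate CA in an elevated session.
# All file paths below are placeholders (assumptions), not values from the thread.
$rootCert      = 'C:\transfer\OfflineRootCA.cer'   # offline root CA certificate
$intermediates = @()                               # other CA certs in the chain, if the parent is not the root
$newSubCaCert  = 'C:\transfer\SubCA-renewed.cer'   # certificate issued by the parent CA

# Hypothetical helper: run certutil and stop on the first non-zero exit code,
# so a failed store import never leads to a CA certificate install.
function Invoke-Certutil {
    param([Parameter(Mandatory)][string[]]$CertutilArgs)
    & certutil.exe @CertutilArgs
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($CertutilArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

foreach ($path in (@($rootCert, $newSubCaCert) + $intermediates)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing file: $path" }
}

# 1. Root certificate goes into Trusted Root Certification Authorities (store "Root").
Invoke-Certutil @('-addstore', '-f', 'Root', $rootCert)

# 2. Any intermediate goes into Intermediate Certification Authorities (store "CA").
foreach ($cert in $intermediates) {
    Invoke-Certutil @('-addstore', '-f', 'CA', $cert)
}

# 3. Check that the renewed certificate chains to the root before installing it.
#    This fails if the chain cannot be built or a revocation check cannot be
#    completed, for example when the offline root's CRL is not reachable from here.
Invoke-Certutil @('-verify', $newSubCaCert)

# 4. Install the renewed CA certificate, then restart Certificate Services.
Invoke-Certutil @('-installcert', $newSubCaCert)
Restart-Service -Name CertSvc
```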