Monday, February 17, 2014

Generate a Certificate for Exchange 2010 using Microsoft PKI

If you create a certificate request for OWA (and the other client access services that share it) and intend to have it issued by a Microsoft enterprise PKI, you will run into a series of errors. Here is how to get past each one, in the order you will meet them.

After creating the request and attempting to submit it to the CA, you will first see this error message:

ASN1 bad tag value met. 0x8009310b (ASN: 267).

This happens because the request file is saved as Unicode by default, while a Windows Server 2008 R2 or older CA can only parse an ANSI-encoded request. To convert it, open the request in Notepad, choose "File->Save As" and change the Encoding to ANSI before saving. (If you write the request from PowerShell, saving it with -Encoding ASCII has the same effect.)



If you submit at this point, you will see:

The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the Certificate Template request attribute.

This is because a Microsoft enterprise CA will not process a request that does not name a certificate template. Force one onto the request (the built-in WebServer template works) with the following command. Note that the -attrib value takes the template's Name (WebServer), not its Display Name (Web Server):

certreq -submit -attrib "CertificateTemplate:WebServer" NameOfMyRequest.req

Select your CA in the dialog that appears. If the template is enabled on that CA, the request is issued. If not, you will receive the warning:

Certificate not issued (Denied) Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Web Server.

The requested certificate template is not supported by this CA. 0x80094800 (-2146875392)

To remediate this, create or enable the template you want and add it to the list of templates the CA issues. I created a custom Windows Server 2008 compatible copy of the Web Server template that allows the private key to be exported (needed for Web Application Proxy), and it worked well. For more information, see Section 4 of my article.

Update 2017: I have confirmed that this solution works for Exchange 2016 as well.

After saving the issued certificate from the CA, use either the Exchange Management Shell (Import-ExchangeCertificate, then Enable-ExchangeCertificate) or the management console to complete the pending request and assign it to services, and then enjoy your e-net i-mail over the hinterlandnet.
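The whole procedure above, run end to end from the Exchange Management Shell, as an added example (this is not code from the original post). It assumes the host names mail.corp.example and autodiscover.corp.example, a CA reachable as CA01.corp.example\Corp-Issuing-CA, the built-in WebServer template and the folder C:\certs; substitute your own. It writes the request as ASCII up front, checks the encoding and the CA's template list before submitting, and only completes the request if a .cer actually came back.

```powershell
# Added example, not part of the original post. All host, CA and path names are assumed.
$reqPath  = 'C:\certs\owa.req'
$cerPath  = 'C:\certs\owa.cer'
$caConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumed "CAhost\CA common name"
$template = 'WebServer'                           # template Name, not Display Name ("Web Server")

# 1. Generate the request (Exchange 2010/2013/2016 all accept these parameters).
#    -PrivateKeyExportable $true mirrors the custom template the post describes.
$req = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'OWA mail.corp.example' `
    -SubjectName 'C=US,O=Corp,CN=mail.corp.example' `
    -DomainName mail.corp.example,autodiscover.corp.example `
    -KeySize 2048 -PrivateKeyExportable $true

# 2. Save it as ASCII. A Unicode (UTF-16) request file is what produces
#    "ASN1 bad tag value met" on a 2008 R2 or older CA.
Set-Content -Path $reqPath -Value $req -Encoding Ascii

# Sanity check: a UTF-16 LE file begins with the BOM bytes FF FE; an ASCII PEM begins with "-----".
$head = [System.IO.File]::ReadAllBytes($reqPath)[0..1]
if ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) {
    throw "$reqPath is still UTF-16; re-save it as ANSI/ASCII"
}

# 3. Confirm the CA is configured to issue the template before submitting,
#    which is the condition behind 0x80094800 ("template ... not supported").
#    certutil -CATemplates lists one "Name: Display Name -- ..." line per template.
$offered = certutil -CATemplates -config $caConfig
if (-not ($offered -match "^${template}:")) {
    throw "Template '$template' is not enabled on $caConfig; add it under the CA's Certificate Templates folder"
}

# 4. Submit with the template attribute so the enterprise policy module accepts the
#    request (otherwise 0x80094801). -config names the CA and skips the picker dialog.
certreq -submit -attrib "CertificateTemplate:$template" -config $caConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) {
    throw "No certificate was returned. If certreq reported 'Taken Under Submission', approve the request on the CA and fetch it with: certreq -retrieve <RequestId> $cerPath"
}

# 5. Complete the pending request on the Exchange server and bind the certificate to IIS (OWA/EWS/ActiveSync).
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Verify what was installed and that the SANs and services are what you expect.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Thumbprint
```

Run it on the Exchange server that generated the request, since the private key lives in that machine's certificate store; if you need the certificate elsewhere (for example on a Web Application Proxy), export it afterwards with Export-ExchangeCertificate, which is why the template must allow an exportable private key.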

