During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.
After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:\%1_%3%4.req. I followed these steps to fix this issue:
- Start the Registry Editor
- Navigate to HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<CASanitizedName>
- Locate the Registry String RequestFileName
- Change the value from a:\%1_%3%4.req to C:\%1_%3%4.req
- Stop and Start the Certification Active Directory Certificate Services service
I was then able to create the Request File and submit it to the Offline Root CA to process it.
During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.
After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:\%1_%3%4.req. I followed these steps to fix this issue:
- Start the Registry Editor
- Navigate to HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<CASanitizedName>
- Locate the Registry String RequestFileName
- Change the value from a:\%1_%3%4.req to C:\%1_%3%4.req
- Stop and Start the Certification Active Directory Certificate Services service
I was then able to create the Request File and submit it to the Offline Root CA to process it.
During my work with a customer renewing their Issuing CA’s certificate based on the steps documented in this article, I discovered that the Request file generated couldn’t be located in the default location of %systemDrive% . The Issuing CA didn’t log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn’t find the file.
After some more research, I discovered that my customer changed the default location of the RequestFileName Registry Key during their installation to a drive that no longer exists on the CA. The location configured was a:%1_%3%4.req. I followed these steps to fix this issue:
- Start the Registry Editor
- Navigate to HKLMSystemCurrentControlSetServicesCertsvcConfiguration<CASanitizedName>
- Locate the Registry String RequestFileName
- Change the value from a:%1_%3%4.req to C:%1_%3%4.req
- Stop and Start the Certification Active Directory Certificate Services service
I was then able to create the Request File and submit it to the Offline Root CA to process it.
Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the settings in the Cryptography tab. Depending on the template duplicated, you may see that the default option is Request can use any provider available on the subject’s computer. However, the best practice is to select Requests must use one of the following providers. Then, ensure you configure only the providers that you want to be used. Another best practice is to use a key size of 1024 bits or higher.
More about this topic is on the TechNet Wiki http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx
Starting with Windows Vista and Windows Server 2008, the option to utilize Key Storage Providers (KSPs) in addition to Cryptographic Service Providers (CSPs) was added. These options are available when you create a Certificate Template and configure the settings in the Cryptography tab. Depending on the template duplicated, you may see that the default option is Request can use any provider available on the subject’s computer. However, the best practice is to select Requests must use one of the following providers. Then, ensure you configure only the providers that you want to be used. Another best practice is to use a key size of 1024 bits or higher.
More about this topic is on the TechNet Wiki http://social.technet.microsoft.com/wiki/contents/articles/10192.a-certificate-could-not-be-created-a-private-key-could-not-be-created.aspx
