Unable to request certificate on Windows XP from your own CA (Certificate Authority)

If you’re installing a new Certificate Authority based on Windows Server 2008 or Windows Server 2008 R2, you might encounter a problem where your computers running Windows XP aren’t able to request or auto-enroll a certificate from your CA. When you try to manually request the certificate, you get an error saying:

“Unable to complete the request”, “Cannot find the requested object.” A similar message can be found in the Event Viewer.

If you look at your CA server, you can see that a certificate has been issued (probably many, many times, as the computer requests it over and over again because it cannot get the certificate).

You can verify that you don’t have the object by opening an MMC -> Add the Certificates snap-in -> select Local Computer, Computer account -> expand Personal Certificates and see that it is not there.

This is because the newer versions of Windows Server issue certificates based on the SHA512RSA algorithm, which is not supported by Windows XP by default. To use those, you have to make sure that SP3 and the hotfix (see link below) are installed.
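To confirm which signature algorithm your CA is actually using, you can inspect a certificate it has already issued on a machine that did receive one. The following is an added example, not part of the original post: the function name `Get-ChainSignatureAlgorithm` and the `Sha2Signed` column are made up for illustration, and listing sha256RSA and sha384RSA alongside SHA512RSA is an assumption (the post only names SHA512RSA).

```powershell
# Added example (not from the original post). Run it on a machine that already
# holds a certificate from the CA, e.g. a newer client or the CA server itself.

# OIDs of the SHA-2 based RSA signature algorithms.
$Sha2RsaOids = @{
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
}

function Get-ChainSignatureAlgorithm {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Only the chain members matter here, so skip revocation lookups (works offline).
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        # Build() may return $false for an untrusted chain; the elements it
        # found are still listed, which is all this report needs.
        [void]$chain.Build($Certificate)

        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            $oid  = $cert.SignatureAlgorithm.Value
            New-Object PSObject -Property @{
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                Oid                = $oid
                # True when the certificate is signed with a SHA-2 RSA algorithm.
                Sha2Signed         = $Sha2RsaOids.ContainsKey($oid)
            }
        }
    }
}

# Report on every certificate in the Local Computer "Personal" store,
# including the CA certificates in each chain.
Get-ChildItem Cert:\LocalMachine\My | Get-ChainSignatureAlgorithm |
    Select-Object Subject, SignatureAlgorithm, Oid, Sha2Signed |
    Format-Table -AutoSize
```

A row showing sha512RSA with `Sha2Signed` set to True, for either the computer certificate or a CA certificate above it, matches the situation described here.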

 

I encountered this when enrolling certificate-based wireless security using 802.1x EAP enrolled through Group Policy (GPO).

This link provides information about a hotfix that enables Windows XP computers to request (and auto-enroll) the new computer certificates (SHA512RSA) provided by Windows Server 2008:

http://support.microsoft.com/kb/968730
