Saturday, June 13, 2015

Unable to renew certificate via internal Microsoft certificate authority

I encountered this issue while trying to renew an SSL certificate for Lync 2013. In the Lync console, when I want to renew the certificate, a generic certificate renewal wizard pops up and attempts to communicate with my internal certificate authority. Then this screen appears:



Requesting server's operating system:
  • Windows 2012 R2 
Certificate authority's operating system:
  • Windows 2003 R2 32 bit
Certificate type
  • Web Server SSL certificate
Error message:
  • The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate.

This sounds like a permission issue, so I immediately went to poke around my CA's settings to see what I could find. I found the certificate template, but when I viewed the properties of the "Web Server" template from the CA console there were no options to change. To make modifications you have to open the certificate template management console: right-click on "Certificate Templates" and select "Manage".



View the properties of the "Web Server" template, since this is the type of certificate my application is requesting.



I saw this in the security permissions tab:



It seems that my Domain Admins group already has full access rights. Since I'm using a domain administrator account to renew the certificate, something else must be missing. I noticed that Authenticated Users only has the "Read" permission and not "Enroll".



So what I did was grant Authenticated Users the "Enroll" permission, and the certificate renewal immediately went through without a hitch.

Out of curiosity, I removed the Enroll permission from Authenticated Users and instead added the computer account of the server whose certificate I'm trying to renew. I did another renewal and it went through as well. Conclusion: certificate renewal also works when the requesting server's computer account is granted the Enroll permission.

To add the computer account, click on the add button in the security tab.
Click on the "object types" button and make sure to include computer objects.



Type in the full computer name of the requesting server (not the CA name) and click OK. Check the Allow box for Read, Write and Enroll, and there will be no more certificate renewal issues in future for that particular server. This is a slightly more secure setup than granting all Authenticated Users (i.e. every account in the domain) permission to enroll for certificates from this template.
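The same audit and change can be done from PowerShell instead of the Certificate Templates console, which is handy for checking who can enroll from a template before and after a change like the two described above (the broad Authenticated Users grant, and the narrower per-computer grant). The script below is an added example, not code from the original post. It assumes a domain-joined management host with the ActiveDirectory RSAT module, an account allowed to read and modify the template object in the Configuration partition, the built-in template whose CN is "WebServer" (display name "Web Server"), and a placeholder computer name "LYNC01" for the requesting server; the function names are my own.

```powershell
# Added example (not from the original post): audit and adjust the "Enroll"
# permission on a certificate template via the AD Configuration partition.
# Assumptions: ActiveDirectory RSAT module available; caller may modify the
# template object; template CN 'WebServer'; 'LYNC01' is a placeholder name.
Import-Module ActiveDirectory

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll").
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AdRights        = [System.DirectoryServices.ActiveDirectoryRights]

function Get-CertTemplatePath {
    param([Parameter(Mandatory)][string]$TemplateName)
    # Templates live under Public Key Services in the forest Configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    "AD:\CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
}

function Get-CertTemplateEnrollers {
    # Lists every principal allowed to enroll from the template and flags broad
    # groups: Authenticated Users with Enroll means any domain account can
    # obtain a certificate from this template.
    param([Parameter(Mandatory)][string]$TemplateName)
    $broadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'
    $acl = Get-Acl -Path (Get-CertTemplatePath $TemplateName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # Enroll is granted by an ExtendedRight ACE naming the Enroll GUID (or the
        # empty GUID, meaning all extended rights), or by Full Control (GenericAll).
        $hasExtended = ($rights -band $AdRights::ExtendedRight) -ne 0
        $matchesGuid = ($ace.ObjectType -eq $EnrollRightGuid) -or ($ace.ObjectType -eq [Guid]::Empty)
        $hasFull     = ($rights -band $AdRights::GenericAll) -eq $AdRights::GenericAll
        if (($hasExtended -and $matchesGuid) -or $hasFull) {
            $name = $ace.IdentityReference.Value          # e.g. 'NT AUTHORITY\Authenticated Users'
            [pscustomobject]@{
                Template  = $TemplateName
                Principal = $name
                Broad     = $broadGroups -contains $name.Split('\')[-1]
            }
        }
    }
}

function Grant-CertTemplateEnroll {
    # Grants Read + Enroll (and nothing else) to a single computer account,
    # the narrower alternative described at the end of the post.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $path  = Get-CertTemplatePath $TemplateName
    $sid   = (Get-ADComputer -Identity $ComputerName).SID   # resolves DOMAIN\HOST$
    $acl   = Get-Acl -Path $path
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $read   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList @($sid, $AdRights::GenericRead, $allow)
    $enroll = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList @($sid, $AdRights::ExtendedRight, $allow, $EnrollRightGuid)
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($enroll)
    if ($PSCmdlet.ShouldProcess($path, "Grant Read and Enroll to $ComputerName`$")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage: audit first, then grant to the one server (drop -WhatIf to apply).
Get-CertTemplateEnrollers -TemplateName 'WebServer' | Format-Table -AutoSize
Grant-CertTemplateEnroll -TemplateName 'WebServer' -ComputerName 'LYNC01' -WhatIf
```

The audit output shows one row per principal holding Enroll, with Broad set to True for groups such as Authenticated Users, which is exactly the state the first fix above leaves behind. The grant function deliberately adds only Read and Enroll: Enroll is all the requesting server needs, and Write on the template would let that computer account change the template definition itself. After changing the ACL, allow for AD replication and the CA's template cache before retrying the renewal.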
