I have followed the Microsoft test lab instructions for setting up a two-tier CA hierarchy. I have the Certificate Enrollment Policy Web Service (CEP) installed on the same machine as the issuing Certificate Authority (CA), and the Certificate Enrollment Web Service (CES) installed on a separate machine. All three of those are in the same domain: a.local.
I have serverB1 in another domain b.local which has received a server certificate. The instructions told me to simulate a certificate renewal by running the following two commands:
1. certutil -f -policyserver * -policycache delete
Output:
Cache Directory: C:\ProgramData\Microsoft\Windows\X509Enrollment
Name: SSL-TLS Server Certificates (Default)
Id: {B85DA5F6-850F-4C44-A80C-F60747D4DD77}
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
Cache file exists: 48b23e1bb48a2bf09ce15b2526ef67eb32fe1251
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeyBasedRenewal_ADPolicyProvider_CEP_Certificate/service.svc/CEP
LastUpdate 2/18/2022 4:36 PM
Deleting cache entry!
Orphaned Cache file:
Cache file exists: 83b7376cb9815a475c54a66bd64eb8bfd31d6005
1662 (5730) Bytes
Url: https://IssuingCA.a.local/KeybasedRenewal_ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
LastUpdate 2/18/2022 1:38 PM
Deleting cache entry!
CertUtil: -PolicyCache command completed successfully.
2. certreq -machine -q -enroll -cert <thumbprint> renew
(of course with the correct thumbprint substituted). Output:
https://ces1.a.local/IssuingCA_CES_Certificate/service.svc/CES
The certificate request could not be submitted to the certification authority.
Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
Certificate Request Processor: Access was denied by the remote endpoint. 0x803d0005 (-2143485947 WS_E_ENDPOINT_ACCESS_DENIED)
The Application Pool on CES is delegated to a user a\ces. The CEP was just using the default application pool identity. I also tried changing that to a\ces (and creating the corresponding SPN), but that didn't make any difference. I'm changing that back.
Any ideas what is going wrong here? I'm very new to all of this. Just following instructions.
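The following is an added read-only diagnostic script, not part of the question above and not from Microsoft's test lab guide. It collects the facts a practitioner would compare when a CES endpoint answers WS_E_ENDPOINT_ACCESS_DENIED: on the CES host, which identity the application pool runs as, which IIS authentication schemes the CES application requires, and which SPNs are registered for the service account; on the renewing client, the state of the certificate being renewed and the enrollment policy cache; and, where the ActiveDirectory module is available, whether the service account is allowed to delegate and to what. The CES host name, application path and the a\ces account come from the post; the IIS site name "Default Web Site" and the $Thumbprint placeholder are assumptions to be replaced.

```powershell
# Added diagnostic script (not from the original post). It reads configuration only.
# Values marked "from the post" are taken from the question; the others are assumptions.
param(
    [string]$CesHost        = 'ces1.a.local',                 # from the post (CES URL)
    [string]$CesAppPath     = '/IssuingCA_CES_Certificate',   # from the post (CES URL)
    [string]$SiteName       = 'Default Web Site',             # assumption
    [string]$ServiceAccount = 'a\ces',                        # from the post
    [string]$Thumbprint     = '<thumbprint>'                  # placeholder: thumbprint of the cert being renewed
)

# --- Run on the CES host: who answers the endpoint and what IIS demands of the caller
function Get-CesServerFacts {
    Import-Module WebAdministration -ErrorAction Stop
    $app = Get-WebApplication -Site $SiteName | Where-Object { $_.path -eq $CesAppPath }
    if (-not $app) { throw "No IIS application at $SiteName$CesAppPath" }

    $pool = Get-Item "IIS:\AppPools\$($app.applicationPool)"
    $identity = if ($pool.processModel.identityType -eq 'SpecificUser') {
        $pool.processModel.userName          # a domain account such as a\ces
    } else {
        $pool.processModel.identityType      # e.g. ApplicationPoolIdentity
    }

    # Which authentication schemes are enabled on the CES application itself
    $psPath = "IIS:\Sites\$SiteName$CesAppPath"
    $auth = foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication',
                                'clientCertificateMappingAuthentication') {
        $enabled = (Get-WebConfigurationProperty -PSPath $psPath `
            -Filter "system.webServer/security/authentication/$scheme" -Name enabled).Value
        '{0}={1}' -f $scheme, $enabled
    }

    # setspn -L prints the SPNs registered to the account; Kerberos clients that reach
    # this host by name look for an HTTP/<hostname> entry among them
    $spns = (& setspn.exe -L $ServiceAccount) | Where-Object { $_ -match '^\s+\S' } |
        ForEach-Object { $_.Trim() }

    [pscustomobject]@{
        AppPool = $app.applicationPool
        RunsAs  = $identity
        IisAuth = $auth -join '; '
        SPNs    = $spns -join ', '
    }
}

# --- Run on serverB1: the certificate certreq is asked to renew, and the policy cache it consults
function Get-ClientRenewalFacts {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the template
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Template      = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
        # Without 'delete', -policycache only lists the cached enrollment policy entries
        PolicyCache   = (& certutil.exe -policyserver * -policycache) -join "`n"
        CesReachable  = (Test-NetConnection -ComputerName $CesHost -Port 443).TcpTestSucceeded
    }
}

# --- Run where the ActiveDirectory module is installed: delegation settings of the service account
function Get-ServiceAccountFacts {
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam = $ServiceAccount.Split('\')[-1]
    Get-ADUser -Identity $sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalName |
        Select-Object SamAccountName, TrustedForDelegation,
            @{ n = 'ConstrainedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } },
            @{ n = 'SPNs';          e = { $_.ServicePrincipalName -join ', ' } }
}

# Pick the checks that make sense on the machine the script is run on
if ($env:COMPUTERNAME -ieq $CesHost.Split('.')[0]) {
    Get-CesServerFacts | Format-List
} else {
    Get-ClientRenewalFacts | Format-List
}
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ServiceAccountFacts | Format-List
}
```

Run it once on ces1.a.local and once on serverB1, then read the three outputs side by side: the identity IIS actually runs the CES application under, the authentication the application requires of the caller, the SPNs and delegation settings of that account in AD, and what the client holds (a certificate with a usable private key and a policy cache pointing at the expected CEP URL). A mismatch between any of these is the kind of thing that surfaces as an access-denied answer from the endpoint rather than as a certificate error.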