Hi there!
Here is an issue:
- There is only an Enterprise Root CA in the domain and it is installed on the DC.
- We are using an account which is a member of the Domain Admins, Enterprise Admins, and Administrators groups.
- Our account is explicitly granted Read, Issue and Manage Certificates, Manage CA and Request Certificates rights on the properties of the CA AND Read, Write, Enroll on the Domain Controllers template.
- Domain Controllers and ENTERPRISE DOMAIN CONTROLLERS have the Enroll right on the Domain Controllers template.
- The CA certificate and the Domain Controller certificates for the 2 DCs (one of which hosts our CA) have expired.
- Using our account we renewed the CA certificate keeping the same public and private key pair.
- CA seems to be OK (green checkmark).
- We are unable to:
  - "All Tasks\Request Certificate with New Key"
  - "All Tasks\Renew Certificate with New Key"
  - "All Tasks\Advanced Operations\Request new certificate with the same key"
  - "All Tasks\Advanced Operations\Renew this certificate with the same key"

  with the error "Access is denied. The certificate request could not be submitted to the certification authority" (Event IDs 13 and 16) or "You do not have permission to request certificates from this certification authority..."
- The CA is not checked and is greyed out.
- BUT we are able to request via "Right-click Certificates branch\All Tasks\Request New Certificate" (we have not finished it though).
Question:
Would you be so kind as to advise:
- Can we "Request new/Renew this certificate with the same key" if we right-click on the expired certificate without right-clicking the Certificates branch?
- Can we "Renew/Request Certificate with New Key" if we right-click on the expired certificate without right-clicking the Certificates branch?
Thank you very much in advance!