Resolving Certreq Errors: Key Size and User Permissions

[Today's post is provided by Carol Bailey]

I've openly admitted that I don't find the command-line utility, Certreq.exe, the easiest of the Certificate Services methods to use when it comes to deploying certificates for Configuration Manager native mode.  But to some extent I made my peace with Certreq and started to recommend it when the later versions of Web enrollment no longer allowed installing certificates into the computer store.  I always recommend installing directly into the computer store rather than installing into the user store and then exporting the certificate - because apart from the extra admin overheads, this workaround requires that the private key is exportable, which is not advisable for security reasons.  Using Certreq.exe to request a certificate means that you can install directly into the computer store by using the parameter MachineKeySet = True.

Disclaimer:  The information in this blog post is external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product.

I'm passing on a couple of tips about the following Certreq errors that I know have puzzled some of our customers:

  • The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375) Denied by Policy Module.
  • The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422) Denied by Policy Module.

Error: The public key does not meet the minimum size required by the specified certificate template

You are likely to see a key size error with Certreq when you request the site server signing certificate (or any other certificate) for a server running Windows Server 2003 and request the certificate from a CA running Windows Server 2008.  This is because the default key size for Windows Server 2003 is 1024, and for Windows Server 2008 it is 2048.  So when the certificate template defaults to using a minimum key size of 2048 and you try requesting the certificate with the default size of 1024, it's going to fail with the error shown in the following picture:

Key Length Error Dialog

It's easy enough to correct this error.  Either change the Minimum key size value from 2048 to 1024 on the Request Handling tab of the certificate template properties, or request a certificate with the key size of 2048.  To tell Certreq to request a certificate with the larger key size, add the line KeyLength=2048 to the .inf file, within the [NewRequest] section.  For example, your .inf file for the site server signing certificate on a Windows Server 2003 computer might look like the following:

[NewRequest]
Subject = "CN=The site code of this site server is ABC"
MachineKeySet = True
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = ConfigMgrSiteServerSigningCertificate

You won't see this key length error if the requesting computer is also running Windows Server 2008, because both use the same default key length.  This is why the KeyLength line isn't included in the step-by-step example deployment for a Windows Server 2008 CA: the requesting computer in that example deployment is also running Windows Server 2008.  You could specify it, but there's no need to do so when the operating system versions match.

Error: The permissions on the certificate template do not allow the current user to enroll for this type of certificate

When you install certificates into the computer store and use auto-enrollment or manually request the certificate using the Certificates snap-in, the requesting computer account needs Read and Enroll permissions on the certificate template.  However, when you're using Certreq.exe to request certificates, even if they are computer certificates and use MachineKeySet = True, the requesting user needs Read and Enroll permissions on the certificate template.  When you use Certreq.exe, the computer permissions are not used at all.  This explains the rather perplexing error message you see with Certreq.exe on Windows Server 2008 (with a similar error on Windows Server 2003) when the computer has Read and Enroll permissions and you think the user permissions should not be used:

Certificate Template Permissions Error

When you realize that Certreq operates in the user context only, this error is easily corrected.  If you will only ever request a certificate with this certificate template using Certreq.exe, specify user permissions only.  However, if you might also use this certificate template with other certificate installation methods, specify both user permissions and computer permissions.
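As an added example (not code from the original post), the following PowerShell script applies both fixes described above in one run: it writes the .inf with KeyLength = 2048 and MachineKeySet = True, checks that the user running Certreq (not the computer account) holds Enroll on the template in Active Directory before generating the request, and confirms the key length from the generated request before submitting it to the CA.  The CA configuration string and the file paths are placeholders you need to change.

```powershell
# Added example, not from the original post. Run elevated on the site server.
# Assumptions: $CaConfig is a placeholder "CAHost\CA name"; paths under %TEMP% are arbitrary.
$Template = 'ConfigMgrSiteServerSigningCertificate'
$CaConfig = 'CA01.contoso.local\Contoso Issuing CA'   # placeholder
$Inf = "$env:TEMP\sitesigning.inf"
$Req = "$env:TEMP\sitesigning.req"
$Cer = "$env:TEMP\sitesigning.cer"

# The .inf from the post, with KeyLength = 2048 so a Windows Server 2003 requester
# satisfies a Windows Server 2008 template (avoids 0x80094811).
@"
[NewRequest]
Subject = "CN=The site code of this site server is ABC"
MachineKeySet = True
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $Inf -Encoding Ascii

# 1. Certreq runs in the user context, so check the *user's* Enroll right on the
#    template object in AD (Certificate-Enrollment extended right GUID below).
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmpl       = [ADSI]"LDAP://CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$me         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids     = @($me.User) + @($me.Groups)
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$rules      = $tmpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$userCanEnroll = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $enrollGuid -and
    $mySids -contains $_.IdentityReference
}
if (-not $userCanEnroll) {
    throw "$($me.Name) has no Enroll permission on $Template; Certreq will fail with 0x80094012 even if the computer account has Read and Enroll."
}

# 2. Generate the request, then read the key length back from the CSR itself.
certreq -new $Inf $Req | Out-Null
$keyLine = certutil -dump $Req | Select-String 'Public Key Length'
if ($keyLine -notmatch '2048') {
    throw "Request key length is not 2048 bits ($keyLine); the CA would reject it with 0x80094811."
}

# 3. Submit to the CA and install the issued certificate into the computer store.
certreq -submit -config $CaConfig $Req $Cer
certreq -accept $Cer
```

The ACL check only looks for an explicit Allow Enroll entry granted to the user or one of the user's groups; a template that grants only the computer account will correctly trip the warning, which is exactly the situation the error above describes.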

More Information about Certreq

The following Certificate Services documentation has additional information and examples for using Certreq.exe:

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.

  • Carol Bailey hits another home run with her post yesterday on resolving a couple of Certreq errors involving

  • Every time I try to complete a certificate request, a landslide of errors come at me, and they're never the same errors.

    Windows Server Certificate Authority difficulties are easily the highest cause of profanity in my office, on any given day of any month, of any year.  I can do what I need to do here on Linux in about 6 seconds, AND still be just as secure as I am now.

    I'm having the second problem you mentioned, and nothing I've found is working, including your solution.  Thank you for taking the time to document this; I'm sure it's helped many people, but Windows CA troubles have me wanting to become a farmer and leave technology behind forever.  This product has really soured me.  I hate it.  HATE.

  • I want to be a farmer too.  Using the Certificates snap-in, I still get the silly "the permissions on the certificate template do not allow the current user to enroll", which is silly, since the snap-in checks the permissions before it displays the available templates.  Other locations on the net point out that you can't give certificate permissions to Domain Local groups, but using global groups doesn't seem to help.  Why oh why did I pick this field?