Certificate Services - The certificate is not valid for the requested usage. Denied by Policy Module

Question

Thursday, January 15, 2015 8:33 AM

I'm having some trouble with issuing a certificate from a CA hosted on a Windows Server 2008 R2 server for a SAP system using the Web Server template. I'm attempting to use web interface to issue the certificate using a CSR request. 

If I check the Issued Certificates list, there are already quite a few certificates issued to other SAP systems where the Web Server template was used. 

However, the certificate can't be issued by the CA, and the error message in the web interface reads: The disposition message is "Denied by Policy Module".
If I look at the Event Viewer the error message is: Active Directory Certificate Services denied request 197 because The certificate is not valid for the requested usage. 0x800b0110 (-2146762480).  The request was for CN=sapdeg.(removed).net, OU=ABAP, O=(removed), C=DK.  Additional information: Denied by Policy Module

I have inherited the CA setup from a former colleague, so I'm afraid I'm not that familiar with the setup yet; please bear with me.

Any help will be greatly appreciated. 

All replies (6)

Thursday, January 15, 2015 9:10 AM ✅Answered

can you post the output of the following command:

certutil -dump path\requestfile.csr

put your actual path to a request file. You can mask private information.

Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.


Thursday, January 15, 2015 12:12 PM ✅Answered | 1 vote

I only speculate here, but your request contains a 1024-bit DSA public key. I am not sure if it is still supported, or whether it collides with your CA's settings. Would you be able to check the other, already issued, certificates in the CA database to see if they also show DSA public keys?

ondrej.


Thursday, January 15, 2015 12:45 PM ✅Answered | 1 vote

Agree with Ondrej, the problem is with the public key algorithm: DSA (Digital Signature Algorithm) is intended for digital signatures and does not allow key exchange operations, which are required for client/server authentication (because they use public keys to encrypt and exchange the session key).

Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.


Thursday, January 15, 2015 9:15 AM

The certutil -dump command returns the following:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=sapdeg.(removed).net
    OU=ABAP
    O=(removed)
    C=DK

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.10040.4.1 DSA
    Algorithm Parameters:
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
Request Attributes: 0
  0 attributes:
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.10040.4.3 sha1DSA
    Algorithm Parameters: NULL
Signature: UnusedBits=0
Signature matches Public Key
Key Id Hash(rfc-sha1): 17 af ba 9c d7 76 0d cf 09 ad b6 99 86 42 bf d1 91 36 87 24
Key Id Hash(sha1): d4 e5 76 d6 cb 04 cf b5 8b 8c 3a c6 d6 6b 16 0c 62 6a e5 2a
CertUtil: -dump command completed successfully.


Thursday, January 15, 2015 4:56 PM | 1 vote

Or more specifically, the Web Server template (v1) in 2008 sets a minimum key size of 2048, so this request would be denied.

Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
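
The check the policy module applied in this thread, as an added example that is not part of the discussion and not PSPKI or certutil code: a stdlib-only Python DER walker that reads the algorithm OID and key length from a CSR's SubjectPublicKeyInfo and applies the Web Server (v1) rule the replies describe (an RSA key of at least 2048 bits), so a request can be pre-flighted before it is submitted to the CA. The two sample keys are constructed for illustration (the DSA parameters are not real primes), and the small DER encoder exists only to build them.

```python
"""Pre-flight a CSR public key against the Web Server (v1) template rule from the thread:
key-exchange-capable algorithm (RSA) and a minimum of 2048 bits. Stdlib-only DER walker;
the sample keys at the bottom are constructed (not real keys, p is not prime)."""

OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA"}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length (e.g. 81 81, 82 01 1f)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):
    """(tag, value) for each element inside a constructed (SEQUENCE) value."""
    pos, out = 0, []
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid_str(raw):
    """Dotted OID from its DER content bytes, e.g. 2a 86 48 ce 38 04 01 -> 1.2.840.10040.4.1."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))

def spki_key_info(spki):
    """(algorithm name, key length in bits) from a DER SubjectPublicKeyInfo."""
    (_, alg), (_, bitstr) = _children(_tlv(spki)[1])
    (_, oid), (_, params) = _children(alg)
    name = OIDS.get(_oid_str(oid), "unknown")
    if name == "RSA":    # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }; bitstr[0] = unused bits
        return name, int.from_bytes(_children(_tlv(bitstr[1:])[1])[0][1], "big").bit_length()
    if name == "DSA":    # key size is the size of p, first INTEGER of Dss-Parms { p, q, g }
        return name, int.from_bytes(_children(params)[0][1], "big").bit_length()
    return name, 0

def template_verdict(spki, min_bits=2048, allowed=("RSA",)):
    """Mimic the policy module's decision for the template's key requirements."""
    name, bits = spki_key_info(spki)
    if name not in allowed or bits < min_bits:
        return f"denied: {name} {bits}-bit key, template needs {'/'.join(allowed)} >= {min_bits} bits"
    return f"ok: {name} {bits}-bit key"

# Minimal DER encoder, used only to build the constructed sample keys below.
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def _int(v):
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # leading 0x00 keeps it positive
def _oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a := a >> 7:
            chunks.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunks))
    return _der(0x06, out)

DSA_1024_SPKI = _der(0x30, _der(0x30, _oid("1.2.840.10040.4.1")          # constructed, like the thread's CSR
                 + _der(0x30, _int((1 << 1023) | 1) + _int((1 << 159) | 1) + _int(2)))
                 + _der(0x03, b"\x00" + _int((1 << 1023) | 5)))
RSA_2048_SPKI = _der(0x30, _der(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00")  # constructed
                 + _der(0x03, b"\x00" + _der(0x30, _int((1 << 2047) | 1) + _int(65537))))
```

Running `template_verdict(DSA_1024_SPKI)` reproduces the denial for a request like the one in the dump, while `template_verdict(RSA_2048_SPKI)` passes; a real CSR's SubjectPublicKeyInfo is the third element of its CertificationRequestInfo and can be fed to `spki_key_info` the same way.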


Friday, January 16, 2015 1:22 PM

Thank you very much for your responses, you were right on with DSA being the issue.