Can't issue cert to BES from 2008 DC/CA

Lifted

Diamond Member
Nov 30, 2004
I'm trying to generate a cert for BES 5 from a 2008 DC that is also acting as our cert authority. After generating a CSR for BES, I try to get a cert issued from the CA using the 'web server' template, and it is refused. The CA actually refuses the cert for all templates. This is the error from the event log, which is pretty much the same thing I see in the CA under Failed Requests.

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: 8/13/2010 6:57:00 PM
Event ID 53
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: DC/CA.corp.company.com
Description:
Active Directory Certificate Services denied request 53 because The certificate is not valid for the requested usage. 0x800b0110 (-2146762480). The request was for CN=server.corp.company.com, OU=IT, O=COMPANY NAME, L=New York, S=NY, C=US. Additional information: Denied by Policy Module.

I can't find anything online, and I don't know enough about Windows CAs to know what to look for from this point.
 
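An added example, not from this thread: 0x800B0110 is the code the Windows SDK names CERT_E_WRONG_USAGE, and "Denied by Policy Module" means the CA's default policy module compared the usage requested in the CSR against what the chosen template permits and rejected the mismatch. The PowerShell below shows the three things worth looking at side by side: the extensions the CSR actually asks for, what the template allows, and the denied rows in the CA database. The CSR path and the template name are assumptions; run it on the CA as a CA administrator.

```powershell
# Added example (not from the thread). Assumed inputs; adjust to your environment.
$CsrPath      = 'C:\temp\bes.csr'   # assumption: the PKCS#10 generated on the BES server
$TemplateName = 'WebServer'         # assumption: internal name of the 'Web Server' template

# 1. Decode the CSR and keep only the lines the policy module cares about:
#    key usage, enhanced key usage and basic constraints. A CSR that asks for
#    CA=TRUE or for an EKU the template does not carry is refused with 0x800B0110.
function Get-CsrRequestedUsage {
    param([Parameter(Mandatory)][string]$Path)
    $dump = certutil -dump $Path 2>&1 | Out-String
    $dump -split "`r?`n" | Where-Object {
        $_ -match 'Key Usage|Enhanced Key Usage|Basic Constraints|Server Authentication|Subject Type|CA='
    }
}

# 2. Show the usage the template itself defines (pulled from AD by certutil),
#    so the two lists can be compared directly.
function Get-TemplateUsage {
    param([Parameter(Mandatory)][string]$Name)
    certutil -v -template $Name 2>&1 |
        Select-String 'Key Usage|Enhanced Key Usage|pKIExtendedKeyUsage|Basic Constraints|Subject Type'
}

# 3. List every request the CA has denied, with the same disposition message
#    that appears in Event ID 53 (Disposition 30 = denied in the CA database).
function Get-DeniedRequests {
    certutil -view -restrict 'Disposition=30' `
        -out 'RequestID,RequesterName,CommonName,Request.DispositionMessage'
}

"=== Requested by CSR ===";       Get-CsrRequestedUsage -Path $CsrPath
"=== Allowed by template ===";    Get-TemplateUsage -Name $TemplateName
"=== Denied requests on CA ===";  Get-DeniedRequests
```

If the CSR's basic constraints or EKU do not fit the template, the fix is on the requesting side (regenerate the CSR with the usage the template permits) rather than loosening the template, which would change what every other enrollee can obtain.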

Genx87

Lifer
Apr 8, 2002
Wouldn't you need to add your local CA as a valid root authority on your BES server for it to come back as valid? I haven't played with the internal CA stuff. But when I add SSL certs to Exchange front ends I typically need to add in intermediate authorities and then the SSL cert.
 

Lifted

I did that. Don't know why you would need to do that with Exchange though since it's running on IIS.

Anyway, the issue was with BES/Tomcat. Their documented solution to the problem is to issue a Subordinate Certificate Authority cert, which works, but is clearly not ideal. The more I deal with RIM, the more I think they must have outsourced their entire dev team to a high school in India.
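An added example, not from this thread or from RIM's documentation: the workaround above puts a Subordinate CA certificate, private key included, on an application server, which means that host can now sign certificates your domain trusts. Whatever the reason for issuing it, that is worth knowing about, so this PowerShell audits the local machine store for CA certificates that have a private key present and reports their issuer and EKUs. The store path is an assumption (the default personal store); run it on the BES server or any server you suspect.

```powershell
# Added example (not from the thread). Finds certificates in the local machine
# store whose Basic Constraints say CA=TRUE and whose private key is on this host,
# i.e. certificates this server could use to sign further certificates.
function Find-LocalSigningCapableCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\My')  # assumption: default personal store

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $bc  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # Only report CA certificates for which this machine holds the private key.
        if ($bc -and $bc.CertificateAuthority -and $cert.HasPrivateKey) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                PathLength = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'none' }
                EKU        = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { 'any' }
            }
        }
    }
}

Find-LocalSigningCapableCerts | Format-Table -AutoSize
```

Any row this returns on a web or BES server is a signing key outside the CA; at minimum it should be inventoried, given a short lifetime, and revoked when the application no longer needs it. The same check can be run against 'Cert:\LocalMachine\CA' or other stores by passing a different StorePath.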