Problem with Certificate enrollment on Windows 8


Hello,

Our company uses certificates (for EFS, email encryption, etc.) and has the setting "Archive subject's encryption private key" enabled in the certificate template (on the Request Handling tab).

On Windows 7 laptops, certificates are enrolled and renewed without problems.
On Windows 8.1 laptops, we receive the error below when we try to enroll a new certificate or renew the current user certificate:

Error: The certificate is not valid for the requested usage. 0x800b0110 (-2146762480 CERT_E_WRONG_USAGE)

If we disable the "Archive subject's encryption private key" setting in the certificate template and then try to enroll a new certificate or renew the current user certificate, enrollment of user certificates completes on Windows 8.1.

Our certification authority is running on a Windows 2008 (SP2) server. The domain functional level is Windows Server 2003.

Help,

Regards,

Petr M.

This error can be due to a problem of the client in validating the CAExchange certificate that should be used to encrypt the key pair. This certificate has the extended key usage Private Key Archival set. If Windows 8.1 clients "see" a certificate chain associated with the CAExchange certificate that has a limitation on EKUs (for reasons to be determined), enrollment will fail.

Are you using a public CA in the certificate chain? (I have seen this error when the private key usage EKU was not permitted per the CA cert. properties set by the MS root program.)

Suggestion for a test:

  • Export the latest certificate for the template CAExchange from certsrv.msc / Issued Certificates to a .crt file.
  • On the Windows 8.1 client, double-click it - do you see the application policy 'Private Key Archival' on the General tab? (This should be done in the context of the user for whom enrollment fails.)

Elke
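
The test suggested in the reply above can also be run from PowerShell in the affected user's session. This is an added example, not part of the original thread: the file path is a placeholder, and skipping revocation checks is an assumption made so that only usage restrictions are reported.

```powershell
# Added example. $Path is a placeholder for the exported CAExchange .crt file.
param([string]$Path = 'C:\Temp\caexchange.crt')

$pkaOid = '1.3.6.1.4.1.311.21.5'   # Private Key Archival application policy
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# 1. Does the certificate itself list the Private Key Archival EKU?
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) {
    $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
}
"Subject : $($cert.Subject)"
"EKUs    : $($ekus -join ', ')"
"Private Key Archival EKU on certificate: $($ekus -contains $pkaOid)"

# 2. Does the chain, as this user sees it, permit that usage?
#    Restrictions on an intermediate or root certificate show up here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid $pkaOid))
# Assumption of this example: revocation is skipped to isolate usage errors.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($cert)
"Chain valid for Private Key Archival: $ok"

# 3. Per-certificate status, leaf first, root last.
foreach ($el in $chain.ChainElements) {
    $status = @($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}
```

A `NotValidForUsage` status on a chain element marks the certificate whose EKU restriction blocks the Private Key Archival usage for that user. Running the same script on a working Windows 7 client gives a baseline to compare against.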


