Applies to:
Microsoft Certificate Authority and Venafi Trust Protection Platform 15.1 through 17.1
Update (November 15, 2017):
In Venafi Trust Protection Platform 17.2, it was updated so that the Microsoft Certificate Authority enrollment driver could support the issuance of intermediate root certificates.
See: https://support.venafi.com/hc/en-us/articles/115000336572
Summary:
When enrolling against a Microsoft CA in Venafi, the error of "RetrieveCertificate failed with error: No End Entity certificate found" at stage 700.
More Info:
The error is due to using a CA template on the CA that has the Key Usage of "Certificate signing" configured. That Key Usage signifies that a certificate has the capability of signing other certificates, or in other words, a subordinate CA. Typically the creation of CA certificates, for security reasons, can't be an automated process and has to undergo a signing ceremony of sorts. The issuance and renewal of these special kinds of certificates are not the kind that the Venafi Trust Protection Platform is intended for.
Resolution:
If need be, you can download the certificate directly from the MSCA, and import it manually into Venafi Trust Protection Platform.
Comments