Applies To:
Venafi Trust Protection Platform 14.2 and above
Symptom:
When enrolling against a Microsoft CA, the certificate fails at stage 500 with the error:
"Verify CA certificate manager approval is required per the Issuance Requirements of the template."
In later releases, the message has changed slightly:
"Verify 'CA certificate manager' approval is required per the Issuance Requirements of the ADCS (MSCA) template."
Cause:
- This is caused by either the Microsoft CA or the certificate template not being configured for manager approval, specifically for certificates containing one or more Subject Alternative Names (SANs).
- This can also happen when the certificate has a SAN that it should not have. In that case, removing the SAN should also resolve the error.
- A third scenario is if you've selected the option "Automatically include CN as DNS SAN" on the CA Template object. (See KB# 115002696411)
Resolution:
The steps that follow must be taken on the Certificate Authority Server, not the Venafi TPP server. This change is made to the CA itself.
Option 1: Enable the CA certificate manager approval setting
- Launch the MMC and add the Certificate Authority Snap-in
- Right-click on the CA's name and select Properties.
- On the Policy Module tab, click the Properties button.
- Select Set the certificate request status to pending....
Option 2: Make the change to individual templates
- Launch the Certificates Manager MMC:
- Right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.
- On the Issuance Requirements tab, select CA certificate manager approval so that it is required for enrollment.
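As an added verification step (example code, not part of the original KB or of Venafi's own tooling), the following PowerShell script, run on the CA server, reads the two settings that Option 1 and Option 2 change: the policy module's RequestDisposition value and the msPKI-Enrollment-Flag bit on the template. The template name is a constructed placeholder; the interpretation of the RequestDisposition bits is an assumption noted in the comments.

```powershell
# Added example: confirm the manager-approval settings this KB describes.
# Run on the CA server. Template name below is a constructed placeholder.
param(
    [string]$TemplateName = 'VenafiWebServer'   # hypothetical template name
)

# msPKI-Enrollment-Flag bit that backs the Issuance Requirements checkbox
# "CA certificate manager approval".
$CT_FLAG_PEND_ALL_REQUESTS = 0x2

# --- Option 2: template-level check ----------------------------------------
# Templates live in the Configuration partition of Active Directory.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$tmpl = [ADSI]"LDAP://$dn"
if (-not $tmpl.Properties['distinguishedName'].Value) {
    throw "Template '$TemplateName' not found at $dn"
}
$enrollFlag = [int]$tmpl.Properties['msPKI-Enrollment-Flag'].Value
$templateRequiresApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

# --- Option 1: CA-level check ----------------------------------------------
# certutil prints the policy module's RequestDisposition with its symbolic
# flags. Assumption: the "set request status to pending" checkbox is
# reflected by the REQDISP_PENDINGFIRST bit (0x100); the raw output is shown
# so the reader can confirm against the flag names certutil prints.
$dispOut = & certutil -getreg policy\RequestDisposition 2>&1
$caPendsRequests = ($dispOut -match 'REQDISP_PENDINGFIRST').Count -gt 0

# --- Report ------------------------------------------------------------------
[pscustomobject]@{
    Template                    = $TemplateName
    'msPKI-Enrollment-Flag'     = ('0x{0:X}' -f $enrollFlag)
    TemplateRequiresApproval    = $templateRequiresApproval
    CAPendsAllRequests          = $caPendsRequests
} | Format-List
Write-Host "--- raw certutil output ---"
$dispOut | Write-Host

# Either setting being true satisfies the Issuance Requirements check that
# produces the stage 500 error; both false means neither option has been applied.
if (-not ($templateRequiresApproval -or $caPendsRequests)) {
    Write-Warning "Neither the CA nor template '$TemplateName' requires manager approval."
}
```

If the template check is true but the CA check is false, Option 2 is already in place for that template and the CA-wide setting is not needed.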