Follow

MSCA Fails to Issue a Certificate: Denied by Policy Module

Error:

When attempting to configure a certificate to issue from a certificate from a Microsoft CA, you are "denied by policy module".

Symptom:

When configuring your Microsoft Certificate Authority (MSCA) to issue a specific certificate template, you receive failure when testing issuance of the template. When you click on the Failed icon, Venafi as a Service displays a message stating: "Microsoft ADCS denied the certificate request. This is often do a malformed CSR or other incorrect input. Microsoft ADCS responded with Denied by Policy Module"

MSCADeniedByPolicy01.png

Cause:

The certificate template is configured to set the subject name using the Build from this Active Directory information option rather than Supply in the request.

MSCADeniedByPolicy02.png

Resolution:

Either create a new template with the proper settings for use by Venafi as a Service or set the certificate template Subject Name option to "Supply in the request".

MSCADeniedByPolicy03.png

After making the change, click "Test Again". Assuming the permissions are correct on the template (VaaS service account is granted read and enroll on the template), the issuance test result should change state to Passed.

MSCADeniedByPolicy04.png

 

Was this article helpful?
0 out of 0 found this helpful

Comments