All versions of Centrify DirectControl and Centrify DirectSecure
Question:
When attempting to enroll a certificate via adcert, the following output is seen:
- # ./adcert -e -n "XYZ Corporation Headquarters Certificate Authority" -s ca01.sub.xyz.com -t Computer
- Error while issuing a certificate for Computer: could not connect to CA [XYZ Corporation Headquarters Certificate Authority]: BSDSockets::connect - connection to ##.##.##.## failed.: No route to host
What does the error message "Error while issuing a certificate for Computer: could not connect to CA" mean?
Note: tcpdump shows that the local server does connect to the CA server and there are no ICMP messages prematurely closing the data connection.
Answer:
This message means there was a connection failure when trying to contact the Certificate Authority.
This can happen if:
- The server is not a Certificate server
- The certificate service is shut down or not running
- The RPC TCP endpoint is disabled
- The server in question is not running the certificate RPC service on the TCP port
To diagnose the issue, download the Microsoft Portqry tool and run:
- portqry -n <nmachine> -e 135
Check if the certificate service is running.
If the RPC mechanism is disabled on certsrv.exe, certificates cannot be received.
The RPC mechanism can be re-enabled via the following commands:
- C:\> certutil.exe -setreg ca\InterfaceFlags -0x8
- net stop certsvc
- net start certsvc
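
The checks above, gathered into one read-only PowerShell function to run on the CA server before changing anything. This is an added example, not Centrify's or Microsoft's code. The function name is hypothetical, and the registry location of InterfaceFlags and the availability of Test-NetConnection are assumptions not stated in the article.

```powershell
# Added example: read-only checks, run in an elevated PowerShell session on the CA server.
$NoRpcFlag = 0x8  # the bit the article clears with "certutil -setreg ca\InterfaceFlags -0x8"
# Assumption: standard AD CS configuration key (this path is not given in the article).
$CfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-CaRpcEnrollment {   # hypothetical helper name
    param([string]$CaHost = 'localhost')

    $r = [ordered]@{
        ServiceStatus       = 'NotInstalled'
        ActiveCA            = $null
        InterfaceFlags      = $null
        RpcRequestsDisabled = $null
        Port135Open         = $false
        Finding             = $null
    }

    # Not a certificate server, or the certificate service is stopped.
    $svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
    if ($svc) { $r.ServiceStatus = $svc.Status.ToString() }

    # RPC request interface disabled: bit 0x8 is set in the active CA's InterfaceFlags.
    if (Test-Path $CfgRoot) {
        $r.ActiveCA = (Get-ItemProperty -Path $CfgRoot).Active
        if ($r.ActiveCA) {
            $caKey = Join-Path $CfgRoot $r.ActiveCA
            $flags = (Get-ItemProperty -Path $caKey -ErrorAction SilentlyContinue).InterfaceFlags
            if ($null -ne $flags) {
                $r.InterfaceFlags      = '0x{0:X}' -f $flags
                $r.RpcRequestsDisabled = [bool]($flags -band $NoRpcFlag)
            }
        }
    }

    # RPC endpoint mapper: the same TCP port the portqry command tests.
    $probe = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
    $r.Port135Open = [bool]$probe.TcpTestSucceeded

    $r.Finding = if ($r.ServiceStatus -eq 'NotInstalled') { 'CertSvc is not installed on this host' }
        elseif ($r.ServiceStatus -ne 'Running') { 'CertSvc is installed but not running' }
        elseif ($r.RpcRequestsDisabled) { 'RPC requests disabled (InterfaceFlags bit 0x8 set)' }
        elseif (-not $r.Port135Open) { 'TCP 135 is not reachable' }
        else { 'No problem found by these checks' }

    [pscustomobject]$r
}

Test-CaRpcEnrollment | Format-List
```

If Finding reports that bit 0x8 is set, the certutil and net stop/start commands above clear it and restart the service.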