
KB-1623: What does the error message "Error while issuing a certificate for Computer: could not connect to CA" mean?

Centrify DirectAudit, Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April,16 at 11:19 AM

Applies to: All versions of Centrify DirectControl and Centrify DirectSecure

Question:

When attempting to enroll a certificate via adcert, the following output is seen:
  • # ./adcert -e -n "XYZ Corporation Headquarters Certificate Authority" -s ca01.sub.xyz.com  -t Computer
  • Error while issuing a certificate for Computer: could not connect to CA [XYZ Corporation Headquarters Certificate Authority]: BSDSockets::connect - connection to ##.##.##.## failed.: No route to host
What does the error message "Error while issuing a certificate for Computer: could not connect to CA" mean?

Note: tcpdump shows that the local server connects to the CA server too and there are no ICMP messages prematurely closing the data connection.


Answer:

This message means there was a connection failure when trying to contact the Certificate Authority.

This can happen if:
  • The server is not a Certificate server
  • The certificate service is shut down or not running
  • The RPC TCP endpoint is disabled
  • The server in question is not running the certificate RPC service on the TCP port

To diagnose the issue, download the Microsoft Portqry tool and run:
  • portqry -n <nmachine> -e 135
Check if the certificate service is running.

If the RPC mechanism is disabled on certsrv.exe, certificates cannot be received. 
The RPC mechanism can be re-enabled via the following commands:
  • certutil.exe -setreg ca\InterfaceFlags -0x8
  • net stop certsvc
  • net start certsvc
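
The checks above can be run together on the CA server before changing anything. The following script is an added example, not part of the original article or of any Centrify tooling. It assumes an elevated PowerShell session on the CA itself, a Windows version that provides Test-NetConnection, and the standard AD CS registry location for the CA configuration; IF_NORPCICERTREQUEST is Microsoft's name for the 0x8 bit that the certutil command above clears.

```powershell
# Added example: read-only diagnosis, run in an elevated PowerShell session on the CA server.
$ErrorActionPreference = 'Stop'
$IF_NORPCICERTREQUEST = 0x8   # InterfaceFlags bit that disables RPC certificate requests

# 1. Is Certificate Services installed and running on this server?
$svc = Get-Service -Name certsvc -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'certsvc is not installed: this server is not a Certificate server.'
    return
}
Write-Output "certsvc status: $($svc.Status)"

# 2. Is the RPC request interface disabled in the active CA's configuration?
#    (Assumed standard AD CS registry location; 'Active' holds the CA name.)
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -LiteralPath $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName
$flags   = (Get-ItemProperty -LiteralPath $caKey -Name InterfaceFlags).InterfaceFlags
$rpcDisabled = ($flags -band $IF_NORPCICERTREQUEST) -ne 0
Write-Output ("InterfaceFlags for '{0}': 0x{1:X}" -f $caName, $flags)
Write-Output "RPC certificate requests disabled (0x8 set): $rpcDisabled"

# 3. Is the RPC endpoint mapper listening on TCP 135 (the port portqry checks)?
$tcp = Test-NetConnection -ComputerName localhost -Port 135 -WarningAction SilentlyContinue
Write-Output "TCP 135 reachable locally: $($tcp.TcpTestSucceeded)"

# Summary: map the findings to the causes listed in this article.
if ($svc.Status -ne 'Running') {
    Write-Output 'Finding: the certificate service is not running.'
}
if ($rpcDisabled) {
    Write-Output 'Finding: RPC is disabled on the CA; clear the 0x8 flag and restart certsvc.'
}
if (-not $tcp.TcpTestSucceeded) {
    Write-Output 'Finding: the RPC TCP endpoint on port 135 is not accepting connections.'
}
```

A local success on port 135 does not rule out filtering between the enrolling host and the CA, so the portqry check from the client side is still needed.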
