.png)
最近,我们注意到我们的 DMZ 服务器的事件日志中每天都会出现以下错误:
CertificateServicesClient-CertEnroll EventID 82
Certificate enrollment for Local system failed in authentication to all urls for enrollment
server associated with policy id: {00B9F3A7-...-50628BC5AE7E} (The RPC server is
unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)). Failed to enroll for
template: Machine
CertificateServicesClient-CertEnroll EventID 13
Certificate enrollment for Local system failed to enroll for a Machine certificate with
request ID N/A from NY-CA01.company.com\Company Internal Root CA (d0 7a ... f3 e4 70).
CertificateServicesClient-AutoEnrollment EventID 6
Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is
unavailable.
我怀疑是防火墙的问题,并尝试使用证书实用程序工具来验证与证书颁发机构的连接,但是在运行-TCAInfo 命令时我收到以下错误消息:
PS C:\windows\system32> certutil -tcainfo
================================================================
CA Name: Company Internal Root CA
Machine Name: NY-CA01.Company.com
DS Location: CN=Company Internal Root CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Company,DC=com
Cert DN: CN=CompanyInternal Root CA, DC=Company, DC=com
RegConnectRegistry/RegOpenKeyEx: The network path was not found. 0x80070035 (WIN32: 53 ERROR_BAD_NETPATH)
CA Registry Validity Period: ? ???
NotAfter: 10/11/2031 7:05 PM
Connecting to NY-CA01.Company.com\Company Internal Root CA ...
Server "Company Internal Root CA" ICertRequest2 interface is alive (47ms)
...
================================================================
NY-CA01.Company.com\Company Internal Root CA:
Enterprise Root CA
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800
b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
Online
它似乎认为 CA 处于在线状态,但找不到网络路径。错误和CA 注册有效期: ? ???未知。
我确认了https://ny-ca01.company.com/certsrv/可以从 DMZ 服务器访问,那么更新证书还需要哪些其他端口?