DOCUMENT:Q218802  06-AUG-2002  [exchange]
TITLE   :XADM: Can't Enroll Using X.509 V3 Certificates
PRODUCT :Microsoft Exchange
PROD/VER:winnt:5.5
OPER/SYS:
KEYWORDS:exc55

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Exchange Server, version 5.5
-------------------------------------------------------------------------------

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

   Q256986 Description of the Microsoft Windows Registry

SYMPTOMS
========

When Key Management (KM) Server administrators choose to issue X.509 v3 certificates (or issue both v1 and v3), they receive the following error message when they click OK on the dialog box that shows the certificate server to use:

   The KMS database had an error - c1031d9f

The following event is logged in the event viewer application log:

   Event ID: 5017
   Source: MSExchangeKMS
   Type: Error
   Category: none
   Description: KMS Admin \ failed to set the CertServer configuration.

CAUSE
=====

The organization name contains a special character such as a comma (,), underscore (_), and so on.

RESOLUTION
==========

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix.
For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

   http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this fix should have the following file attributes or later:

   Component: Setup Program

   +---------------------------+
   | File name   | Version     |
   +---------------------------+
   | Srvrmax.exe | 5.5.1960.10 |
   +---------------------------+
   | Srvrmin.exe | 5.5.1960.10 |
   +---------------------------+

After you obtain the fix, follow these steps to apply it:

1. Create a new folder on your hard disk, and then copy the contents of the Server\Setup\I386 folder from the Exchange Server 5.5 CD-ROM to this new folder.

2. Rename the Setup.exe file in the folder on the hard disk to Setup.old, and then rename the Srvrmax.exe or Srvrmin.exe file to Setup.exe. Note that the Srvrmax.exe file should be used for the Enterprise edition of Exchange Server 5.5 and the Srvrmin.exe file should be used for the Standard edition of Exchange Server 5.5.

3. Run Setup.exe from the folder on the hard disk.

4. When the installation process is finished, apply the latest service pack for Exchange Server 5.5, even if it was already applied previously.

For additional information about how to obtain the latest service pack for Exchange Server 5.5, click the article number below to view the article in the Microsoft Knowledge Base:

   Q191014 XGEN: How to Obtain the Latest Exchange Server 5.5 Service Pack

WORKAROUND
==========

WARNING: If you are using X.509 V1 certificates, the steps listed below remove the key history for all users.
If you have users who will still be using X.509 V1, do not run the steps below and please call Microsoft Product Support Services (PSS) and reference this article.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. From a command prompt, run net stop certsvc to stop the Certificate Authority Service.

2. Open the registry and change the value for the following key from "," to "!":

      HKEY_LOCAL_MACHINE\CurrentControlSet\Services\CertSrc\Configuration\\Subject Name Separator

   NOTE: The value should be punctuation characters only such as the comma (,), period (.), semicolon (;), or exclamation mark (!). The default is a comma (,). It also needs to be a punctuation mark that is not present in the organization name.

3. From a command prompt, run net stop msexchangekms to stop the KMS service.

4. Make a backup of the Kmsdata folder.

5. Delete all the files in the Kmsdata folder.

6. From a command prompt, change directory to point to the C:\Exchsrvr\Bin folder, and run the following command:

      "kmserver -I -X "c=us, o=\" \", ou=, cn=certificate authority"" (without the quotation marks)

   where is your KMS password, is your organization name, and is your site name.

7. Restart the services.

You should now be able to use X.509 V3 certificates.

STATUS
======

Microsoft has confirmed that this is a problem in Microsoft Exchange Server version 5.5.

Additional query words:

======================================================================
Keywords          : exc55
Technology        : kbExchangeSearch kbExchange550 kbZNotKeyword2
Version           : winnt:5.5
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2002.
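
The separator rule in step 2 of the WORKAROUND (a punctuation character that is not present in the organization name) can be checked before any service is stopped or any file is deleted. The following Python check is an added example, not part of the Microsoft article: the function names and the organization and site names are constructed, and the join-and-split model of how a separator collides with a name is a simplifying assumption, not Certificate Server's actual parsing.

```python
import string

# Separators the article names as examples of valid punctuation values.
PAGE_EXAMPLES = [",", ".", ";", "!"]


def is_valid_separator(sep, org_name):
    """Apply the article's two rules: punctuation, and absent from the organization name."""
    return len(sep) == 1 and sep in string.punctuation and sep not in org_name


def safe_separators(org_name, candidates=PAGE_EXAMPLES):
    """Return the candidates that satisfy both rules, in the given order."""
    return [c for c in candidates if is_valid_separator(c, org_name)]


def split_subject(components, sep):
    """Simplified model (assumption): join name components with sep, then split again.

    A part that comes back without '=' means the separator collided with
    a character inside one of the values.
    """
    joined = sep.join(components)
    parts = [p.strip() for p in joined.split(sep)]
    malformed = [p for p in parts if "=" not in p]
    return parts, malformed


def precheck(org_name, site_name, current_sep=","):
    """Report whether the current separator is usable and which alternatives are."""
    components = ["c=us", "o=" + org_name, "ou=" + site_name,
                  "cn=certificate authority"]
    _, malformed = split_subject(components, current_sep)
    return {
        "current_ok": is_valid_separator(current_sep, org_name) and not malformed,
        "malformed_parts": malformed,
        "alternatives": safe_separators(org_name),
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the article.
    print(precheck("Contoso, Inc.", "HQ"))
    print(precheck("Contoso, Inc.", "HQ", current_sep="!"))
```

For the constructed name "Contoso, Inc." both the default comma and the period are rejected, which is why the check should run against the real organization name before the registry value is changed.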