Active Directory Certificate Services - Certificate enrollment process is stuck in MMC

Christopher Ehrit 1 Reputation point
2020-09-30T16:49:20.523+00:00

Good morning all,

When I request a certificate at my enterprise CA using MMC, the enrollment process keeps getting stuck at the progress bar shown in the picture below.

enrollment-stuck.jpg

I checked that the service is running and event logs show no warnings/errors (neither on the CA nor in CAPI2 logs on the client computer) for enrollment for affected users. I verified that the CA is available via certutil -ping -config and all green on PKIVIEW. I noticed that this behaviour does not occur all the time but noticeably often.

I also checked the solution attempt from https://community.spiceworks.com/topic/2168954-user-is-stuck-in-certificate-enrollment, but the permissions are absolutely correct (as sometimes the enrollment works and sometimes not) and restarting CertSrv service each time this happens is not a feasible solution to me.

Does anyone have an idea about the cause of the issue or suggestions where I could do additional research?

Thank you in advance.

Kind regards,

Chris

Windows Server Security

5 answers

  1. Hannah Xiong 6,276 Reputation points
    2020-10-01T02:57:53.827+00:00

    Hello Chris,

    Thank you so much for posting here.

    According to our description, this behavior does not occur all the time but often. Sometimes it works but sometimes not. Restarting CertSrv server could solve the issue, right? But it is not a feasible solution to us. We would like to figure out the cause of this issue.

    As per my understanding, it is a little hard to figure it out since it is not continuous behavior. Here is the discussion about this similar case, and we could kindly have a check whether it helps.

    https://social.technet.microsoft.com/Forums/ie/en-US/c29b8541-5563-451f-8d26-afce06689df8/pki-certificate-request-stuck-in-certificate-enrollment-requests?forum=winserversecurity

    For any question, please contact us. Thanks.

    Best regards,
    Hannah Xiong


  2. Christopher Ehrit 1 Reputation point
    2020-10-01T14:41:02.977+00:00

    Hello Hannah,

    It seems that restarting the services solves the issue temporarily, but it is hard to prove as the issue occurs so randomly.
    The second solution attempt in the link you sent is not really applicable to me, and I'll explain why.

    After more investigation I noticed that the certificate requests do indeed arrive in the pending requests view in the certification authority. They can be issued and the certificate can be exported properly, but on the client computer, I realized that the original request containing the private key is not listed in the Certificate Enrollment Requests in MMC. So I am not able to use the certificate with the private key on the requesting machine/user.

    I guess this is a consequence of the enrollment process not finalizing properly.

    Best regards,

    Chris
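
Added example (not part of the original thread, and not Microsoft's own tooling): a PowerShell check for the symptom described in the reply above. It compares an issued certificate's public key against the entries in the client's REQUEST stores, which back the Certificate Enrollment Requests node in MMC. `$IssuedCertPath` is a hypothetical path to the .cer file exported from the CA.

```powershell
# Added example: find the pending-request entry that belongs to an issued certificate.
# $IssuedCertPath is a hypothetical parameter: path to the .cer exported from the CA.
param(
    [Parameter(Mandatory)] [string] $IssuedCertPath
)

$path      = (Resolve-Path -Path $IssuedCertPath).Path
$issued    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$issuedKey = $issued.GetPublicKeyString()

# "Certificate Enrollment Requests" in the snap-in is the REQUEST store
# (per-user and per-machine). Reading the machine store may need elevation.
$stores = 'Cert:\CurrentUser\REQUEST', 'Cert:\LocalMachine\REQUEST'

$pending = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Store         = $store
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            Created       = $_.NotBefore
            HasPrivateKey = $_.HasPrivateKey
            MatchesIssued = ($_.GetPublicKeyString() -eq $issuedKey)
        }
    }
}

# Show every pending entry so stale or orphaned requests are visible too.
$pending | Format-Table -AutoSize | Out-String | Write-Output

$match = $pending |
    Where-Object { $_.MatchesIssued -and $_.HasPrivateKey } |
    Select-Object -First 1

if ($match) {
    Write-Output ("Matching request with private key found in {0} (thumbprint {1}); " +
                  "'certreq -accept' can bind the issued certificate to it." -f
                  $match.Store, $match.Thumbprint)
} else {
    Write-Output ("No REQUEST entry with a private key matches the issued certificate's " +
                  "public key: the request object was not persisted on this client.")
}
```

Running it once right after a hung enrollment and once after a successful one shows whether the client ever wrote the request object before the dialog stalled.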


  3. Christopher Ehrit 1 Reputation point
    2020-10-05T09:52:11.483+00:00

    Hi all,

    I made some further tests today. I enrolled for a certificate and the issue occurred again. I restarted the AD CS service while keeping the enrollment window open. The restart operation failed with error 1053 (example image below, because I took no screenshot myself). Starting the service worked properly and the client recognized the RPC server of the CA not being available anymore.

    I retried the enrollment immediately after and it finished without an issue. Therefore I assume the issue is related to a stuck/overloaded certificate service.

    Any idea to dig deeper into this service and find the root issue?

    Kind regards,

    Christopher Ehrit


  4. Christopher Ehrit 1 Reputation point
    2020-10-12T16:13:32.05+00:00

    Anyone else having ideas or recommendations?
    We are still facing this issue from time to time.


  5. Hannah Xiong 6,276 Reputation points
    2020-10-13T02:19:18.597+00:00

    Hello,

    Thank you so much for your kind reply.

    Since this issue is a little weird, it might be hard to find the root issue here. I will continue to search for this issue. If it is urgent, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    https://support.microsoft.com/en-in/hub/4343728/support-for-business

    As for the error 1053, here is the discussion. We could kindly have a check whether it helps.
    https://social.technet.microsoft.com/Forums/en-US/b146cc3b-09b1-48cc-b756-377369cc856b/error-1053-the-server-did-not-respond-to-the-start-or-control-request-in-a-timely-fashion?forum=win10itprohardware

    Besides, we would like to share with you the information about How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in. The discussion here might not be suitable for our issue. But we could kindly have a check whether it could give us some insights.

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/how-to-troubleshoot-certificate-enrollment-in-the-mmc/ba-p/394973

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

