When requesting a certificate via Netscape or Firefox the CA refused to issue the certificate with a warning 53 from CertSvc. The problem is described in the Windows Server 2003 PKI Operations Guide: "The following configuration change must be made to a Windows Server 2003 CA to permit Netscape 6.2.2 and later browsers to perform enrollment through the Web enrollment pages. To enable the parsing of request attributes for subject information, which is required for Netscape browser enrollment, use the following command:
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT". This helped me to resolve the problem. See the link to "Windows Server 2003 PKI Operations Guide" to read the article.
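The following PowerShell script is an added example, not code from the comment above or from the PKI Operations Guide. It reads the active CA's CRLFlags value from the registry, reports whether CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT is already set, and only then runs the certutil command quoted above. It assumes it runs on the CA host in an elevated session; the bit value 0x00010000 is taken from the Certificate Services header definitions, and the registry locations are the standard CertSvc configuration keys.

```powershell
# Added example (not from the original comment or the Operations Guide):
# check the active CA's CRLFlags for CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
# before changing anything. Run on the CA host in an elevated PowerShell.
function Test-RequestAttributeSubjectFlag {
    # Bit value of CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT (certsrv.h): 0x00010000
    $Flag = 0x10000

    # CertSvc records the active CA name under ...\Configuration\Active and
    # keeps the per-CA settings, including CRLFlags, in a subkey of that name.
    $ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $CAName    = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
    $CAKey     = Join-Path $ConfigKey $CAName
    $CRLFlags  = (Get-ItemProperty -Path $CAKey -Name CRLFlags).CRLFlags

    New-Object PSObject -Property @{
        CAName                       = $CAName
        CRLFlags                     = ('0x{0:X8}' -f $CRLFlags)
        AllowRequestAttributeSubject = (($CRLFlags -band $Flag) -ne 0)
    }
}

$state = Test-RequestAttributeSubjectFlag
$state | Format-List CAName, CRLFlags, AllowRequestAttributeSubject

if (-not $state.AllowRequestAttributeSubject) {
    # Same command the Operations Guide gives. CertSvc reads CRLFlags at
    # start-up, so the change only takes effect after a service restart.
    certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
    Restart-Service -Name CertSvc
}
```

With the flag set, the CA takes subject information from attributes supplied in the request rather than only from the requester's directory account, so on a CA that issues after manager approval the approver should compare the requested subject against the requester before issuing.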
for resolutions appropriate for three different situations.
The Windows Server 2003 SP1 installation process creates a new CERTSVC_DCOM_ACCESS security group. This problem occurs if the membership of the CERTSVC_DCOM_ACCESS group is configured incorrectly. See ME927066 to solve this problem.
If a user tries to enroll for certificates from a Windows Server 2003 Enterprise Edition certification authority (CA) and the Include e-mail name in subject name option is selected on the template, the user cannot enroll. This problem occurs because the e-mail address is not defined in the Active Directory account of the user who is trying to enroll. The LDAP mail attribute is missing from the Active Directory user account. There are several Microsoft articles with information about this event: ME239452
"Configuring and Troubleshooting Windows 2000 and Windows Server 2003 Certificate Services Web Enrollment" and "Key Archival and Management in Windows Server 2003" also provide information on this event.
This also occurs if, although the CRL does exist and is accessible, it is out of date (for example, it is published on a web site). The publication interval of the CRL has expired, and therefore the CA is unable to validate the revocation list. Publish the CRL again so the publication interval is updated to a date in the (near) future. This can happen in a root-subordinate-issuing chain of CAs, when (one of) the CRLs of the offline root/subordinate CA have expired.
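The following PowerShell script is an added example and not part of the comment above. It downloads each CRL in a root/subordinate/issuing chain from its distribution point, reads ThisUpdate and NextUpdate from certutil -dump output, and flags any CRL whose publication interval has already lapsed, which is the condition the comment describes. The two URLs are placeholders; take the real ones from the CRL Distribution Points extension of a certificate issued by each CA. It assumes certutil is on the path and that certutil prints the CRL dates in the local date format.

```powershell
# Added example (not from the original comment): report whether each CRL in
# the chain is still inside its ThisUpdate/NextUpdate window.
function Test-CrlCurrent {
    param([Parameter(Mandatory=$true)][string]$CrlUrl)

    # Fetch the CRL to a temporary file; WebClient works on old and new hosts.
    $tmp = Join-Path $env:TEMP ('crl-check-{0}.crl' -f [guid]::NewGuid())
    (New-Object System.Net.WebClient).DownloadFile($CrlUrl, $tmp)

    # certutil -dump prints " ThisUpdate: <date>" and " NextUpdate: <date>"
    # for a CRL; pull both lines out and parse them with the local culture.
    $dump = certutil -dump $tmp
    Remove-Item $tmp -ErrorAction SilentlyContinue

    $thisUpdate = [datetime]::Parse(
        ($dump | Select-String '^\s*ThisUpdate:\s*(.+?)\s*$' |
            Select-Object -First 1).Matches[0].Groups[1].Value)
    $nextUpdate = [datetime]::Parse(
        ($dump | Select-String '^\s*NextUpdate:\s*(.+?)\s*$' |
            Select-Object -First 1).Matches[0].Groups[1].Value)

    $now = Get-Date
    New-Object PSObject -Property @{
        Url        = $CrlUrl
        ThisUpdate = $thisUpdate
        NextUpdate = $nextUpdate
        Expired    = ($now -gt $nextUpdate)
        HoursLeft  = [math]::Round(($nextUpdate - $now).TotalHours, 1)
    }
}

# Check every CRL the chain depends on. The offline root's CRL is the one most
# often left to lapse, since republishing it is a manual step on a machine
# that is normally powered off.
@(
    'http://pki.example.test/CertEnroll/Example-Root-CA.crl',     # placeholder
    'http://pki.example.test/CertEnroll/Example-Issuing-CA.crl'   # placeholder
) | ForEach-Object { Test-CrlCurrent -CrlUrl $_ } |
    Format-Table Url, ThisUpdate, NextUpdate, Expired, HoursLeft -AutoSize
```

Running this on a schedule and alerting when HoursLeft drops below the time it takes to bring the offline root online and republish its CRL gives warning before the issuing CA starts refusing requests for this reason.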