Error constructing or publishing certificate

Recently, I was working on installing Lync Server 2010 for testing purposes , all was going smoothly till I reached the certificate request and assignment step . When I ran the certificate request wizard I was able to complete the request but with a warning as shown below :

When I checked the log file I got the following “Error:Error Constructing or Publishing Certificate”

Additionally , I got the following when clicked next at the certificate request wizard

I verified the existence of the root CA certificate at the Trusted Root Certification Authorities container on the Lync Server ,as below :

At this stage I went to check my Certificate Authority server s follow :

• Checked the services at Services snap-in : Both Active Directory Domain Services and Active Directory Certificate Services were started

• Upon checking for Active Directory Certificate Services events using Event Viewer I found that an event with ID 53 is present identifying the cause of the certificate generation failure 

Hence , although the services were up and running all required was to do a restart for both Directory Domain Services and Active Directory Certificate Services ( Thanks to the restartable Active Directory Domain Services )  and voilà , the certificate request completed successfully without any warnings or errors

When adding a new Skype for Business server to an existing topology, I came across the following error statement whilst trying to request a certificate from the internal certificate authority:

Command execution failed: Error Constructing or Publishing Certificate. The certificate validity period will be shorter than the “template name” certificate template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA Certificate, reducing the template validity period, or increasing the registry validity period.

A screen shot of the error

The problem is down to a configuration issue with the certificate authority used for the request. I decided to perform some due diligence checking against what was currently configured. First checking the certificate template used, I could establish that the validity period of the template was 3 years.

Next, I decided I would double check the root certificate had not expired, as you can see from the screen shot, it is within it’s validity period

Next on the list of advices from the error was to check the registry validity period on the certificate authority server. You can check the values by browsing to the following locations using the registry editor:

HKLM:SYSTEMCurrentControlSetServicesCertSvcConfiguration”CA NAME”

The two entries you need to be concerned with are:

• ValidityPeriod – This should be set to Years
• ValidityPeriodUnits – This will be the number of units in the period set by the Validity Period (in my case: 2 Years)

By default, the registry validity period is set to two years.

As we can see, there is a discrepancy in the certificate template specifying a 3 year validity period, whilst the registry on the CA server has set a maximum of 2 years.

Changing the registry validity period to a higher or same value as the template is the recommended resolution to this error. Change the ValidityPeriodUnits value to a higher number e.g. 10

The restart the certificate authority services for the changes to take effect.

If you are not confortable with the registry editor method, you can alternatively use CERTUTIL to achieve this.

Open Command Prompt as an elevated administrator and type:

certutil –getreg CAValidityPeriod

and

certutil –getreg CAValidityPeriodUnits

These commands will output the current configured values:

To change the value of the validity period type the following command:

certutil –setreg CAValidityPeriodUnits 10

(where 10 is the number of units you want to set)

Again, restart the certificate authority service for these changes to take effect.

Once changed you will be able to request your Skype for Business certificates once more.