Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to respective authors.
Original URL: https://blogs.msdn.microsoft.com/alejacma/2009/05/28/certenrollcx509enrollmentp_createrequest-returns-error-0x80070057/
Post name: CertEnroll::CX509Enrollment::p_CreateRequest returns error 0x80070057
Original author: Alejandro Campos Magencio
Posting date: 2009-05-28T05:22:00+00:00


Hi all,

One of the issues we may find when trying the code in my post How to create a certificate request that uses key archival with CertEnroll (JavaScript) is the following error when creating the request:

CertEnroll::CX509Enrollment::p_CreateRequest: The parameter is incorrect. 0x80070057 (WIN32: 87)

In my case I was getting this error because I was not using the right certificate as the KeyArchivalCertificate property of the CMC request. When I first tried the code I set that property to the Key Recovery Agent Certificate that I had configured in my CA, and I got the error. No, that is not the certificate we have to use. We have to set that property to the Exchange Certificate of the CA itself.

Additionally, the Subject Name of the certificate has to match Issuer Name + "-Xchg". For example, if cert issuer is "MyCAServer", the expected subject name is "MyCAServer-Xchg". The subject name of our Key Recovery Agent Certificate won't match that, but the Exchange cert of our CA will.

We can export the Exchange Certificate of a MS CA with the following command:

certutil -cainfo xchg > xchg.cer

And then we can use the Base64 text of that .cer file in our code.
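
A pre-flight check for the two points above, as an added example that is not code from the original post: it pulls the Base64 body out of the saved xchg.cer text and tests the "-Xchg" naming rule on subject and issuer name strings (for instance as printed by certutil -dump). The function names and the sample data are hypothetical and constructed, and the file is assumed to possibly contain extra console lines around the certificate block.

```javascript
// Added example: helper names are hypothetical, sample data is constructed.

// Extract the Base64 body from the text saved by `certutil -cainfo xchg > xchg.cer`.
// Assumption: the redirected file may contain extra lines around the PEM block.
function extractCertBase64(fileText) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(fileText);
  if (!m) throw new Error("no BEGIN/END CERTIFICATE block found");
  const body = m[1].replace(/\s+/g, ""); // drop CR/LF and indentation
  if (body.length === 0 || body.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
    throw new Error("certificate body is not well-formed Base64");
  }
  return body;
}

// First CN value of a name written as "CN=..., DC=..., ...".
// Limitation: escaped commas inside a value are not handled.
function commonName(dn) {
  const m = /(?:^|,)\s*CN\s*=\s*([^,]+)/i.exec(dn);
  return m ? m[1].trim() : null;
}

// Rule from the post: subject name must equal issuer name + "-Xchg".
function isCaExchangeCert(subjectDn, issuerDn) {
  const subject = commonName(subjectDn);
  const issuer = commonName(issuerDn);
  return subject !== null && issuer !== null && subject === issuer + "-Xchg";
}

// Constructed sample file: placeholder Base64, not a real certificate.
const SAMPLE_FILE = [
  "constructed header line",
  "-----BEGIN CERTIFICATE-----",
  "QUJDREVGR0hJSktMTU5P",
  "UFFSU1RVVldYWVo=",
  "-----END CERTIFICATE-----",
  "constructed trailer line",
].join("\r\n");

console.log(extractCertBase64(SAMPLE_FILE));
// CA Exchange certificate: subject is issuer + "-Xchg".
console.log(isCaExchangeCert("CN=MyCAServer-Xchg", "CN=MyCAServer, DC=contoso, DC=com"));
// A Key Recovery Agent certificate (constructed name) fails the rule.
console.log(isCaExchangeCert("CN=MyKRA", "CN=MyCAServer, DC=contoso, DC=com"));
```

A certificate that fails isCaExchangeCert is the kind that produced the 0x80070057 error described above when set as KeyArchivalCertificate.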

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

