Re: Generating a Root CA Certificate?
From: D. Cross [MS] (vaq130@hotmail.com)
Date: 08/29/02
- Next message: Raj Chahal: "firewall reccomendations ?"
- Previous message: John Meinz: "Disable CTRL-C for Logon Batch Job???"
- In reply to: Jason Penn: "Re: Generating a Root CA Certificate?"
- Next in thread: D. Cross [MS]: "Re: Generating a Root CA Certificate?"
From: "D. Cross [MS]" <vaq130@hotmail.com>
Date: Thu, 29 Aug 2002 06:40:29 -0700
You may need to specify the key size in a capolicy.inf file when installing
the CA if the wizard does not allow it.
This should be documented in the help files.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jason Penn" <penn@netcom.com> wrote in message news:2f0d01c24511$d9244a70$35ef2ecf@TKMSFTNGXA11...
> I was most definitely using the MSFT Enhanced CSP. The
> wizard will not allow you to select a key size > 4096 in
> either Win2000 or WinNET.
>
> What I did to resolve the issue (I think) was basically:
> 1. Install Certificate Services on a Win2000 Advanced Server.
> 2. Request a Sub-CA Certificate from a WinNET RC1 Server.
> 3. Export the key in WinNET to a PKCS#12 .pfx file.
>    (Win2000 would only allow export to a .pvk file)
> 4. Copy the new exported key to the Win2000 Server.
> 5. Uninstall Certificate Services.
> 6. Import the Sub-CA key into the private store.
> 7. Reinstall Certificate Services - using the key from the
>    private store, but not the associated certificate.
>
> This produced a Self-Issued Root CA key at 16384 bit using
> the MS Enhanced CSP.
>
> I then had to basically do the reverse again from the .NET
> server as a Sub-CA, since the .NET Certificate Install
> wizard wouldn't allow a key size > 4096 either.
>
> The two server certificates appear to be correct. They
> show as validated - but they don't appear in the
> Certificate Server Issued Store and I got errors in the
> event log saying:
>
> "Automatic enrollment against the certification authority
> Systems Experience CA-1 for a certificate of type
> DomainController has failed. (0x800706ba) The RPC server
> is unavailable.
> . Another certification authority will be tried"
>
> Also - every time the two servers connect to each other
> (for an Active Directory replication, for example) I get
> multiple certificates added to both the Root and
> Intermediate CA Store in each of the CA's CN. These NEW
> certificates are 512, 1024, and 4096 bit respectively -
> and show as an invalid certificate that can't be verified
> in the trust chain.
>
> Although the 16384 Root and Sub-CA certificates APPEAR
> valid, I'm not sure they are. I'll try issuing some
> additional certificates tonight and see if they work.
>
> Any ideas on what could be wrong?
>
> Jason Penn
>
> >-----Original Message-----
> >we definitely support 16K keys for any certificate
> >including root CAs. You should be able to type in that key
> >value during the install wizard. You must choose a CSP
> >that supports that key size like the MSFT Enhanced
> >provider. You may find that some third party apps or
> >services do not support that large of a key size, so be
> >aware... mainly only the Unix side...
> >
> >What CSP are you using?
> >
> >--
> >David B. Cross [MS]
> >--
> >This posting is provided "AS IS" with no warranties, and
> >confers no rights.
> >
> >http://support.microsoft.com
> >
> >"Jason Penn" <penn@netcom.com> wrote in message
> >news:0db701c23f35$a0be2e30$9ae62ecf@tkmsftngxa02...
> >> I'm setting up a Root Certificate Authority, but the
> >> Certificate Services Install Wizard won't let you generate
> >> keys larger than 4096 bit.
> >>
> >> We require 16384 bit keys for all CAs. I figured I could
> >> generate a proper key on another CA and import it, but I
> >> can only select the "Subordinate CA" template. (I have
> >> added "Everyone-Full Control" permissions to the CA
> >> Template in AD Sites and Services, but it still can't be
> >> selected as a template)
> >>
> >> If I use the SubCA template (which I assume is close
> >> enough) the key will generate and import/export fine in an
> >> X.509 or PKCS#7 format.
> >>
> >> The wizard will allow you to import a key, but only with a
> >> PKCS#12 format. I can't find any way to export a SubCA key
> >> in a PKCS#12 format. (PKCS12 is a personal exchange format
> >> and doesn't seem applicable to a CA Certificate)
> >>
> >> Does anyone know how I can solve this issue?
> >>
> >> I basically just need the Certificate Services to use or
> >> generate a 16384 key for creating the root CA.
> >>
> >> Thanks,
> >> Jason
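The thread above is about two things: getting Certificate Services to create a CA key larger than the wizard offers, and then finding out whether the resulting certificate is really what you asked for. The script below is an added example and is not code from the thread or from Microsoft; it shows the current PowerShell equivalent of David Cross's CAPolicy.inf suggestion and of Jason Penn's PKCS#12 export, followed by the check a practitioner would run afterwards. It assumes a current Windows Server with the ADCS-Deployment module and an elevated session; the CA name, key length, provider string and backup path are illustrative values chosen for the example.

```powershell
# Added example, not part of the original thread.
# Assumptions: current Windows Server, ADCS-Deployment module present,
# elevated session. $CaName, $KeyLength, $Csp and $BackupPfx are made-up
# values for illustration, not values taken from the thread.

$CaName    = 'Example Root CA'
$KeyLength = 16384
$Csp       = 'RSA#Microsoft Software Key Storage Provider'
$BackupPfx = 'C:\CABackup\example-root-ca.pfx'

# 1. CAPolicy.inf is read from %windir% while the CA is being installed.
#    In current Windows it sets the renewal key length and the CA
#    certificate lifetime; the length of the initial CA key is passed to the
#    install cmdlet in step 2 rather than read from this file.
$policy = @"
[Version]
Signature="`$Windows NT`$"

[certsrv_server]
RenewalKeyLength=$KeyLength
RenewalValidityPeriodUnits=20
RenewalValidityPeriod=Years
LoadDefaultTemplates=0
"@
Set-Content -Path "$env:windir\CAPolicy.inf" -Value $policy -Encoding ASCII

# 2. Install a standalone (offline) root CA with the requested key length.
#    The provider must support the size; the Microsoft Software KSP does.
Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName $CaName `
    -CryptoProviderName $Csp `
    -KeyLength $KeyLength `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 20 `
    -Force

# 3. Check: read the CA certificate back from the machine store and confirm
#    that the public key is the size that was requested, rather than trusting
#    the wizard or the cmdlet output.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$CaName" } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $caCert) {
    throw "CA certificate for '$CaName' not found in Cert:\LocalMachine\My"
}

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($caCert)
if ($null -eq $rsa) {
    throw "CA certificate does not carry an RSA public key"
}
if ($rsa.KeySize -ne $KeyLength) {
    throw "CA key is $($rsa.KeySize) bits, expected $KeyLength"
}
"$CaName: RSA $($rsa.KeySize) bits, thumbprint $($caCert.Thumbprint)"

# 4. The workaround in the thread moved the CA key between machines as a
#    PKCS#12 file. The same export is how an offline backup of the root key
#    is taken; it needs an exportable key, and the password is prompted for
#    so that it never sits in the script.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Force -Path (Split-Path $BackupPfx) | Out-Null
Export-PfxCertificate -Cert $caCert -FilePath $BackupPfx -Password $pw | Out-Null
"Backed up CA key and certificate to $BackupPfx"
```

Step 3 is the place to apply David Cross's own caveat from the thread: a key this large is accepted by the Microsoft provider, but every signature and every chain validation against it is correspondingly slow, and clients outside Windows may refuse it outright. If an organisation sets a policy, the same comparison that checks for "at least N bits" can just as easily enforce an upper bound that the relying parties are known to handle.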