Re: "unpublish" a certutil -dspublish 'd CA
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Mar 2007 07:18:58 -0400
In article <u4E5rrTbHHA.1400@xxxxxxxxxxxxxxxxxxxx>,
jwdaigle@xxxxxxxxxxxxx says...
I have a 2-tier hierarchy - an offline standalone root CA, and an online
issuing CA.
While following Brian Komar's 2003 PKI reference, I did a dumb thing. I did
a "certutil -dspublish -f my_offline_root_standalone_ca SubCA" in addition
to the "certutil -dspublish -f my_offline_root_standalone_ca RootCA". Note
the SubCA versus RootCA.
So now all the workstations in the domain think that the RootCA is both a
RootCA and a subordinate CA.
Is there any way I can remove the "subCA-ness" of my Root CA without trashing
the whole PKI infrastructure?
Thanks in advance for any help,
Joe
Actually, you have not done anything wrong.
- When you use -dspublish with RootCA, you publish the
CA certificate to the Certification Authorities *and*
AIA container.
- When you use -dspublish with SubCA, you publish the CA
certificate only to the AIA container.
Your use of -f in the command just caused an overwrite of
the existing certificate in the AIA container (which is
the same certificate).
You want the "subCA-ness" to allow the building of
chains after certificate renewal with a new key, when a
root CA can appear as a subordinate CA in a chain.
Brian
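To see for yourself what the two -dspublish variants left behind, the following PowerShell script (an added example, not part of the original thread or of any Microsoft tooling) walks the Certification Authorities and AIA containers under CN=Public Key Services in the Configuration partition and reports which objects carry the certificate you point it at. It assumes a domain-joined machine, a domain account with read access to the Configuration partition (any authenticated user by default), and a hypothetical $RootCaCertPath parameter naming the exported root CA certificate file.

```powershell
<#
Added example (not from the original thread). Reports in which AD PKI
containers a given CA certificate is currently published, so you can
confirm what "-dspublish RootCA" versus "-dspublish SubCA" actually did:
  - Certification Authorities container: trusted roots, pushed to every
    domain member's Trusted Root Certification Authorities store
  - AIA container: chain-building material, pushed to the Intermediate
    Certification Authorities store (this is where "SubCA" publishes)
Assumptions: run on a domain-joined machine as a domain user with read
access to the Configuration partition; $RootCaCertPath is a hypothetical
parameter pointing at the exported CA certificate (.cer/.crt).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$RootCaCertPath
)

Add-Type -AssemblyName System.DirectoryServices

# Locate the Configuration naming context of the forest we are joined to.
$rootDse  = [System.DirectoryServices.DirectoryEntry]'LDAP://RootDSE'
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# The certificate we are looking for (thumbprint comparison, not name).
$wanted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaCertPath

$containers = [ordered]@{
    'Certification Authorities' = "LDAP://CN=Certification Authorities,$pkiBase"
    'AIA'                       = "LDAP://CN=AIA,$pkiBase"
}

foreach ($name in $containers.Keys) {
    $container = [System.DirectoryServices.DirectoryEntry]$containers[$name]
    foreach ($obj in $container.Children) {
        # cACertificate is multi-valued: one object can carry several
        # certificates, e.g. the old and new key after a CA renewal.
        $certs = @()
        foreach ($raw in $obj.Properties['cACertificate']) {
            $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$raw)
        }
        $hit = $certs | Where-Object { $_.Thumbprint -eq $wanted.Thumbprint }
        [pscustomobject]@{
            Container = $name
            Object    = $obj.Name
            CertCount = $certs.Count
            HasWanted = [bool]$hit
            Subjects  = ($certs | ForEach-Object { $_.Subject }) -join '; '
        }
    }
}
```

For a root CA published with RootCA you should see the same object, with HasWanted = True, in both containers; that is the expected state, and the extra SubCA publish with -f simply rewrote the identical certificate in the AIA entry. A CA that appears in AIA only is an intermediate (or a root deliberately kept out of the trusted-root container), which is the difference the script makes visible.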