Re: "unpublish" a certutil -dspublish'd CA




"Brian Komar [MVP]" <bkomar@xxxxxxxxxxxxxxxxx> wrote in message
news:MPG.206d81a9aece298b9896c9@xxxxxxxxxxxxxxxxxxxxxxx
In article <u4E5rrTbHHA.1400@xxxxxxxxxxxxxxxxxxxx>,
jwdaigle@xxxxxxxxxxxxx says...
I have a 2-tier hierarchy - an offline standalone root CA, and an online
issuing CA.

While following Brian Komar's 2003 PKI reference, I did a dumb thing. I did
a "certutil -dspublish -f my_offline_root_standalone_ca SubCA" in addition
to the "certutil -dspublish -f my_offline_root_standalone_ca RootCA". Note
the SubCA versus RootCA.

So now all the workstations in the domain think that the RootCA is both a
RootCA and a subordinate CA.

Is there any way I can remove the "subCA-ness" of my Root CA without
trashing the whole PKI infrastructure?

Thanks in advance for any help,

Joe




Actually, you have not done anything wrong.
- When you use -dspublish with RootCA, you publish the
CA certificate to the Certification Authorities *and*
AIA container.

- When you use -dspublish with SubCA, you publish the CA
certificate only to the AIA container.

Your use of -f in the command just caused an overwrite of
the existing certificate in the AIA container (which is
the same certificate).

You want the "subCA-ness" to allow the building of
chains after certificate renewal with a new key, when a
root CA can appear as a subordinate CA in a chain.

Brian


Ah, OK. So there is nothing wrong with this.

I noticed that my root certificate was also listed in the intermediate CAs
list in Internet Explorer on all my machines. When I went back to check it,
I realized that I published the root cert as a SubCA in addition to the Root
CA.

Thank you for the explanation.

Joe
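The exchange above turns on which Active Directory containers "certutil -dspublish" writes to: RootCA puts the certificate into both the "Certification Authorities" and the "AIA" container under CN=Public Key Services in the Configuration partition, while SubCA writes it to "AIA" only. The script below is an added example, not code from the thread or from either poster; it inventories both containers and shows, per certificate thumbprint, where it was published, so an administrator can confirm what Brian describes without guessing from what Internet Explorer shows. It assumes a domain-joined machine with read access to the Configuration naming context and the standard AD CS container names; the function name Get-PublishedCaCerts and the status labels are this example's own.

```powershell
# Added example (not from the thread): list CA certificates published to the
# "Certification Authorities" container versus the "AIA" container, so the effect
# of "certutil -dspublish <cert> RootCA" (both) and "... SubCA" (AIA only) is visible.
# Assumes: domain-joined host, read access to the Configuration NC.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.configurationNamingContext.Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedCaCerts {
    # $Container is "Certification Authorities" or "AIA"
    param([Parameter(Mandatory)][string]$Container)

    $entry = [ADSI]"LDAP://CN=$Container,$pkiBase"
    foreach ($child in $entry.Children) {
        # cACertificate is multi-valued: one DER byte[] per published certificate
        foreach ($raw in $child.Properties["cACertificate"]) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Container  = $Container
                Object     = $child.Properties["cn"].Value
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$certs = @(Get-PublishedCaCerts -Container "Certification Authorities") +
         @(Get-PublishedCaCerts -Container "AIA")

# One row per certificate. A root published with RootCA appears in both containers;
# a certificate published only with SubCA appears in AIA alone.
$certs | Group-Object Thumbprint | ForEach-Object {
    $containers = ($_.Group.Container | Sort-Object -Unique) -join ", "
    $status = if ($containers -eq "AIA") {
                  "SubCA-style (AIA only)"
              } elseif ($containers -like "*Certification Authorities*" -and $containers -like "*AIA*") {
                  "RootCA-style (both containers)"
              } else {
                  "Certification Authorities only"
              }
    [pscustomobject]@{
        Subject    = $_.Group[0].Subject
        Thumbprint = $_.Name
        NotAfter   = $_.Group[0].NotAfter
        Containers = $containers
        Published  = $status
    }
} | Format-Table -AutoSize
```

Run it from any domain member with PowerShell; no AD module is required because it uses the [ADSI] accelerator directly. The output explains Joe's observation: domain clients pull the "Certification Authorities" container into their Trusted Root Certification Authorities store and the "AIA" container into their Intermediate Certification Authorities store, so a root that sits in both containers shows up in both local stores, which is exactly the state Brian says is expected after a RootCA publish.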

