Re: "unpuiblish" a certutil -dspublish 'd ca
- From: "Joe" <jwdaigle@xxxxxxxxxxxxx>
- Date: Wed, 11 Apr 2007 09:50:04 +0800
"williameric" <williameric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8DBC9A42-EF39-4F4B-B9C3-16793F746EC7@xxxxxxxxxxxxxxxx
is it possible to put that in plain english, we are not so technically minded and your post made absolutely no sense to me, i wish it did but not being conversant in the technical jargon it is way over my head
--
good xping and best regards
williameric
"Brian Komar [MVP]" wrote:
In article <u4E5rrTbHHA.1400@xxxxxxxxxxxxxxxxxxxx>,
jwdaigle@xxxxxxxxxxxxx says...
I have a 2 tier hierarchy - an offline standalone root ca, and an online issuing CA.
While following Brian Komar's 2003 PKI reference, I did a dumb thing. I did a "certutil -dspublish -f my_offline_root_standalone_ca SubCA" in addition to the "certutil -dspublish -f my_offline_root_standalone_ca RootCA". Note the SubCA versus RootCA.
So now all the workstations in the domain think that the RootCA is both a RootCA and a subordinate CA.
Is there any way I can remove the "subCA-ness" of my Root CA without trashing the whole PKI infrastructure?
Thanks in advance for any help,
Joe
Actually, you have not done anything wrong.
- When you use -dspublish with RootCA, you publish the CA certificate to the Certification Authorities *and* AIA container.
- When you use -dspublish with SubCA, you publish the CA certificate only to the AIA container.
Your use of -f in the command just caused an overwrite of the existing certificate in the AIA container (which is the same certificate).
You want the "subCA-ness" to allow the building of chains after certificate renewal with a new key, when a root CA can appear as a subordinate CA in a chain.
Brian
WilliamEric:
Are you nuts? Brian ***literally*** wrote the book on how to deal with Windows Server CAs. Although I don't consider myself an expert on this subject area by any stretch of imagination, I did take the time to actually learn the basics, terminology, and concepts before I asked for help in this group.
I suggest you do the same.
Brian's (among others) membership here is invaluable once you prepare yourself to learn.
Joe
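
The container behaviour Brian describes in the quoted reply can be checked read-only against Active Directory. The script below is an added example, not part of the original thread or of Brian Komar's book; it assumes a domain-joined host with PowerShell 5 or later and read access to the Configuration partition, and the function name Get-PublishedCaCert is hypothetical.

```powershell
# Added example: list CA certificates in the two AD containers that
# "certutil -dspublish" writes to (per the reply above). Read-only.
# Assumption: domain-joined host, PowerShell 5+, read access to the
# Configuration naming context.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-PublishedCaCert {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Container)
    $root     = [ADSI]"LDAP://CN=$Container,$pkiBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'cacertificate'))
    foreach ($entry in $searcher.FindAll()) {
        foreach ($raw in $entry.Properties['cacertificate']) {
            # Skip values too short to be a certificate (empty placeholder).
            if ($raw.Length -lt 2) { continue }
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            [pscustomobject]@{
                Container  = $Container
                Entry      = [string]$entry.Properties['cn'][0]
                Subject    = $cert.Subject
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

# Collect every published CA certificate from both containers.
$published = 'Certification Authorities', 'AIA' |
    ForEach-Object { Get-PublishedCaCert -Container $_ }

# One row per certificate, showing which containers hold it. A root
# published with RootCA is expected in both; a self-signed certificate
# found only in AIA was published with SubCA alone.
$published | Group-Object Thumbprint | ForEach-Object {
    $where = ($_.Group.Container | Sort-Object -Unique) -join ', '
    [pscustomobject]@{
        Subject    = $_.Group[0].Subject
        SelfSigned = $_.Group[0].SelfSigned
        Thumbprint = $_.Name
        Containers = $where
        RootInTrustContainer = (-not $_.Group[0].SelfSigned) -or
                               ($where -match 'Certification Authorities')
    }
} | Format-Table -AutoSize
```

In Joe's situation the root certificate should show the same thumbprint under both containers, which matches Brian's point that the second publish only overwrote an identical AIA entry.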