Re: Certificate chain

From: Brian Komar <bkomarr@xxxxxxxxxxxxxxxxx>
Date: Thu, 26 Apr 2007 15:42:00 -0500

On Thu, 26 Apr 2007 22:05:45 +0200, JB Miha wrote:

A setup. I have
Windows Server 2003 R2 as offline standalone root CA. That CA has self
signet certificate. Then I installed subordinate enterprise CA on Windows
Server 2003 R2. I copyed request to root CA and then exported certificate
for subordinate CA from root CA. After that I made request on IIS for
certificate.

No that is not normal.
You need to do a few things:
1) Did you configure the root CA to publish its CRL and CA Certificate to
publicly available locations. If not, you need to reconfigure and redeploy
your CAs (see the best practices white paper for details at
www.microsoft.com/pki).

2) Did you publish the root CA to the trusted root store in AD for
installation at all clients (certutil -dspublish -f certname.crt RootCA)

Brian
.

Follow-Ups:
- Re: Certificate chain
  - From: JB Miha

References:
- Certificate chain
  - From: JB Miha

Prev by Date: Certificate chain
Next by Date: Re: MS Update Schedule
Previous by thread: Certificate chain
Next by thread: Re: Certificate chain
Index(es):
- Date
- Thread

Relevant Pages

Re: Isolation of the Root CA
... Windows Server 2003 web enrollment and troubleshooting guide: ... Best Practices for implementing Windows Server 2003 PKI: ... Troubleshooting Certificate Status and Revocation whitepaper: ... >>> standalone root CA and use it to issue a certificate for an Enterprise ...
(microsoft.public.win2000.security)
Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA
... certificate and I get a "Cannot verify certificate chain. ... revocation because the revocation server was offline. ... the root ca? ... Online>>> Online Enterprise Subordinate CA ...
(microsoft.public.windows.server.security)
Re: Newbie wants to learn about PKI Server 2003......
... 2003 PKI Certificate Security", and have been lurking here for a bit. ... We will implement a 2 tier heirarchy, with the Root CA being offline. ... All clients that attempt revocation checking will first attempt to retrieve the CRL from the ... level below a self-signed cert, so applications that are 3280 compliant would never check the ...
(microsoft.public.windows.server.security)
Re: Is it possible??.... Defining Root Certificate KeyUsage
... For instance, the self signed certificate ... intermediate servers list every possible key usage defined within the PKI ... Component Verification, OEM Windows System Component Verification, Embedded ... Since the only use these root and intermediate keys are designed for is ...
(microsoft.public.security)
Re: Is it possible??.... Defining Root Certificate KeyUsage
... For instance, the self signed certificate ... intermediate servers list every possible key usage defined within the PKI ... Component Verification, OEM Windows System Component Verification, Embedded ... Since the only use these root and intermediate keys are designed for is ...
(microsoft.public.inetserver.iis.security)