Enterprise Root Certification Authority not trusted
- From: jim_hampson@xxxxxxxxxxx
- Date: 16 Feb 2006 11:07:29 -0800
Yesterday I installed an Enterprise Root and an Enterprise Subordinate CA on
Windows 2003 Standard in a Windows 2000 Active Directory domain. It
appears that the enterprise root certificate has not been published in
Active Directory, as my client machines are getting the SSL warning "the
certificate cannot be verified up to a trusted certification
authority". When I view the certification path, the root certificate
has a red X and the status is "This CA Root certificate is not trusted
because it is not in the Trusted Root Certification Authorities store."
Also, the "send request immediately to an online certification
authority" option is grayed out in IIS.
Background info/steps taken:
- Domain controllers running Windows 2000 SP4.
- Previous CA infrastructure consisted of a standalone root and a
  standalone subordinate running Windows 2000.
- Backed up the system state on the domain controllers
- Backed up the existing Windows 2000 CAs
- Uninstalled Certificate Services on the existing Windows 2000 CAs
- Replicated AD links
- Manually cleaned up AD per this KB article:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
- Replicated AD links
- Updated the AD schema to Windows 2003 using adprep.exe /forestprep
- Replicated AD links
- Installed the enterprise root CA on server 1
- Installed the enterprise subordinate CA on server 2
- No errors encountered during installation.
This warning was logged in the application log on both the enterprise
root CA and the enterprise subordinate CA.
Event ID: 103
Source: CertSvc
Description: Certificate Services temporarily added the root
certificate of certificate chain 0 to the downloaded Enterprise Root
store. If this problem persists, publishing the root certificate to
the Active Directory may be necessary.
This warning was logged twice (once for each DC) in the application log
on enterprise root CA.
Event ID: 103
Source: CertSvc
Description: Certificate Services could not publish a Certificate for
request 2 to the following location on server dc1.channeladvisor.com:
CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com. Insufficient access
rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150646, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
-----
No other errors or warnings on the DCs or CAs.
The DCs did successfully receive a domain controller certificate from
the root CA and I have been able to issue some web server certs
manually on the subordinate CA. Any suggestions appreciated. TIA.
Jim