Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA



In article <A1B8A5EB-C62C-48DD-A19E-FF4E60782502@xxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security news group, Deephazz
<Deephazz@xxxxxxxxxxxxxxxxxxxxxxxxx> says...

hello,

I try to install a CA certificate from a stand alone Root CA that is not in
AD to an Enterprise subordinate CA that's included in AD.


What I do is:

I save my CA certificate request on a floppy disk.
Submit it to the stand alone Root CA and issue it.
Copy the certificate as *.p7b on the floppy and bring it to the enterprise
subordinate CA. Once I've done that I install the parent CA certificate (the
stand alone Root CA certificate) in the Intermediate Certification
Authorities certificate store on the server where I've installed my enterprise
subordinate CA.

Why would you put the root certificate in the intermediate store? It
belongs in the root store. You should also publish it to Active
Directory so that it will be available to all of your clients.

Then I open the Certification Authority console and try to install the CA
certificate that I got from the stand alone root CA and....
I always get the following error msg : "Cannot verify certificate chain. ...
0x800b0101)

You need to make sure that you've got the root cert in the correct
place, and that you've got the CRL and AIA distribution points correct.


MS is not so clear about the way it works.

MS is _very_ clear on how it works. http://www.microsoft.com/pki and look
at the technical materials, especially the Best Practices stuff. You
may also want to look for the book my partner, Brian Komar wrote -

http://www.amazon.com/gp/product/0735620210/002-3430012-1650457?v=glance&n=283155

or

http://tinyurl.com/f4mnz


Is it possible to have a subordinate CA that's an Enterprise Sub CA and a
Root CA that's a stand alone root CA not included in AD?

If yes, then why doesn't it work?


Regards.



--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
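
The placement and checks described in the reply above, as an added example that is not part of the original post: it puts the root certificate in the Trusted Root store, publishes it to Active Directory, and then asks certutil to build the chain and fetch every AIA and CDP URL. The file names, the A:\ paths and the Invoke-CertUtil helper are assumptions for illustration; run it elevated on the subordinate CA server with an account allowed to write to the AD configuration partition.

```powershell
# Added example. All paths and file names below are assumed placeholders for
# the files carried over from the offline stand-alone root CA.
$rootCer = 'A:\RootCA.cer'   # root CA certificate
$subCer  = 'A:\SubCA.cer'    # subordinate CA certificate issued by the root

# Hypothetical helper: run certutil and stop on the first failing step.
function Invoke-CertUtil {
    param([string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Root certificate goes into the local machine Trusted Root store,
#    not the Intermediate Certification Authorities store.
Invoke-CertUtil '-addstore', '-f', 'Root', $rootCer

# 2. Publish the root certificate to Active Directory as a root CA so that
#    domain members pick it up as trusted.
Invoke-CertUtil '-dspublish', '-f', $rootCer, 'RootCA'

# 3. Confirm the root really landed in the Root store.
Invoke-CertUtil '-store', 'Root'

# 4. Build the chain for the subordinate CA certificate and retrieve every
#    AIA and CDP URL named in it. Not wrapped in the helper on purpose: the
#    output is what matters. Each URL is listed with its retrieval status, so
#    an unreachable CRL or AIA location on the offline root shows up here
#    before the certificate is installed in the Certification Authority console.
& certutil.exe -verify -urlfetch $subCer
```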