Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA



In article <955D2601-5C9E-407D-9C00-5135808F5A56@xxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security news group, Deephazz
<Deephazz@xxxxxxxxxxxxxxxxxxxxxxxxx> says...

> Hello,
>
> thanks for taking the time to answer.
>
> Unfortunately I spent hours today on this issue and I really feel dumb.
>
> It's impossible to activate or start the subordinate enterprise CA. I always
> get the certificate chain issue, even when I put the StandAloneRootCA.crt in
> the "Trusted Root Certification Authorities" of the default domain policy.
> The certificate remains untrusted (the red x on the icon); although it's in
> the "Trusted Root Certification Authorities", the certificate status says "This CA
> Root certificate is not trusted because it is not in the Trusted root
> Certification Authorities Store" ...go figure.

You're still not doing this correctly. You need to add the root
certificate to the local Trusted Root store on the subCA and you also
need to publish it to Active Directory using certutil -dspublish.


> In fact I checked the MS PKI stuff, but my problem concerns the activation of
> the sub enterprise CA, which fails because of the cert chain.

This is all covered in detail on the Microsoft web site.

> Fortunately it was a subject for a Lab; it's a pity it didn't work.

Deploying PKIs is what I do for a living and I can assure you that this
does in fact work.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
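The two steps named in the reply above (local Trusted Root store on the subCA, then `certutil -dspublish`), written out as an added example that is not part of the original thread. The `C:\pki` paths and the `SubCA.crt` file name are assumptions; run it elevated on the subordinate CA with an account that may write to the AD Configuration partition (normally Enterprise Admins).

```powershell
# Added example, not from the thread. Paths below are assumptions.
$RootCert  = 'C:\pki\StandAloneRootCA.crt'  # root certificate copied from the standalone root CA
$SubCaCert = 'C:\pki\SubCA.crt'             # hypothetical: certificate the root issued to the subCA

# Load the file and refuse anything that is not a self-signed root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
if ($cert.Subject -ne $cert.Issuer) {
    throw "$RootCert is not self-signed; refusing to add it as a trusted root."
}

# Print the thumbprint so it can be compared with the value recorded on the
# root CA itself before the certificate is trusted anywhere.
"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"NotAfter:   $($cert.NotAfter)"

# Step 1: local machine Trusted Root store on the subordinate CA.
certutil -addstore -f Root $RootCert
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Step 2: publish the root to Active Directory so domain members trust it.
certutil -dspublish -f $RootCert RootCA
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }

# Check 1: the certificate is now physically in LocalMachine\Root.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw "Root certificate is missing from the LocalMachine\Root store."
}

# Check 2: have certutil build and validate the subCA's chain up to the root.
# Any remaining chain or revocation error is reported here, before the CA
# service is started.
if (Test-Path $SubCaCert) {
    certutil -verify $SubCaCert
    if ($LASTEXITCODE -ne 0) { throw "Chain validation failed for $SubCaCert" }
} else {
    Write-Warning "$SubCaCert not found; skipping chain validation."
}
```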


