Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA
- From: jdc4357 <jdc4357@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 May 2006 20:08:01 -0700
Hi,
I'm having the exact same issues that you had. Documentation seems to be
scarce for adding a subordinate enterprise CA to a standalone root CA in a
workgroup. I'm glad you got yours working. I'm stuck. I went through the
"EXACT" steps that you listed and I get to the 5th step when I install the CA
certificate and I get a "Cannot verify certificate chain. Do you wish to
ignore the error and continue? The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"
I hit "ok" and then I get the "The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"
The "offline" CA is actually turned on but it shouldn't matter to begin
with.
Any ideas what could be the problem? I read somewhere that there might be a
registry key that I would have to change to allow the import of the key from
the root CA?
Any help would be appreciated.
TIA,
jamie
"Deephazz" wrote:
First, thanks for taking the time to answer me.
I eventually succeeded in setting up a certificate chain.
I reinstalled both 2003 Ent srv as follows:
1 Offline >>> Offline Root CA
1 Online >>> Online Enterprise Subordinate CA
1st. Install the offline Root CA using default settings (set the default
Request handling action to Pending so that all the incoming requests will
automatically be stored in the pending directory of the CA, after that it's
up to you to issue the Certificate or not). At this point the default
settings for setup are good enough since the CA is in a Test environment.
2nd. Install the online sub CA using default settings and store the CA
Certificate request to a file on a floppy disk.
3rd. Insert the floppy in the Root CA Srv device and enter "CERTREQ" at the
command prompt, select the *.req file that's stored on the floppy disk and
then select the CA that will issue the Certificate (the Offline Root CA).
4th. Open the CA MMC, go to the pending directory and issue the pending
request from the Online sub CA, select properties of the issued CA and copy
the file as a *.p7b file to the floppy disk.
5th. Once the *.p7b file is on the floppy, put it in the Online Enterprise
Sub CA and open the CA MMC. Right click on the CA > All Tasks > Install CA
Certificate.
Start the Enterprise Subordinate CA.
I don't know why it worked this time. I didn't get the certificate chain issue.
So here are things that might help a little more:
- When a CA is not trusted, it might help to install the untrusted
Certificate in the computer's Trusted Root Certification Authorities Store.
- Changing a CA's extensions' properties does not fix the certificate chain issue.
- Install, uninstall, install, uninstall, ... of a CA on the same srv is
probably not the best thing to do ^^
Regards.
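
An added example, not part of either post: one way to check the trust and revocation side of the 5th step on the subordinate CA before running Install CA Certificate, using certutil from the command prompt. The file names are placeholders, and it assumes the root CA certificate, the root CA's current CRL and a .cer export of the issued sub CA certificate were copied over on the floppy alongside the .p7b.

```batch
@echo off
rem Added example, not from the thread. Run on the online subordinate CA
rem from an administrative command prompt, before the 5th step.
rem Assumed placeholder file names, all copied by floppy from the root CA:
set ROOTCERT=A:\rootca.cer
set ROOTCRL=A:\rootca.crl
set SUBCERT=A:\subca.cer

rem Show the CRL so its validity dates can be checked; an expired CRL
rem does not satisfy a revocation check.
certutil -dump "%ROOTCRL%"

rem Trust the root on this machine (the Trusted Root Certification
rem Authorities store mentioned in the thread).
certutil -addstore -f Root "%ROOTCERT%"
if errorlevel 1 goto fail

rem Add the root CA's CRL locally so the chain engine has revocation
rem data without having to reach the root CA over the network.
certutil -addstore -f Root "%ROOTCRL%"
if errorlevel 1 goto fail

rem Build the chain for the new sub CA certificate and try every CDP and
rem AIA URL it lists. Read the output: it reports each URL that could not
rem be retrieved and the revocation status of each certificate in the chain.
certutil -verify -urlfetch "%SUBCERT%"

echo Review the -verify output above before running Install CA Certificate.
goto :eof

:fail
echo certutil could not update the store; see the message above.
exit /b 1
```

If the -verify output lists a CRL distribution point that the subordinate CA cannot reach, that URL is the one the revocation check is failing on.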