Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA



In article <6793B3B2-B851-48F9-A1A1-EA4CFE66EC5B@xxxxxxxxxxxxx>, in the
microsoft.public.windows.server.security newsgroup, Deephazz
<Deephazz@xxxxxxxxxxxxxxxxxxxxxxxxx> says...

> Hello,
>
> That's a point I don't understand. I didn't have to check for the
> stand-alone root CRL on the enterprise sub CA when it eventually worked.

I don't understand what you mean by this. Obviously if you can't start
the SubCA, nothing is working.

> I just issued a request from the ent sub CA on a floppy disk, submitted
> the request to the stand-alone root CA through the command line "certreq",
> issued the CA certificate, installed it on the ent sub CA, nothing more.

Right and nothing you've done up to this point would cause a check of
the CRL to occur.


> So, it makes me wonder if the CRLs are that important for starting the
> enterprise sub CA, as I succeeded without modifying the default CRLs of
> the stand-alone root CA.
> It sounds like they become important once you've first started the CA.

Obviously since that is what is preventing the SubCA from starting in
the first place.


> So maybe to ease the process of "validating" the certificate chain on an
> enterprise sub CA, it's better to install IIS. If IIS is installed after
> the CA, at the command prompt type certutil -vroot; it will publish the
> Microsoft Certificate Services website (you can access it at
> http://CA_SERVER_IP/certserv/). Once you have the Certificate Services
> website you can download the CRL from the enterprise subordinate CA and
> then install the CRL to the Trusted Root Certification Authorities store
> of the (well, MS says it should be installed in the computer store, but
> when I did so it didn't work :\ , so I installed it into both the computer
> and current user stores).
>
> Otherwise just "copy" the CRL from "%windir%\system32\certsrv\" on the
> CA server instead of using the web interface.

None of the above makes any sense in relation to the problem you're
having. I've already told you what to check. If you're unwilling to
follow my advice then I really don't see how I can be of any further
assistance here.

--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain
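As an added illustration (not part of either poster's message), the following PowerShell script checks the thing this thread revolves around: whether the subordinate CA's certificate chains to the stand-alone root and whether the root CA's CRL can actually be fetched from the CRL Distribution Point URL embedded in that certificate. It uses the .NET X509Chain class with online revocation checking, so nothing depends on a CRL that happens to be cached in a store. The certificate and CRL file paths are assumptions; the certutil commands in the comments are shown as equivalents.

```powershell
# Added example (not from either poster). Inspect the URLs a sub CA
# certificate advertises and build its chain with a live CRL fetch.
# File paths below are assumptions for illustration only.

function Show-CaCertUrls {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access.
    # A sub CA cert whose CDP points at an unreachable location is the usual
    # reason a chain with revocation checking fails.
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($null -eq $ext) {
            Write-Warning "Extension $oid is missing from $CertPath"
            continue
        }
        Write-Host "== $($ext.Oid.FriendlyName) =="
        Write-Host $ext.Format($true)
    }
}

function Test-SubCaChain {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch CRLs from the CDP URLs instead of trusting cached copies.
    # ExcludeRoot: the self-signed root has no issuer CRL to consult.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $ok = $chain.Build($cert)
    Write-Host "Chain built from $CertPath :"
    foreach ($el in $chain.ChainElements) {
        Write-Host ("  {0}" -f $el.Certificate.Subject)
    }
    if (-not $ok) {
        # RevocationStatusUnknown / OfflineRevocation here mean the CRL named
        # in the CDP could not be retrieved, not that the cert is revoked.
        foreach ($s in $chain.ChainStatus) {
            Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

# Usage (assumed paths):
Show-CaCertUrls -CertPath 'C:\temp\SubCA.crt'
if (Test-SubCaChain -CertPath 'C:\temp\SubCA.crt') { 'chain OK' } else { 'chain FAILED' }

# certutil reaches the same verdict and logs every URL it tries:
#   certutil -verify -urlfetch C:\temp\SubCA.crt
# If the root CRL is not reachable at the CDP URL, the root's certificate and
# current CRL can be placed in the local machine Root store (run elevated):
#   certutil -addstore -f Root C:\temp\RootCA.crt
#   certutil -addstore -f Root C:\temp\RootCA.crl
```

Run it on the subordinate CA itself, since that is the machine whose chain building has to succeed. A result of RevocationStatusUnknown or OfflineRevocation in the status list points at the CRL not being retrievable from the advertised location, which is a different problem from the certificate being revoked or the root not being trusted.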