Re: Windows 2008 CA can't issue to Windows 2003 server



It is actually simpler to change the signing algorithm for the root CA, rather than decommissioning.
This method can also be used at a later date when you have clients (read Vista or higher) that support CNG.
Here is the process:
1) Identify the CSP used by the root CA by running "certutil -getreg ca\csp\Provider".
2) Run "certutil -v -csplist" and ensure that SHA1 is reported as a supported protocol.
3) If SHA1 is supported, you would then add the values assigned to Algorithm Class, Algorithm Type and Algorithm Sub-id (typically this is 0x8004) and run "certutil -setreg ca\csp\HashAlgorithm 0x8004".
4) After executing the command, you must restart Certificate Services.

Issue a certificate from the root, and verify that the signature uses SHA1.
You must then renew the two issuing CA certificates.

Brian
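As an added illustration (not part of the thread, and not Brian's or Microsoft's code), the following PowerShell reads the CA's CSP and HashAlgorithm settings that the certutil commands above change, and then walks an issued certificate's chain to flag any SHA-2 signature that XP/2003 clients cannot validate. It assumes it runs on the CA host as an administrator; the CA name and certificate path are placeholders.

```powershell
# Added example, not from the original thread. Assumes it runs on the CA as an
# administrator. CALG values as written to ca\csp\HashAlgorithm by certutil -setreg.
$CalgNames = @{ 0x8003 = 'MD5'; 0x8004 = 'SHA1'; 0x800c = 'SHA256'; 0x800d = 'SHA384'; 0x800e = 'SHA512' }

# Read the CA's provider and hash algorithm straight from the CertSvc registry key.
function Get-CaSigningConfig {
    param([Parameter(Mandatory)][string]$CaName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
    $csp = Get-ItemProperty -Path $key
    # A CNG KSP stores its hash as the string CNGHashAlgorithm instead of a CALG DWORD.
    $hash = if ($null -ne $csp.HashAlgorithm) {
        '0x{0:x} ({1})' -f $csp.HashAlgorithm, $CalgNames[[int]$csp.HashAlgorithm]
    } else { "CNG: $($csp.CNGHashAlgorithm)" }
    [pscustomobject]@{
        Provider      = $csp.Provider
        HashAlgorithm = $hash
        # Legacy XP/2003 clients need a legacy CSP and SHA1, not a Key Storage Provider.
        IsLegacyCsp   = ($csp.Provider -notmatch 'Key Storage Provider')
    }
}

# Walk the chain of an issued certificate and report every certificate signed
# with SHA-2; the thread's point is that this must be checked for the whole chain.
function Test-LegacyCompatibleChain {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the signature algorithms matter here
    [void]$chain.Build($cert)
    $ok = $true
    foreach ($el in $chain.ChainElements) {
        $alg = $el.Certificate.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        $bad = $alg -match 'sha(256|384|512)'
        if ($bad) { $ok = $false }
        $tag = if ($bad) { 'SHA-2!' } else { 'ok' }
        Write-Host ('{0,-7} {1,-10} {2}' -f $tag, $alg, $el.Certificate.Subject)
    }
    return $ok   # $true when XP/2003 can validate every signature in the chain
}

# Usage, after "certutil -setreg ca\csp\HashAlgorithm 0x8004" and a restart of
# Certificate Services (net stop certsvc; net start certsvc). Placeholder values:
#   Get-CaSigningConfig -CaName 'Contoso Root CA'
#   Test-LegacyCompatibleChain -CertPath 'C:\temp\issued.cer'
```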


"Doug Evans" <douge@xxxxxxxxxxxxxx> wrote in message news:C7084E6C-D1A3-4512-985D-86840F835AA8@xxxxxxxxxxxxxxxx
What is the best way to recover from a scenario where you have a root CA and 2 issuing CAs, all Windows 2008, and the root was setup with a SHA256 cert? Can you just change the cert? Do you have to uninstall everything and start over? If so, what is the best process to decommission a Windows 2008 PKI infrastructure?

Thanks!

Doug Evans
IT Manager, AWC


"Brian Komar (MVP)" <brian.komar@xxxxxxxxxxxxxxxxx> wrote in message news:26FE9E22-C389-474C-9594-04F75E802BA5@xxxxxxxxxxxxxxxx
You are mixing up certificate type (X.509 version 3) with certificate template type (a MS concept of what properties/algorithms are available).
A couple of things to check:
1) Make sure that you are using legacy CSPs and signing algorithms. (not a Key storage provider)
2) Windows XP/2003 cannot consume certificates using SHA2 algorithms (SHA256, SHA512, SHA384).
3) This is for every certificate in the chain
If you want, send me a PKCS#7 containing the full certificate chain for inspection
Brian

"Doug Evans" <douge@xxxxxxxxxxxxxx> wrote in message news:8CD0C14C-9D79-4B46-945A-FF1D532F456F@xxxxxxxxxxxxxxxx
I apologize for the crosspost, but we are hurting here without a resolution to this issue.

We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003 based domain. We need to issue certificates to Windows 2003 servers and Windows XP clients. We are getting "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered." On the Details tab of the certificate, we see version is "V3", Public key is "RSA (1024 Bits)", Thumbprint algorithm is "sha1". On the Certification Path tab, every certificate shows the error "This certificate has an nonvalid digital signature.".

We can generate valid certificates for Windows 2008 servers and for Vista computers. Our research indicates we need to install the version 2 templates, but don't know where to get them or how to install them.

Thanks!

Doug Evans
IT Manager
Association of Washington Cities