Welcome to ServerForumz.com!
Certificate chain issue with Ent Sub Ca & stand alone Root..

 
Deephazz

(Msg. 1) Posted: Thu Apr 27, 2006 2:24 pm
Post subject: Certificate chain issue with Ent Sub Ca & stand alone Root CA
Archived from groups: microsoft.public.windows.server.security

hello,

I am trying to install a CA certificate from a stand-alone Root CA that is not in
AD on an Enterprise subordinate CA that is included in AD.


What I do is:

I save my CA certificate request on a floppy disk.
I submit it to the stand-alone Root CA and issue it.
I copy the certificate as a *.p7b file to the floppy and bring it to the enterprise
subordinate CA. Once I've done that, I install the parent CA certificate (the
stand-alone Root CA certificate) in the Intermediate Certification
Authorities certificate store on the server where I've installed my enterprise
subordinate CA.
Then I open the Certification Authority console and try to install the CA
certificate that I got from the stand-alone root CA and...
I always get the following error message: "Cannot verify certificate chain. ...
0x800b0101)"

MS is not so clear about the way it works.

Is it possible to have a subordinate CA that is an Enterprise Sub CA and a
Root CA that is a stand-alone root CA not included in AD?

If yes, then why doesn't it work?


Regards.

Paul Adare

(Msg. 2) Posted: Thu Apr 27, 2006 7:54 pm
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

In article , in the
microsoft.public.windows.server.security news group, Paul Adare
says...

> > Is it possible to have a subordinate CA that is an Enterprise Sub CA and a
> > Root CA that is a stand-alone root CA not included in AD?

Yes.

> >
> > If yes, then why doesn't it work?


--
Paul Adare - MVP Virtual Machines
"It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

Deephazz

(Msg. 3) Posted: Fri Apr 28, 2006 2:59 pm
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

Hello,

thanks for taking the time to answer.

Unfortunately I spent hours today on this issue and I really feel dumb.

It's impossible to activate (start) the subordinate enterprise CA. I always
get the certificate chain issue, even when I put the StandAloneRootCA.crt in
the "Trusted Root Certification Authorities" of the default domain policy.
The certificate remains untrusted (the red X on the icon) although it's in
the "Trusted Root Certification Authorities"; the certificate status says "This CA
Root certificate is not trusted because it is not in the Trusted Root
Certification Authorities Store" ... go figure.

In fact I checked MS PKI material, but my problem concerns the activation of
the sub enterprise CA, which fails because of the cert chain.

Fortunately it was only the subject of a lab; it's a pity it didn't work.

Regards.
Paul Adare

(Msg. 4) Posted: Sat Apr 29, 2006 4:39 am
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

In article , in the
microsoft.public.windows.server.security news group, Deephazz says...

> Hello,
>
> thanks for taking the time to answer.
>
> Unfortunately I spent hours today on this issue and I really feel dumb.
>
> It's impossible to activate (start) the subordinate enterprise CA. I always
> get the certificate chain issue, even when I put the StandAloneRootCA.crt in
> the "Trusted Root Certification Authorities" of the default domain policy.
> The certificate remains untrusted (the red X on the icon) although it's in
> the "Trusted Root Certification Authorities"; the certificate status says "This CA
> Root certificate is not trusted because it is not in the Trusted Root
> Certification Authorities Store" ... go figure.

You're still not doing this correctly. You need to add the root
certificate to the local Trusted Root store on the subCA and you also
need to publish it to Active Directory using certutil -dspublish.

>
> In fact I checked MS PKI material, but my problem concerns the activation of
> the sub enterprise CA, which fails because of the cert chain.

This is all covered in detail on the Microsoft web site.
>
> Fortunately it was only the subject of a lab; it's a pity it didn't work.

Deploying PKIs is what I do for a living and I can assure you that this
does in fact work.

--
Paul Adare - MVP Virtual Machines
Deephazz

(Msg. 5) Posted: Sat May 13, 2006 12:14 am
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

First, thanks for taking the time to answer me.

I eventually succeeded in setting up a certificate chain.

I reinstalled both 2003 Ent servers as follows:

1 Offline >>> Offline Root CA
1 Online >>> Online Enterprise Subordinate CA

1st. Install the offline Root CA using default settings (set the default
request handling action to Pending so that all incoming requests will
automatically be stored in the Pending Requests folder of the CA; after that it's
up to you to issue the certificate or not). At this point the default
setup settings are good enough since the CA is in a test environment.

2nd. Install the online sub CA using default settings and store the CA
certificate request to a file on a floppy disk.

3rd. Insert the floppy in the Root CA server, enter "CERTREQ" at the
command prompt, select the *.req file that's stored on the floppy disk and
then select the CA that will issue the certificate (the Offline Root CA).

4th. Open the CA MMC, go to the Pending Requests folder and issue the pending
request from the online sub CA, select Properties of the issued certificate and copy
the file as a *.p7b file to the floppy disk.

5th. Once the *.p7b file is on the floppy, put it in the Online Enterprise
Sub CA and open the CA MMC. Right-click on the CA > All Tasks > Install CA
Certificate.
Start the Enterprise Subordinate CA.

I don't know why it worked this time. I didn't get the certificate chain issue.

So here are things that might help a little more:

- When a CA is not trusted, it might help to install the untrusted
certificate in the computer's Trusted Root Certification Authorities store.

- Changing a CA's extension properties does not fix the certificate chain issue.

- Install, uninstall, install, uninstall, ... of a CA on the same server is
probably not the best thing to do ^^

Regards.
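As an added example (not code posted by Deephazz, Paul Adare or anyone in this thread), here is a command-line equivalent of the five GUI steps above, with the trust steps from Msg. 4 (local Trusted Root store plus `certutil -dspublish`) folded in where they belong. The host names, CA names, request ID and media path are assumptions for the illustration; `certreq` and `certutil` are the standard Windows Server 2003 tools the thread already refers to.

```powershell
# Added example: offline stand-alone root -> online enterprise sub CA, scripted.
# All names and paths below are assumptions, not values from the thread.
$RootConfig = 'OFFLINEROOT\Contoso Offline Root CA'   # assumed <host>\<CA name> of the stand-alone root
$SubConfig  = 'SUBCA01\Contoso Enterprise Sub CA'     # assumed <host>\<CA name> of the enterprise sub CA
$Media      = 'A:\'                                    # removable media carried between the two servers

$ReqFile  = Join-Path $Media 'subca.req'   # written by the sub CA setup (step 2)
$CertFile = Join-Path $Media 'subca.cer'   # issued sub CA certificate
$P7bFile  = Join-Path $Media 'subca.p7b'   # issued certificate plus issuer chain (the console's *.p7b)
$RootCert = Join-Path $Media 'root.crt'    # the root CA's own certificate
$RootCrl  = Join-Path $Media 'root.crl'    # the root CA's current CRL

# ---- On the offline root CA (steps 3 and 4) ---------------------------------
# Submit the request. With request handling set to Pending, certreq prints a
# request ID and the request waits in the Pending Requests folder.
certreq -submit -config $RootConfig $ReqFile
$RequestId = 2                              # assumed: use the ID certreq printed
# Issue the pending request, then retrieve the certificate and its PKCS #7 chain.
certutil -config $RootConfig -resubmit $RequestId
certreq -retrieve -config $RootConfig $RequestId $CertFile $P7bFile
# The sub CA also needs the root certificate and CRL; the root is offline, so
# they travel on the same media.
certutil -config $RootConfig -ca.cert $RootCert
certutil -config $RootConfig -getcrl  $RootCrl

# ---- On the online enterprise sub CA (step 5, plus Msg. 4) ------------------
# Trust the root on this machine: the local machine Trusted Root store, not the
# Intermediate CA store and not only a GPO that may not have applied yet.
certutil -addstore -f Root $RootCert
# Publish the root certificate and CRL to Active Directory (Msg. 4). Requires
# Enterprise Admins rights; every domain member then trusts the root and
# LDAP CDP/AIA URLs under the Configuration partition can resolve.
certutil -dspublish -f $RootCert RootCA
certutil -dspublish -f $RootCrl
# Check the chain before installing: -urlfetch follows the CDP and AIA URLs in
# the certificate, so an unreachable CRL location shows up here instead of as
# a chain error in the CA console.
certutil -verify -urlfetch $CertFile
# Install the issued certificate into the CA and start the service.
certutil -installcert $P7bFile
Start-Service CertSvc
certutil -ping -config $SubConfig
```

The order matters: the root must be trusted and its CRL reachable before `certutil -installcert` runs, because the CA validates the whole chain, revocation included, when it installs its own certificate and again when the service starts.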
jdc4357

(Msg. 6) Posted: Thu May 18, 2006 8:08 pm
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

Hi,
I'm having the exact same issues that you had. Documentation seems to be
scarce for adding a subordinate enterprise CA to a standalone root CA in a
workgroup. I'm glad you got yours working. I'm stuck. I went through the
"EXACT" steps that you listed and I get to the 5th step; when I install the CA
certificate I get "Cannot verify certificate chain. Do you wish to
ignore the error and continue? The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"

I hit "ok" and then I get the "The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"

The "offline" ca is actually turned on but it shouldn't matter to begin
with.

Any ideas what could be the problem? I read somewhere that there might be a
registry key that I would have to change to allow the import of the key from
the root ca?

Any help would be appreciated.
TIA,
jamie



Paul Adare

(Msg. 7) Posted: Fri May 19, 2006 3:16 am
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

In article , in the
microsoft.public.windows.server.security news group, jdc4357 says...

> I'm having the exact same issues that you had. Documentation seems to be
> scarce for adding a subordinate enterprise ca to a standalone root ca in a
> workgroup. I'm glad you got yours working. I'm stuck. I went through the
> "EXACT" steps that you listed and I get to the 5th step when I install the CA
> certificate and I get a "Cannot verify certificate chain. Do you wish to
> ignore the error and continue? The revocation function was unable to check
> revocation because the revocation server was offline. 0x80092013
> (-2146885613)"
>
> I hit "ok" and then I get the "The revocation function was unable to check
> revocation because the revocation server was offline. 0x80092013
> (-2146885613)"

These errors mean exactly what they are telling you. You can't start the
SubCA as it can't find the Certificate Revocation List (CRL) of the root
CA. What URL are you using for the root CA's CRL? Open the certificate
issued to the SubCA; on the Details tab, look at the CRL Distribution
Points extension and make sure that the root CA's CRL is in the location(s)
listed there.

>
> The "offline" ca is actually turned on but it shouldn't matter to begin
> with.
>
> Any ideas what could be the problem? I read somewhere that there might be a
> registry key that I would have to change to allow the import of the key from
> the root ca?
>

--
Paul Adare - MVP Virtual Machines
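The check Paul describes (open the issued certificate, read the CRL Distribution Points extension, confirm the root's CRL is really at one of those URLs) can be done from the command line. The following is an added example, not code from the thread: it lists the CDP URLs of a certificate file and then builds its chain with online revocation checking, so the `RevocationStatusUnknown` / `OfflineRevocation` status that the CA console reports as 0x80092013 is visible before the CA is started. The certificate path is an assumption.

```powershell
# Added example: diagnose "revocation server was offline" (0x80092013,
# CRYPT_E_REVOCATION_OFFLINE) for a freshly issued sub CA certificate.
function Test-CaChain {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 2.5.29.31 is id-ce-cRLDistributionPoints. Format($true) renders the
    # extension as the same multi-line text the Details tab shows, from which
    # the URLs can be pulled.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($null -eq $cdp) {
        Write-Warning 'No CRL Distribution Points extension: the chain engine has nowhere to fetch the issuer CRL from.'
    } else {
        Write-Host "CDP URLs in $($cert.Subject):"
        [regex]::Matches($cdp.Format($true), '(?i)(ldap|http|file):[^\s]+') |
            ForEach-Object { Write-Host "  $($_.Value)" }
    }

    # Build the chain exactly as the CA does: revocation checked online for
    # every certificate in the chain, not just the end entity.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)

    foreach ($el in $chain.ChainElements) { Write-Host "  chain: $($el.Certificate.Subject)" }
    foreach ($status in $chain.ChainStatus) {
        # RevocationStatusUnknown / OfflineRevocation means the certificate may be
        # fine but the CRL at the CDP URL could not be retrieved: wrong URL, the
        # offline root's web server, or a CRL never published to AD.
        Write-Host ("  {0,-26} {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

Test-CaChain -CertPath 'A:\subca.cer'   # assumed path to the issued sub CA certificate
```

If the only URLs listed point at the root CA's own web server or file share, the sub CA will never reach them while the root is kept offline; the CRL has to be copied to a location that does appear in the extension (an HTTP server that stays online, or the AD CDP container via `certutil -dspublish` when an LDAP URL is present), or the root's CDP configuration has to be changed before the sub CA certificate is issued.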
igor533

(Msg. 8) Posted: Sun May 20, 2007 1:35 pm
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

Friends!
I have the MS CA on a stand-alone Win2003 server. Of course, it is a
stand-alone CA; it's my RootCA.
I need to use a subCA. It's an MS CA on a member of the domain; of course,
it's an Enterprise subordinate CA.
I need to sign its certificate in the RootCA. But the Root CA is stand-alone,
and I can't change the expiration date for the subCA. I receive a cert for the SubCA
only for 1 year.
How can I do it for 5 years?


Brian Komar

(Msg. 9) Posted: Mon May 21, 2007 9:45 am
Post subject: Re: Certificate chain issue with Ent Sub Ca & stand alone Root CA

On Sun, 20 May 2007 13:35:12 +0530, igor533 wrote:

> Friends!
> I have the MS CA on a stand-alone Win2003 server. Of course, it is a
> stand-alone CA; it's my RootCA.
> I need to use a subCA. It's an MS CA on a member of the domain; of course,
> it's an Enterprise subordinate CA.
> I need to sign its certificate in the RootCA. But the Root CA is stand-alone,
> and I can't change the expiration date for the subCA. I receive a cert for the SubCA
> only for 1 year.
> How can I do it for 5 years?

You need to read the Best Practices white paper available at
www.microsoft.com/pki

The two registry values that need to be updated are ValidityPeriod and
ValidityPeriodUnits. Please see the whitepaper for the syntax of the
certutil command and the values to use.

Brian
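As an added example (not Brian's or the thread's code), these are the `certutil` calls that read and set the two values he names, run locally on the stand-alone root CA, followed by a check a practitioner would add: the lifetime of an issued certificate is also capped by the issuer's own remaining lifetime, so the root certificate must itself last longer than the period being configured. The temporary file path is an assumption.

```powershell
# Added example: let a stand-alone root CA issue a 5-year sub CA certificate.
# Run on the root CA with local administrator rights.

# Before: a freshly installed CA has ValidityPeriodUnits = 1 and
# ValidityPeriod = Years, which is why the sub CA came back with one year.
certutil -getreg CA\ValidityPeriodUnits
certutil -getreg CA\ValidityPeriod

# After: allow certificates issued by this CA to run for 5 years.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

# The CA reads these values when the service starts, so restart it before
# re-submitting the sub CA request.
Restart-Service CertSvc

# Sanity check: an issued certificate never outlives its issuer, so confirm the
# root certificate itself is valid for more than five years from today.
$rootCertPath = Join-Path $env:TEMP 'root.crt'      # assumed scratch location
certutil -ca.cert $rootCertPath | Out-Null
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCertPath
"Root CA '$($root.Subject)' expires: $($root.NotAfter)"
if ($root.NotAfter -lt (Get-Date).AddYears(5)) {
    Write-Warning 'Root expires in under 5 years; sub CA certificates will be truncated to that date.'
}
```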