
Root certificate authority no longer added to client machi..

 
NothingtoSay?

External


Since: Jul 14, 2006
Posts: 1



(Msg. 1) Posted: Fri Jul 14, 2006 1:05 pm
Post subject: Root certificate authority no longer added to client machines
Archived from groups: microsoft>public>windows>server>security

Hi all,

Our PKI is based on 2003 and using an offline root and issuing CAs.
All worked fine but about a month ago it developed a slight issue.

Whilst I can see the offline root cert is in AD under the correct node
(looking through adsiedit) and it is still valid (10yr validity),
when I add a new computer to the domain it does not get the root cert
added to the client PC's trusted store.

My two thoughts are to
1. republish the same certificate using certutil -dspublish
2. to use the thority GPO setting on the domain policy

Any comments?
Or better suggestions?
Jonathan

S. Pidgorny <MVP>

External


Since: Oct 09, 2003
Posts: 160



(Msg. 2) Posted: Sun Jul 16, 2006 9:45 pm
Post subject: Re: Root certificate authority no longer added to client machines
Archived from groups: per prev. post

I'd try both 1 and 2 - one will work for sure.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"NothingtoSay?" <jonathanglenister.RemoveThis@hotmail.com> wrote in message
news:1152907537.102712.233080@35g2000cwc.googlegroups.com...
> Hi all,
>
> Our PKI is based on 2003 and using an offline root and issuing CAs.
> All worked fine but about a month ago it developed a slight issue.
>
> Whilst I can see the offline root cert is in AD under the correct node
> (looking through adsiedit) and it is still valid (10yr validity),
> when I add a new computer to the domain it does not get the root cert
> added to the client PC's trusted store.
>
> My two thoughts are to
> 1. republish the same certificate using certutil -dspublish
> 2. to use the thority GPO setting on the domain policy
>
> Any comments?
> Or better suggestions?
> Jonathan
>

StuartH

External


Since: Dec 14, 2006
Posts: 2



(Msg. 3) Posted: Thu Dec 14, 2006 3:20 am
Post subject: Re: Root certificate authority no longer added to client machines
Archived from groups: per prev. post

Did either of these work, Jonathan?

The reason I ask is, funny enough, we have the same issue. I have read as
many articles/KBs as I can and would like some clarification if anyone can,
PLEASE!!

We have a standalone RootCA, with Enterprise issuing CAs. We have run
DSpublish for the RootCA into the AD, but clients do not get entries added to
their trusted store. From what I understand, and have read many times, it is things
like "When you install an enterprise root CA or a stand-alone root CA, the
certificate of the CA is added automatically to the Trusted Root
Certification Authorities Group Policy for the domain." Well, if this is a
standalone Root, how the heck does it put it into a GPO? Another article
states that if the client is a domain member, then they will automatically
receive the CAs in the trusted store... but neglects to say how.

So... in a complete Microsoft world (RootCA, SubEntCAs and clients)... how
does the trusted store get populated on a client? Do you need a GPO or not?
Thanks

Stuart

"S. Pidgorny <MVP>" wrote:

> I'd try both 1 and 2 - one will work for sure.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "NothingtoSay?" <jonathanglenister.DeleteThis@hotmail.com> wrote in message
> news:1152907537.102712.233080@35g2000cwc.googlegroups.com...
> > Hi all,
> >
> > Our PKI is based on 2003 and using an offline root and issuing CAs.
> > All worked fine but about a month ago it developed a slight issue.
> >
> > Whilst I can see the offline root cert is in AD under the correct node
> > (looking through adsiedit) and it is still valid (10yr validity),
> > when I add a new computer to the domain it does not get the root cert
> > added to the client PC's trusted store.
> >
> > My two thoughts are to
> > 1. republish the same certificate using certutil -dspublish
> > 2. to use the thority GPO setting on the domain policy
> >
> > Any comments?
> > Or better suggestions?
> > Jonathan
> >
>
>
>
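Added example, not part of any post in this thread: a PowerShell check that compares the root certificate published in AD with the machine's trusted root store, the two places the posters are comparing by hand. It assumes a domain-joined client, an exported copy of the root at the placeholder path `$RootCerPath`, and the standard `CN=Certification Authorities` container in the forest's configuration partition.

```powershell
# Added example, not from the thread. Run on a domain-joined client.
# $RootCerPath is a placeholder: point it at an exported copy of the offline root certificate.
param([string]$RootCerPath = 'C:\temp\offline-root.cer')

$root  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCerPath)
$thumb = $root.Thumbprint
"Root: $($root.Subject)  expires $($root.NotAfter)  thumbprint $thumb"

# 1. AD side: the forest-wide container that "certutil -dspublish <file> RootCA" writes to.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
$inAD = $false
foreach ($entry in $container.Children) {
    # One AD object can carry several certificates (for example after a CA renewal).
    foreach ($raw in $entry.Properties['cACertificate']) {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        if ($c.Thumbprint -eq $thumb) {
            $inAD = $true
            "  found in AD object: $($entry.Name)"
        }
    }
}

# 2. Client side: the logical machine Root store, which includes AD- and GPO-delivered roots.
$inStore = Test-Path "Cert:\LocalMachine\Root\$thumb"

"In AD container : $inAD"
"In client store : $inStore"

if ($inAD -and -not $inStore) {
    # Published but not downloaded yet: request a certificate/policy refresh,
    # then run this script again to see whether the root has arrived.
    certutil -pulse
    gpupdate /target:computer /force
}
elseif (-not $inAD) {
    # Option 1 from the thread. It needs Enterprise Admin rights, so it is only printed here.
    "Not in AD. To republish: certutil -f -dspublish `"$RootCerPath`" RootCA"
}
```

If the certificate is in AD and still missing from the client store after a refresh, the client's application event log and its ability to reach a domain controller over LDAP are the next things to check before resorting to a GPO.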