Certificate chain issue with Ent Sub Ca & stand alone Root CA

Discussion in 'Server Security' started by Deephazz, Apr 27, 2006.

  1. Deephazz

    Deephazz Guest

    Hello,

    I try to install a CA certificate from a stand-alone Root CA that is not in
    AD to an Enterprise subordinate CA that's included in AD.


    What I do is:

    I save my CA certificate request on a floppy disk.
    Submit it to the stand-alone Root CA and issue it.
    Copy the certificate as *.p7b on the floppy and bring it to the enterprise
    subordinate CA. Once I've done that I install the parent CA certificate (the
    stand-alone Root CA certificate) in the Intermediate Certification
    Authorities certificate store on the server where I've installed my enterprise
    subordinate CA.
    Then I open the Certification Authority console and try to install the CA
    certificate that I got from the stand-alone root CA and....
    I always get the following error msg: "Cannot verify certificate chain. ...
    (0x800b0101)"

    MS is not so clear about the way it works.

    Is it possible to have a subordinate CA that's an Enterprise Sub CA and a
    Root CA that's a stand-alone root CA not included in AD?


    Regards.
     
    Deephazz, Apr 27, 2006
    #1

  2. Paul Adare

    Paul Adare Guest

    Why would you put the root certificate in the intermediate store, it
    belongs in the root store. You should also publish it to Active
    Directory so that it will be available to all of your clients.
    You need to make sure that you've got the root cert in the correct
    place, and that you've got the CRL and AIA distribution points correct.
    MS is _very_ clear on how it works. http://www.microsoft.com/pki and look
    at the technical materials, especially the Best Practices stuff. You
    may also want to look for the book my partner, Brian Komar wrote -

    http://www.amazon.com/gp/product/0735620210/002-3430012-1650457?v=glance&n=283155

    or

    http://tinyurl.com/f4mnz
    --
    Paul Adare - MVP Virtual Machines
    "It all began with Adam. He was the first man to tell a joke--or a lie.
    How lucky Adam was. He knew when he said a good thing, nobody had said
    it before. Adam was not alone in the Garden of Eden, however, and does
    not deserve all the credit; much is due to Eve, the first woman, and
    Satan, the first consultant." - Mark Twain
     
    Paul Adare, Apr 28, 2006
    #2
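As an added example that is not part of the thread, here is the placement Paul describes, done from an elevated PowerShell prompt on the subordinate CA server, followed by a check that the root certificate ended up in the Root store and is not lingering in the Intermediate (CA) store where the original poster put it. The file names A:\StandAloneRootCA.crt and A:\StandAloneRootCA.crl are assumptions.

```powershell
# Added example (not from the thread). Assumed inputs: the offline root's
# certificate and CRL exported to a floppy as A:\StandAloneRootCA.crt/.crl.
$RootCert = 'A:\StandAloneRootCA.crt'
$RootCrl  = 'A:\StandAloneRootCA.crl'

# 1. Local machine stores on the sub CA server (run elevated). The root
#    certificate belongs in Root, never in CA (Intermediate); the CRL goes in
#    alongside it so chain building can find it without a network fetch.
certutil -addstore -f Root $RootCert
certutil -addstore -f Root $RootCrl

# 2. Publish to Active Directory so every domain member trusts the root after
#    its next Group Policy refresh (Enterprise Admin rights needed; -f updates
#    an existing object). The CRL lands in the default CDP container.
certutil -dspublish -f $RootCert RootCA
certutil -dspublish -f $RootCrl

# 3. Verify placement: the thumbprint must be in Root and must not linger in
#    CA, where a misplaced copy keeps chain building from trusting the root.
$Root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
foreach ($StoreName in 'Root', 'CA') {
    $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $Store.Open('ReadOnly')
    $Found = @($Store.Certificates | Where-Object { $_.Thumbprint -eq $Root.Thumbprint }).Count -gt 0
    $Store.Close()
    '{0,-4} store: {1}' -f $StoreName, $(if ($Found) { 'present' } else { 'absent' })
}
# Expected: "Root store: present" and "CA   store: absent". A stray copy in the
# CA store is removed with: certutil -delstore CA <thumbprint>
```

The same two `certutil` verbs work on Windows Server 2003, which is what the thread is about; the .NET store check at the end only needs PowerShell to be present on the box you run it from.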

  3. Paul Adare

    Paul Adare Guest

    --
    Paul Adare - MVP Virtual Machines
    "It all began with Adam. He was the first man to tell a joke--or a lie.
    How lucky Adam was. He knew when he said a good thing, nobody had said
    it before. Adam was not alone in the Garden of Eden, however, and does
    not deserve all the credit; much is due to Eve, the first woman, and
    Satan, the first consultant." - Mark Twain
     
    Paul Adare, Apr 28, 2006
    #3
  4. Deephazz

    Deephazz Guest

    Hello,

    thanks for taking the time to answer.

    Unfortunately I spent hours today on this issue and I really feel dumb.

    It's impossible to activate, i.e. start, the subordinate enterprise CA. I always
    get the certificate chain issue, even when I put the StandAloneRootCA.crt in
    the "Trusted Root Certification Authorities" of the default domain policy.
    The certificate remains untrusted (the red X on the icon) although it's in
    the "Trusted Root Certification Authorities"; the certificate status says "This CA
    Root certificate is not trusted because it is not in the Trusted Root
    Certification Authorities store" ...go figure.

    In fact I checked the MS PKI stuff but my problem concerns the activation of
    the sub enterprise CA that fails because of the cert chain.

    Fortunately it was a subject for a Lab, it's a pity it didn't work.

    Regards.
     
    Deephazz, Apr 28, 2006
    #4
  5. Paul Adare

    Paul Adare Guest

    You're still not doing this correctly. You need to add the root
    certificate to the local Trusted Root store on the subCA and you also
    need to publish it to Active Directory using certutil -dspublish.
    This is all covered in detail on the Microsoft web site.
    Deploying PKIs is what I do for a living and I can assure you that this
    does in fact work.

    --
    Paul Adare - MVP Virtual Machines
    "It all began with Adam. He was the first man to tell a joke--or a lie.
    How lucky Adam was. He knew when he said a good thing, nobody had said
    it before. Adam was not alone in the Garden of Eden, however, and does
    not deserve all the credit; much is due to Eve, the first woman, and
    Satan, the first consultant." - Mark Twain
     
    Paul Adare, Apr 29, 2006
    #5
  6. Deephazz

    Deephazz Guest

    First, thanks for taking the time to answer me.

    I eventually succeeded in setting up a certificate chain.

    I reinstalled both 2003 Ent srv as follows:

    1 Offline >>> Offline Root CA
    1 Online >>> Online Enterprise Subordinate CA

    1st. Install the offline Root CA using default settings (set the default
    Request handling action to Pending so that all the incoming requests will
    automatically be stored in the pending directory of the CA; after that it's
    up to you to issue the certificate or not). At this point the default
    settings for setup are good enough since the CA is in a test environment.

    2nd. Install the online sub CA using default settings and store the CA
    certificate request to a file on a floppy disk.

    3rd. Insert the floppy in the Root CA srv device and enter "CERTREQ" at the
    command prompt, select the *.req file that's stored on the floppy disk and
    then select the CA that will issue the certificate (the Offline Root CA).

    4th. Open the CA mmc, go to the pending directory and issue the pending
    request from the Online sub CA, select properties of the issued CA and copy
    the file as a *.p7b file to the floppy disk.

    5th. Once the *.p7b file is on the floppy, put it in the Online Enterprise
    Sub CA and open the CA mmc. Right click on the CA > All Tasks > Install CA
    Certificate.
    Start the Enterprise Subordinate CA.

    I don't know why it worked this time. I didn't get the certificate chain issue.

    So here are things that might help a little more:

    - When a CA is not trusted, it might help to install the untrusted
    certificate in the computer's Trusted Root Certification Authorities store.

    - Changing a CA's extensions' properties does not fix the certificate chain issue.

    - Install, uninstall, install, uninstall, .... of CA on the same srv is
    probably not the best thing to do ^^

    Regards.
     
    Deephazz, May 13, 2006
    #6
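As an added example rather than the poster's own commands, the same floppy-based enrolment can be driven from the command line on both servers, which records every step and avoids the mmc click-through. Names are assumptions: the root CA host ROOTSRV with CA name "Offline Root CA", the request A:\SubCA.req written by the sub CA setup, and the root's certificate and CRL exported as A:\StandAloneRootCA.crt/.crl. The ValidityPeriod and ValidityPeriodUnits registry values that Brian Komar points at later in the thread are set on the root before the request is issued, since they decide how long the sub CA certificate will be valid.

```powershell
# Added example (not the poster's commands). Assumed names: ROOTSRV, the CA
# "Offline Root CA", and A:\SubCA.req produced by the sub CA setup wizard.
$RootConfig = 'ROOTSRV\Offline Root CA'

### On the offline root CA ###

# Lifetime of every certificate this root issues, the sub CA certificate
# included (defaults to 1 year). The service must restart to pick it up.
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc
net start certsvc

# Submit the sub CA request. With request handling set to Pending, certreq
# prints a RequestId instead of writing a certificate; capture it.
$Out = certreq -submit -config $RootConfig A:\SubCA.req
$Id  = ($Out | Select-String 'RequestId:\s*"?(\d+)' | Select-Object -First 1).Matches[0].Groups[1].Value
"Pending request id: $Id"

# Issue the pending request, then retrieve the certificate (.cer) and the
# PKCS#7 chain (.p7b) that the sub CA's install step expects.
certutil -config $RootConfig -resubmit $Id
certreq -retrieve -config $RootConfig $Id A:\SubCA.cer A:\SubCA.p7b

# The root's own certificate and CRL travel on the same floppy: the sub CA
# (and later every client) needs both to build and validate the chain.
certutil -config $RootConfig -ca.cert A:\StandAloneRootCA.crt
certutil -config $RootConfig -getcrl  A:\StandAloneRootCA.crl

### On the online enterprise subordinate CA (elevated) ###

# Root certificate and CRL into the machine's Trusted Root store first.
certutil -addstore -f Root A:\StandAloneRootCA.crt
certutil -addstore -f Root A:\StandAloneRootCA.crl

# Prove the chain before touching the CA service. This is the check that
# fails when the CRL location named in SubCA.cer cannot be fetched.
certutil -verify -urlfetch A:\SubCA.cer

# Install the CA certificate and start the service.
certutil -installcert A:\SubCA.p7b
net start certsvc
```

If `certutil -verify -urlfetch` reports a failure, fix that (store placement, CRL publication, or the CDP URL itself) before running `-installcert`; installing over a broken chain is what produces the "Cannot verify certificate chain" dialog the thread keeps hitting.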
  7. jdc4357

    jdc4357 Guest

    Hi,
    I'm having the exact same issues that you had. Documentation seems to be
    scarce for adding a subordinate enterprise CA to a standalone root CA in a
    workgroup. I'm glad you got yours working. I'm stuck. I went through the
    "EXACT" steps that you listed and I get to the 5th step when I install the CA
    certificate and I get a "Cannot verify certificate chain. Do you wish to
    ignore the error and continue? The revocation function was unable to check
    revocation because the revocation server was offline. 0x80092013
    (-2146885613)"

    I hit "ok" and then I get the "The revocation function was unable to check
    revocation because the revocation server was offline. 0x80092013
    (-2146885613)"

    The "offline" CA is actually turned on but it shouldn't matter to begin
    with.

    Any ideas what could be the problem? I read somewhere that there might be a
    registry key that I would have to change to allow the import of the key from
    the root CA?

    Any help would be appreciated.
    TIA,
    jamie
     
    jdc4357, May 19, 2006
    #7
  8. Paul Adare

    Paul Adare Guest

    These errors mean exactly what they are telling you. You can't start the
    SubCA as it can't find the Certificate Revocation List (CRL) of the root
    CA. What URL are you using for the root CA's CRL? Open the certificate
    issued to the SubCA, on the Details tab, look at the CRL Distribution
    Points extension and make sure that the root CA's CRL is in the location(s)
    listed there.
    --
    Paul Adare - MVP Virtual Machines
    "It all began with Adam. He was the first man to tell a joke--or a lie.
    How lucky Adam was. He knew when he said a good thing, nobody had said
    it before. Adam was not alone in the Garden of Eden, however, and does
    not deserve all the credit; much is due to Eve, the first woman, and
    Satan, the first consultant." - Mark Twain
     
    Paul Adare, May 19, 2006
    #8
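As an added example, not code from the thread, the following PowerShell does what Paul asks by hand: it reads the certificate issued to the SubCA, lists the CRL Distribution Points and Authority Information Access URLs, tries to fetch each HTTP one, and builds the chain with online revocation checking so the failure shows up as a named status instead of a bare hex code. A:\SubCA.cer is an assumed path. For orientation, the two codes quoted in this thread decode as CERT_E_EXPIRED (0x800b0101: a certificate in the chain is outside its validity period; a root whose clock disagrees with the sub CA's is one way to get there) and CRYPT_E_REVOCATION_OFFLINE (0x80092013: the CRL named in the certificate could not be retrieved). `certutil -error <code>` prints the same decoding.

```powershell
# Added example (not from the thread). Assumed input: A:\SubCA.cer, the
# certificate the offline root issued to the enterprise subordinate CA.
$CertPath = 'A:\SubCA.cer'
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# .NET exposes CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) only as raw
# extensions, so pull the URLs out of the formatted text with a regex.
function Get-ExtensionUrls([System.Security.Cryptography.X509Certificates.X509Certificate2] $C, [string] $Oid) {
    $Ext = $C.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $Ext) { return }
    [regex]::Matches($Ext.Format($true), '(?i)\b(https?|ldap|file)://\S+') | ForEach-Object { $_.Value }
}

$Cdp = @(Get-ExtensionUrls $Cert '2.5.29.31')
$Aia = @(Get-ExtensionUrls $Cert '1.3.6.1.5.5.7.1.1')
"Subject : $($Cert.Subject)"
"Issuer  : $($Cert.Issuer)"
"Valid   : $($Cert.NotBefore) -> $($Cert.NotAfter)  (local clock: $(Get-Date))"
"CDP     : $($Cdp -join ', ')"
"AIA     : $($Aia -join ', ')"

# Every HTTP location must answer from the sub CA's network, because the CA
# service performs exactly this fetch when it starts. LDAP locations only
# resolve once the root's CRL has been published to AD (certutil -dspublish).
foreach ($Url in @($Cdp + $Aia | Where-Object { $_ -like 'http*' })) {
    try {
        $Bytes = (New-Object System.Net.WebClient).DownloadData($Url)
        "  reachable   $Url ($($Bytes.Length) bytes)"
    } catch {
        "  UNREACHABLE $Url : $($_.Exception.Message)"
    }
}

# Build the chain the way the CA service will, with revocation checked online.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = 'Online'
$Chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # a self-signed root has no CRL of its own
$Ok = $Chain.Build($Cert)
"Chain builds cleanly: $Ok"
foreach ($S in $Chain.ChainStatus) {
    # OfflineRevocation / RevocationStatusUnknown is the 0x80092013 case;
    # UntrustedRoot means the root is missing from LocalMachine\Root;
    # NotTimeValid is the 0x800b0101 case.
    '  {0,-24} {1}' -f $S.Status, $S.StatusInformation.Trim()
}
# One-line equivalent with per-URL detail: certutil -verify -urlfetch A:\SubCA.cer
```

Run it on the sub CA itself, since that is the machine whose stores and network path matter; a clean result from an administrator's workstation proves nothing about the CA service's own chain build.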
  9. Deephazz

    Deephazz Guest

    Hello,

    That's a point I don't understand. I didn't have to check for the stand-alone
    root CRL on the enterprise sub CA when it eventually worked. I just
    issued a request from the ent sub CA on a floppy disk, submitted the request
    to the stand-alone root CA through the command line "certreq", issued the CA
    certificate, installed it on the ent sub CA, nothing more.

    So, it makes me wonder if the CRLs are that important for starting the
    enterprise sub CA as I succeeded without modifying the default CRLs of the
    stand-alone Root CA.
    It sounds like they become important once you've first started the CA.

    So maybe to ease the process of "validating" the certificate chain on an
    enterprise sub CA, it's better to install IIS; if IIS is installed after the
    CA, at the command prompt type certutil -vroot, it will publish the Microsoft
    Certificate Services website (you can access it at
    http://CA_SERVER_IP/certserv/), once you have the certificate services
    website you can download the CRL from the enterprise subordinate CA and then
    install the CRL to the Trusted Root Certification Authorities store
    (well MS says it should be installed in the computer store but when I did so
    it didn't work :\ , so I installed it into both computer and current user
    store).

    Otherwise just "copy" the CRL from "%windir%\system32\certsrv\" on the
    CA server instead of using the web interface.

    Regards.
     
    Deephazz, May 19, 2006
    #9
  10. Paul Adare

    Paul Adare Guest

    I don't understand what you mean by this. Obviously if you can't start
    the SubCA, nothing is working.
    Right and nothing you've done up to this point would cause a check of
    the CRL to occur.
    Obviously since that is what is preventing the SubCA from starting in
    the first place.
    None of the above makes any sense in relation to the problem you're
    having. I've already told you what to check. If you're unwilling to
    follow my advice then I really don't see how I can be of any further
    assistance here.

    --
    Paul Adare - MVP Virtual Machines
    "It all began with Adam. He was the first man to tell a joke--or a lie.
    How lucky Adam was. He knew when he said a good thing, nobody had said
    it before. Adam was not alone in the Garden of Eden, however, and does
    not deserve all the credit; much is due to Eve, the first woman, and
    Satan, the first consultant." - Mark Twain
     
    Paul Adare, May 19, 2006
    #10
  11. jdc4357

    jdc4357 Guest

    Thanks for the quick reply. I'm a cert newb so bear with me. I thought the
    whole purpose of having an offline root CA is that you kept it offline. My
    root CA does not have IIS installed and my CRL path of the subordinate
    enterprise CA does point to a URL of my root CA. So I guess that is what is
    breaking. So can you confirm that I need to have the root CA on and IIS
    running to have my subordinate CA start up for the first time only.

    Thanks guys!!!
    jamie
     
    jdc4357, May 19, 2006
    #11
  12. Brian Komar

    Brian Komar Guest

    You need to read the Best Practices white paper available at
    www.microsoft.com/pki

    The two registry values that need to be updated are ValidityPeriod and
    ValidityPeriodUnits. Please see the whitepaper for the syntax of the
    certutil command and the values to use.

    Brian
     
    Brian Komar, May 21, 2007
    #12
