Certificate chain issue with Ent Sub Ca & stand alone Root CA

hello,

I try to install a CA certificate from a stand alone Root CA that is not in
AD to an Enterprise subordinate CA that's included in AD.


What si do is :

I save my CA certificate Request on a floppy disk.
Submit it to the stand alone Root Ca and issue it.
copy the certificate as *.p7b on the floppy and bring it to the enterprise
subordinate CA. Once i've done that I install the parent CA certificate ( the
stand alone Root CA certificate) in the intermediate certification
Authorites certificate store on the server where I've installed my enterprise
subordinate CA.
Then I open the certification authority console and try to install the CA
certificate that i got from the stand alone root CA and....
I always get the following error msg : "Cannot verify certificate chain. ...
0x800b0101)

MS is not so clear about the way it works.

Is it possible to have a subordinate CA that's an Enterprise Sub Ca and a
Root Ca that's a stand alone root CA not included in AD ?


Regards.

 

microsoft.public.windows.server.security news group, =?Utf-8?B?

Why would you put the root certificate in the intermediate store, it
belongs in the root store. You should also publish it to Active
Directory so that it will be available to all of your clients.

You need to make sure that you've got the root cert in the correct
place, and that you've got the CRL and AIA distribution points correct.

MS is _very_ clear on how it works. http://www.microsoft.com/pki and look
at the technical materials, especially the Best Practices stuff. You
may also want to look for the book my partner, Brian Komar wrote -

http://www.amazon.com/gp/product/0735620210/002-3430012-1650457?
v=glance&n=283155

or

http://tinyurl.com/f4mnz

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

microsoft.public.windows.server.security news group, Paul Adare

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

Hello,

thanks for taking the time to answer.

Unfortunatelly i spent hours today on this issue and I really feel dumb.

It's impossible to active to start the subordinate enterprise CA. I always
get the certifiacte chain issue. even when I put the StandAloneRootCA.crt in
the "Trusted Root Certification Authorities" of the default domain policy.
the certificate remains untrunsted ( the red x on the icon) although it's in
the "Trusted Root Certification Authorities" certificate status says "This CA
Root certificate is not trusted because it is not in the Trusted root
Certification Authorities Store" ...go figure.

In fact I checked Ms PKI stuffs but my problem concerns the activation of
the sub enterprise Ca that fails because of the cert chain.

Fortunately it was a subject for a Lab, it's a pity it didn't work.

Regards.

 

microsoft.public.windows.server.security news group, =?Utf-8?B?

You're still not doing this correctly. You need to add the root
certificate to the local Trusted Root store on the subCA and you also
need to publish it to Active Directory using certutil -dspublish.

This is all covered in detail on the Microsoft web site.

Deploying PKIs is what I do for a living and I can assure you that this
does in fact work.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

First, thanks for taking the time to answer me.

I eventually succeed in setting up a certificate chain.

I reinstalled both 2003 Ent srv as follow :

1 Offline >>> Offline Root CA
1 Online >>> Online Enterprise Subordinate CA

1st. Install the offline Root CA using defaults settings (set the default
Request handling action to Pending so that all the incoming requests will
automatically be stored int the pending directory of the CA, after that it's
up to you to issue the Certificate or not). At this point the default
settings for setup are good enough since CA is in a Test environment.

2nd. Install the online sub CA using defaults settings and store the CA
Certificate request to a file on a floppy disk.

3rd. Insert the floppy in the Root CA Srv device and enter "CERTREQ" at the
command prompt, select the *.req file that's stored on the floppy disk and
then select the CA that will issue the Certificate (the Offline Root CA)

4th. open the the CA mmc go to pending directory and issu the pending
request from the Online su CA, select properties of the issued CA and copy
the file as *.p7b file to the floppy disk

5th. Once the *.p7b file is on the floppy put it in the Online Enterprise
Sub CA and open the CA mmc. Right click on the CA > all tasks > Install CA
Certificate.
Start the Enterprise Subordiante CA.

I don't know why it worked this time. I didn't get the certifiate chain issue.

So here are things that might help a little more :

- When a CA is not trusted, it might help to install the untrusted
Certificate in the computer's Trusted Root Certification Authorities Store.

- Changing a CA's extensions' properties does not fix certificate chain issue.

- Install , uninstall, install, uninstall, .... of CA on the same srv is
probably not the best thing to do ^^

Regards.

 

Hi,
I'm having the exact same issues that you had. Documentation seems to be
scarce for adding a subordinate enterprise ca to a standalone root ca in a
workgroup. I'm glad you got yours working. I'm stuck. I went through the
"EXACT" steps that you listed and I get to the 5th step when I install the CA
certificate and I get a "Cannot verify certificate chain. Do you wish to
ignore the error and continue? The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"

I hit "ok" and then I get the "The revocation function was unable to check
revocation because the revocation server was offline. 0x80092013
(-2146885613)"

The "offline" ca is actually turned on but it shouldn't matter to begin
with.

Any ideas what could be the problem? I read somewhere that there might be a
registry key that I would have to change to allow the import of the key from
the root ca?

Any help would be appreciated.
TIA,
jamie

 

microsoft.public.windows.server.security news group, =?Utf-8?B?

These errors mean exactly what they are telling you. You can't start the
SubCA as it can't find the Certificate Revocation List (CRL) of the root
CA. What URL are you using for the root CA's CRL? Open the certificate
issued to the SubCA, on the Details tab, look at the CRL Distribution
Points extension and make sure that the root CA's CRL is in the location
(s) listed there.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

Hello,

That's a point I don't understand. i didn't have to check for the stand
alone root CRL on the enterprise sub CA when it eventually worked. I juste
issued a request from the ent sub CA on a floppy disk , submitted the request
to the stand alone root CA through the command line "certreq", issued the CA
Certificate, installed on the ent sub ca, nothing more.

So, it makes me wonder if the CRL's are that important for starting the
enterprise sub CA as I succeeded without modifying the default CRL's of the
Stand alone Root CA.
It sounds like they become important once you've first started the CA.

So maybe to ease the process of "validating" the certificate chain on an
enterprise sub CA, it's better to install IIS, if IIS is installed after the
CA, at the command prompt type certutil -vroot, it will publish the Microsoft
Certificate Services website (you can acces it at
http://CA_SERVER_IP/certserv/), once you have the certificate services
webiste you can donwload the CRL from the enterprise subordinate CA and then
install the CRL to the Trusted Root Certification Authorities store of the
(well MS says it should be installed in the computer store but when i did so
it didn't work :\ , so i installed it into both computer and current User
store).

Otherwise just "copy" the CRL from the "%windir%\system32\certsrv\" from the
CA server instead of using the web interface.

Regards.

 

microsoft.public.windows.server.security news group, =?Utf-8?B?

I don't understand what you mean by this. Obviously if you can't start
the SubCA, nothing is working.

Right and nothing you've done up to this point would cause a check of
the CRL to occur.

Obviously since that is what is preventing the SubCA from starting in
the first place.

None of the above makes any sense in relation to the problem you're
having. I've already told you what to check. If you're unwilling to
follow my advice then I really don't see how I can be of any further
assistance here.

--
Paul Adare - MVP Virtual Machines
It all began with Adam. He was the first man to tell a joke--or a lie.
How lucky Adam was. He knew when he said a good thing, nobody had said
it before. Adam was not alone in the Garden of Eden, however, and does
not deserve all the credit; much is due to Eve, the first woman, and
Satan, the first consultant." - Mark Twain

 

Thanks for the quick reply. I'm a cert newb so bear with me. I thought the
whole purpose of having an offline root ca is that you kept it offline. My
root ca does not have IIS installed and my CRL path of the subordinate
enterprise ca does point to an url of my root ca. So I guess that is what is
breaking. So can you confirm that I need to have the root ca on and IIS
running to have my subordinate ca start up for the first time only.

Thanks guys!!!
jamie

 

You need to read the Best Practices white paper available at
www.microsoft.com/pki

The two registry values that need to be updated are ValidityPeriod and
ValidityPeriodUnits. Please see the whitepaper for the syntax of the
certutil command and the values to use.

Brian