A certificate chain could not be built to a trusted root authority

Answered A certificate chain could not be built to a trusted root authority

  • Friday, 25 January 2013 16:16

    Hello

    I am trying to set up a PKI in a virtual test environment on 2008 R2, and now I'm stuck, so I need your help and advice for the further steps. I've installed a standalone root CA with the CA role (it will later be offline; it is 2008 R2 Standard). I also installed one DC and one issuing CA, an enterprise subordinate CA (on 2008 R2 Enterprise). When adding the enterprise subordinate CA role I chose the option to save the certificate request to a file.

    As a guide I've used the Windows Server 2008 Active Directory Certificate Services Step-by-Step Guide from

    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5-acaf31de6dce&displaylang=en

    I've got as far as sending the certificate to the offline ROOT, the ROOT has issued it, but when I try to get this certificate back into the subordinate, I get the following error:

    "Cannot find the certificate for CN=ROOT-CA to build a certificate chain. Do you wish to install this certificate now? A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)."

    So I'm having problems importing the issued certificate from the CAROOT.

    Can anybody offer some assistance?

All replies

  • Saturday, 26 January 2013 00:46

    Hi there, you need to publish the caroot certificate to the sub CA, or better to all machines in Active Directory. To do so, run from the subordinate CA:

    certutil.exe -f -dspublish caroot.crt RootCA

    Wait a few minutes and run:

    gpupdate.exe /force

    Wait a few minutes, and now you should be able to import your sub CA cert without that error.

    Hope that helps,

    Lutz
  • Saturday, 26 January 2013 06:17

    Hi Lutz,

    I found that command line in another post, so I'm led to believe I incorrectly performed a step before the command line portion.

    Would it be too much of a bother for me to ask you to post the steps to publish the caroot cert to the subca?

    Thanks in advance.

  • Saturday, 26 January 2013 06:42
     Answered

    Yep, no problem

    1. Run on the root CA: certutil.exe -ca.cert rootcacert.crt

    2. Copy the rootcacert.crt file to the subordinate CA.

    3. Run on the subordinate CA: certutil.exe -f -dspublish rootcacert.crt RootCA

    Regards,

    Lutz

  • Saturday, 26 January 2013 18:05

    Okay,

    So I have no problem creating that cert. However, when creating the subordinate certificate issuer, it asks if you want to create a new request or use an existing one. Whichever "road" I pick doesn't allow me to import that newly created cert from the root CA.

    When I create the request on the sub server, I take it to the root, issue it, run the command and get my regular error; if I try to do the step directly above, I'm told the sub server is still waiting for its requested cert.

    Pardon me for my lack of knowledge. I've just been introduced to this technology.

  • Saturday, 26 January 2013 19:58
     Answered

    You are mixing up two very different things.

    1) You need to install the root CA certificate. You can use certutil -dspublish Rootcert.crt RootCA and then run gpupdate /force to add the root CA certificate as a trusted root. I would just copy the root CA certificate from the C:\windows\system32\certsrv\certenroll folder on the root CA to a USB stick and install it on the subordinate from there.

    2) Did you submit the request generated on the subCA (the c:\CADNS_CAName.req file) to the root CA? This is done in the Certification Authority console. The resulting request should appear in the Pending Requests container. You must then right-click the request and click Issued.

    3) The resulting certificate is the one you need to install on the subCA. This is done by opening the certificate from the Certification Authority console and, on the Details tab, copying it to a file (use PKCS#7 and include all certs in the chain). Copy this P7B file to a USB stick.

    4) On the subCA, in the Certification Authority console, right-click the CA name and install the cert. Then you should be able to start Certificate Services.

    There you go

    Brian
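
A way to check, before clicking through the console, whether the subordinate CA certificate will chain to a trusted root on the subCA (added editorial example, not code from any poster; the two file paths are placeholders, and it assumes the root cert was exported as in Lutz's step 1):

```powershell
# Run on the subordinate CA. Shows whether the root CA is already trusted
# locally and, if chain building fails, which status (PartialChain,
# UntrustedRoot, ...) lies behind the 0x800b010a dialog.
param(
    [string]$SubCaCertPath  = 'C:\temp\subca.cer',       # placeholder: cert issued by the root CA
    [string]$RootCaCertPath = 'C:\temp\rootcacert.crt'   # placeholder: output of certutil -ca.cert
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$subCa  = New-Object "$x509.X509Certificate2" $SubCaCertPath
$rootCa = New-Object "$x509.X509Certificate2" $RootCaCertPath

# 1. Is the root in the machine's Trusted Root store? That is the store that
#    certutil -dspublish ... RootCA plus gpupdate /force ends up populating.
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $rootCa.Thumbprint }
if ($inRootStore) {
    "Root CA '$($rootCa.Subject)' is present in LocalMachine\Root."
} else {
    "Root CA '$($rootCa.Subject)' is NOT in LocalMachine\Root; expect 0x800b010a until it is published."
}

# 2. Build the chain for the issued subCA cert and report why it fails, if it does.
$chain = New-Object "$x509.X509Chain"
# The root is offline in this lab, so no CRL is reachable; skip revocation to test trust only.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null   # lets the chain find the issuer even when not yet installed

if ($chain.Build($subCa)) {
    "Chain built:"
    $chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }
} else {
    "Chain FAILED:"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```

With the root in ExtraStore, a result of UntrustedRoot (rather than PartialChain) means the issuer is found but not trusted, which is exactly what the dspublish/gpupdate step in the replies above fixes.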

  • Monday, 28 January 2013 04:44

    I must be missing more than one step, Brian. I've a virtual environment; I'm going back to the snapshots I took earlier. I'm also going to need to do some serious reading if I'm going to get this up for Tuesday.

    With that said, I know I'm not the only one who would like to see a step-by-step installation of an offline root / online sub CA. I'll be posting it in its entirety once I'm complete.

    If either of you would be able to recommend a book or continue helping me out, I'd appreciate it.

    Thank you both.

    Relloski

  • Monday, 28 January 2013 06:20
     Answered

    Here you go

    http://www.amazon.com/Windows-Server-Certificate-Security-PRO-Other/dp/0735625166

    This includes the step-by-steps you are looking for.

    Brian