Issue using OpenSSL generated certificate with Subordinate CA

  • Question

  • I've followed a guide to creating an OpenSSL CA to use as my standalone root CA.

    I generated the root and also generated an intermediate CA cert/key and signed it with the root. I then converted the intermediate CA cert/key to a p12 file.

    In Server 2012 I've installed ADCS and during the configuration I've selected Enterprise Subordinate CA. I then select Existing Certificate and browse for my p12 file. After selecting the certificate and clicking Next I get an empty error dialog that just says Error in its title and has a red X.

    Apparently I can't add links or images right now but if I can I will do so at a later time.

    I'm hoping someone can offer some advice on how to troubleshoot this one. Thanks in advance.

    Friday, October 9, 2015 3:39 AM

All replies

  • Why did you use OpenSSL to create the keypair and certificate for the subordinate? As much as possible, devices/users that own a certificate should be the entity that generates the keypair. I would suggest you consider a deployment scenario where you install the subordinate CA and let it generate the keypair and create a certificate request. This request can then be submitted to your OpenSSL CA for issuance. Once it has been issued, you can then install it on the subordinate CA to complete the install process.

    The error you are seeing is most likely related to an improperly formatted certificate or an incorrect certificate altogether. You can share the output of %windir%\certocm.log for confirmation.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

    Friday, October 9, 2015 12:41 PM
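The flow Mark recommends (the subordinate generates its own key pair and a CSR that already carries C/O/OU; the OpenSSL root signs that CSR), worked through below with openssl alone so it runs anywhere. This is an added example, not code from the thread or from Microsoft; the CA names, subject values and file names are made up for it. It also reproduces the "improperly formatted certificate" failure Mark's reply points at: signing the request with a bare openssl x509 -req, as many CA guides do, yields a certificate with no basicConstraints or keyUsage, and a chain issued from it does not validate, whereas the same request signed with the extensions in subca.ext does.

```shell
#!/bin/sh
# Added example (not from the thread). The "subordinate" generates its own key
# pair and CSR; the offline root signs the CSR, once without and once with CA
# extensions, and a leaf issued from each result is chain-validated.
# All names (Example Corp, Example Root CA, Example Issuing CA) are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Root CA: self-signed, with CA basic constraints (what the OP built with OpenSSL).
cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C  = US
O  = Example Corp
OU = PKI
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Subordinate's CSR with the full subject. subca.key never leaves this step;
# only subca.csr travels to the root (on Windows this is Create Custom Request).
cat > subca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C  = US
O  = Example Corp
OU = PKI
CN = Example Issuing CA
EOF

# Extensions the root must stamp onto the subordinate's certificate.
# pathlen:0: the sub-CA may issue end-entity certificates but no further CAs.
cat > subca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Leaf CSR, used only to prove which sub-CA certificate can actually issue.
cat > leaf.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C  = US
O  = Example Corp
CN = host01.example.test
EOF

openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config root.cnf -keyout root.key -out root.crt 2>/dev/null
openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -config subca.cnf -keyout subca.key -out subca.csr 2>/dev/null
openssl req -new -nodes -newkey rsa:2048 -sha256 \
    -config leaf.cnf -keyout leaf.key -out leaf.csr 2>/dev/null

# Wrong: no -extfile, so the issued certificate carries no CA extensions.
openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -out subca-noext.crt 2>/dev/null
# Right: the same request signed with the CA extensions applied.
openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile subca.ext -out subca.crt 2>/dev/null

# Issue the leaf from each candidate sub-CA certificate (same sub-CA key).
openssl x509 -req -in leaf.csr -CA subca-noext.crt -CAkey subca.key \
    -CAcreateserial -days 365 -sha256 -out leaf-via-noext.crt 2>/dev/null
openssl x509 -req -in leaf.csr -CA subca.crt -CAkey subca.key \
    -CAcreateserial -days 365 -sha256 -out leaf-via-subca.crt 2>/dev/null

# "yes" if the CSR's subject carries the organisation the OP could not get in.
csr_has_org() {
    if openssl req -in "$1" -noout -subject 2>/dev/null | grep -q 'Example Corp'; then
        echo yes; else echo no; fi
}
# "yes" if the certificate asserts basicConstraints CA:TRUE, else "no".
has_ca_flag() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes; else echo no; fi
}
# Validate root -> $1 -> $2 as a relying party would; "ok" or "fail".
# An intermediate without CA:TRUE is rejected as an invalid CA.
verify_chain() {
    if openssl verify -CAfile root.crt -untrusted "$1" "$2" >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}

echo "csr has O=: $(csr_has_org subca.csr)"
echo "no extensions: CA:TRUE=$(has_ca_flag subca-noext.crt) chain=$(verify_chain subca-noext.crt leaf-via-noext.crt)"
echo "with -extfile: CA:TRUE=$(has_ca_flag subca.crt) chain=$(verify_chain subca.crt leaf-via-subca.crt)"
```

On the subordinate itself the equivalent of subca.cnf is the Subject tab of Create Custom Request in the Certificates snap-in, or the Subject line of a certreq .inf ([NewRequest] Subject = "CN=..., OU=..., O=..., C=...") fed to certreq -new; either way the private key stays in the local machine store and only the request file goes to the OpenSSL root. Before importing the signed certificate, run the has_ca_flag check (or openssl x509 -noout -text) on it and confirm basicConstraints CA:TRUE and keyUsage keyCertSign are present.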
  • Thanks for the response Mark.

    I did actually try to do it your suggested way originally but I could not figure out how to get Windows to add information such as Organization, Country, etc to the request during the Enterprise Subordinate setup process. As I'm trying to follow some best practices, the CA could not sign the request (without relaxing the signing policy which I was hoping to avoid doing).

    If you can tell me how to get that information in the CSR then hopefully I can do it the preferred way and skip the rest of this trouble.

    Friday, October 9, 2015 7:33 PM
  • Hi,

    >>but I could not figure out how to get Windows to add information such as Organization, Country, etc

    We can request the Subordinate CA certificate from the root CA by using MMC, then select the certificate when running the wizard.

    To add the information needed, just duplicate the Subordinate CA template and edit it.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, October 12, 2015 8:30 AM
    Moderator
  • Thanks for the response Steven.

    Unfortunately I'm new to this so I only vaguely understand what you're suggesting.

    If I go into the Certificates snap-in and try to request a new certificate it tells me there are no valid templates -- despite the fact that I am in the Enterprise Admins group. Not sure what's going on there.

    If I go into the Certificate Templates snap-in I can duplicate the Subordinate CA template but I have no idea how I add information to the template such as OU, Country, O, etc.

    If anyone can provide a few more specifics it would be greatly appreciated.

    Tuesday, October 13, 2015 5:07 PM
  • Hi,

    >>If I go into the Certificates snap-in and try to request a new certificate it tells me there are no valid templates -- despite the fact that I am in the Enterprise Admins group. Not sure what's going on there.

    When we enroll a computer certificate, the computer account will be used for authentication. Please add the SubCA server to the duplicated template and give it Read and Enroll permissions.

    >>If I go into the Certificate Templates snap-in I can duplicate the Subordinate CA template but I have no idea how I add information to the template such as OU, Country, O, etc.

    We can only edit the extensions on the duplicated template. The information such as OU, Country is required in the enrollment process. Here is the screenshot of my lab:

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by GregRzn Wednesday, October 14, 2015 7:30 PM
    Wednesday, October 14, 2015 1:41 AM
    Moderator
  • Thanks Steven, this got me most of the way there.

    The only difference is I didn't need to duplicate the template. Instead I had to go to Advanced > Create Custom Request from the Task menu in the Certificates Snap-in rather than Request New Certificate. Even after duplicating the template and enabling the Enroll privilege it would not show up in the Request New Certificate wizard. It said something about not being able to locate a valid certificate authority or something.

    In any case, using the Create Custom Request dialog and submitting/signing the CSR that way allowed me to install my Subordinate CA.

    Thanks again for your help!

    Wednesday, October 14, 2015 7:40 PM