Enterprise Root Certification Authority not trusted

Newsgroup: microsoft.public.windows.server.security
Posted by jim_hampson on February 16, 2006, 2:07 pm
Yesterday I installed an Enterprise Root and an Enterprise Subordinate CA on
Windows 2003 Standard in a Windows 2000 Active Directory domain. It
appears that the enterprise root certificate has not been published in
Active Directory, as my client machines are getting the SSL warning "the
certificate cannot be verified up to a trusted certification
authority". When I view the certification path, the root certificate
has a red X and the status is "This CA Root certificate is not trusted
because it is not in the Trusted Root Certification Authorities store."
Also, "send request immediately to an online certification
authority" is grayed out in IIS.

Background info/steps taken:
-Domain controllers running Windows 2000 SP4.
-Previous CA infrastructure consisted of a stand-alone root and a stand-alone
subordinate running Windows 2000.
-Backed up the system state on the domain controllers
-Backed up the existing Windows 2000 CAs
-Uninstalled Certificate Services on the existing Windows 2000 CAs
-Replicated AD links
-Manually cleaned up AD per this KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555151
-Replicated AD links
-Updated the AD schema to Windows 2003 using adprep.exe /forestprep
-Replicated AD links
-Installed the enterprise root CA on server 1
-Installed the enterprise subordinate CA on server 2
-No errors encountered during installation.


This warning was logged in the application log on both the enterprise
root CA and the enterprise subordinate CA.

Event ID: 103
Source: CertSvc
Description: Certificate Services temporarily added the root
certificate of certificate chain 0 to the downloaded Enterprise Root
store. If this problem persists, publishing the root certificate to
the Active Directory may be necessary.

This warning was logged twice (once for each DC) in the application log
on enterprise root CA.

Event ID: 103
Source: CertSvc
Description: Certificate Services could not publish a Certificate for
request 2 to the following location on server dc1.channeladvisor.com:
CN=DC1,OU=Domain Controllers,DC=mydomain,DC=com. Insufficient access
rights to perform the operation. 0x80072098 (WIN32: 8344).
ldap: 0x32: 00002098: SecErr: DSID-03150646, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
-----

No other errors or warnings on the DCs or CAs.

The DCs did successfully receive a domain controller certificate from
the root CA and I have been able to issue some web server certs
manually on the subordinate CA. Any suggestions appreciated. TIA.

Jim

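The post above says the root "has not been published in active directory" and that the CA could not write to a domain controller's object. Both can be checked directly rather than inferred from client-side warnings. The following is an added example, not code from the original thread or from Microsoft: it audits the forest's Public Key Services containers against an exported root CA certificate, checks whether the CA hosts are in Cert Publishers, and prints the certutil command that would fill each gap. Everything named in it is an assumption for illustration: `RootCA.cer` is assumed to have been exported on the root CA with `certutil -ca.cert RootCA.cer`, and `SERVER1`/`SERVER2` stand in for the two CA hosts. It uses ADSI only, so it runs as a domain admin from any domain-joined machine without the RSAT module.

```powershell
# Added example, not from the original thread: audit the AD side of an
# enterprise CA deployment. Placeholders (not from the post): RootCA.cer,
# SERVER1, SERVER2.
$RootCerPath = '.\RootCA.cer'             # hypothetical: exported with "certutil -ca.cert RootCA.cer"
$CaHosts     = @('SERVER1', 'SERVER2')    # hypothetical: root CA and subordinate CA computer names

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext
$pksDn    = "CN=Public Key Services,CN=Services,$configNC"

function Get-AdPublishedCaCerts {
    # One record per certificate held in a cACertificate attribute under Public Key
    # Services. Objects in Certification Authorities (roots clients will trust),
    # AIA (intermediates), Enrollment Services (online enterprise CAs) and the
    # NTAuthCertificates object (CAs allowed to issue logon certs) all carry it.
    param([string]$SearchBase)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $s.Filter      = '(cACertificate=*)'
    $s.SearchScope = 'Subtree'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'cACertificate'))
    foreach ($r in $s.FindAll()) {
        $dn   = [string]$r.Properties['distinguishedname'][0]
        $rdns = ($dn -split ',') -replace '^CN='
        # NTAuthCertificates is itself the object; everything else is named by its parent container.
        $container = if ($rdns[0] -eq 'NTAuthCertificates') { $rdns[0] } else { $rdns[1] }
        foreach ($raw in $r.Properties['cacertificate']) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            [pscustomobject]@{ Container = $container; Object = $rdns[0]; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
        }
    }
}

$published = @(Get-AdPublishedCaCerts -SearchBase $pksDn)
$root      = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCerPath

"Root CA: $($root.Subject) [$($root.Thumbprint)]"
"Copies of it published in AD:"
$published | Where-Object { $_.Thumbprint -eq $root.Thumbprint } |
    ForEach-Object { "  $($_.Container) / $($_.Object)" }

# Where an enterprise root must appear, and the certutil verb that puts it there.
# (The subordinate's own certificate goes to AIA and NTAuth instead:
#  certutil -dspublish -f SubCA.cer SubCA   and   ... NTAuthCA)
$targets = @(
    @{ Container = 'Certification Authorities'; Verb = 'RootCA'   },  # autoenrollment copies this into clients' Trusted Root store
    @{ Container = 'NTAuthCertificates';        Verb = 'NTAuthCA' }   # required for DC and smart-card logon certificates
)
foreach ($t in $targets) {
    $hit = $published | Where-Object { $_.Thumbprint -eq $root.Thumbprint -and $_.Container -eq $t.Container }
    if ($hit) { "OK      : $($t.Container)" }
    else      { "MISSING : $($t.Container)  ->  certutil -dspublish -f `"$RootCerPath`" $($t.Verb)" }
}
if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }) {
    "OK      : this machine's Trusted Root store"
} else {
    "MISSING : this machine's Trusted Root store  ->  after publishing, refresh with: certutil -pulse (gpupdate /force on older clients)"
}

# The CA writes issued certificates to the requester's userCertificate attribute
# under its own computer account, which therefore has to be in Cert Publishers;
# without it the write fails with 0x80072098 (WIN32 8344, ERROR_DS_INSUFF_ACCESS_RIGHTS).
# Direct members only; nested groups are not expanded here.
$grp     = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$domainNC"), '(&(objectClass=group)(sAMAccountName=Cert Publishers))'
$found   = $grp.FindOne()
$members = if ($found) { @($found.Properties['member']) } else { @() }
foreach ($h in $CaHosts) {
    $isMember = [bool]($members | Where-Object { $_ -match ('^CN=' + [regex]::Escape($h) + ',') })
    if ($isMember) { "OK      : $h is in Cert Publishers" }
    else           { "CHECK   : $h is not in Cert Publishers; add its computer account, then restart the CA host" }
}
```

Run it once from a workstation and once from each CA: a root that is listed under Certification Authorities in AD but absent from a client's Trusted Root store points at autoenrollment or Group Policy refresh on the client, while a root absent from AD altogether points at the CA installation itself. The `-dspublish` commands it prints are the same ones the enterprise CA setup runs on your behalf, so re-running them is safe and idempotent with `-f`.
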

Posted by S. Pidgorny on February 18, 2006, 1:03 am
I'd suggest adding the certificate manually, or using a GPO to distribute it.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-




Posted by jim_hampson on February 19, 2006, 6:51 pm
I added the root certificate to the "Public Key Policies/Trusted Root
Certification Authorities" GPO for the domain and that seems to have
resolved my issue. Thanks.

I am curious why AD didn't automatically publish the new CA as trusted
though?


Posted by S. Pidgorny on February 20, 2006, 5:24 am
It should, but in your case it couldn't because of some glitch during the
process... It's really hard to say without full admin access to your system
and the ability to reproduce the problem.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-



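Two fixes are discussed in this thread: distributing the root through the "Public Key Policies/Trusted Root Certification Authorities" GPO, which is what resolved the poster's problem, and the AD publication that the enterprise CA install should have done on its own, which is what the poster asks about in the last exchange. On a client these land in different places, and telling them apart answers "did AD ever publish it?" from the client side. The following is an added example, not code from the thread's participants: it reports which physical store on the local machine holds a root certificate, given its SHA-1 thumbprint. The thumbprint value in it is a placeholder; take the real one from the certificate's Details tab.

```powershell
# Added example, not from the original thread: find where this machine's trust
# in a root CA comes from. The logical LocalMachine\Root store that the IIS
# chain viewer consults is a merge of three registry-backed physical stores:
#   Local        manual import on this machine
#   GroupPolicy  "Public Key Policies / Trusted Root Certification Authorities" GPO
#   Enterprise   pulled by autoenrollment from the AD Certification Authorities container
# Each certificate is a subkey named by its SHA-1 thumbprint, so presence can be
# tested by path alone, no blob parsing required.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder, not a real certificate

$physicalStores = [ordered]@{
    Local       = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    Enterprise  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
}
# certutil views of the same three stores, for cross-checking from a cmd prompt.
$certutilView = @{
    Local       = 'certutil -store Root'
    GroupPolicy = 'certutil -store -grouppolicy Root'
    Enterprise  = 'certutil -store -enterprise Root'
}

function Get-RootTrustSource {
    # One row per physical store: is the thumbprint present there?
    param([Parameter(Mandatory)][string]$Thumbprint)
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()   # tolerate pasted spaces/colons
    foreach ($name in $physicalStores.Keys) {
        [pscustomobject]@{
            Store    = $name
            Present  = Test-Path -LiteralPath (Join-Path $physicalStores[$name] $tp)
            Certutil = $certutilView[$name]
        }
    }
}

$rows = @(Get-RootTrustSource -Thumbprint $Thumbprint)
$rows | Format-Table Store, Present, Certutil -AutoSize | Out-String | Write-Host

$present = @{}
$rows | ForEach-Object { $present[$_.Store] = $_.Present }

# Interpret the combination. The Enterprise store is the only one fed from AD,
# so its state answers "did AD publish the root?" from the client side.
if ($present.Enterprise) {
    'Trust comes from AD: autoenrollment pulled the root from the Certification Authorities container.'
} elseif ($present.GroupPolicy) {
    'Trust comes only from the GPO. The root was never downloaded from AD; check that it sits in ' +
    'CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,... and run certutil -pulse.'
} elseif ($present.Local) {
    'Trust is a manual import on this machine only; other clients will still warn.'
} else {
    'This machine does not trust the root at all.'
}
```

The GPO route and the AD route both end in a trusted root, but they are administered differently: a GPO-distributed root stays trusted for as long as the policy applies, while an AD-published root follows the Certification Authorities container and is removed from clients when it is deleted there (for example during a CA decommission). Running both in parallel, as the poster ended up doing, works, but the GPO copy will keep the root trusted even after the AD entry is cleaned up, so note it in the decommission checklist.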
