Windows 2008 CA can't issue to Windows 2003 server

>I apologize for the crosspost, but we are hurting here without a resolution
>to this issue.
> We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003
> based domain. We need to issue certificates to Windows 2003 servers and
> Windows XP clients. We are getting "The integrity of this certificate
> cannot be guaranteed. The certificate may be corrupted or may have been
> altered." On the Details tab of the certificate, we see version is "V3",
> Public key is "RSA (1024 Bits)", Thumprint algorithm is "sha1". On the
> Certification Path tab, every certificate shows the error "This
> certificate
> has an nonvalid digital signature.".
> We can generate valid certificates for Windows 2008 servers and for Vista
> computers. Our research indicates we need to install the version 2
> templates, but don't know where to get them or how to install them.
> Thanks!
> Doug Evans
> IT Manager
> Association of Washington Cities
>

> You are mixing up certificate type (X.509 version 3) with certificate
> template type (a MS concept of what properties/algorithms are available).
> A couple of things to check:
> 1) Make sure that you are using legacy CSPs and signing algorithms. (not
> a Key storage provider)
> 2) Windows XP/2003 cannot consume certificates using SHA2 algorithms
> (SHA256, SHA512, SHA384).
> 3) This is for every certificate in the chain
> If you want, send me a PKCS#7 containing the full certificate chain for
> inspection
> Brian
>>I apologize for the crosspost, but we are hurting here without a
>>resolution to this issue.
>> We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003
>> based domain. We need to issue certificates to Windows 2003 servers and
>> Windows XP clients. We are getting "The integrity of this certificate
>> cannot be guaranteed. The certificate may be corrupted or may have been
>> altered." On the Details tab of the certificate, we see version is "V3",
>> Public key is "RSA (1024 Bits)", Thumprint algorithm is "sha1". On the
>> Certification Path tab, every certificate shows the error "This
>> certificate
>> has an nonvalid digital signature.".
>> We can generate valid certificates for Windows 2008 servers and for Vista
>> computers. Our research indicates we need to install the version 2
>> templates, but don't know where to get them or how to install them.
>> Thanks!
>> Doug Evans
>> IT Manager
>> Association of Washington Cities
>

> You are mixing up certificate type (X.509 version 3) with certificate
> template type (a MS concept of what properties/algorithms are available).
> A couple of things to check:
> 1) Make sure that you are using legacy CSPs and signing algorithms. (not
> a Key storage provider)
> 2) Windows XP/2003 cannot consume certificates using SHA2 algorithms
> (SHA256, SHA512, SHA384).
> 3) This is for every certificate in the chain
> If you want, send me a PKCS#7 containing the full certificate chain for
> inspection
> Brian
>>I apologize for the crosspost, but we are hurting here without a
>>resolution to this issue.
>> We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003
>> based domain. We need to issue certificates to Windows 2003 servers and
>> Windows XP clients. We are getting "The integrity of this certificate
>> cannot be guaranteed. The certificate may be corrupted or may have been
>> altered." On the Details tab of the certificate, we see version is "V3",
>> Public key is "RSA (1024 Bits)", Thumprint algorithm is "sha1". On the
>> Certification Path tab, every certificate shows the error "This
>> certificate
>> has an nonvalid digital signature.".
>> We can generate valid certificates for Windows 2008 servers and for Vista
>> computers. Our research indicates we need to install the version 2
>> templates, but don't know where to get them or how to install them.
>> Thanks!
>> Doug Evans
>> IT Manager
>> Association of Washington Cities
>

> What is the best way to recover from a scenario where you have a root CA
> and 2 issuing CAs, all Windows 2008, and the root was setup with a SHA256
> cert? Can you just change the cert? Do you have to uninstall everything
> and start over? If so, what is the best process to decommission a Windows
> 2008 PKI infrastructure?
> Thanks!
> Doug Evans
> IT Manager, AWC
>> You are mixing up certificate type (X.509 version 3) with certificate
>> template type (a MS concept of what properties/algorithms are available).
>> A couple of things to check:
>> 1) Make sure that you are using legacy CSPs and signing algorithms. (not
>> a Key storage provider)
>> 2) Windows XP/2003 cannot consume certificates using SHA2 algorithms
>> (SHA256, SHA512, SHA384).
>> 3) This is for every certificate in the chain
>> If you want, send me a PKCS#7 containing the full certificate chain for
>> inspection
>> Brian
>>>I apologize for the crosspost, but we are hurting here without a
>>>resolution to this issue.
>>> We have just setup a Windows 2008 PKI Infrastructure in our Windows 2003
>>> based domain. We need to issue certificates to Windows 2003 servers and
>>> Windows XP clients. We are getting "The integrity of this certificate
>>> cannot be guaranteed. The certificate may be corrupted or may have been
>>> altered." On the Details tab of the certificate, we see version is
>>> "V3",
>>> Public key is "RSA (1024 Bits)", Thumprint algorithm is "sha1". On the
>>> Certification Path tab, every certificate shows the error "This
>>> certificate
>>> has an nonvalid digital signature.".
>>> We can generate valid certificates for Windows 2008 servers and for
>>> Vista computers. Our research indicates we need to install the version
>>> 2 templates, but don't know where to get them or how to install them.
>>> Thanks!
>>> Doug Evans
>>> IT Manager
>>> Association of Washington Cities
>