?
Solved

Two tier Certificate Services deployment with root CA in stand-a-lone and issuing CA in domain. Can't apply root certificate to issuing CA.

Posted on 2011-09-09
1
Medium Priority
?
1,393 Views
Last Modified: 2012-05-12
Windows 2008 Ad environment. I have made a request for the root CA and copied and signed the CERT, saved the file as a .P7B file, then attempted to import into my issuing CA.
It won't import. The CA service will not start on my Issuing CA either.
I get the following error when I try to start the CS services on my issuing CA.
"The certificate for the CA "mycertname" on "myserver" is missing. Do you want to install this certificate?"
When I say yes and select the signed Cert I got from my Root CA that is stand-a-lone it errors out at well.
The error is;
Cannot find the certificate for CN=Root-CA to build a certificate chain. do you wish to install this certificate now? A certificate
chain could not be built to a trusted root authority. 0x800b010a (-2146762486).

And so I am stuck.

This is a test environment and I have used Enterprise PKI to remove any legacy objects.
0
Comment
Question by:lanman777
1 Comment
 
LVL 19

Accepted Solution

by:
CoccoBill earned 2000 total points
ID: 36515868
Sounds like you haven't installed the standalone root's CA cert in the trusted root ca store yet. Use "certutil -dspublish -f <rootcertfile.crt> RootCA" to do that, then try again.
0

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
Native ability to set a user account password via AD GPO was removed because the passwords can be easily decrypted by any authenticated user in the domain. Microsoft recommends LAPS as a replacement and I have written an article that does something …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month3 days, 13 hours left to enroll

599 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question