Two tier Certificate Services deployment and running the CSUTIL DSPUBLISH for the cert.
Posted on 2011-09-13
This is a new first time install.
I have a stand-alone Windows 2008 Enterprise R2 SP1 server in a workgroup.
I also have a subCA issuing Certificate Services server in my domain. It is a Windows 2008 Enterprise R2 SP1 server in our domain.
My issuing subCA generates a request for the root CA. I copy this .REQ file to my stand-alone ROOT CA server. It signs and issues the new cert.
I then open the cert and do a copy/export. It defaults to a file with an extension of .P7B.
I copy this .P7B file to my issuing SubCA in my domain.
It is my understanding I need to run CSUTIL DSPUBLISH on this file now so it is in our Active Directory.
IS THIS CORRECT??
Or when I do my copy/export on my stand-alone root CA, do I need to save the file with a .CER file extension, then copy it to my issuing subCA server, where I run CSUTIL DSPUBLISH?
The problem I am having is that when I start the services on my issuing subCA, it won't start and wants to import my Root CA. When I point it at my copied .P7B file it errors out with the following error:
"The certificate for the CA "mycert-ca" on myserver.mydomain.com is missing. Do you want to install the certificate?"
I say yes, then point it at the copied file, which has a .P7B extension.
Then I get the error:
Cannot find the certificate to build a certificate chain. A certificate chain could not be built to a trusted root authority.
Looks like I need to run the CSUTIL DSPUBLISH command, but on which file extension?
I just want to be certain before I publish this to my AD.
Am I on the right track? If so which file ext. should I use that I copied from my stand-alone root CA?