Certificate Services - SUB CA Issue


  • Certificate Services - SUB CA Issue

    I am trying to set up the following environment: Standalone Root CA and Enterprise Sub CA, both running Windows 2008 R2 Core.

    To set up the ROOT CA I have done the following:
    Install the Certificate Services Role by typing the following at the command line:
    Cscript C:\Windows\System32\setupca.vbs /IS /sn RootCA /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /SV 20
    Run the following commands on the ROOT CA to set the issuing validity period to 20 years:

    certutil -setreg ca\ValidityPeriod "Years"
    certutil -setreg ca\ValidityPeriodUnits "20"
    net stop certsvc & net start certsvc

    Install the CRL List in Active Directory by running the following commands:
    Certutil -setreg ca\DSConfigDN "CN=Configuration, DC=Test,dc=local"
    Certutil -setreg ca\DSDomainDN "DC=Test,dc=local"
    Net stop certsvc & net start certsvc
    Certutil -dspublish -f "C:\windows\system32\CertSrv\CertEnroll\Root CA.crl"

    For the SUB CA I run the following command:

    Cscript C:\Windows\System32\setupca.vbs /IF /sn "Sub CA" /DN DC=DC=Test,dc=local /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /OR "C:\CA\SUBReq.req"

    I then submit the request to the ROOT CA and subsequently issue the pending request. When I try to accept the response using the certreq -accept command I get the following error:
    “Certificate Request Processor: Cannot Find object or property”
    and of course the SUB CA will not start as it does not have a valid certificate.

    I have even tried to create a new certificate and although I can import it using the certreq -accept command the service will not start correctly.

    Any help would be appreciated...

    Thanks in advance
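
Added example, not part of the original post: the submit, issue and accept sequence the post describes, with the root certificate and chain checks run on the Sub CA before the response is accepted. The host name ROOT01, the file names SubCA.cer and RootCA.cer and the request ID 2 are assumptions; RootCA and C:\CA\SUBReq.req come from the post.

```batch
REM Added example: ROOT01, the .cer file names and the request ID are placeholders.
REM RootCA is the /sn value from the post; SUBReq.req is the /OR output file.

REM --- On the root CA (request file copied over from the Sub CA) ---
certreq -submit -config "ROOT01\RootCA" C:\CA\SUBReq.req
REM certreq prints "RequestId: <n>"; a standalone CA leaves the request pending by default.
set REQID=2
certutil -resubmit %REQID%
certreq -retrieve -config "ROOT01\RootCA" %REQID% C:\CA\SubCA.cer
REM Export the root CA's own certificate so the Sub CA can build the chain.
certutil -ca.cert C:\CA\RootCA.cer

REM --- On the Sub CA (SubCA.cer and RootCA.cer copied back) ---
REM Trust the root locally and publish it to Active Directory for domain members.
certutil -addstore -f Root C:\CA\RootCA.cer
certutil -dspublish -f C:\CA\RootCA.cer RootCA
REM Confirm the chain builds and the root's CRL and AIA locations are reachable.
certutil -verify -urlfetch C:\CA\SubCA.cer
REM Accept the response only once verification passes, then start the service.
certreq -accept C:\CA\SubCA.cer
net start certsvc
```
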

  • #2
    Re: Certificate Services - SUB CA Issue

    Cscript C:\Windows\System32\setupca.vbs /IF /sn "Sub CA" /DN DC=DC=Test,dc=local /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /OR "C:\CA\SUBReq.req"
    I may be wrong, but your /DN looks wrong, unless you have taken something out of the post, as it looks like it's not a full DN.

    you have:

    /DN DC=
    DC=test,
    DC=LOCAL

    I've had a quick look at this:
    http://blogs.technet.com/b/pki/archi...nd-2008r2.aspx
    which suggests you may not even need that /DN

    I'll do some more looking shortly


    • #3
      Re: Certificate Services - SUB CA Issue

      That is a typo on my part in this post... I do in fact have the correct DN.
