elway7 Posted October 24, 2011

I am trying to set up the following environment: Standalone Root CA and Enterprise Sub CA, both running Windows 2008 R2 Core.

To set up the ROOT CA I have done the following:

Install the Certificate Services role by typing the following at the command line:

Cscript C:\Windows\System32\setupca.vbs /IS /sn RootCA /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /SV 20

Run the following commands on the ROOT CA to set the issuing validity period to 20 years:

certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "20"
net stop certsvc & net start certsvc

Install the CRL List in Active Directory by running the following commands:

certutil -setreg ca\DSConfigDN "CN=Configuration,DC=Test,dc=local"
certutil -setreg ca\DSDomainDN "DC=Test,dc=local"
net stop certsvc & net start certsvc
certutil -dspublish -f "C:\windows\system32\CertSrv\CertEnroll\Root CA.crl"

For the SUB CA I run the following command:

Cscript C:\Windows\System32\setupca.vbs /IF /sn "Sub CA" /DN DC=DC=Test,dc=local /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /OR "C:\CA\SUBReq.req"

I then submit the request to the ROOT CA and subsequently issue the pending request. When I try to accept the response using the certreq -accept command I get the following error:

Certificate Request Processor: Cannot find object or property

and of course the SUB CA will not start as it does not have a valid certificate. I have even tried to create a new certificate and although I can import it using the certreq -accept command the service will not start correctly.

Any help would be appreciated... Thanks in advance
ICTCity Posted October 25, 2011

Are you sure this is correct?

/DN DC=DC=Test,dc=local

It should be:

/DN DC=Test,dc=local

Maybe I'm wrong... but this is my only idea.

You can also write in French. You can also write in German. You can also write in Italian.
elway7 (Author) Posted October 25, 2011

That is a typo on my part... I do in fact have /DN DC=Test,dc=local
ICTCity Posted October 25, 2011

So I think your problem is the private key: in some way Windows cannot find it anymore and so cannot associate the pair. I found this article, http://technet.microsoft.com/en-us/library/dd362655.aspx, but it is useless because you need the GUI in order to proceed.

No idea, sorry.

You can also write in French. You can also write in German. You can also write in Italian.
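A command-line check for the private-key association ICTCity suspects, usable on Server Core without a GUI; this is an added diagnostic script, not code from either poster, and it assumes the sub CA common name "Sub CA" from the thread (the serial number in the last step is a placeholder).

```batch
@echo off
rem Added diagnostic (not from the thread): confirm whether the sub CA's
rem certificate in the machine MY store is bound to a usable private key.
rem Assumes the CA common name "Sub CA" used in the original post.
setlocal
set "CANAME=Sub CA"

rem 1. Show the CA certificate in the machine store; the output reports
rem    whether a private key is present for it or "Missing stored keyset".
certutil -store my "%CANAME%"

rem 2. Verify that the CA certificates are associated with their private keys.
certutil -verifykeys

rem 3. Show the certificate hash the CA service expects for its own cert,
rem    so it can be compared with the thumbprint listed in step 1.
certutil -getreg ca\CACertHash

rem 4. If the certificate is present but its key is not found, reattach it to
rem    the existing key container by serial number (placeholder value).
rem certutil -repairstore my "<serial number of the Sub CA certificate>"
endlocal
```

If step 1 lists the certificate without a private key, the thumbprint from step 3 and the repair command in step 4 point at the key-to-certificate binding rather than the request itself.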