ADCS Installation (Part 8): CA Policy problems with my online issuing CA and certificate from my issuing CA
After diagnosing the problem to configure the Certificate Web Enrollment page with HTTPS, I have found the possible cause of the problem: the certificate for a web server issued from my online issuing CA has only one purpose:

This certificate is intended for the following purpose(s):
* Ensure the identity of a remote computer

On my lab CA environment (without using CAPolicy.inf files), the same certificate contains two purposes:

This certificate is intended for the following purpose(s):
* Proves your identity to a remote computer
* Ensure the identity of a remote computer

I believe that "Proves your identity to a remote computer" is used for SSL website access. As my certificate does not have it, I cannot access the Certificate Web Enrollment page remotely.

Therefore, I have also checked my SubCA certificate from my offline root CA to my online issuing CA:

This certificate is intended for the following purpose(s):
* All application policies

While my lab CA environment has the following:

This certificate is intended for the following purpose(s):
* All issuance policies
* All application policies

Therefore, my online issuing CA does not have "All issuance policies", which may cause the web server certificate's problem. I am investigating this at the moment. Meanwhile, please help me find a solution for my problem. I have appended my CAPolicy.inf for my offline root CA and online issuing CA.
Thanks,
SJJ123

Here is the CAPolicy.inf for my offline root CA:

;****************************************************************
[Version]
Signature= "$Windows NT$"

[PolicyStatementExtension]
Policies = LegalPolicy
Critical = 0

[LegalPolicy]
OID=1.3.6.1.4.1.My_PEN.21.43
Notice = "Legal policy statement text."
URL = "http://www.MyCompany.com/certdata/cps.asp"

; Left empty on purpose: the offline root's own certificate gets no CDP extension
[CRLDistributionPoint]

; Left empty on purpose: the offline root's own certificate gets no AIA extension
[AuthorityInformationAccess]

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
;****************************************************************

Here is the CAPolicy.inf for my online issuing CA:

;****************************************************************
[Version]
Signature = "$Windows NT$"

[certsrv_server]
renewalkeylength=2048
RenewalValidityPeriodUnits=10
RenewalValidityPeriod=years
CRLPeriod = days
CRLPeriodUnits = 3
CRLOverlapPeriod = hours
CRLOverlapUnits = 4
CRLDeltaPeriod = hours
CRLDeltaPeriodUnits = 12
; 1 = sign issued certificates and CRLs with RSASSA-PSS instead of PKCS #1 v1.5
AlternateSignatureAlgorithm = 1
; 0 = do not publish the default certificate templates on this CA
LoadDefaultTemplates = 0
;****************************************************************
February 1st, 2010 3:35pm

Ensure the identity of a remote computer - This is for Server Authentication, which is what is required for SSL.

Proves your identity to a remote computer - This is for Client Authentication and is not required for SSL.

The lack of All Issuance Policies on your SubCA cert won't have any impact on access to an SSL site.

Check to see which templates were used in your lab/production environments.

Paul Adare
CTO IdentIT Inc.
ILM MVP
February 1st, 2010 3:52pm

Hello Paul,

Thanks for your reply clarifying the Web Server Authentication requirement. Based on the wording, I thought "Proves your identity to a remote computer" was for the web server.

I have checked both my lab and production CA servers regarding the certificate templates. The CA server in my lab is a domain controller and its certificate is based on the Domain Controller Certificate template, while my production online issuing CA server is a member of our domain and it has used the Web Server certificate template.

But it still does not solve why I cannot access the HTTPS CertSrv from a network computer even though I can run the exact same HTTPS URL on the server without problem. Browsing https://www.mycompany.com/ or https://www.mycompany.com/certsrv from my desktop PC will generate "Internet Explorer cannot display the webpage", while I can run "telnet www.mycompany.com 443" in a command prompt and my session is connected.

Thanks,
Shang
February 1st, 2010 6:55pm

Hello,

I have used Firefox to browse the same URL: https://www.mycompany.com. And I have a further message for the page:

Secure Connection Failed
An error occurred during a connection to www.mycompany.com
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)

I have not applied a GPO to add my online issuing CA as a trusted CA, but I did publish the offline root CA to the AD. When I issued the certificate, I accepted the default settings for the CSP: Microsoft RSA SChannel Cryptographic Provider with key length 1024 bit.

Thanks,
Shang
February 2nd, 2010 12:23pm

What signature algorithm is being used on the web server certificate (from the Details tab of the certificate)?

Paul Adare
CTO IdentIT Inc.
ILM MVP
February 2nd, 2010 1:03pm

Hello Paul,

The Details tab in the web server certificate contains:

Signature algorithm: RSASSA-PSS

Thanks,
Shang
February 2nd, 2010 1:54pm

Shang,

That should be fine, as RSASSA-PSS translates to:
- An RSA key pair
- SHA1 signature hash algorithm.

Brian
February 2nd, 2010 5:12pm
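The thread asks for two things about the web server certificate: which purposes (EKUs) it carries, and which signature algorithm the issuing CA put on it. The script below is an added example that checks both from the IIS host; it is my code, not something posted by any participant. It assumes the certificate is installed in the computer's Personal store (Cert:\LocalMachine\My) and that its DNS name is www.mycompany.com, the hostname used in the thread; both are assumptions, change the parameter if yours differ. It walks the chain to the offline root so you can see which certificate is signed with which algorithm, since the root CA's CAPolicy.inf does not set AlternateSignatureAlgorithm but the issuing CA's does. One caveat I would add as a practitioner: an RSASSA-PSS signature (OID 1.2.840.113549.1.1.10) on a certificate is not accepted by clients that do not implement PSS, and NSS-based browsers of that era (Firefox) and Windows XP are among them; "Peer's certificate has an invalid signature" is exactly how NSS reports it. The script flags that case as a warning rather than treating the certificate as broken.

```powershell
# Added example for this thread, not code from any participant.
# Reports the EKUs on the web server certificate and the signature algorithm
# on every certificate in its chain.
# Assumptions (mine): certificate lives in LocalMachine\My on the web server;
# DNS name is www.mycompany.com. Run in an elevated PowerShell on the IIS host.
param(
    [string] $DnsName = 'www.mycompany.com'   # assumed hostname from the thread
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth: "Ensures the identity of a remote computer"
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth: "Proves your identity to a remote computer"
$RsaPssOid     = '1.2.840.113549.1.1.10'  # RSASSA-PSS, produced by AlternateSignatureAlgorithm=1

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    # GetNameInfo(DnsName) returns the first SAN dNSName, or the subject CN if there is no SAN
    $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $DnsName
}
if (-not $certs) { throw "No certificate for $DnsName found in Cert:\LocalMachine\My" }

foreach ($cert in $certs) {
    # Collect the EKU OIDs on the end-entity certificate (empty array if the extension is absent)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    "=== $($cert.Subject)  [thumbprint $($cert.Thumbprint)]"
    "Server Authentication EKU present : $($ekuOids -contains $ServerAuthOid)"
    "Client Authentication EKU present : $($ekuOids -contains $ClientAuthOid)  (not needed for HTTPS)"
    if ($ekuOids -notcontains $ServerAuthOid) {
        Write-Warning 'No Server Authentication EKU: TLS clients will refuse this certificate for HTTPS.'
    }

    # Build the chain without revocation checking so the offline root's missing CDP does not mask the result
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)
    "Chain builds on this host         : $chainBuilds"

    foreach ($element in $chain.ChainElements) {
        $c   = $element.Certificate
        $sig = $c.SignatureAlgorithm
        "  {0}`n    issued by : {1}`n    signature : {2} ({3})" -f $c.Subject, $c.Issuer, $sig.FriendlyName, $sig.Value
        if ($sig.Value -eq $RsaPssOid) {
            $msg = ('{0} is signed with RSASSA-PSS. Clients without PSS support (Windows XP, NSS-based ' +
                    'browsers of the time) fail signature validation on it; the signing CA''s ' +
                    'AlternateSignatureAlgorithm=1 is what produces this.') -f $c.Subject
            Write-Warning $msg
        }
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation)"
    }
}
```

Read the output top-down: if the Server Authentication EKU is present and the chain builds on the server, the certificate itself is usable for HTTPS, and a client-side failure with a "bad signature" message points at the signature algorithm line for whichever chain element carries RSASSA-PSS, or at the client not trusting the issuing CA (the thread mentions the root was published to AD but no GPO pushes the issuing CA as trusted).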
