Can't install certificate from standalone-offline CA to enterprise sub CA
Hello All,

I'm trying to install MS ADCS CA as an Enterprise Subordinate CA. I had no problems installing my offline root CA or my Enterprise Subordinate CA. The farthest I get is to successfully generate my subordinate CA request (req.req) and then process it with my Root CA to get a certificate (cer.cer). When I go to install my certificate, I get the following error message:

"An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: z:\tmp\req(1).req The data is invalid. 0x800x7000d (WIN32: 13)"

I've tried reinstalling my Subordinate CA, I've purged and reinstalled Windows Server and reinstalled Certificate Services on my SubCA, still no luck. Can anyone help? I've logged into my sub CA as a member of the Enterprise Admin group, as the Administrator of the Domain (Administrator account in Enterprise Admin group).
Here are my req.req files and the generated certificate:

CERTUTIL -DUMP REQ.REQ:

PKCS10 Certificate Request:
Version: 1
Subject:
    CN=Sub-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    [public key bytes omitted]
Request Attributes: 2
  2 attributes:
  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
    6.1.7600.2
  Attribute[1]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[1][0]:
    Unknown Attribute type
    Certificate Extensions: 6
        1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
        CA Version
            V0.0
        2.5.29.14: Flags = 0, Length = 16
        Subject Key Identifier
            ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
        2.5.29.32: Flags = 0, Length = ba
        Certificate Policies
            [1]Certificate Policy:
                 Policy Identifier=9.9.9.9.9.9
                 [1,1]Policy Qualifier Info:
                      Policy Qualifier Id=User Notice
                      Qualifier:
                           Notice Text=Verification niveau rudimentaire
                 [1,2]Policy Qualifier Info:
                      Policy Qualifier Id=CPS
                      Qualifier:
                           ldap://anco:389/CN=principes_gestion,OU=ou,O=org,ST=QC,c=CA
        1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
        Certificate Template Name (Certificate Type)
            SubCA
        2.5.29.15: Flags = 1(Critical), Length = 4
        Key Usage
            Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
        2.5.29.19: Flags = 1(Critical), Length = 5
        Basic Constraints
            Subject Type=CA
            Path Length Constraint=None
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    [signature bytes omitted]
Signature matches Public Key
Key Id Hash(rfc-sha1): ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
Key Id Hash(sha1): 61 b1 5a d5 9c 84 74 ec 94 34 9b 01 1f cb 8b 9e 0f 61 12 df
CertUtil: -dump command completed successfully.

CERTUTIL -DUMP CER.CER:

PKCS7 Message:
CMSG_SIGNED(2)
CMSG_SIGNED_DATA_PKCS_1_5_VERSION(1)

Content Type: 1.2.840.113549.1.7.1 PKCS 7 Data
No PKCS7 Message Content
No Signer
No Recipient

Certificates:
================ Begin Nesting Level 1 ================
Element 0:
X509 Certificate:
Version: 3
Serial Number: 6065699c031f26a541da1dc9a6190298
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA
 NotBefore: 1/26/2011 5:32 PM
 NotAfter: 1/26/2031 5:42 PM
Subject:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    [public key bytes omitted]
Certificate Extensions: 4
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    [signature bytes omitted]
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce
Key Id Hash(sha1): 78 a7 77 63 34 4a 24 14 fa ec dd c1 97 7c 8d d0 41 5a b4 5b
Cert Hash(md5): ff 26 5a cc 14 b8 c2 50 09 0a 0b 7e de c9 02 36
Cert Hash(sha1): 03 7d 11 b9 1c 4b 62 58 9f 48 5f 6b 95 c8 38 53 5a de 4d 4d
---------------- End Nesting Level 1 ----------------

================ Begin Nesting Level 1 ================
Element 1:
X509 Certificate:
Version: 3
Serial Number: 10a9a3a9000000000011
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=Root-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA
 NotBefore: 3/10/2011 3:40 PM
 NotAfter: 3/10/2021 3:50 PM
Subject:
    CN=Sub-CA
    OU=OrgU
    O=Org
    S=QC
    C=CA
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    [public key bytes omitted]
Certificate Extensions: 9
    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
    2.5.29.32: Flags = 0, Length = ba
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=9.9.9.9.9.9
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=User Notice
                  Qualifier:
                       Notice Text=Verification niveau rudimentaire
             [1,2]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       ldap://anco:389/CN=principes_gestion,OU=OrgU,O=Org,ST=QC,c=CA
    1.3.6.1.4.1.311.20.2: Flags = 0, Length = c
    Certificate Template Name (Certificate Type)
        SubCA
    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
    2.5.29.19: Flags = 1(Critical), Length = 5
    Basic Constraints
        Subject Type=CA
        Path Length Constraint=None
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=c6 af 14 ae 1c 12 f4 ab 2d f4 57 95 35 c6 a2 2b 3a 97 71 ce
    2.5.29.31: Flags = 0, Length = 10c
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://www.org.com/certificat/rootca.crl
                       URL=ldap:///CN=RootCA-CA,CN=RootCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Domain,DC=Org,DC=QC,DC=CA?certificateRevocationList?base?objectClass=cRLDistributionPoint
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 101
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://www.org.com/certificat/rootca.cer
        [2]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=ldap:///CN=SubCA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Domain,DC=Org,DC=QC,DC=CA?cACertificate?base?objectClass=certificationAuthority
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    [signature bytes omitted]
Non-root Certificate
Key Id Hash(rfc-sha1): ea 3a 8f cc 10 0c 06 06 a4 fd a6 66 e1 c0 42 d2 83 13 6c 9f
Key Id Hash(sha1): 61 b1 5a d5 9c 84 74 ec 94 34 9b 01 1f cb 8b 9e 0f 61 12 df
Cert Hash(md5): fd 26 e5 47 8c 5e ba 84 51 6c b5 3b 09 f8 ce 70
Cert Hash(sha1): 13 3b c1 bc a7 0d 7f 54 92 2e 42 34 5d 32 6d 61 16 9c 6b ca
---------------- End Nesting Level 1 ----------------

No CRLs
CertUtil: -dump command completed successfully.
March 11th, 2011 12:23am
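The wizard error above names the request file it currently expects (z:\tmp\req(1).req) and rejects the certificate on its CA Version extension. A quick way to check, before rerunning the wizard, whether the certificate the root returned really belongs to the CA's latest request is to compare the two certutil dumps. The following PowerShell script is an added example, not code from the thread: it assumes the two file paths as placeholders and relies only on the text format of certutil -dump shown in the post.

```powershell
# Added example (not from the thread): compare the CA's most recent request file with the
# certificate returned by the offline root before running "Install CA Certificate".
# The issued certificate must carry the same public key (Key Id Hash) and the same
# CA Version extension value as the request the wizard says it expects.
param(
    [string]$RequestFile = 'z:\tmp\req(1).req',   # placeholder: path named in the wizard error
    [string]$IssuedCert  = 'z:\tmp\cer.cer'       # placeholder: P7B returned by the root CA
)

function Get-CertutilDump([string]$Path) {
    # certutil -dump prints the decoded PKCS#10 or PKCS#7 structure as text
    $text = (& certutil.exe -dump $Path) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $Path" }
    return $text
}

function Get-CaVersions([string]$Dump) {
    # Extension 1.3.6.1.4.1.311.21.1 is shown as "CA Version" followed by V<cert index>.<key index>
    [regex]::Matches($Dump, 'CA Version\s+(V\d+\.\d+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-KeyIdHashes([string]$Dump) {
    # "Key Id Hash(sha1)" is printed once per key in the dump; normalise to compact hex
    [regex]::Matches($Dump, 'Key Id Hash\(sha1\):\s*([0-9a-f ]+)') |
        ForEach-Object { $_.Groups[1].Value -replace '\s', '' }
}

$req  = Get-CertutilDump $RequestFile
$cert = Get-CertutilDump $IssuedCert

$reqKey   = @(Get-KeyIdHashes $req)[0]
$reqVer   = @(Get-CaVersions  $req)[0]
$certKeys = @(Get-KeyIdHashes $cert)    # the P7B holds root and sub CA certs, so several keys
$certVers = @(Get-CaVersions  $cert)

if ($certKeys -notcontains $reqKey) {
    Write-Warning "Certificate does not contain the key from $RequestFile (key id $reqKey)."
    Write-Warning "The request submitted to the root is not the CA's current request; resubmit $RequestFile."
} elseif ($certVers -notcontains $reqVer) {
    Write-Warning "CA Version mismatch: request has $reqVer, certificate chain shows $($certVers -join ', ')."
} else {
    Write-Host "Key id $reqKey and CA Version $reqVer match; the certificate corresponds to this request."
}
```

A key mismatch means the CA was reinstalled (and a new key generated) after the request was signed by the root, which is the situation the wizard text hints at when it points to a newer request file.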

Did you publish your offline root CA information into AD before the installation? Is the Root CA a trusted authority on the Subordinate?

fr3dd
March 11th, 2011 6:21pm

Fr3dd, Yes, I did publish the Root CA certificate to AD in the AIA and Certificate Authorities AD containers. I also published the Root ARL in the CRL AD container. I waited for the GPO to replicate locally to the Sub CA, and confirmed the Root CA cert in the local machine Trusted CA store. I even manually put the ARL in the local machine store. No luck.
March 11th, 2011 6:49pm

Can you open the Enterprise PKI console (pkiview.msc) and verify that you do not have any errors on the Root authority? Also, I do not know what you are referring to as an ARL, as that is nothing I have ever heard of. The AIA (Authority Information Access) is where the certificate is published and the CDP (CRL Distribution Point) is where the CRL is published. When you set up the Root, you defined paths where this information was to be stored, and the console can help you identify issues in configuration. Also, when you export the certificate from the Root CA, you will need to export it as a P7B file which includes all CAs in the path.

fr3dd
March 11th, 2011 7:13pm

Fr3dd, I cannot access the pkiview.msc console as the Sub CA ADCS service won't start (An Enterprise CA cannot be located. Verify that an Enterprise CA exists in your forest and is listed in the Enrollment Services container on your domain controller). ARL is just a different name for a CRL issued by a Root CA. AIA and CDP points in the Root CA config are configured as shown in the dumps above. The Sub CA certificate was exported in binary (p7b) format.
March 11th, 2011 7:21pm

The failure with the server should not prevent the console from reporting the information that is in AD. Can you verify that you performed the following with the root information under Enterprise Admin credentials in the domain:

certutil -addstore -f Root <filename.crt>
certutil -addstore -f Root <filename.crl>
certutil -dspublish -f <filename.crt> RootCA
certutil -dspublish -f <filename.crl> <MACHINENAME>

fr3dd
March 11th, 2011 7:45pm

Are you still having this issue?

fr3dd
March 14th, 2011 5:57pm

Yes, I am :-( I've dug deeper, and found some additional error messages in the Event Log:

****************
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10.03.2008
Time: 13:41:10
User: N/A
Computer: CA_Server
Description: The server {D99E6E73-FC88-11D0-B498-00A0C90312F3} did not register with DCOM within the required timeout.
****************

I'm tracing back and this may be an issue regarding my console. I'm using a 3rd party console (CORD) to connect to my CA server (which is itself a VM). I've found a TechNet article at the following location: http://support.microsoft.com/kb/959117 So I'm still investigating.
March 14th, 2011 6:06pm

Are you still having this issue? I am not familiar with CORD, but if it is a tool to remotely access the server then I do not believe this to be the issue.

fr3dd
March 28th, 2011 7:53pm

fr3dd, Frankly, I've given up. I'm sure it's something to do with my VM setup and some kind of permissions issue, but I've got too many other fish to fry to be banging my head against this particular wall. Next time I see this, I'll pull back to this thread and hopefully have something positive to add and help someone else out :-) Thanks for all the help so far though. Until then, I'm going to let this sleeping dog lie still.
April 15th, 2011 4:10pm

It might be easier to start from scratch at this point rather than troubleshooting. I followed this guide a few days ago and it's currently working fine for me: http://marckean.wordpress.com/2010/07/28/build-an-offline-root-ca-with-a-subordinate-ca/
April 25th, 2012 8:58am
