Having trouble installing CA into Certification Authority
I'm trying to set up one of our servers as a stand-alone subordinate CA so that I can issue client certificates to web browsers for accessing our intranet web server. The goal is for our web server to be able to read the client cert and identify the user.

Symptom: When I try to install a CA into the Certification Authority manager, I get the following error:

"Cannot create a certificate context using the Certification Authority certificate: ASN1 unexpected end of data. 0x80093102 (ASN:258)"

Here's what we've got: Windows 2003 Server SP2, IIS 6.0

Here's what I've done so far:

- We got an SSL certificate from godaddy.com and installed it into IIS. We know that it works; we've been using it for months. Let's say that the cert is for 'myhost.mydomain.com'.
- I installed CA services from the Add/Remove Windows Components control panel as a standalone subordinate CA, setting the CN as 'myhost.mydomain.com'. I did not specify a DN. In the Certification Authority program, I can see my host in the tree: 'myhost.mydomain.com'.
- I then go into IIS manager, export the certificate to a .pfx file, and make up a password for it.
- I go back to the CA program, right-click on my host > All Tasks > Install CA certificate. I then choose the .pfx file I exported from the IIS manager, and then I get the error message that I describe above.

What am I doing wrong?
February 2nd, 2010 11:55pm

Who is your subordinate CA server subordinate to? Don't you need to build/install a Root CA server first? There are different certificates based on different templates: user certificates, web server certificates, Root Certificate Authority, Subordinate Certificate Authority, etc. I believe you acquired a web server certificate from GoDaddy.com, so you are trying to stick a square peg into a round hole. If I knew more about your environment I would recommend an online (not standalone) Root CA; heck, I recommend that anyway. Keep it simple.
February 3rd, 2010 12:32am

Greg hit the nail on the head. You cannot install a CA using a godaddy.com certificate as the CA certificate. Please go to www.microsoft.com/pki and read up on how to install certificate services. You really need to do some research before you start installation.

Brian
February 3rd, 2010 1:34am
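Greg and Brian's point is that a web server certificate is not a CA certificate. As an added example that is not from the thread, the PowerShell below loads a .cer or .pfx file and reports whether it carries the Basic Constraints CA flag and the KeyCertSign key usage that a CA certificate needs; the file path and password at the bottom are placeholders to replace with your own.

```powershell
# Added example (not from the thread): inspect a certificate file before
# trying to install it with "Install CA certificate". A web server cert will
# normally report IsCA=False and CanSignCerts=False here.
function Test-CaCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,  # .cer or .pfx to inspect
        [string]$Password = ''                      # only needed for a .pfx
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = New-Object "$x509.X509Certificate2"($Path, $Password, $flags)

    # Basic Constraints (OID 2.5.29.19) must assert CA=TRUE for a CA certificate.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = ($bc -ne $null) -and
            ([System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]$bc).CertificateAuthority

    # Key Usage (OID 2.5.29.15) must include KeyCertSign so the CA can sign issued certs.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
    $canSign = ($ku -ne $null) -and
               ((([System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]$ku).KeyUsages -band $keyCertSign) -ne 0)

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        IsCA           = [bool]$isCa
        CanSignCerts   = [bool]$canSign
        UsableAsCaCert = [bool]($isCa -and $canSign)
    }
}

# Placeholder path and password; point this at the file you exported from IIS.
Test-CaCertificate -Path 'C:\certs\myhost.mydomain.com.pfx' -Password 'pfx-password-here'
```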

OK, so maybe we're going about this the wrong way. The basic problem we're trying to solve is this: we have a web application that needs to read the CN from a client's browser. So we need to be able to create client certificates for our users. From what I gathered, it looks like certificate services needs to be running on the server in order to issue client certs. So maybe there's a simpler way to do this?
February 3rd, 2010 3:18pm

Ok, I appreciate you taking a step back and saying "here's the problem we are trying to solve"; that's a good first step rather than rushing to an implementation of a random solution. Active Directory creates a relative distinguished name and a canonical name for each object based upon information that was provided when the object was created or modified. I assume by CN you mean Canonical Name, right? The LDAP distinguished name is globally unique. For example, the distinguished name of a computer named mycomputer in the MyOrganizationalUnit organizational unit in the microsoft.com domain is CN=mycomputer, OU=MyOrganizationalUnit, DC=microsoft, DC=com. The canonical name is constructed the same way as the distinguished name, but it is represented using a different notation. The canonical name of the computer in the previous example would be Microsoft.com/MyOrganizationalUnit/mycomputer. Really what you are trying to do is query Active Directory information, as in LDAP lookups. I don't see how this relates to certificates in any way. You most likely will run some sort of VBScript from the webpage of your web application or some LDAP query command. Try Googling "LDAP lookup" or "LDAP query". Just trying to help.
February 4th, 2010 12:37am
