Root CA Cert Not Added to Trusted Root Authorities under XP/WM6 (Works On Vista) - PKI deployed via Active Directory
Hi,

I have created an internal PKI with an offline root and online enterprise intermediate CA under Windows Server 2008. I have deployed the certificates into the Active Directory as per the Microsoft PKI Infrastructure book.

I have a strange problem in that the two root and issuing certificates are added fine to Vista machines and the root cert is added to the Trusted Root Certificate Authorities store as expected. However, the Windows XP clients joined to the same domain have the two certificates under Intermediate Certificate Authorities, but the root certificate is not listed under the Root Certificate Authorities store; the certificates are therefore untrusted by the machine. The same applies to Windows Mobile 6 (when installing manually): I install the root cert by clicking on it and it says certificates have been installed, but when I check, the cert is in the intermediate store and no trusted root cert has been added.

I haven't a clue what's going on; this is the same Active Directory domain as the Vista boxes, which seem to work fine. I can't find any error messages on the server nor the XP client.

The certs can be viewed here:
http://www.monsterserve.net/certs/issuing.cer
http://www.monsterserve.net/certs/root.cer
http://www.monsterserve.net/certs/root+issuing.p7b (I manually exported the entire chain here just for testing).

Have I done anything wrong or generated unsupported certificates? Any ideas how I can get the above certs installed under the Windows Mobile trusted root store and XP?

Many thanks in advance,
Chris
September 19th, 2008 11:16pm

Could you provide two more details:
1) What command did you use to publish the root and issuing CA certificates?
2) How is your autoenrollment group policy configured for the Computer GPO at the domain?

Brian
September 20th, 2008 2:34pm

Actually, look at the certificates: you missed a key point in Chapter 1 of the book. Only Windows Vista and Windows Server 2008 support CNG. You have created a root certificate with a SHA256 signature, which cannot be used or trusted by XP. XP SP3 can validate the certificate, but it cannot consume it. You have created, for lack of a better term, a Vista/2008-only PKI.

You need to re-create the PKI using a SHA1 signature for now. Again, as discussed in Chapter 1, at a later date, when all clients are running Vista and all servers are 2008 or operating systems other than 2003 that support CNG (this excludes Mobile as well), then you can change the signing hash algorithm.

Brian
September 20th, 2008 2:40pm
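Brian's diagnosis above rests on two things you can check on the client itself: which hash algorithm signed each CA certificate, and whether the self-signed root ended up in the Trusted Root store or only in the Intermediate store. The PowerShell below is an added example, not part of the thread and not Microsoft's own tooling; it assumes the exported root.cer and issuing.cer from the first post are in the current directory and that it runs elevated on the machine being troubleshooted (store contents are per machine).

```powershell
# Added example (not from the thread): report the signature hash on each CA
# certificate file and which LocalMachine store currently holds it.
# Assumption: root.cer and issuing.cer (the files linked in the first post)
# sit in the current directory; run in an elevated PowerShell on the client.
$CertFiles = @('.\root.cer', '.\issuing.cer')

function Get-CaCertReport {
    param([string]$Path)

    $fullPath = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($fullPath)

    # A self-signed (root) certificate carries identical Subject and Issuer.
    $isSelfSigned = ($cert.Subject -eq $cert.Issuer)

    # Look the thumbprint up in the two stores the thread is concerned with:
    # Root = Trusted Root Certification Authorities, CA = Intermediate CAs.
    $inRootStore = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
    $inCaStore = @(Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

    New-Object PSObject -Property @{
        File                = $Path
        Subject             = $cert.Subject
        SelfSigned          = $isSelfSigned
        SignatureAlgorithm  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
        Thumbprint          = $cert.Thumbprint
        InTrustedRootStore  = $inRootStore
        InIntermediateStore = $inCaStore
    }
}

$report = foreach ($f in $CertFiles) { Get-CaCertReport -Path $f }
$report | Format-Table File, SelfSigned, SignatureAlgorithm, InTrustedRootStore, InIntermediateStore -AutoSize

# Flag the two conditions discussed in the thread: a self-signed root that is
# only in the Intermediate store, and a CA certificate signed with a SHA-2 hash.
foreach ($r in $report) {
    if ($r.SelfSigned -and $r.InIntermediateStore -and -not $r.InTrustedRootStore) {
        Write-Warning "$($r.File): self-signed root is present only in the Intermediate CA store"
    }
    if ($r.SignatureAlgorithm -match '^sha(256|384|512)') {
        Write-Warning "$($r.File): signed with $($r.SignatureAlgorithm); pre-Vista clients may not accept it"
    }
}
```

If PowerShell is not available on the client, `certutil -dump root.cer` prints the same "Signature Algorithm" line, and `certutil -store Root` / `certutil -store CA` list the two stores.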

Dear Brian,

Thanks for the prompt reply. Since the cert cannot be used properly under XP, is that why it's not added to the trusted root store?

OK, I will rebuild the PKI! Thanks for pointing that out, much appreciated. Autoenrollment is set to automatic for client computers in the Group Policy, but as I understand it, certificates are published by Active Directory itself by running the post-setup commands as per the instructions in the book?

Quick question: how would I remove the old root and intermediate certificates that I told AD to publish (as above in the post-setup steps)? Not that I'm lazy, it's that your excellent book is on my desk at work at the moment! Is there any way to purge the existing/old certificates currently installed on the clients?

Cheers,
Chris
September 20th, 2008 3:24pm

Hi Chris,

If you are permanently decommissioning the CA before its expected expiration date, then the CA certificate should be revoked from its parent CA with a certificate revocation reason of Cease of Operation. If the CA is a self-signed root CA, then all certificates that have not expired should be revoked and a CRL should be generated with the same reason. This will indicate that the certificates are no longer valid because the CA has been decommissioned.

To manually remove the CA objects from AD DS, you may use the PKIView tool included in Windows Server 2008. For example, to remove the old entry from the NTAuth store for all of the clients in the domain, you may perform the following steps:

1. Run pkiview.msc to open the Enterprise PKI snap-in. In the console tree, right-click Enterprise PKI -> Manage AD Containers. On the NTAuthCertificates tab you will see all of the trusted root certificates. Choose the old one and remove it.
2. Click OK to quit.
3. If there are quite a few DCs, please wait a while for the modification to replicate to all of the DCs.
4. On the client side, you can either run the gpupdate /force command or reboot the machine. This will refresh the local store.

Hope it helps.

David Shen - MSFT
September 23rd, 2008 8:29am
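Chris also asked how to purge the old certificates already installed on clients. Step 4 above refreshes policy, but a copy of the old root and issuing certificates can remain in a client's local stores. The PowerShell below is an added example, not from the thread or from Microsoft; it removes the decommissioned CA certificates from the Trusted Root and Intermediate stores of one machine by thumbprint and then runs the policy refresh David describes. The thumbprints are placeholders you would read from the old .cer files (or from `certutil -dump`), and it assumes the AD DS objects have already been removed as in steps 1 to 3, since otherwise policy will publish the certificates back to the client on the next refresh. Run it elevated.

```powershell
# Added example (not from the thread): remove decommissioned CA certificates
# from the LocalMachine Root and CA stores of this client, then refresh policy.
# Assumptions: the thumbprints below are placeholders for the old root and
# issuing CA certificates; the AD DS entries were already removed with
# Enterprise PKI (steps 1-3 above), otherwise they will be republished.
$StaleThumbprints = @(
    '0000000000000000000000000000000000000000',   # placeholder: old root CA thumbprint
    '1111111111111111111111111111111111111111'    # placeholder: old issuing CA thumbprint
)

function Remove-StaleCaCert {
    param(
        [string]$StoreName,        # 'Root' = Trusted Root CAs, 'CA' = Intermediate CAs
        [string[]]$Thumbprints
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Snapshot the collection first; removing while enumerating it is unsafe.
        foreach ($cert in @($store.Certificates)) {
            if ($Thumbprints -contains $cert.Thumbprint) {
                Write-Host "Removing from $StoreName : $($cert.Subject) [$($cert.Thumbprint)]"
                $store.Remove($cert)
            }
        }
    } finally {
        $store.Close()
    }
}

foreach ($storeName in 'Root', 'CA') {
    Remove-StaleCaCert -StoreName $storeName -Thumbprints $StaleThumbprints
}

# Show what is still trusted, then pull current policy (David's step 4) so the
# client picks up the AD DS change rather than a cached copy of the old entries.
Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint, NotAfter
gpupdate /force
```

Run the report script from the earlier post again afterwards to confirm the new root is in Trusted Root and the old thumbprints are gone; if an old certificate reappears after `gpupdate`, it is still published in AD DS and the removal in Enterprise PKI has not replicated yet.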

