The signature of the certificate can not be verified. Win 2008 CA
Network details: Two domains: domain.ad and child.domain.ad.
Two-tier CA hierarchy:
Root CA: SERVERCAROT1, Win 2008 Ent, Standalone
Issuing CA: SERVERCAISU1, Win 2008 Ent, Domain member (child.domain.ad)
CA install settings: CSP - Microsoft Strong CSP, hash - SHA1

Post-install script on Issuing CA:
..........................................
certutil -setreg CA\DSConfigDN CN=Configuration,DC=domain,DC=ad
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 4
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 12
certutil -setreg CA\CRLDeltaPeriod "Hours"
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://cert.CHILD.domain.ad/CertEnroll/%3%8%9.crl\n6:http://%1/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://cert.CHILD.domain.ad/CertEnroll/%1_%3%4.crt\n2:http://%1/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
certutil -setreg CA\ValidityPeriodUnits 2
certutil -setreg CA\ValidityPeriod "Years"
net stop certsvc & net start certsvc
certutil -crl
.............................

Copied template (RAS & IAS) and created a new template with name DOMAIN Server authentication. On the new template gave READ and ENROLL permissions to CHILD\Authenticated users and CHILD\Domain computers. Copied all ROOT/Issuing CA certs and CRLs under http://cert.CHILD.domain.ad/CertEnroll. Checked via PKIVIEW at Issuing CA, everything was okay.

Issued a Server authentication certificate to SERVERVPN002 (Windows 2003). When I installed the cert on the server, the server showed errors:
....
The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered. The signature of the certificate cannot be verified.
.......

The server has the certificate of the root CA in the trusted root CA store (already published into AD, certutil -dspublish). The server can validate the certificate of the root CA and issuing CA but cannot validate its own cert. When the same certificate is checked on a 2008 server or Win7, that can validate the cert. Already checked KB938397 but I think I am not using SHA2 anywhere. Even the CSP is Microsoft Strong CSP, which was supported in 2003. I checked from SERVERVPN002, I can access the CDP and AIA paths, I can download CA cert and CRL.

Here is the output of certutil -urlfetch -verify
........
Issuer:
    CN=DOMAIN Issuing CA
    DC=CHILD
    DC=DOMAIN
    DC=ad
Subject:
    E=MAILID@na.DOMAIN.com
    CN=SERVERVPN002.CHILD.DOMAIN.ad
    OU=SALES
    O=DOMAIN Technologies
    L=Milton
    S=GA
    C=US
Cert Serial Number: 142661aa000000000004

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000048
  Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  Subject: E=MAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
  Serial: 142661aa000000000004
  Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
  2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_IS_NOT_SIGNATURE_VALID (0x8)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0 [0.0]
    ldap:///CN=DOMAIN%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?cACertificate?base?objectClass=certificationAuthority
  Wrong Issuer "Certificate (0)" Time: 18 [1.0]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
  Wrong Issuer "Certificate (0)" Time: 4 [2.0]
    http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
  ----------------  Certificate CDP  ----------------
  Wrong Issuer "Base CRL (6)" Time: 0 [0.0]
    ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Delta CRL (6)" Time: 0 [0.0.0]
    ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Delta CRL (6)" Time: 4 [0.0.1]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  Wrong Issuer "Delta CRL (6)" Time: 18 [0.0.2]
    http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  Wrong Issuer "Base CRL (6)" Time: 4 [1.0]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
  Wrong Issuer "Delta CRL (6)" Time: 0 [1.0.0]
    ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Delta CRL (6)" Time: 4 [1.0.1]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  Wrong Issuer "Delta CRL (6)" Time: 4 [1.0.2]
    http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  Wrong Issuer "Base CRL (6)" Time: 18 [2.0]
    http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
  Wrong Issuer "Delta CRL (6)" Time: 0 [2.0.0]
    ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Wrong Issuer "Delta CRL (6)" Time: 4 [2.0.1]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  Wrong Issuer "Delta CRL (6)" Time: 4 [2.0.2]
    http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA+.crl
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  Subject: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  Serial: 13ea9a52000000000002
  Template: SubCA
  a5 3f f1 4b 80 f9 b1 c1 e1 f8 02 6b c7 de 08 e3 f0 c6 57 06
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No CRL "Certificate (0)" Time: 0 [0.0]
    ldap:///CN=DOMAIN%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=AD?cACertificate?base?objectClass=certificationAuthority
  No CRL "Certificate (0)" Time: 18 [1.0]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAROT1_DOMAIN%20Root%20CA.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (5)" Time: 4 [0.0]
    http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Root%20CA.crl
  Verified "Base CRL (5)" Time: 0 [1.0]
    ldap:///CN=DOMAIN%20Root%20CA,CN=SERVERCAROT1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=AD?certificateRevocationList?base?objectClass=cRLDistributionPoint
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  CRL 5:
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  d3 c4 34 40 e9 e7 ac 92 41 73 df e7 90 4e f3 85 59 5f 01 5a
  Issuance[0] = 1.3.6.1.4.1.311.21.8.2.840.113556.1.8000.1.402

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  Subject: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  Serial: 5cd703e9a488d8aa463b9999976fd21a
  ea c2 7f 95 36 ea cb dd c8 b1 f3 a6 c2 68 ac b7 16 15 11 7b
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  c5 1d dd df 88 7f fa c2 79 a7 8f 6c 6e 3d 59 68 b4 9e 95 9a
Full chain:
  e0 d6 a8 73 bb fe 26 7c 81 c2 98 e6 39 dd 93 66 e7 01 f5 eb
Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
Subject: E=MAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
Serial: 142661aa000000000004
Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
The signature of the certificate can not be verified. 0x80096004 (-2146869244)
------------------------------------
CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
CertUtil: The signature of the certificate can not be verified.
.............................

I checked all the HTTP and LDAP paths shown after Wrong Issuer, all are accessible. Please suggest.
Manoj
September 14th, 2011 11:12am

Used PKIVIEW.msc on a Windows 2003 server, everything was okay. Just Delta CRLs were showing as expiring.
Manoj
September 14th, 2011 11:25am

How did you issue and install the certificate? How does the certificate behave when looking at it on the CA, if you simply verify the cert and dump its content using certutil on the CA server? /Hasain
September 14th, 2011 1:01pm

This setting causes this issue:
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
You must disable alternate signature algorithms and re-issue the end certificate.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 14th, 2011 1:59pm

Issued the certificate via Web (http://server/CertSrv). Saved that as p7b and installed on the server via the certificate MMC. Certificate is looking good on the CA server.

Output of certutil -verify at Issuing CA
............................................
Issuer:
    CN=DOMAIN Issuing CA
    DC=CHILD
    DC=DOMAIN
    DC=ad
Subject:
    E=EMAILID@na.DOMAIN.com
    CN=SERVERVPN002.CHILD.DOMAIN.ad
    OU=SALES
    O=DOMAIN Technologies
    L=Milton
    S=GA
    C=US
Cert Serial Number: 142661aa000000000004

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 1 Hours, 9 Minutes, 20 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  NotBefore: 9/9/2011 2:26 PM
  NotAfter: 9/8/2013 2:26 PM
  Subject: E=EMAILID@na.DOMAIN.com, CN=SERVERVPN002.CHILD.DOMAIN.ad, OU=SALES, O=DOMAIN Technologies, L=Milton, S=GA, C=US
  Serial: 142661aa000000000004
  Template: 1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
  2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 6:
  Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  b7 47 1c f9 eb ee e0 4d 5d cb 75 04 e8 92 51 33 15 2a b8 29
  Delta CRL 10:
  Issuer: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  f4 aa 42 4a 05 1d 3e 35 c5 9f 49 0b 77 c9 19 ea d7 99 7f e7
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  NotBefore: 9/9/2011 1:20 PM
  NotAfter: 9/9/2021 1:30 PM
  Subject: CN=DOMAIN Issuing CA, DC=CHILD, DC=DOMAIN, DC=ad
  Serial: 13ea9a52000000000002
  Template: SubCA
  a5 3f f1 4b 80 f9 b1 c1 e1 f8 02 6b c7 de 08 e3 f0 c6 57 06
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  CRL 5:
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  d3 c4 34 40 e9 e7 ac 92 41 73 df e7 90 4e f3 85 59 5f 01 5a
  Issuance[0] = 1.3.6.1.4.1.311.21.8.2.840.113556.1.8000.1.402

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  NotBefore: 9/8/2011 7:27 PM
  NotAfter: 9/8/2031 7:37 PM
  Subject: CN=DOMAIN Root CA, DC=DOMAIN, DC=AD
  Serial: 5cd703e9a488d8aa463b9999976fd21a
  ea c2 7f 95 36 ea cb dd c8 b1 f3 a6 c2 68 ac b7 16 15 11 7b
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  af e6 1e a5 a3 11 f0 d0 56 9f 10 6f f6 86 87 0a 69 f7 fc 77
Full chain:
  c8 f2 a7 80 de f7 1f 3e 52 9e f9 57 17 f7 f5 2a cb 25 dd 1a
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
......................................................................................................

Output of certutil -dump at Issuing CA
................................................................................
X509 Certificate:
Version: 3
Serial Number: 142661aa000000000004
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Issuer:
    CN=DOMAIN Issuing CA
    DC=CHILD
    DC=DOMAIN
    DC=ad
NotBefore: 9/9/2011 2:26 PM
NotAfter: 9/8/2013 2:26 PM
Subject:
    E=EMAILID@na.DOMAIN.com
    CN=SERVERVPN002.CHILD.DOMAIN.ad
    OU=SALES
    O=DOMAIN Technologies
    L=Milton
    S=GA
    C=US
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01 00 c1 5e 03 a0 62 ed db
    0010  e1 24 81 06 d6 8b 89 32 e4 5b 01 c4 a0 9f bd ec
    0020  24 67 e7 74 ee 7a dd 3a 1d 3b 8b 7b 00 44 21 a3
    0030  83 78 67 75 47 c0 3d 61 ae 72 e0 ec 8f f1 22 72
    0040  9e d9 95 5b 61 ce 0a a7 93 24 f5 f3 42 05 36 86
    0050  25 d1 4f 36 da bc 21 c1 fe 13 d1 c5 34 d7 2e 18
    0060  60 a3 77 92 95 be ac ab 47 52 b0 e7 42 a6 f2 6e
    0070  d9 75 23 26 57 89 c7 24 16 29 3b 08 51 a7 ba ae
    0080  bb 9b 9c 12 82 12 bc 8d 1d fc 5c 26 d9 e1 df 5d
    0090  ac ef d2 7a f1 d9 b8 35 87 b5 e8 53 41 56 61 82
    00a0  4f 1b 65 2f cd 15 df 40 c9 42 7c 78 61 da 45 d2
    00b0  52 7c 18 c9 d9 6f 1f ed c5 46 b5 26 7b 7e 9f a7
    00c0  4c 9e 07 fa 85 7f 4c e4 44 4b 8c 70 d1 b8 66 47
    00d0  c7 d5 96 e2 16 85 98 0b 5d c4 cd 44 85 11 00 c5
    00e0  40 ea 93 c1 dc b4 60 a7 73 8d 49 78 74 3b 8a fe
    00f0  2b 26 99 16 96 1a d5 d2 58 8a 90 68 86 df ea 34
    0100  cf 86 5c 09 42 44 2f bb e3 02 03 01 00 01
Certificate Extensions: 8
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c

    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 2e
    Certificate Template Information
        Template=1.3.6.1.4.1.311.21.8.1684853.14465115.11945623.13485759.1303253.100.7858302.15520548
        Major Version Number=100
        Minor Version Number=4

    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=63 22 90 af 78 31 a0 ff 15 d5 a4 db 67 52 00 b1 53 43 81 4c

    2.5.29.31: Flags = 0, Length = 158
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=SERVERCAISU1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint
                       URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl
                       URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/DOMAIN%20Issuing%20CA.crl

    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 190
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=ldap:///CN=DOMAIN%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=ad?cACertificate?base?objectClass=certificationAuthority
        [2]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://cert.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt
        [3]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://SERVERcaisu1.CHILD.DOMAIN.ad/CertEnroll/SERVERCAISU1.CHILD.DOMAIN.ad_DOMAIN%20Issuing%20CA.crt

    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 1a
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=Server Authentication
        [2]Application Certificate Policy:
             Policy Identifier=Client Authentication

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Signature: UnusedBits=0
    0000  1f 12 2c 7a ec 3b d4 79 1a 80 2f 30 80 2d b4 90
    0010  ba 80 35 cb de 94 91 db 21 9b 81 4a 37 e7 75 20
    0020  58 12 57 a5 b4 1d a6 0e ed 20 44 d2 de 93 33 14
    0030  d0 6f d7 c1 bb c0 a3 59 ef fc 3f ac 14 7e fd 30
    0040  3e bd 94 ea 3c a9 3e a1 a7 12 1c 0b b4 5b 89 ce
    0050  68 53 0b bc f2 6e 86 b6 21 77 d4 4a ad 26 48 46
    0060  45 f7 0b d7 09 b4 c7 88 40 fd 18 83 66 0c 3c a9
    0070  56 ee 33 38 ae 17 c5 38 c8 f3 fb f8 97 02 fe 53
    0080  84 7f 2e 69 87 d5 16 d7 a5 fa ec e7 dc 3f 77 d6
    0090  23 d7 07 2b ae a2 54 9b c6 14 c2 28 ff 7b 21 11
    00a0  12 20 5c c5 96 90 d0 64 91 8b af 2c 6f d6 bb 79
    00b0  96 89 a3 90 b1 2b 66 d6 c8 6f 00 6d 1a 7a c7 80
    00c0  a0 08 8d 94 88 df cc 60 94 96 00 6d ab 67 e3 66
    00d0  72 dd ae d5 25 34 7c 42 06 18 20 36 c4 bb d2 98
    00e0  b1 a5 fd 9e a1 f1 ad 7f a2 b9 14 a4 ab 8e fe 26
    00f0  b4 25 3b 57 27 f2 31 31 5e d7 75 42 50 0b b7 64
Non-root Certificate
Key Id Hash(rfc-sha1): 03 ed 0c 33 76 78 a8 68 3a a5 71 ce 63 c8 50 fc 27 dc c5 96
Key Id Hash(sha1): de 22 a0 21 8d 83 a5 ca f7 3e fc 66 ad 6f b3 0a 11 89 ac 1c
Cert Hash(md5): 82 77 14 5f ff 9d d4 cf 2b ad c3 da 86 e5 fe 38
Cert Hash(sha1): 2a ba 5f 25 3a e9 80 7f 45 1d ec b7 af 02 76 72 17 c9 26 41
CertUtil: -dump command completed successfully.

Another observation: My RADIUS server is published in AD and has ENROLL and READ permission on the template. When I try to request a certificate via MMC > Certificates (my computer) >> Personal >> Request new certificate, I get the error:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the available CAs.
- The available CAs issue certificates for which you do not have permissions.
Though I have checked http://support.microsoft.com/kb/927066 and will try the solution, just wanted to mention it in case that might be related.
Manoj
September 14th, 2011 2:04pm

This setting causes this issue:
certutil -setreg CA\csp\AlternateSignatureAlgorithm 1
You must disable alternate signature algorithms and re-issue the end certificate.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Agree with Vadims, totally missed the AlternateSignatureAlgorithm! /Hasain
September 14th, 2011 2:07pm
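The root cause identified in this thread is visible in Manoj's certutil -dump output: the certificate is signed with RSASSA-PSS (OID 1.2.840.113549.1.1.10), which is what CA\csp\AlternateSignatureAlgorithm 1 enables on a Windows 2008 CA and which the Windows 2003 chain engine reports as CERT_TRUST_IS_NOT_SIGNATURE_VALID. The following is an added example, not code from the thread or from Microsoft: a pre-deployment check written in plain Python (standard library only) that walks just enough DER to read the signature AlgorithmIdentifier OID, both the copy inside tbsCertificate and the outer one, confirms the two agree, and flags RSASSA-PSS so a certificate is caught before it is installed on a legacy host. Because no real certificate ships with this page, build_sample_cert constructs a minimal DER skeleton (empty names, zero signature bits, the serial and validity dates printed in the thread) purely so the parser has input; all function names are this example's own.

```python
# Added example (not from the thread): flag RSASSA-PSS-signed certificates
# before they reach a Windows 2003 host. Standard library only.

RSASSA_PSS = "1.2.840.113549.1.1.10"
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1RSA",
    "1.2.840.113549.1.1.11": "sha256RSA",
    RSASSA_PSS: "RSASSA-PSS",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(data):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    first = data[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in data[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _algorithm_oid(buf, pos):
    """Read the OID that opens an AlgorithmIdentifier SEQUENCE at pos."""
    tag, start, _ = _read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier SEQUENCE expected")
    tag, start, end = _read_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("OBJECT IDENTIFIER expected")
    return _decode_oid(buf[start:end])


def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    tag, start, _ = _read_tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    tag, tbs_start, tbs_end = _read_tlv(cert_der, start)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate SEQUENCE expected")
    outer = _algorithm_oid(cert_der, tbs_end)            # signatureAlgorithm follows tbs
    pos = tbs_start
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                      # optional [0] EXPLICIT version
        pos = end
    tag, _, pos = _read_tlv(cert_der, pos)               # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    return _algorithm_oid(cert_der, pos), outer          # tbsCertificate.signature


def check_legacy_compatible(cert_der):
    """(ok, reason): ok is False when a Windows 2003 verifier would reject the signature."""
    inner, outer = signature_algorithms(cert_der)
    if inner != outer:                                   # RFC 5280 requires them to match
        return False, f"signature OID mismatch: tbs={inner} outer={outer}"
    if outer == RSASSA_PSS:
        return False, "RSASSA-PSS signature (CA has AlternateSignatureAlgorithm=1)"
    return True, SIGNATURE_OIDS.get(outer, outer)


def _tlv(tag, value):
    """DER-encode one TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid):
    """Encode a dotted OID into its DER content octets."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Constructed DER Certificate skeleton for exercising the parser only (not a usable cert)."""
    params = b"\x30\x00" if sig_oid == RSASSA_PSS else b"\x05\x00"  # "30 00" as in the dump
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, bytes.fromhex("142661aa000000000004"))  # serial from the thread
               + alg_id
               + _tlv(0x30, b"")                                      # issuer (empty)
               + _tlv(0x30, _tlv(0x17, b"110909142600Z") + _tlv(0x17, b"130908142600Z"))
               + _tlv(0x30, b"")                                      # subject (empty)
               + _tlv(0x30, b""))                                     # subjectPublicKeyInfo (empty)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00" * 17))       # zero signature bits


if __name__ == "__main__":
    for oid in (RSASSA_PSS, "1.2.840.113549.1.1.5"):
        print(oid, check_legacy_compatible(build_sample_cert(oid)))
```

To run it against a real certificate exported from the CA, pass the raw bytes of a DER .cer to check_legacy_compatible (a Base64-encoded .cer must have its PEM armour stripped and be base64-decoded first). The check is only a gate; the remedy is the one Vadims gives: set CA\csp\AlternateSignatureAlgorithm back to 0 on the issuing CA, restart certsvc, and re-issue the end certificate. Certificates already issued with PSS are unaffected by the registry change and stay unverifiable on Windows 2003 until replaced.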
