W2K8 CS: Import a CA-certificate into intermediate CA error
Hello,

we've got a 2-tier CA architecture, with one offline RootCA (W2K8 Std.) and one Enterprise Issuing CA (W2K8 Ent.). When the Server Manager install routine for the CA roles ends, it extracts a certificate signing request for the Enterprise CA, which should be signed by the offline Root CA. Let us name the request "ica.req". Now I copy the file over to the offline RootCA, sign the request and extract the certificate(s) in PKCS#7 format (or another format, DER etc.) to ica.p7b. In the next step I try to install the certificate in the Enterprise CA through the CS-MMC "Install CA certificate ..." option. And now there is this strange error message:

"An error was detected while configuring certificate services. The Certificate Services Setup Wizard will need to rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: C:\ica(1).req The data is invalid. 0x8007000d (WIN32: 13)"

Does anyone have any idea? I would be truly thankful, because my internet research has not come to any success. The only hint I've got is on the Turkish Microsoft Platform team site, but I don't speak Turkish, so I can't say if they found the solution already...

http://blogs.technet.com/platformtr/archive/2010/04/14/the-new-certification-authority-certificate-cannot-be-installed-because-the-ca-version-extension-is-incorrect-hatas.aspx

So, I really would appreciate any help. Have a nice weekend,
Pete
May 7th, 2010 4:48pm

Hi,

It seems that your p7b file was not generated from the most recent req file. Please send the request file C:\ica(1).req to your parent CA to request the CA certificate for the subCA and install it. Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 12th, 2010 12:01pm

Hi,

first and foremost, thanks for your answer. Unfortunately this request file (1) doesn't exist. There is an ica.req but no ica(1).req, but the error message talks about a "(1)" version. I've deleted and reinstalled the CA role: same phenomenon. I renamed the exported request file: same phenomenon. I am totally confused.

It is definitely the right request file. The Root CA signs the request (there are not any other requests in the queue). The exported p7b contains the right Root and Intermediate CA cert, and the cert chain is resolved correctly. The CA Version extension includes V0.0. After reinstalling the role I always generate a new private key...

Do you have any other idea?

Thanks,
Pete
May 12th, 2010 5:46pm

Hi,

just one thing: if I compare the text version of the request file with the text version of the X.509 certificate, I can identify the following mismatch:

Cert-Req:
    Certificate Request: Data: Version: 0 (0x0)

Cert:
    Certificate: Data: Version: 3 (0x2)

There is a version mismatch. From Gutmann's X.509 Style Guide:

"This field is used mainly for marketing purposes to claim that software is X.509v3 compliant (even when it isn't). The default version is v1(0), if the issuerUniqueID or subjectUniqueID are present then the version must be v2(1) or v3(2). If extensions are present then the version must be v3(2). An implementation should target v3 certificates, which is what everyone is moving towards."

Is this a problem?

Thanks in advance,
Pete
May 12th, 2010 5:57pm

Hi,

You need to check the CA Version field instead of the Version. The CA Version of the certificate that you try to install on the CA must be the same as the CA Version of the request file.

This posting is provided "AS IS" with no warranties, and confers no rights.
May 14th, 2010 8:39am

Hi,

yes, you're right. Because this is the extension which is in the error message. In my PKCS#10 request, the following extension exists:

Req:
    Microsoft CA Version:
    X509v3 Subject Key Identifier: 60:F5:87:F7:46:90:86:FA:B4:B8:A4:9E:37:6B:1E:C9:D2:85:87:7B
    Domain Controller:
    X509v3 Key Usage critical: Digital Signature, Certificate Sign, CRL Sign
    X509v3 Basic Constraints critical: CA:TRUE

There is no value for:
1.3.6.1.4.1.311.21.1 -> this is the ID for "Microsoft CA Version", and
1.3.6.1.4.1.311.20.2 -> this is the ID for "Domain Controller"

In the text representation of the PKCS#10 it looks like this:

Requested Extensions:
    1.3.6.1.4.1.311.21.1: ...
    X509v3 Subject Key Identifier: 60:F5:87:F7:46:90:86:FA:B4:B8:A4:9E:37:6B:1E:C9:D2:85:87:7B
    1.3.6.1.4.1.311.20.2: .

What do those dots mean? In the Windows PKI blog, there is an article called "Suppressing certificate attributes". Should I try to suppress them or manually set them? See:

http://blogs.technet.com/pki/archive/2008/10/05/suppressing-certificate-attributes-in-a-ca-certificate-request.aspx

Thank you again,
Pete
May 19th, 2010 1:08pm
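
Added example, not part of any post in this thread: a small decoder for the CA Version extension (OID 1.3.6.1.4.1.311.21.1) that performs the request-versus-certificate comparison suggested above and shows why a text dump renders the value as dots. It assumes the extension value is a DER INTEGER holding the CA certificate index in the low 16 bits and the key index in the high 16 bits, displayed as V<cert>.<key>; the byte strings are constructed samples, not taken from the poster's files.

```python
# Added example (not from the thread). Sample values below are constructed.
CA_VERSION_OID = "1.3.6.1.4.1.311.21.1"  # "Microsoft CA Version"

def decode_ca_version(ext_value):
    """Return (cert_index, key_index) from the extension's DER INTEGER."""
    if len(ext_value) < 3 or ext_value[0] != 0x02:
        raise ValueError("CA Version must be a DER INTEGER (tag 0x02)")
    length = ext_value[1]
    # Short-form length only; a 32-bit value needs at most 5 content bytes.
    if length & 0x80 or not 1 <= length <= 5 or len(ext_value) != 2 + length:
        raise ValueError("unexpected DER length for CA Version")
    number = int.from_bytes(ext_value[2:], "big", signed=True)
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError("CA Version out of 32-bit range")
    # Assumption: low word = certificate index, high word = key index.
    return number & 0xFFFF, number >> 16

def format_ca_version(ext_value):
    """Format the value the way it is usually displayed, e.g. 'V0.0'."""
    cert_index, key_index = decode_ca_version(ext_value)
    return "V%d.%d" % (cert_index, key_index)

def dump_as_text(ext_value):
    """Mimic a text dump that prints '.' for every non-printable byte."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in ext_value)

def versions_match(request_value, certificate_value):
    """True when request and issued certificate carry the same CA Version."""
    return decode_ca_version(request_value) == decode_ca_version(certificate_value)

# Constructed samples: a first-time CA request, a matching certificate,
# and a certificate issued for a renewal with a new key.
REQ_V0_0 = bytes.fromhex("020100")
CERT_V0_0 = bytes.fromhex("020100")
CERT_V1_1 = bytes.fromhex("0203010001")

if __name__ == "__main__":
    for name, value in (("request", REQ_V0_0), ("cert", CERT_V0_0),
                        ("renewed cert", CERT_V1_1)):
        print(name, format_ca_version(value), repr(dump_as_text(value)))
    print("request vs cert:", versions_match(REQ_V0_0, CERT_V0_0))
    print("request vs renewed cert:", versions_match(REQ_V0_0, CERT_V1_1))
```

In a dump that does not know the OID, the three bytes 02 01 00 are all non-printable, so a V0.0 value appears as "..." rather than as an empty field.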

Hello Void, Have you had any success with this? I'm having the same issue.
March 8th, 2011 2:27pm

Are you logged in as an Enterprise Admin for the completion of the AD CS installation?

Solutions Architect
May 11th, 2011 10:41am

I have to troll the depths of my memory (it's been a while), but I do believe I was logged in with an account that was a member of the Enterprise Admin group.
May 11th, 2011 11:06am

Hi, did you get an answer to this? I am in the same boat with the same error.
May 17th, 2011 4:05pm

Sorry, no answer to this yet.
May 18th, 2011 9:34am

Hi, I reinstalled everything and it works now. The only thing I did differently was that I made the Enterprise Admins part of the local admins group on the issuing CA.

Thanks,
May 18th, 2011 12:30pm

I'm having the same issue. I have tried to recreate this problem in a test lab but I'm unable to do so. Does anyone have any new info to add?
May 22nd, 2011 8:16pm

This topic is archived. No further replies will be accepted.
