Windows Server 2008 R2 root CA replacing

Hi,

I have a problem regarding old Root CA replacing.

We have 2 DCs. Right now one DC, called DC1, is holding the Cert Auth with the old root cert. We have generated a new root cert with Linux, and created a Windows Sub CA with the correct chain (so it contains the new root CA) on Linux.

I would like to promote my DC2 server as Cert Auth, next to the "old" Cert Auth, until the old one is decommissioned.

When I try to promote my DC2 server with the following settings:

Cert Auth,

Cert Auth Web enrollment

--> Setup type: Enterprise

--> CA type: Subordinate CA

--> Private key: Use existing private key (Select a certificate and use its associated private key)

Existing certificate: I browse here to the "windows subca.p12" file with the correct password, and when I click Next I get the following error message:
The selected certificate could not be used.

Am I doing something wrong? Should the root CA be placed here? I am using the sub (intermediate) CA with the root chain...

This certificate was generated with Linux with signature hash algorithm SHA-512 and with thumbprint algorithm SHA-1.

Thank you for any advice!

Regards,

July 13th, 2015 11:06am
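Before offering a PKCS#12 from another system to the AD CS wizard, it is worth checking what it actually contains. The following PowerShell is an added example for this thread, not code posted by the original author: it loads the .p12, prints the properties a CA certificate is expected to carry (a private key, Basic Constraints CA=TRUE, Key Usage including Certificate Signing) and walks the chain. The path, password and the list of properties checked are assumptions; the script reports what is there, it does not diagnose the error message above.

```powershell
# Added example (not from the original thread): inspect a subordinate-CA PKCS#12 before
# handing it to the AD CS "use existing private key" step. Path and password are assumed;
# the properties checked are the usual CA-certificate requirements, not a confirmed cause
# of "The selected certificate could not be used". Runs on Windows PowerShell 2.0+.
param(
    [string]$PfxPath  = 'C:\certs\windows-subca.p12',   # assumed location of the Linux-generated file
    [string]$Password = 'changeit'                       # assumed export password
)

$ns    = 'System.Security.Cryptography.X509Certificates'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,Exportable'
$cert  = New-Object "$ns.X509Certificate2" ($PfxPath, $Password, $flags)

"Subject        : $($cert.Subject)"
"Issuer         : $($cert.Issuer)"
"HasPrivateKey  : $($cert.HasPrivateKey)"
"Signature alg. : $($cert.SignatureAlgorithm.FriendlyName)"
"Valid          : $($cert.NotBefore) - $($cert.NotAfter)"
"Thumbprint     : $($cert.Thumbprint)"   # SHA-1 hash of the DER cert; Windows always displays this

# Pull the two extensions a CA certificate must carry.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyCertSign = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign

$problems = @()
if (-not $cert.HasPrivateKey)             { $problems += 'no private key inside the PKCS#12' }
if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'Basic Constraints missing or CA=FALSE' }
if (-not $ku) {
    $problems += 'Key Usage extension missing'
} elseif ((([int]$ku.KeyUsages) -band $keyCertSign) -eq 0) {
    $problems += 'Key Usage does not include Certificate Signing'
}

# Walk the chain. The new Linux root is not yet in the machine's Trusted Root store, so
# allow an unknown CA and skip revocation; the point is to see which issuer is embedded.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$null = $chain.Build($cert)
"Chain ($($chain.ChainElements.Count) element(s)):"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}

if ($problems.Count -gt 0) {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
} else {
    'No obvious problems with the certificate properties.'
}
```

`certutil -dump windows-subca.p12` gives the same information in text form if you prefer the built-in tool. If the chain element for the root shows UntrustedRoot, add the new root to the machine store first (`certutil -addstore Root newroot.cer`) so that later `certutil -verify` calls on DC2 can build a trusted chain.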

Did you try to create a new private key?
July 13th, 2015 11:28am

Actually I just got the certificate from a Linux engineer. But maybe I can give it a try and ask him to re-create it.

Is it possible that I am going wrong, as I am trying to give the Sub-CA to the Cert Auth, and not the root CA?

Or is the generated Sub-CA faulty? Any idea what kind of parameters are needed?

Thanks for helping.

July 13th, 2015 1:59pm

Hello,

Why would you link a Sub-CA to a root that you will decommission? Why not establish a new root instead?

For getting the Sub-CA running in your case:

If I were you, I would not use the Linux approach. You have all that is needed in Windows:

  1. When installing the Subordinate CA, the wizard will generate the request file and place it on the root of the system drive.
  2. Copy this file to the Root CA (which is still available, right?), submit it as a new request in the CA console, then issue the certificate.
  3. After this is done, copy the signed certificate from the Root CA to the Sub-CA, install it via the CA administrator console, and AD CS should start.


July 13th, 2015 10:56pm
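The three console steps above can also be driven from the command line with the `certreq` and `certutil` tools that ship with Windows. The PowerShell below is an added example for this thread, not code from the answer's author: one function runs on the Root CA (submit the request, issue it, retrieve the certificate), the other on the new Sub CA (verify the chain, install the CA certificate, start the service). The CA config string, host names and file names are assumptions, and the `CertificateTemplate:SubCA` attribute assumes the parent is an Enterprise CA (a standalone root simply holds the request as pending).

```powershell
# Added example (not from the original thread): the request/issue/install round trip for
# a subordinate CA using certreq and certutil. All names below are assumptions.
$RootConfig = 'DC1\Contoso-Root-CA'                       # "<host>\<CA common name>" of the existing root
$ReqFile    = 'C:\DC2.contoso.local_Contoso-Sub-CA.req'    # .req the Sub CA wizard wrote to the system drive root
$CerFile    = 'C:\Contoso-Sub-CA.cer'                      # where the issued CA certificate will be written

# Step 2 of the answer: run on the Root CA (DC1) after copying the .req over.
function Submit-SubCaRequest {
    param([string]$Config, [string]$RequestFile, [string]$CertFile)

    # Submit the request. The template attribute is needed when the parent is an
    # Enterprise CA; a standalone CA ignores it and just takes the request under submission.
    $submit = certreq -submit -config $Config -attrib 'CertificateTemplate:SubCA' $RequestFile $CertFile 2>&1 | Out-String
    if ($submit -notmatch 'RequestId:\s*"?(\d+)') { throw "certreq -submit failed:`n$submit" }
    $requestId = [int]$Matches[1]
    "Request submitted, RequestId $requestId"

    # Subordinate-CA requests are normally held as pending for an administrator to approve.
    # -resubmit is the command-line equivalent of "All Tasks > Issue" in the CA console.
    if ($submit -match 'Certificate request is pending') {
        certutil -config $Config -resubmit $requestId | Out-Null
        certreq -retrieve -config $Config $requestId $CertFile | Out-Null
    }
    if (-not (Test-Path $CertFile)) { throw "Issued certificate was not written to $CertFile" }
    "Issued certificate saved to $CertFile; copy it to the Sub CA"
}

# Step 3 of the answer: run on the new Sub CA (DC2) after copying the .cer back.
function Install-SubCaCertificate {
    param([string]$CertFile)

    # Chain check first: on a domain member the existing root is already trusted, so this
    # should report a clean chain. A failure here means the wrong file was copied.
    certutil -verify $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -verify reported a problem with $CertFile" }

    # Equivalent of "Install CA Certificate" in the CA console, then start AD CS.
    certutil -installcert $CertFile
    if ($LASTEXITCODE -ne 0) { throw 'certutil -installcert failed' }
    Start-Service certsvc
    "AD CS started; CA certificate installed from $CertFile"
}

# On DC1:  Submit-SubCaRequest -Config $RootConfig -RequestFile $ReqFile -CertFile $CerFile
# On DC2:  Install-SubCaCertificate -CertFile $CerFile
```

`certutil -dump` on the root CA prints the exact config string to use for `-config`. If the Sub CA is later re-parented to the new root instead, the same flow applies: the Linux CA signs the wizard's .req and `certutil -installcert` installs the result, with the new root already placed in the Trusted Root store.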

Thank you for your help. The main point regarding the root CA replacement is that this new root CA (generated with Linux) is more secure than the Microsoft-generated root CA?! We would like to keep the Linux root CA generator computer offline. On this computer the Sub CA for Windows was generated without any request file. But it does not work. If I request the Sub CA I can validate it with Linux; after all, I will give it a try and will let you know. Thank you!
July 14th, 2015 1:46am
