
Root and sub CA not getting automatically published

Eiman Fransi 1 Reputation point
Jul 22, 2021, 6:26 AM

We are having a strange issue. Since we are using an Enterprise CA installed on domain-joined Root CA and Subordinate CA servers (not DCs), we expect, by design, the root and intermediate certificates to be published automatically to the Trusted Root Certification Authorities and Intermediate Certification Authorities local stores once we add/join the servers to the domain, which is not the case right now. Can anyone help with this? Do we need to apply changes on the root CA server or the intermediate CA server to get this done?
Thanks

Windows Server

6 answers

  1. Daisy Zhou 31,611 Reputation points Microsoft External Staff
    Jul 22, 2021, 8:48 AM

    Hello anonymous user,

    Thank you for posting here.

    Based on the description, you have two-tier CA with Root CA and Sub-ordinate CA.

    Is your two-tier PKI with offline Standalone root CA and online Enterprise issuing CA or online Enterprise root CA and online Enterprise issuing CA?

    Offline Standalone root CA server is not in the domain.

    Online Enterprise issuing CA server is in the domain.

    If your root CA is an offline Standalone root CA, you should run the command below on one DC to publish
    the root CA cert to the domain. It will then be dispatched to the root store of all domain-joined clients.

    certutil -f -dspublish <the full path of CA certificate> RootCA

    For more information, please refer to link below.

    AD CS Step by Step Guide: Two Tier PKI Hierarchy Deployment
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx

    Q: Which is not the case right now, can anyone help on this?
    Do you mean there is no root CA cert in the trust root certificate authority and there is no sub CA cert in the intermediate certificate authority local stores on all domain-joined machines?

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================
    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Eiman Fransi 1 Reputation point
    Jul 22, 2021, 9:05 AM

    Hi Daisy,
    Thanks for your message.
    Both CA servers are domain-joined: an online Enterprise root CA and an online Enterprise issuing CA. So why are the root and sub CA certs not getting published automatically to domain-joined members?
    However, this is not a very secure way of dealing with certs, I guess; we would be better off switching off the root CA server. So would it be possible to take the root CA server out of the domain, make it a standalone offline CA, and issue the command certutil -f -dspublish <the full path of CA certificate> RootCA?
    By the way, what should the path of the CA certificate be? Is that a default path?

    Pls advise the best approach ..
    Thanks


  3. Daisy Zhou 31,611 Reputation points Microsoft External Staff
    Jul 23, 2021, 2:50 AM

    Hello anonymous user,

    Thank you for your update.

    Here are the answers for your reference.

    So why the root ca's and sub are not getting published automatically to domain joined members ?
    A1: If both your root CA server and sub CA server are in the domain, this should eventually happen automatically.

    Currently, I am sorry, I do not know why. But you can try to publish the root CA cert and sub CA cert to the domain via the command above to see if it helps.

    Similar thread for your reference.
    How Does A Root CA Certificate Get Distributed To Domain Clients?
    https://social.technet.microsoft.com/Forums/windowsserver/de-DE/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity

    However, this is not a very secure way of dealing with certs i guess , we would better switch off the ROOT CA server ...so would it be possible to take de ROOT CA server out of the domain and make it a standalone offline and issue the command certutil -f -dspublish <the full path of CA certificate> RootCA ??
    A2: If you want to convert your existing enterprise root CA to a standalone root CA, the steps you mentioned are not correct.

    Because if you take the root CA server out of the domain, the CA type is not changed from enterprise root CA to standalone root CA.

    117226-ca1.png

    For the correct steps, you can refer to the similar thread below.

    Convert Enterprise Root CA to Standalone Root CA and create new Subordinate CAs
    https://social.technet.microsoft.com/Forums/windows/en-US/df2105e3-844d-4ead-a202-e49a227511df/convert-enterprise-root-ca-to-standalone-root-ca-and-create-new-subordinate-cas?forum=winserversecurity

    Note: If you really want to do this type of CA migration, please first migrate in the test environment to check whether everything is normal. If everything is normal in the test environment, you then consider whether you need to operate in the production environment.

    By the way what should be the path of CA certificate? is that a default path ?
    A3: You can open CA Properties and select AIA extension and check the location of the CA certificate.

    117129-ca2.png

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

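    A worked version of the publish step from the first answer, together with the "which file and where is it" question answered in A3. This is an added example, not code from the thread or from Microsoft; it assumes you have already exported the two CA certificates to the paths shown (on a CA server, `certutil -ca.cert <file>` writes the current CA certificate, and the same file sits in %SystemRoot%\System32\CertSrv\CertEnroll\), and that it runs on a domain-joined machine as an Enterprise Admin, because `-dspublish` writes to the forest's configuration partition. The CA names and paths are placeholders.

```powershell
# Added example (not from the thread). Publishes CA certificates to the AD PKI
# containers with certutil and then reads those containers back via ADSI so you
# can confirm what domain members will actually download.
# Assumed paths; export with `certutil -ca.cert <file>` on each CA first.
$rootCer = 'C:\PKI\root.cer'   # root CA certificate
$subCer  = 'C:\PKI\sub.cer'    # issuing (subordinate) CA certificate

function Publish-CaCertToAd {
    # Wraps `certutil -f -dspublish`. Target meaning:
    #   RootCA   -> CN=Certification Authorities (trust anchor) and CN=AIA
    #   SubCA    -> CN=AIA (intermediate)
    #   NTAuthCA -> CN=NTAuthCertificates (needed for logon certs; enterprise CAs add it at install)
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][ValidateSet('RootCA','SubCA','NTAuthCA')][string]$Target
    )
    if (-not (Test-Path $CerPath)) { throw "Certificate file not found: $CerPath" }
    $out = & certutil.exe -f -dspublish $CerPath $Target 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dspublish $Target failed:`n$($out -join "`n")" }
    # "Certificate already in DS store" is a success: the object was already there.
    $out | Where-Object { $_ -match 'already in DS store|completed successfully' }
}

function Get-AdPublishedCaCerts {
    # Reads the PKI containers under CN=Public Key Services with plain ADSI
    # (no RSAT module required) and returns one row per stored CA certificate.
    $cfg = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $pks = "CN=Public Key Services,CN=Services,$cfg"
    $rows = @()
    foreach ($container in 'Certification Authorities', 'AIA') {
        $node = [ADSI]"LDAP://CN=$container,$pks"
        foreach ($child in $node.Children) {
            foreach ($raw in $child.Properties['cACertificate']) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                $rows += [pscustomobject]@{
                    Container  = $container
                    Object     = [string]$child.Properties['cn'].Value
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                }
            }
        }
    }
    $nt = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
    foreach ($raw in $nt.Properties['cACertificate']) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        $rows += [pscustomobject]@{
            Container  = 'NTAuthCertificates'
            Object     = 'NTAuthCertificates'
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
    $rows
}

# Usage
Publish-CaCertToAd -CerPath $rootCer -Target RootCA
Publish-CaCertToAd -CerPath $subCer  -Target SubCA
Publish-CaCertToAd -CerPath $subCer  -Target NTAuthCA
Get-AdPublishedCaCerts | Sort-Object Container, Object | Format-Table -AutoSize
```

    The thumbprints in the last table are what you should expect to see on every domain member afterwards; if the root is listed under "Certification Authorities" and the issuing CA under "AIA", the AD side is correct and the remaining question is the client download.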

  4. Eiman Fransi 1 Reputation point
    Jul 26, 2021, 11:42 AM

    Hi Daisy, thanks for your time and the answers. Below you will find my response:

    > A1: If both your root CA server and sub CA server are in the domain, this should eventually happen automatically. Currently, I am sorry, I do not know why. But you can try to publish root CA cert and sub CA cert to domain via command above to see if it helps.

    Could it be the case that a GPO is blocking this from happening? Below you will find the default domain policy. I don't think that this could be the reason, as block inheritance is enabled on the OU where the systems are located.

    ![117937-screenshot-2021-07-26-at-125847.png][1]

    As well, I did try to run the commands as advised and got the message that the certs are already published to AD:

    Certificate already in DS store.
    CertUtil: -dsPublish command completed successfully.

    > Similar thread for your reference. How Does A Root CA Certificate Get Distributed To Domain Clients? https://social.technet.microsoft.com/Forums/windowsserver/de-DE/dc4891be-e3ea-4321-972f-e66eee6ed1d1/how-does-a-root-ca-certificate-get-distributed-to-domain-clients?forum=winserversecurity

    I did check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache key and we don't have that key on the systems. Please advise how to troubleshoot, as I am running out of ideas.

    Using the GPO to auto-enroll the enterprise certs (root and subordinate) is not the way we would like to go, as I would need to renew them every now and then when they expire, while this is supposed to be done automatically in our case.

    Thank you Daisy.

    [1]: /api/attachments/117937-screenshot-2021-07-26-at-125847.png?platform=QnA

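    The post above has established that the certificates are in AD ("Certificate already in DS store"), so the next thing to look at is the client side: whether the machine has copied them into its Enterprise stores, whether the autoenrollment policy on that machine is disabled, and what the autoenrollment client logged. The script below is an added example, not from the thread or from Microsoft. It runs elevated on a domain member; the two thumbprints are placeholders you replace with your root and issuing CA thumbprints, and the assumption that `certutil -pulse` is enough to re-trigger the download is stated in the code.

```powershell
# Added example (not from the thread). Run elevated on a domain-joined member.
# Expected thumbprints are placeholders; take the real ones from the CA certs.
$Expected = @{
    'Root' = '0000000000000000000000000000000000000000'   # assumed: root CA thumbprint
    'CA'   = '1111111111111111111111111111111111111111'   # assumed: issuing CA thumbprint
}

function Get-EnterpriseStoreThumbprints {
    # Certificates delivered from AD land in the "Enterprise" physical stores under
    # HKLM\SOFTWARE\Microsoft\EnterpriseCertificates; each subkey name is a SHA-1
    # thumbprint. Same view as: certutil -enterprise -store Root | CA | NTAuth
    param([Parameter(Mandatory)][ValidateSet('Root','CA','NTAuth')][string]$Store)
    $key = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\$Store\Certificates"
    if (-not (Test-Path $key)) { return @() }
    @(Get-ChildItem $key | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

function Test-EnterpriseStores {
    # One row per store: is the expected CA cert present, and how many certs are there at all.
    param([Parameter(Mandatory)][hashtable]$ExpectedThumbprints)
    foreach ($store in $ExpectedThumbprints.Keys) {
        $present = Get-EnterpriseStoreThumbprints -Store $store
        [pscustomobject]@{
            Store      = $store
            Expected   = $ExpectedThumbprints[$store]
            Present    = $present -contains $ExpectedThumbprints[$store].ToUpperInvariant()
            StoreCount = $present.Count
        }
    }
}

function Get-AutoEnrollmentPolicy {
    # The GPO "Certificate Services Client - Auto-Enrollment" writes AEPolicy here.
    # Bit 0x8000 (AUTO_ENROLLMENT_DISABLE_ALL) is what "Disabled" sets; a missing
    # value means the policy is not configured.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $v = (Get-ItemProperty -Path $p -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    [pscustomobject]@{
        AEPolicy   = $v
        Configured = ($null -ne $v)
        Disabled   = ($null -ne $v) -and (($v -band 0x8000) -ne 0)
    }
}

function Invoke-CaCertDownload {
    # Refresh machine policy and pulse machine autoenrollment, the client that
    # copies CA certificates from AD into the Enterprise stores. Assumption: a
    # pulse plus a short wait is enough for the stores to be rewritten.
    gpupdate.exe /target:computer /force | Out-Null
    certutil.exe -pulse | Out-Null
    Start-Sleep -Seconds 10
}

function Get-AutoEnrollmentEvents {
    # The autoenrollment client logs to the Application log under this provider;
    # an error here names the directory or policy problem directly.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: state before, force a download, state after, then the log.
Get-AutoEnrollmentPolicy
Test-EnterpriseStores -ExpectedThumbprints $Expected
Invoke-CaCertDownload
Test-EnterpriseStores -ExpectedThumbprints $Expected
Get-AutoEnrollmentEvents | Format-Table -Wrap -AutoSize
```

    Reading the result: the certificates should appear in the Enterprise physical stores, not in the registry-backed "local" Root store, so a `Present = True` here is the real success signal even if `certlm.msc` shows the same certificate elsewhere. If the store stays empty after the pulse and the policy is not disabled, the autoenrollment events are the place where the failing directory lookup is recorded.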

  5. Eiman Fransi 1 Reputation point
    Jul 28, 2021, 10:11 AM

    just a side note :
    When I run certutil -cainfo on the Subordinate CA server :

    C:\Windows\system32>certutil -cainfo
    Exit module count: 1
    CA name: xxx-Subordinate-CA
    Sanitized CA short name (DS name): xxx-Subordinate-CA
    CA type: 1 -- Enterprise Subordinate CA
    ENUM_ENTERPRISE_SUBCA -- 1
    CA cert count: 2
    KRA cert count: 0
    KRA cert used count: 0
    CA cert[0]: 3 -- Valid
    CA cert[1]: 3 -- Valid
    CA cert version[0]: 0 -- V0.0
    CA cert version[1]: 1 -- V1.0
    CA cert verify status[0]: 0
    CA cert verify status[1]: 0
    CRL[0]: 3 -- Valid
    CRL[1]: 1 -- Error: No CRL for this Cert
    CRL Publish Status[0]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
    Delta CRL Publish Status[0]: 6
    CPF_DELTA -- 2
    CPF_COMPLETE -- 4
    DNS Name: CA02.xxxxnet
    Advanced Server: 1
    CA locale name: en-US
    Subject Template OIDs: 1.2.840.113549.1.9.1
    2.5.4.3
    2.5.4.11
    2.5.4.10
    2.5.4.7
    2.5.4.8
    0.9.2342.19200300.100.1.25
    2.5.4.6
    CertUtil: -CAInfo command completed successfully.
    Getting a CRL error; could this be the issue?

    Below is the output of the same command, but now on the Root CA server:
    C:\Windows\system32>certutil -cainfo
    Exit module count: 1
    CA name: xxxx-Root-CA
    Sanitized CA short name (DS name): xxx-Root-CA
    CA type: 0 -- Enterprise Root CA
    ENUM_ENTERPRISE_ROOTCA -- 0
    CA cert count: 1
    KRA cert count: 0
    KRA cert used count: 0
    CA cert[0]: 3 -- Valid
    CA cert version[0]: 0 -- V0.0
    CA cert verify status[0]: 0
    CRL[0]: 3 -- Valid
    CRL Publish Status[0]: 5
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
    Delta CRL Publish Status[0]: 6
    CPF_DELTA -- 2
    CPF_COMPLETE -- 4
    DNS Name: CA01.xxx.net
    Advanced Server: 1
    CA locale name: en-US
    Subject Template OIDs: 1.2.840.113549.1.9.1
    2.5.4.3
    2.5.4.11
    2.5.4.10
    2.5.4.7
    2.5.4.8
    0.9.2342.19200300.100.1.25
    2.5.4.6

    CertUtil: -CAInfo command completed successfully.
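    Two notes on the output above before the check. First, `CA cert version[1]: 1 -- V1.0` is certutil's "certificate index 1, key index 0" notation, i.e. the issuing CA certificate was renewed once with the same key pair; one CRL then serves both certificates, which is why `CRL[1]` reports no CRL of its own. Second, CRL availability is separate from the question in the thread: domain members copy CA certificates from AD into their Enterprise stores without evaluating CRLs, so a CRL problem breaks validation of issued certificates rather than the publishing of the CA certificates. To see the CRL side as a domain member sees it, the script below builds the issuing CA's chain with online revocation checking and fetches every HTTP CRL distribution point from the certificate. It is an added example, not from the thread or from Microsoft; the CA common name is a placeholder, and parsing `certutil -dump` output for the NextUpdate line is a convenience assumed to hold for the Windows formatter.

```powershell
# Added example (not from the thread). Run on a domain member, not on the CA.
$IssuingCaName = 'xxx-Subordinate-CA'   # assumed: CN of the issuing CA's Subject

function Get-IssuingCaCertificate {
    # Newest certificate for that CN in the machine's Intermediate CA store.
    param([Parameter(Mandatory)][string]$CommonName)
    $cert = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like "CN=$CommonName,*" -or $_.Subject -eq "CN=$CommonName" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$CommonName in Cert:\LocalMachine\CA" }
    $cert
}

function Test-CaChain {
    # Build the chain exactly as the OS would, with online revocation for every element.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode       = 'Online'
    $chain.ChainPolicy.RevocationFlag       = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($Certificate)
    $result = [pscustomobject]@{
        Subject = $Certificate.Subject
        ChainOk = $built
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        Status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
    $chain.Reset()
    $result
}

function Get-CrlDistributionPoints {
    # OID 2.5.29.31 = CRL Distribution Points. .NET Framework has no typed class for
    # it, so the URLs are pulled from the Windows formatter's "URL=" lines.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    @([regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-CrlUrl {
    # HTTP CDPs are downloaded and parsed with certutil -dump; LDAP CDPs are only listed.
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -notmatch '^https?://') {
        return [pscustomobject]@{ Url = $Url; Reachable = $null; NextUpdate = $null; Note = 'ldap: not fetched' }
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec 15
        $dump = (& certutil.exe -dump $tmp 2>&1) -join "`n"
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $Matches[1].Trim() } else { $null }
        [pscustomobject]@{ Url = $Url; Reachable = $true; NextUpdate = $next; Note = '' }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; NextUpdate = $null; Note = $_.Exception.Message }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Usage
$ca = Get-IssuingCaCertificate -CommonName $IssuingCaName
Test-CaChain -Certificate $ca | Format-List
Get-CrlDistributionPoints -Certificate $ca | ForEach-Object { Test-CrlUrl -Url $_ } | Format-Table -AutoSize
# For the exhaustive per-URL view (AIA and CDP, HTTP and LDAP): certutil -verify -urlfetch <exported .cer>
```

    A chain that builds with an empty Status and every HTTP CDP returning a NextUpdate in the future means the CRL side is healthy from that client's point of view; a `RevocationStatusUnknown` or `OfflineRevocation` status together with an unreachable URL points at the CDP, not at AD publishing.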

