Windows 2012r2, single domain, new 2-tier PKI infrastructure, with sub-CA being Enterprise CA for the domain, just setup. PKIView and MMC Cert Auth both show a 'green board' (no alerts, issues, or errors). All services start and all logs are clear. SHA512 was used, no SHA1 anywhere. Offline Root cert is 4096 so it 'lasts longer' as it were.
Certificates are published in AD.
My host Windows 10 shows the root cert in "Trusted Root Certificate Authorities" and the sub-CA (cert issuing CA) certificate in "Intermediate Certificate Authorities". In fact, BOTH the offline root and the sub-CA certs are in the 'Intermediate Certificate Authority" containers (is that an issue? ....not sure how it occurred ..)
I have a CentOS based web server that runs my helpdesk software. I used openssl to generate a CSR, and used the certutil applet to issue the cert from the sub-CA using the WebServer template. Quick reconfig of Apache and now the cert is properly 'attached' to the website. All DNS has been checked, the site and the cert are properly setup as far as we can see. Also, time is correct on all servers and hosts.
The issue is that Edge and Firefox both show the cert as 'untrusted' and give the full 'They are stealing your face!' warnings. Strangely though, if you dig deeper in and display the certificate, it shows the proper chain with no red or alert markings and also claims 'This certificate is OK' for each. So the certificates are OK, but they are being refused anyway?
I am stumped as to why these "OK" certificates are not being trusted. Any help would be greatly appreciated!