Generic unknown status in pkiview after migrating Active Directory Certificate Services from Windows Server 2008R2 to Windows 2019.

Nitin Paras 26 Reputation points

Following the link given below from MS, we migrated a 2-tier PKI hierarchy from Windows 2008 R2 to Windows 2019.

The migration went fine for the Root CA and 2 Sub-CAs; we kept the hostname similar to the current one.
We were able to enroll, issue, and generate certificates after the migration from both Sub CAs, but PKI view is showing an error for the CA certificate as UNKNOWN. There is nothing in the event logs; all looks good and online.

Has someone seen this? Please help if anyone has seen this after migration.



Accepted answer
  1. Limitless Technology 44,021 Reputation points

    Hello @Nitin Paras

    This issue may occur when the sub CA certificate can't be chained to a trusted root CA certificate or the revocation check fails. As you mentioned above, after the migration there could be some communication or network filtering between the CA and the Sub CAs. Please make sure that the CDP is still reachable from the sub CA server; otherwise, the revocation check will fail.

    You can also export the certificate to a file and run this command against it:

    certutil -verify -URLFetch yourcert.cer

    This traces the validation of the certificate all the way to the top and generally spells out any errors it may find.

    Hope this helps with your query,

    --If the reply is helpful, please Upvote and Accept as answer--

    2 people found this answer helpful.
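
The two checks the accepted answer describes (chain building with revocation, and reachability of the published CDP/AIA locations), as an added PowerShell example that is not part of the original answer. It assumes the CA certificate was exported to `yourcert.cer` (placeholder path), that it is run on the sub CA server, and that Windows formats the extensions with `URL=` entries; only HTTP(S) locations are probed, LDAP ones are skipped.

```powershell
# Added example, not from the original thread. Run on the sub CA server.
param([string]$CertPath = '.\yourcert.cer')   # exported CA certificate (placeholder path)

$path = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 1. Build the chain with online revocation checking for every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$valid = $chain.Build($cert)
"Chain builds and validates: $valid"

# OIDs of the extensions that carry the published locations.
$wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

foreach ($element in $chain.ChainElements) {
    # An empty status list means this element had no chain or revocation errors.
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'NoError' }
    '{0} -> {1}' -f $element.Certificate.Subject, $status

    # 2. Probe each HTTP(S) CDP/AIA URL listed in this certificate.
    foreach ($ext in $element.Certificate.Extensions) {
        if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
        $urls = [regex]::Matches($ext.Format($true), '(?i)URL=(https?://\S+)') |
            ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                $result = "HTTP $($resp.StatusCode)"
            } catch {
                $result = "FAILED: $($_.Exception.Message)"
            }
            '    [{0}] {1} -> {2}' -f $wanted[$ext.Oid.Value], $url, $result
        }
    }
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` status next to a URL that reports `FAILED` points at the unreachable CDP the answer mentions; a `PartialChain` or `UntrustedRoot` status points at the chaining problem instead.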
