This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 65%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Follwing below given Link from MS we migrated 2 tier PKI hierarchy from windows 2008 R2 to Windows 2019.
Migration went fine for Root CA and 2 Sub-CAs, we kept the hostname similar as current.
We were able to enroll certificates, issue, generate certificates after migration from both Sub CAs but in PKI view it is showing error in CA certificate as UNKNOWN. Nothing in event logs all looks good and online .
Has someone seen this? Please help if anyone have seen this after migration.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 76%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETT%3C/text%3E%3C/svg%3E)
Were you able to resolve this issue?
Yes it was resolved. power on root ca and update the CRLs.
Thank you for the update. I did the same thing by running certutil -CRL, and resolved the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello @Nitin Paras
This issue may occur when the sub CA certificate can't be chained to a trusted root CA certificate or the revocation check is failed. As you mentioned above, after the migration there could be some communication or network filtering between CA and Sub CAs, please make sure that the CDP is still reachable from the sub CA server. Otherwise, revocation check will fail.
You also export the certificate as a file and run command to it
certutil -verify -URLFetch yourcert.cer
This traces the validation of the certificate all the way to the top and generally spells out any errors it may find.
Hope this helps with your query,
--
--If the reply is helpful, please Upvote and Accept as answer--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 11%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E4%3C/text%3E%3C/svg%3E)
Hi @Nitin Paras,
Using this command "certutil -verify -URLFetch yourcert.cer" I found a failed verification for AIA and CDP, see the images attached.
I run the command "certutil -CRL" but It doesn't seem helpful for me.
Any suggestions? In this moment I have to copy manually the Root file .crl in SubCA and also in CertData\CertEnroll folder in the server that hosts the "crl.domain.it" (I've to do that when the Root CRL expires).
Kind regards and thanks in advance,
Alessio.
SubCA_CertificateCheckPart1.png SubCA_CertificateCheckPart2.png