
New Root CA server cannot deploy root certificate to domain client

Hi,

We have an old Win 2008 CA server and we just set up a new Windows 2019 root CA server (standalone, domain joined) and found the new root CA cannot deploy its root certificate to domain clients automatically.

After some checking, it seems AD can only auto-deploy the root certificate from the Win2008 CA, but not from the new Win2019 CA. Does AD recognize the old Win2008 CA as the "primary CA", so that other root CAs cannot auto-deploy their root certificate?

I know we can use GPO to deploy root certificate. But as we will remove that Win2008 CA later, how to change the "Primary CA" to the new CA?

Thanks

Best Regards
Chong

windows-server

1 Answer

GaryReynolds answered

Hi @Chong-7118

You have used two contradictory terms to define your new CA: it can be a standalone or a domain (enterprise) CA, but not both. If it's a standalone root CA, then you will need to publish the root certificate in AD using the certutil -dspublish command.

Gary.

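The certutil -dspublish step from the answer above, worked through as an added PowerShell example (not from the thread). It assumes a CA host NEWCA01 with the CA name "Contoso Root CA", is run by an Enterprise Admin on a domain-joined machine, and checks that the certificate actually landed in the forest container that domain clients pull trusted roots from.

```powershell
# Added example, not from the thread. Assumed names: CA host "NEWCA01",
# CA common name "Contoso Root CA". Run as Enterprise Admin, domain-joined.
$CaConfig = "NEWCA01\Contoso Root CA"
$CerPath  = Join-Path $env:TEMP "NewRootCA.cer"

# 1. Pull the CA's current root certificate (also picks up a renewed cert).
certutil -config $CaConfig -ca.cert $CerPath | Out-Null
if (-not (Test-Path $CerPath)) { throw "Could not retrieve CA certificate from $CaConfig" }

# 2. Publish it to the forest-wide 'Certification Authorities' container.
#    RootCA = trusted root for the forest; -f overwrites an existing object.
certutil -dspublish -f $CerPath RootCA

# 3. Verify the object exists in the configuration partition by thumbprint.
Import-Module ActiveDirectory
$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg"
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

$published = Get-ADObject -SearchBase $base -Filter { objectClass -eq "certificationAuthority" } `
                          -Properties cACertificate |
    Where-Object {
        # cACertificate is multi-valued (one DER blob per published cert)
        $_.cACertificate | ForEach-Object {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_).Thumbprint
        } | Where-Object { $_ -eq $cert.Thumbprint }
    }
if (-not $published) { throw "Root certificate was not found under $base" }
Write-Host "Published in AD: $($published.DistinguishedName)"

# 4. On a client: trigger autoenrollment (which downloads published roots)
#    and confirm the root is now in the machine's Trusted Root store.
certutil -pulse | Out-Null
$local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if ($local) { Write-Host "Client trusts $($cert.Subject) ($($cert.Thumbprint))" }
else { Write-Warning "Not in LocalMachine\Root yet; run 'gpupdate /force' and check again" }
```

Re-run the same script after each root renewal; the thumbprint check is what tells you the renewed certificate, not just the old one, is what clients are receiving.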

Hi @GaryReynolds,

Thanks for the reply

I am not sure whether this is the root cause of the problem, and it may not be the standard CA structure. But my CA server is domain joined, and I selected "standalone" and "Root CA" during CA setup.

Although "certutil -dspublish" (and also GPO) can publish the root certificate, we need to change the new CA to "primary" in AD so the root certificate can auto-publish to clients each time we renew the root certificate.

Thanks

Chong
