
Certificate Services - Cannot get SUB CA to start

Status
Not open for further replies.

Elway7

MIS
Apr 5, 2002
I am trying to set up the following environment: Standalone Root CA and Enterprise Sub CA, both running Windows 2008 R2 Core.

To set up the ROOT CA I have done the following:

Install the Certificate Services Role by typing the following at the command line:
Cscript C:\Windows\System32\setupca.vbs /IS /sn RootCA /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /SV 20

Run the following commands on the ROOT CA to set the issuing validity period to 20 years
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits "20"
net stop certsvc & net start certsvc

Install the CRL List in Active Directory by running the following commands
Certutil -setreg ca\DSConfigDN "CN=Configuration, DC=Test,dc=local"
Certutil -setreg ca\DSDomainDN "DC=Test,dc=local"

Net stop certsvc & net start certsvc
Certutil -dspublish -f "C:\windows\system32\CertSrv\CertEnroll\Root CA.crl"


For the SUB CA I run the following command:
Cscript C:\Windows\System32\setupca.vbs /IF /sn "Sub CA" /DN DC=DC=Test,dc=local /sp "RSA#Microsoft Software Key Storage Provider" /sk 2048 /sa SHA256 /OR "C:\CA\SUBReq.req"

I then submit the request to the ROOT CA and subsequently issue the pending request. When I try to accept the response using the certreq -accept command I get the following error:
“Certificate Request Processor: Cannot Find object or property”
and of course the SUB CA will not start as it does not have a valid certificate. I have even tried to create a new certificate and although I can import it using the certreq -accept command the service will not start correctly.

Any help would be appreciated...

Thanks in advance
 
Did you configure the CDP and AIA locations on your Root CA before signing the subordinate certificate? If so, are they in a location that is accessible from the Subordinate CA?

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
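
One way to check what the reply above asks about, run on the Sub CA before certreq -accept (an added example, not part of either post). The three file names under C:\CA are placeholders for the root CA certificate, the root CRL and the issued Sub CA certificate copied over from the Root CA.

```bat
@echo off
rem Added example: run from an elevated prompt on the subordinate CA.
rem Placeholder file names (assumptions, not taken from the thread).
set ROOTCERT=C:\CA\RootCA.crt
set ROOTCRL=C:\CA\RootCA.crl
set SUBCERT=C:\CA\SubCA.cer

rem 1. List the CDP and AIA URLs the Root CA wrote into the issued certificate.
rem    These are the locations the Sub CA must be able to reach.
certutil -dump "%SUBCERT%" | findstr /i /c:"CRL Distribution" /c:"Authority Information Access" /c:"URL="

rem 2. Make the root certificate and its current CRL available locally,
rem    so chain building does not depend on an offline Root CA.
certutil -addstore -f Root "%ROOTCERT%"
if errorlevel 1 goto fail
certutil -addstore -f Root "%ROOTCRL%"
if errorlevel 1 goto fail

rem 3. Build the chain and try to fetch every AIA and CDP URL.
rem    Read the output: each URL is reported with the result of the fetch,
rem    and revocation or chain errors are printed at the end.
certutil -verify -urlfetch "%SUBCERT%"
if errorlevel 1 goto fail

rem 4. Only when the chain verifies, install the certificate and start the service.
certreq -accept "%SUBCERT%"
if errorlevel 1 goto fail
net start certsvc
goto :eof

:fail
echo Check failed. Fix trust or CDP/AIA reachability before accepting the certificate.
exit /b 1
```

If step 3 reports a URL that cannot be retrieved, the CDP or AIA extension in the Sub CA certificate points somewhere the Sub CA cannot read, which is the condition the reply is asking about.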
 