Renew Issuing CA Certificate via offline Root CA

certificatewindows-server-2008

I have an offline root CA and an enterprise issuing CA. I created a req from the issuing CA and issued a cert with it on the offline root CA. When I try to install the cert on the issuing CA with the Certification Authority snap in I get the following error:

Cannot verify certificate chain. Do you wish to ignore the error and continue? The signature of the certificate can not be verified. 0x80096004 (-214689244)

Any idea?

Best Answer

It looks like you didn't install the root certificate in the servers 'trusted root certification Authorities' store. When you try to import the signed certificate - it cannot verify the chain as trusted - and the import fails.

Open MMC - Add remove Snnapin - Certificates - Local Machine, and import the root certificate into the 'trusted root certification Authorities' store.

Related Solutions

Install Trusted root certificate authority certificate via GPO

I've created a GPO, imported the certificate in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificate Authorities and assign the GPO to a group of users

If you are using the "Computer Configuration" policy tree then it will need to be linked to an OU where the computer accounts are stored.

If you need to install the certificates into the user's certificate store then certutil mioght help. Microsoft's documentation on certutil. Use certutil -installcert <certfile> (I think that one can be run as a user) or certutil -addstore -user root <cert file> in a login script. Note, I haven't tested these, the commands are straight from the help certutil -v -?.

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Best Answer

Related Solutions

Install Trusted root certificate authority certificate via GPO

SSL Error: self signed certificate in certificate chain

Related Topic