Home / server / Questions / 352722
Accepted
Jonathan
Asked: 2012-01-24 06:11:22 +0800 CST

How to debug missing enterprise root ca certificate?

  • 772

We have a openssl offline root CA with a Windows 2008 R2 AD-integrated SubCA.

The Openssl Root CA was published to ldap CN=ROOTCANAME,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN using certutil -dspublish -f root.cer RootCA

Everything works ok, except for one thing. So far two clients (both XP) showed up which did not import the Root CA Cert to the trusted enterprise root certificate authorities store.

On my working workstation, I get the following output:

C:\>certutil -store -enterprise root
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
================ Certificate 0 ================
Serial Number: f818516373f917e8
Issuer: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
Subject: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a6 ed 80 59 04 80 c7 1f 4e cb aa e1 8d e7 77 4a 2a 98 43 97
No key provider information
No stored keyset property
CertUtil: -store command completed successfully.

On a workstation which does not import the root CA cert. The output is:

C:\>certutil -store -enterprise root
CertUtil: -store command completed successfully.

Even after importing the certificate manually. This particular machine was even rejoined to the domain. To no avail.

Questions now are:

  • where to look for errors or debugging information?
  • how to identify machines with this problem?
  • how to manually trigger the import of ldap certificates?
  • Is this the right approach to distribute the root ca cert? I prefer to not use a group policy for simple distribution but on the other side can not find much information regarding the ldap distribution process.
windows active-directory pki openssl

2 Answers

  1. "I prefer to not use a group policy for simple distribution..."

    Why not? That is exactly what GP was designed for - to distribute common settings/configuration to domain PCs. Just import the root cert to a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

    • 1
  2. Best Answer

    A few things to check:

    • Has certificate autoenrollment been disabled on this client? Lack of autoenrollment would explain lack of import.
    • Is the certificate in the trusted roots store, just not in the enterprise trust container, due to the manual import? Check the Trusted Roots store for the computer account in certmgr.msc.
    • Has it maybe been imported then deleted for some reason? If it thinks it's been imported, then it won't import again; clear out the sub-keys under HKLM\Software\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache, then re-run autoenroll with certutil -pulse.
    • 1