Windows Server 2019 ADCS - Unable to Install Subordinate CA Certificate

pki windows-server-2019

I am setting up a two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (Server 2019) and an online Enterprise Subordinate CA (also Server 2019).

I've configured the offline Root CA successfully (set CDP / AIA extensions) and the ADCS service starts with no issues. I then configure ADCS on the Enterprise Subordinate CA and a .req file is created inside "C:\". Copied the .req file over to the Root CA, issued the certificate, exported the *.p7b and moved back to the Sub CA. When I select "Install CA Certificate", I get the following error:

"An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: C:\CA(1).req The data is invalid. 0x800x7000d (WIN32: 13 ERROR_INVALID_DATA)

I am logged in the Enterprise Sub CA as an Domain Admin with Enterprise Admin rights added to my DA account. I have tried reinstalling ADCS on the Sub CA, creating a new .req, re-signing. I am 100% confident that I'm using the correct .req file when submitting to the Root CA and also exporting the correct Sub CA certificate.

I ran "certutil -dump *.req" on the original certificate request file, verified that the CA Version extension is V0.0. Then ran the same command on the signed Sub CA certificate exported from the Root CA and has the same exact CA Version extension.

Any ideas would be greatly appreciated. Please let me know if any additional information would be helpful.


Found the answer to my problems. Not sure if this is isolated to our AD domain, but I had to create a unique account with ONLY enterprise admin group added to it. Then followed the same process and was able to get the CA certificate installed.

To summarize:

If you're having the same issue as indicated above, try creating a single account with Enterprise Admin privileges and only use that single account when installing / configuring ADCS on the Enterprise Sub CA.

Related

GCP+Ansible: how to run a playbook with user account
Using Powershell to get a group of specific perfmon counters
Archlinux nfs is shutting down immediately
Why does RCN route addresses in 10.0.0.0/8 to some public machine?
Is reverse proxy recommended in production environment?
nagios wrongly reports packet loss
CentOS, revert back to a clean state (by backup or snapshot) without physically going to the server [closed]
GCP LB with static website and kubernetes
PMTA Timeout Centos 7
Logrotate appends "1" at the end of compressed file name
ssh-keygen: signing syntax - help needed with options
Certbot renew dry run fails with error: Input the webroot for sub.mydomain.com:. Skipping