Windows Server 2019 ADCS - Unable to Install Subordinate CA Certificate
I am setting up a two tier Active Directory Certificate Services PKI hierarchy with an offline standalone Root CA (Server 2019) and an online Enterprise Subordinate CA (also Server 2019).
I've configured the offline Root CA successfully (set CDP / AIA extensions) and the ADCS service starts with no issues. I then configure ADCS on the Enterprise Subordinate CA and a .req file is created inside "C:\". Copied the .req file over to the Root CA, issued the certificate, exported the *.p7b and moved back to the Sub CA. When I select "Install CA Certificate", I get the following error:
"An error was detected while configuring Active Directory Certificate Services. The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration. The new Certification Authority certificate cannot be installed because the CA Version extension is incorrect. The most recently generated request file should be used to obtain the new certificate: C:\CA(1).req The data is invalid. 0x800x7000d (WIN32: 13 ERROR_INVALID_DATA)
I am logged in the Enterprise Sub CA as an Domain Admin with Enterprise Admin rights added to my DA account. I have tried reinstalling ADCS on the Sub CA, creating a new .req, re-signing. I am 100% confident that I'm using the correct .req file when submitting to the Root CA and also exporting the correct Sub CA certificate.
I ran "certutil -dump *.req" on the original certificate request file, verified that the CA Version extension is V0.0. Then ran the same command on the signed Sub CA certificate exported from the Root CA and has the same exact CA Version extension.
Any ideas would be greatly appreciated. Please let me know if any additional information would be helpful.
Found the answer to my problems. Not sure if this is isolated to our AD domain, but I had to create a unique account with ONLY enterprise admin group added to it. Then followed the same process and was able to get the CA certificate installed.
To summarize:
If you're having the same issue as indicated above, try creating a single account with Enterprise Admin privileges and only use that single account when installing / configuring ADCS on the Enterprise Sub CA.