Can you help with 2-tier PKI on second issuing CAs on same Root CA?
PKI, CA, Public key infrastructure, Certificate Authority, Windows Server, ADCS, Active Directory, Server Manager, Issuing CA, Root CA, Subordinate CA, Azure
0.00 (0 votes)

I am running into an issue and hoping someone can help me. We were asked to set up a new Root CA and 2 subordinate (issuing) CAs under it (the request includes using Azure and placing each VM in a different region for redundancy). We issued the root and first subordinate CA, but on the second subordinate CA we are getting 2 errors.

- The first is one that we had the option to ignore, and did so: "Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation because the revocation server was offline. 0x80092013"
- When we clicked OK and ran it anyway, we got "Certutil: -installCert command FAILED: 0x8007139f (WIN32: 5023 ERROR_INVALID_STATE) CertUtil: The group resource is not in the correct state to perform the requested operation."

The weird thing is it said everything went well and we just needed to restart for it to take effect, and then gave us the second error. All this is in Windows Server 2016.

We used this instruction. Part 2 is the part where the issuing CAs start. We followed the same instructions for the second one, but as stated above, it didn't work out.

30-09-2022 21:20:45


Solution #1

0.00 (0 votes)

Based on the errors you mentioned, it seems that there might be a problem with the certificate revocation list (CRL) or the certificate chain on the second subordinate CA. Here are some steps you can take to troubleshoot the issue:

  1. Check the CRL distribution point (CDP) settings on the certificates of the second subordinate CA. Make sure that they are pointing to a valid URL or file location where the CRL can be downloaded.

  2. Ensure that the CRL has been published by the first subordinate CA and that it is accessible by the second subordinate CA. You can check the CRL publication settings on the first subordinate CA and verify that the CRL file is located in the correct location.

  3. Check the certificate chain on the second subordinate CA. Make sure that it includes all the necessary certificates, including the root CA and the first subordinate CA. You can use the Certificate MMC snap-in on the second subordinate CA to view the certificate chain and verify that it is complete.

  4. Verify that the clocks on all the servers involved in the PKI hierarchy are synchronized. Time discrepancies can cause certificate validation errors.

  5. Ensure that the permissions on the certificate stores are correct. Make sure that the account running the certutil command has the necessary permissions to install the certificate.

  6. Check the event logs on the second subordinate CA for any additional error messages or warnings that might provide more information about the issue.

If the above steps do not resolve the issue, you may need to seek the assistance of a PKI expert or Microsoft support to help diagnose and resolve the problem.

Pallav Kumar
30-03-2023 13:27:36
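Steps 1 and 3 of the answer above can be checked from the second issuing CA itself before running certutil -installCert again. The following PowerShell is an added example, not part of the thread: it reads the CDP URLs out of the certificate the root CA issued to the second issuing CA, tries to fetch each HTTP CRL, and then builds the chain with online revocation checking so that the same condition behind 0x80092013 shows up as a chain status. The file path is an assumed placeholder; the root CA certificate is assumed to already be in the machine's Trusted Root store.

```powershell
# Added diagnostic for the thread above (not the original poster's or Microsoft's code).
# Assumes the certificate issued by the root to the second issuing CA was saved as
# C:\PKI\IssuingCA2.cer (placeholder path; use the .cer you received from the root CA).
param(
    [string]$CertPath = 'C:\PKI\IssuingCA2.cer'   # assumed placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"

# Step 1: read the CRL Distribution Points extension (OID 2.5.29.31) and test every URL in it.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'Certificate has no CDP extension; the chain engine cannot locate a CRL'
} else {
    $urls = [regex]::Matches($cdp.Format($true), '(https?|ldap|file)://[^\s\r\n]+') |
            ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        if ($u -like 'http*') {
            try {
                $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
                Write-Host "CRL reachable ($($r.StatusCode), $($r.RawContentLength) bytes): $u"
            } catch {
                Write-Warning "CRL NOT reachable from this host: $u -> $($_.Exception.Message)"
            }
        } else {
            # LDAP/file CDPs depend on AD or share access from this VM; report them for a manual check.
            Write-Host "Non-HTTP CDP (verify access from this host): $u"
        }
    }
}

# Step 3: build the chain with revocation checking on for the whole chain.
# OfflineRevocation / RevocationStatusUnknown here is the same condition the
# 0x80092013 dialog reports during certutil -installCert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
$ok = $chain.Build($cert)
Write-Host "Chain builds cleanly: $ok"
foreach ($el in $chain.ChainElements) {
    $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $st) { $st = 'OK' }
    Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $st)
}
```

The built-in equivalent is `certutil -verify -urlfetch C:\PKI\IssuingCA2.cer`, which prints each CDP and AIA URL it tried and whether the fetch succeeded; run it as the same account that will run `certutil -installCert`.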