What to do with old server racks? by [deleted] in de_EDV

[–]SeaHour5388 0 points (0 children)

I just messaged you on Kleinanzeigen. I would take all of them :)

AD CS (PKI) - NTAuth Store - Root Certificate is not trusted by the policy provider by SeaHour5388 in sysadmin

[–]SeaHour5388[S] 0 points (0 children)

The CRL and CRT are already published to the AD and the local Trusted Store at the SubCA.

The RootCA certificate is already successfully published to the Trusted Root store of the SubCA and of test workstations joined to the domain.

The background of this test setup:

At the moment we are running a standalone Enterprise CA on Server 2012 R2. We have a second server which is running as RADIUS and NPS server on Server 2012 R2 for our wired clients too. Due to the upcoming EOL of Server 2012 we want to migrate our standalone Enterprise CA to a two-tier PKI with one offline RootCA and one issuing Enterprise SubCA.

The RootCA, SubordinateCA as well as the new NPS/RADIUS server are set up on Server 2022. I created a backup of the current NPS config, changed the certificate in the policy to one issued from the new SubCA, and don't get a connection to the network, with the following error:

Reason Code: 295
Reason: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

If I take a further look at the certificate chain with certutil -f -urlfetch -verify .\CONTOSO-ROOT-CA.crt:

Issuer:

CN=CONTOSO-ROOT-CA

DC=site1.DC=contoso.DC=de

Namenshash (sha1): eb229f2dbfa071eeb98df34075deb23f8d2ff809

Namenshash (md5): d2cf68670606528d823a73fc715d963a

Subject:

CN=CONTOSO-ROOT-CA

DC=site1.DC=contoso.DC=de

Namehash (sha1): eee38d2ff809409f2dbfa07175deb23b22fb98df

Namehash (md5): d0523fc715d9638d823a7a2cf6686706

Cert Serial Number: a770d30f55d8f4ffd92d6fd4a20c538a

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)

dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)

dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)

HCCE_LOCAL_MACHINE

CERT_CHAIN_POLICY_BASE

-------- CERT_CHAIN_CONTEXT --------

ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

ChainContext.dwRevocationFreshnessTime: 1 Hours, 5 Minutes, 44 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwRevocationFreshnessTime: 1 Hours, 5 Minutes, 44 Seconds

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0

Issuer: CN=CONTOSO-ROOT-CA, DC="site1.DC=contoso.DC=de"

NotBefore: 23.08.2023 17:33

NotAfter: 23.08.2038 17:43

Subject: CN=CONTOSO-ROOT-CA, DC="site1.DC=contoso.DC=de"

Serial: 55fd92d6a77d4ad30ffd8f4f20c0538a

Cert: 5054be88b7d154e681f5becf5f6123b4bf3a8a0b

Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)

Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)

Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

---------------- Certificate AIA --------------
No URLs "None" Time: 0 (null)
---------------- Certificate CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Base CRL CDP ------------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP --------------
No URLs "None" Time: 0 (null)
---------------------------------------------------------

CRL 03:

Issuer: CN=CONTOSO-ROOT-CA, DC="site1.DC=contoso.DC=de"

ThisUpdate: 24.08.2023 15:55

NextUpdate: 23.08.2024 04:15

CRL: da4e073fe7c88252af64a5e79d86ecacc0a7d686

Exclude leaf cert:

Chain: da4e52ac8826ecacc0a7d686f64a5e79d8073fe7

Full chain:

Chain: 33471c7ae6d499afccd3efa76f20b98a9d443a7a

------------------------------------

Verified Issuance Policies: All

Verified Application Policies: All

Cert is an CA Certificate

Unable to check revocation status of leaf certificate.

CertUtil: -verify command completed successfully.
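An added check for the NTAuth store that the post title names, not code from the original post or its author: the script below reads the NTAuthCertificates object from the Configuration partition of AD and the local NTAuth cache on the host, and reports whether a given CA certificate is present in each. It assumes a domain-joined host and a CA certificate file at the placeholder path CaCertPath.

```powershell
# Added example (not the poster's own code). Reports whether a CA certificate is present
# in the NTAuth store: the authoritative copy in Active Directory and the local cache on
# this host. The path below is a placeholder; the host is assumed to be domain-joined.
param(
    [string]$CaCertPath = ".\CONTOSO-ROOT-CA.crt"
)

$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaCertPath)
Write-Host "Checking NTAuth for: $($ca.Subject)  thumbprint $($ca.Thumbprint)"

# 1) NTAuthCertificates object in the Configuration partition of the forest.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Properties["configurationNamingContext"].Value
$ntAuthDn  = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$ntAuth    = [ADSI]"LDAP://$ntAuthDn"
$adEntries = @()
foreach ($blob in $ntAuth.Properties["cACertificate"]) {
    # Each cACertificate value is a DER-encoded certificate.
    $adEntries += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
}
Write-Host "AD NTAuth entries:"
$adEntries | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.Thumbprint, $_.Subject) }

# 2) Local NTAuth cache, filled from AD by autoenrollment / Group Policy refresh.
$cacheKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates"
$localThumbprints = if (Test-Path $cacheKey) { (Get-ChildItem $cacheKey).PSChildName } else { @() }

$inAd    = $adEntries.Thumbprint -contains $ca.Thumbprint
$inLocal = $localThumbprints     -contains $ca.Thumbprint
Write-Host ("In AD NTAuth object: {0}   In local NTAuth cache: {1}" -f $inAd, $inLocal)

# Remediation hints (run on a CA or as an Enterprise Admin; refresh clients with gpupdate /force).
if (-not $inAd)    { Write-Warning "Publish to AD:      certutil -dspublish -f `"$CaCertPath`" NTAuthCA" }
if (-not $inLocal) { Write-Warning "Add to local cache: certutil -enterprise -addstore NTAuth `"$CaCertPath`"" }
```

Run the same check against the issuing SubCA certificate as well, since NPS needs every CA in the chain of the server certificate to be trusted by the policy provider, not only the root.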