PKI - Offline Root CA & Offline Subordinate Policy CA

  • Question

  • I have a regulatory requirement that requires the use of an Offline Root CA, an Offline Subordinate/Policy CA, and an Enterprise Subordinate/Issuers CA. Basically a 3-tier architecture using Server 2012 R2.

    Where I am running into an issue is after I create the root, I am able to export both the .crt and .crl files to removable media. I then build the subordinate/policy CA and submit the certificate request through removable media to the root CA. I then issue a certificate to the request from the root to the policy on removable media and copy all the .crt, .p7b, and .crl into a directory on the subordinate/policy CA. When I try to install the .p7b certificate on the subordinate, I get an error stating that it cannot verify the certificate chain, which I understand to a degree since the Root CA is offline. I have tried right-clicking on each of the certificate files in the directory where they are on the subordinate and installing from their location. But the issue still exists: the certificate chain cannot be verified.

    So my question is, where do I install or how do I configure the Root's .crl and .cer on the subordinate so the certificate chain can be verified? I will also have to accomplish this same task on the enterprise subordinate/Issuers.

    Any and all help is greatly appreciated.

    Friday, November 15, 2013 6:36 PM