Subordinate CA

Guest

Hi

My company has an Enterprise Root CA in Colorado and many Subordinate CAs in
its offices around the world.

One of these offices, which has a Subordinate CA under the Enterprise CA in
Colorado, wants to use a certificate issued by this CA for SSL-encrypted
communication between an external OWA client and the external interface of
the ISA server. This office was able to set up a certificate on the OWA
website from its Subordinate CA, and the internal users are able to access
OWA using the https protocol.
For the external access, this office wanted to export this certificate and PK
and then import it into the ISA server certificate store, but they were
not able to export the private key.
My question is: Is it possible to use this Subordinate CA in order to get the
certificate for the external OWA access? If so, what should they do in order
to get the private key?
If not, should I install a new Enterprise root CA on the domain of this
office?
If I install this new Enterprise root CA in this office ... could this new
Enterprise root CA cause some conflict with the current Subordinate CA?

Thank you for any thought about it

Sean
 
Miha Pihler

Hi Sean,

What version are your CA servers in question? Windows 2000? Are the subordinate
CA servers set up as Enterprise CAs?

How was the certificate issued to OWA? Using IIS or was it by the web interface? If
the certificate was imported to OWA manually, was it marked as exportable before
it was imported?

Mike
 
Guest

Hi Mike

I have W2K SP4 and OWA 5.5 SP4.
The OWA certificate was set up using IIS. The office took a certificate existing on
its DC and used it on OWA. When the office tried to export this certificate,
the PK option was unavailable. They cannot connect to our Enterprise CA to
get a new certificate ...

Checking its event viewer I realized that its certificate services were not
started. They are not able to start after applying SP4 on the Subordinate CA's DC ...
do you think it might be the problem?

Thanks
Sean
 
Miha Pihler

Hi Sean,

Issue OWA its own certificate from the subordinate CA service. You can either use
the IIS wizard or the web interface to issue a new certificate to OWA.

Try to start the certificate service and see if there are any pop-up error
messages indicating what the problem could be. Also check the event log for any specific
reasons why the CA would not start. Check the CA certificates in the computer
store (Enterprise and Subordinate) to see if anything has expired or is not
trusted... SP4 should not cause any problem, but there are other patches
that might alter the way the certificate chain is built.

Mike
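The checks Mike lists (expiry, trust of the chain, and whether the private key was marked exportable) can be automated on a modern Windows host. This is an added example, not code from the thread; it assumes PowerShell 5.1 or later and the .NET `RSACertificateExtensions` API, and it inspects only the local computer's personal store.

```powershell
# Added example (not from the thread): inventory the computer's personal
# certificate store, reporting expiry, chain trust and whether the private
# key can be exported. Assumes PowerShell 5.1+ on Windows; reading key
# properties may require running elevated.
function Get-CertStoreReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue) {
        # Build the chain against the machine's trust stores. Build() returns
        # $false when any link is untrusted or expired; revocation is skipped
        # so the check works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # Exportability is a property of the key, not the certificate. Legacy
        # CSP keys expose it via CspKeyContainerInfo, CNG keys via ExportPolicy.
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $exportable = $rsa.Key.ExportPolicy.HasFlag(
                        [System.Security.Cryptography.CngExportPolicies]::AllowExport)
                }
            } catch {
                # Non-RSA key or no access to the key container
                $exportable = 'unknown'
            }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            ChainTrusted  = $trusted
            ChainStatus   = $status
            HasPrivateKey = $cert.HasPrivateKey
            KeyExportable = $exportable
        }
    }
}

Get-CertStoreReport | Format-Table -AutoSize
```

A certificate whose `KeyExportable` is `$false` cannot have its private key exported after the fact; the key has to be generated as exportable when the request is made, as Mike's question about the import implies.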