
Problem with my certificate chain?


I'm having SSL-related issues with various hosts on my network, and I'm asking if there is a way to verify if everything is OK with the certificate chain and the issuing process.

In our environment we have a new 2012R2 standalone root CA and 1 Enterprise subordinate CA, also 2012R2.

Downloading the certificate chain shows everything is OK as far as I can see, BPA run on the subordinate (issuing CA) has no issues. Root CA has been propagated via AD, and I can see it on workstations.

However, some things aren't working, such as: connecting to the Issuing CA with Firefox nets me this error message, "Peer's certificate has an invalid signature", with no other option to continue. Same error as when I use FF to connect to any server when the cert has been replaced by one issued from this CA. Yes, the root is in FF's trusted store.

Another sign something isn't working is when trying to set up the CA-signed certificates in our vCenter server. After six attempts of installing the issued cert combined with the CA chain, I get an error:

"CertificateValidationException: Server certificate chain not verified
Return code is: SslHandshakeFailed"

There were problems number 3 and 4 which I didn't think to document at the time that also related to certs being issued from here.

Opening the P7B file shows no problems either.

Is there any way of checking from the CA side what may be causing us grief?

B

