Our customer performed a renewal of the certificate on one of the CA instances and published a new KRA certificate.
Configuration was implemented according to the standard procedure: the PFX of the KRA certificate was imported on the CMS (Card Management System) server, with its path and password in the configuration.
Currently, after an attempt to issue a new card with a certificate from this instance, we receive the following error message:
The card update failed.
Unknown Error: Security module synchronization failed. An internal provider error has occurred in provider Microsoft Certificate Server 2003, context SubCA3.
External operation error. (0x0000000C) MSPKI_DENIED_REQUEST : Error Verifying Request Signature or Signing Certificate A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
0x800b0112 (-2146762478).
I found that, besides running Certutil -enterprise -addstore NTAuth CaCertificate.cer on the CMS server, it also needed to be run on the Intermediary CA server.
I've also found out that the CA certificate wasn't published to all the places in LDAP where it should be (to be exact, to CN=NTAuthCertificates,CN=Public Key Services,CN=Services).
I do not understand why certutil needed to run on the Intermediary CA server when the certificate had already been added to the CMS server. What is the process behind this?
I'm new to the whole CA merry-go-round, so please be gentle :)
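As an added example (not code from the original post or from the CMS product), the PowerShell check below shows why the store on each host matters: the CA's policy module verifies the request's signing certificate against the local enterprise NTAuth store of the CA machine, and that local store is populated from the CN=NTAuthCertificates object in Active Directory. It assumes a domain-joined host with read access to the configuration partition; the certificate path is a placeholder.

```powershell
# Added example, not from the original post or the CMS/CA vendor.
# Reports whether a CA certificate is trusted as NTAuth both domain-wide (AD object)
# and on this host (local enterprise store). Run it on the CMS server and on every CA
# that must accept requests signed with the KRA/enrollment certificate.
function Test-NtAuthTrust {
    param([Parameter(Mandatory = $true)][string]$CaCertPath)

    $ca = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                     -ArgumentList $CaCertPath

    # 1. Domain-wide store: cACertificate values on CN=NTAuthCertificates.
    #    Autoenrollment (certutil -pulse / group policy) copies these to each member's local store.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $adThumbprints = foreach ($blob in $ntAuth.psbase.Properties['cACertificate']) {
        $c = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList (,[byte[]]$blob)   # comma keeps the byte[] as one argument
        $c.Thumbprint
    }

    # 2. Local enterprise NTAuth store (what "certutil -enterprise -addstore NTAuth" writes to).
    #    This is the store the CA's policy provider consults when it checks a signing certificate.
    $localKey = "HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates\$($ca.Thumbprint)"

    [pscustomobject]@{
        Subject       = $ca.Subject
        Thumbprint    = $ca.Thumbprint
        InAdNtAuth    = ($adThumbprints -contains $ca.Thumbprint)
        InLocalNtAuth = (Test-Path -Path $localKey)
    }
}

# Placeholder path; a False in either column on a CA host is consistent with
# CERT_E_UNTRUSTEDCA (0x800b0112) on requests whose signing cert chains to this CA.
$result = Test-NtAuthTrust -CaCertPath 'C:\temp\CaCertificate.cer'
$result | Format-List
if (-not $result.InAdNtAuth) {
    Write-Warning 'Not in AD NTAuth. Publish with: certutil -dspublish -f CaCertificate.cer NTAuthCA'
}
if (-not $result.InLocalNtAuth) {
    Write-Warning 'Not in local NTAuth. Refresh with: certutil -pulse (or certutil -enterprise -addstore NTAuth CaCertificate.cer)'
}
```

Running it on the Intermediary CA before and after the certutil step shows the local column flipping, which is the difference the policy provider sees.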