Hello,
I'm facing a problem while trying to install a 3rd-party digital certificate on a Windows 2008 Domain Controller.
Basically, I'm following this TechNet article:
http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx
1) I did create the file Reqdccert.vbs on the Domain Controller
2) then I did generate the inf file
cscript reqdccert.vbs DomainController E
3) and then I generated a certificate request
certreq -new AD.inf AD.req
4) also I've imported RootCA and SubCA into the Certificate Store of the DC
5) I got a signed certificate from our 3rd-party CA running on Windows 2000
6) when importing the certificate I get the error below:
C:\>certreq -ACCEPT ad.p7c
Certificate Request Processor: The signature of the certificate cannot be verified. 0x80096004 (-2146869244)
Here is the verbose log from CAPI2:
+ System- Provider
[ Name] Microsoft-Windows-CAPI2
[ Guid] {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
EventID 11
Version 0
Level 2
Task 11
Opcode 2
Keywords 0x4000000000000003
- TimeCreated
[ SystemTime] 2014-06-13T09:33:02.604870500Z
EventRecordID 304
Correlation
- Execution
[ ProcessID] 1700
[ ThreadID] 3032
Channel Microsoft-Windows-CAPI2/Operational
Computer ad.eac.igs
- Security
[ UserID] S-1-5-21-4171312682-976198474-2692596432-500
- UserData
- CertGetCertificateChain
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- AdditionalStore
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
ExtendedKeyUsage
- Flags
[ value] 0
- ChainEngineInfo
[ context] user
- AdditionalInfo
- NetworkConnectivityStatus
[ value] 1
[ _SENSAPI_NETWORK_ALIVE_LAN] true
- CertificateChain
[ chainRef] {0B005F9F-F15B-4FE2-A630-7BBEE6AB5C0A}
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 0
- ChainElement
- Certificate
[ fileRef] 4DA02894B4AFB76F8D6B8722A96A3444041573C6.cer
[ subjectName] ad.eac.com
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.11
[ hashName] SHA256
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 8
[ CERT_TRUST_IS_NOT_SIGNATURE_VALID] true
- InfoStatus
[ value] 4
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
- ApplicationUsage
- Usage
[ oid] 1.3.6.1.5.5.7.3.1
[ name] Server Authentication
- Usage
[ oid] 1.3.6.1.5.5.7.3.2
[ name] Client Authentication
- Usage
[ oid] 1.3.6.1.4.1.311.20.2.2
[ name] Smart Card Logon
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 691847ADD248AEB8579462249B063A1555716B21.cer
[ subjectName] SubCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 101
[ CERT_TRUST_HAS_EXACT_MATCH_ISSUER] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
IssuanceUsage
- ChainElement
- Certificate
[ fileRef] 0175DDA12776ED8CA4657E921E9AE3C6B0698F71.cer
[ subjectName] RootCA
- SignatureAlgorithm
[ oid] 1.2.840.113549.1.1.5
[ hashName] SHA1
[ publicKeyName] RSA
- PublicKeyAlgorithm
[ oid] 1.2.840.113549.1.1.1
[ publicKeyName] RSA
[ publicKeyLength] 2048
- TrustStatus
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 10C
[ CERT_TRUST_HAS_NAME_MATCH_ISSUER] true
[ CERT_TRUST_IS_SELF_SIGNED] true
[ CERT_TRUST_HAS_PREFERRED_ISSUER] true
- ApplicationUsage
[ any] true
- IssuanceUsage
[ any] true
- EventAuxInfo
[ ProcessName] certreq.exe
[ startTime] 2014-06-13T09:32:53.369Z
[ endTime] 2014-06-13T09:33:02.604Z
[ duration] PT9.232850S
- CorrelationAuxInfo
[ TaskId] {A8DC7725-FEE9-4E09-905A-FEFF7FAE9B8B}
[ SeqNumber] 27
- Result The signature of the certificate cannot be verified.
[ value] 80096004
Any idea what the problem is?
Thanks in advance,
Davide.
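
Added example, not part of the original post: a small parser that splits a CAPI2 `CertGetCertificateChain` event into its ChainElement records and decodes the hexadecimal `ErrorStatus` and `InfoStatus` values into the `CERT_TRUST_*` flag names from wincrypt.h, so the failing element is easy to spot. The function names `decode` and `parse_chain` are hypothetical, and the sample text is constructed by abridging the log in the post.

```python
import re

ERROR_BITS = {  # dwErrorStatus bits from wincrypt.h (common subset)
    0x01: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x04: "CERT_TRUST_IS_REVOKED",
    0x08: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
}
INFO_BITS = {  # dwInfoStatus bits from wincrypt.h
    0x001: "CERT_TRUST_HAS_EXACT_MATCH_ISSUER",
    0x002: "CERT_TRUST_HAS_KEY_MATCH_ISSUER",
    0x004: "CERT_TRUST_HAS_NAME_MATCH_ISSUER",
    0x008: "CERT_TRUST_IS_SELF_SIGNED",
    0x100: "CERT_TRUST_HAS_PREFERRED_ISSUER",
}
# Constructed sample: the three ChainElement records of the log above, abridged.
SAMPLE = """\
- ChainElement
[ subjectName] ad.eac.com
- ErrorStatus
[ value] 8
- InfoStatus
[ value] 4
- ChainElement
[ subjectName] SubCA
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 101
- ChainElement
[ subjectName] RootCA
- ErrorStatus
[ value] 0
- InfoStatus
[ value] 10C
"""

def decode(mask, table):
    names = [n for bit, n in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)  # keep bits the table does not name
    return names + ([f"UNKNOWN_0x{unknown:X}"] if unknown else [])

def parse_chain(text):
    out = []  # (subject, error flags, info flags) per element, leaf first
    for blk in re.split(r"(?m)^- ChainElement\s*$", text)[1:]:
        subject = re.search(r"\[ subjectName\]\s*(\S+)", blk).group(1)
        err, info = (int(re.search(k + r"\s+\[ value\]\s*(\w+)", blk).group(1), 16)
                     for k in ("- ErrorStatus", "- InfoStatus"))
        out.append((subject, decode(err, ERROR_BITS), decode(info, INFO_BITS)))
    return out
```

`parse_chain(SAMPLE)` returns the elements in chain order; in this sample only the `ad.eac.com` element carries an error flag, while SubCA and RootCA report none.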