question

AaradhyaChauhan avatar image
0 Votes"
AaradhyaChauhan asked Reza-Ameri commented

Windows Server 2019: Cannot add my Intermediate/Root CA in AD CS

I created a CA in openssl and all the infrastructure operations take place through the same. I created a .p12 file to import the CA in the newly installed Active Directory Certificate Services (AD CS), as a Standalone CA. Tried importing that PFX in both the cases but although in the initial steps when i typed the import password, it accepted the CA. But, when I proceeded to the final step of importing the CA, it gave an empty error box. Not error codes, just a blank box. Please help me in troubleshooting and fixing the issue.

windows-server-security
· 6
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Reza-Ameri avatar image Reza-Ameri ·

Would you mind take a screenshot and post it here?
Have you tried insert a different certificate to verify if problem persist?
Try remove the ADCS role and restart your Server and then add it again and see if the problem persist?

0 Votes 0 ·
AaradhyaChauhan avatar image AaradhyaChauhan Reza-Ameri ·

Sure... Here it is:80265-capture.png



*btw i tried all those things. It is not accepting any certificates and private key unless you create a new one on the server itself, which is impossible to do in my case, as it will break the trust anchor.

0 Votes 0 ·
capture.png (50.2 KiB)
Crypt32 avatar image Crypt32 ·

what is the point in generating certs in OpenSSL and then importing to ADCS CA?
it would be better if you could post the dump of the certificate: certutil -dump cacert.pfx, enter PFX password when prompted and post the output here.

0 Votes 0 ·
AaradhyaChauhan avatar image AaradhyaChauhan Crypt32 ·

The CA I generated dates back a year. I just tried to make the issuance easier by now importing the CA in AD CS. I cannot afford to create a new CA in AD CS and need to import it only. If you have any solution regarding the same, I'd be grateful to you. :)

Attaching both the dump results for my subordinate CA below


<Removed for Privacy>

0 Votes 0 ·
Crypt32 avatar image Crypt32 AaradhyaChauhan ·

ok, now show please certutil -v -dump signingca.p12. The output will be more verbose.

0 Votes 0 ·
Reza-Ameri avatar image Reza-Ameri AaradhyaChauhan ·

This is a public forum and please do not share anything containing personal information for privacy reason.

0 Votes 0 ·

1 Answer

Reza-Ameri avatar image
0 Votes"
Reza-Ameri answered Reza-Ameri commented

From your screenshot, I believe this is a bug, try use a Windows 10 device and open the Feedback Hub app and under the category select Windows Server and there file a bug report and explain your issue and you may attach all log files, screenshots and other relevant issues so Windows Server team would be able to investigate. Make sure do not share private and personal information and just share necessary log files and hide personal information.

· 3
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AaradhyaChauhan avatar image AaradhyaChauhan ·

Thanks, I will do the same!

0 Votes 0 ·
Crypt32 avatar image Crypt32 ·

This doesn't really answer the question. Empty message box is least issue here, but actual issue is not solved.

0 Votes 0 ·
Reza-Ameri avatar image Reza-Ameri Crypt32 ·

The main issue was the empty message box which is something need to be investigated with the Windows Server team. The issue you discussed is different issue and in case you have any other problem, please create a new question.

0 Votes 0 ·