I have an environment based on a 2-tier PKI.
Both servers belong to the domain.
The PKI has been running for many years and has survived 2 migrations from level 2003, through 2008 R2 to 2012 R2.
The SubCA is about to expire, and when I try to renew it I get an error that the SubCA certificate is not a CA certificate.
Indeed, the Basic Constraints type tag is not enabled in the query. So then the certificate does not have this entry.
I have reinstalled SubCA, trying to add another new one using CAPolicy.inf. Unfortunately without success.
Does anyone have an idea?