I have an offline root CA and an enterprise issuing CA. I created a req from the issuing CA and issued a cert with it on the offline root CA. When I try to install the cert on the issuing CA with the Certification Authority snap-in, I get the following error:

Cannot verify certificate chain. Do you wish to ignore the error and continue? The signature of the certificate can not be verified. 0x80096004 (-214689244)

Any idea?

Hauke Laging
Peter
  • Is the root CA part of the CA pool on the intermediate CA system? – Hauke Laging Apr 26 '20 at 14:51
  • Root CA is standalone 2008 Standard Server (Work-group) and not part of CA Pool. – Peter Apr 26 '20 at 15:17
  • If it is not part of the CA pool, how should the signature be verified? So add it to the pool. – Hauke Laging Apr 26 '20 at 15:18
  • How can I do that? – Peter Apr 26 '20 at 15:36
  • I have no idea. You should have made this a Windows question. – Hauke Laging Apr 26 '20 at 15:48
  • I’m voting to close this question because dead end of life operating system. – Greg Askew Apr 26 '20 at 16:02
  • @HaukeLaging you are posting totally irrelevant and misleading comments. How is CA Pool (I have no idea what it is) related to the question? – Crypt32 Apr 27 '20 at 05:57
  • @Peter what OS runs your Enterprise CA? Can you post `certutil -verify cacert.cer` command output? – Crypt32 Apr 27 '20 at 06:03
  • @Crypt32 Impressive that you know my comment is "totally irrelevant and misleading" if you do not even get (in contrast to the OP!) what I mean by CA pool. Next time you don't understand something, ask before you insult someone. Not interested in explaining anything to you. – Hauke Laging Apr 27 '20 at 08:14
  • @HaukeLaging Impressive is that you can't figure that the question is related to Windows CA (there are 3 clues that indicate Windows CA) where there is no such term `CA pool`. Thus, your statements are still irrelevant (no 'CA pool' term in question's context) and misleading (OP will break his head to find CA Pool there and fail eventually). Thanks for your attention. – Crypt32 Apr 27 '20 at 08:28

1 Answer

It looks like you didn't install the root certificate in the server's 'Trusted Root Certification Authorities' store. When you try to import the signed certificate, it cannot verify the chain as trusted, and the import fails.

Open MMC - Add/Remove Snap-in - Certificates - Local Machine, and import the root certificate into the 'Trusted Root Certification Authorities' store.

CryptoDan
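The store import described in the answer above, scripted from an elevated PowerShell prompt on the issuing CA with the .NET certificate classes, followed by a chain build that shows whether the failure is an untrusted root or a genuinely invalid signature. This is an added example, not part of the original answer; both file paths are assumed placeholders.

```powershell
# Assumed placeholder paths: the offline root's certificate and the newly issued CA certificate.
$RootCertPath   = 'C:\temp\rootca.cer'
$IssuedCertPath = 'C:\temp\issuingca.cer'

$x509   = 'System.Security.Cryptography.X509Certificates'
$root   = New-Object "$x509.X509Certificate2" $RootCertPath
$issued = New-Object "$x509.X509Certificate2" $IssuedCertPath

# Refuse to trust the file unless it is self-signed (a root) and is the
# issuer named in the new CA certificate.
if ($root.Subject -ne $root.Issuer)   { throw "Not a self-signed root: $($root.Subject)" }
if ($issued.Issuer -ne $root.Subject) { throw "Issued cert names another issuer: $($issued.Issuer)" }

# Compare this value with the thumbprint read on the offline root CA itself
# before the certificate is added to a trust store.
Write-Host "Root thumbprint: $($root.Thumbprint)"

# Add the root to LocalMachine\Root (Trusted Root Certification Authorities) if missing.
$store = New-Object "$x509.X509Store" ('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $present) { $store.Add($root) }
} finally {
    $store.Close()
}

# Rebuild the chain in the machine context. Revocation is skipped here so the
# result reflects only the trust and signature checks.
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($issued)

if ($ok) {
    Write-Host 'Chain builds to a trusted root.'
} else {
    # UntrustedRoot    -> the root is still not in the machine store.
    # NotSignatureValid -> the certificate was not signed by this root's key.
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

If the chain status still reports `NotSignatureValid` after the import, the root file does not match the key that signed the issued certificate, and adding it to the store will not resolve the error.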