I set up a fresh 2-tier PKI to try to replace an old broken PKI whose CA was no longer available. Everything seems to be working between the offline root and online issuing CAs, but now I'm trying to move my DCs' Domain Controller certs from the old dead CA to the new PKI and getting an error. When I try to manually request on a DC with a new key, I get:
STATUS: Request denied
A certificate's basic constraint has not been observed.
I'm still new to ADCS, so I'm not sure how to troubleshoot this further, but looking at the failed request's properties for basic constraints, it shows:
Subject Type=End Entity
Path Length Constraint=None
And for the issuing CA's cert it shows:
Subject Type=CA
Path Length Constraint=0
How can I debug this further to see what constraint is failing and where? Servers are Windows 2012.
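One way to see which constraint the chain engine trips on, as an added example that is not part of the original post: build the chain for a certificate with .NET's X509Chain and compare each CA's Basic Constraints path length with the number of CA certificates actually sitting below it. The export path is a hypothetical placeholder; it assumes the root CA certificate is already in the local trusted store.

```powershell
# Added example, not from the original post: walk a certificate chain and check
# each CA's Basic Constraints path length against the CAs actually beneath it.
# Assumptions: the certificate to start from (the issuing CA cert, or a DC cert
# issued by it) is exported to the .cer path below (hypothetical), and the root
# CA certificate is installed in the local trusted root store.
param(
    [string]$CertPath = 'C:\temp\IssuingCA.cer'   # hypothetical export path
)

$start = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation checking; the goal here is to isolate basic-constraint problems.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($start)

# Report every status flag the chain engine raised (InvalidBasicConstraints, PartialChain, ...).
$chain.ChainStatus | ForEach-Object {
    Write-Output ("Chain status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
}

# ChainElements[0] is the starting certificate; the last element is the root.
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$subCAsBelow = 0
for ($i = 0; $i -lt $elements.Count; $i++) {
    $cert = $elements[$i]
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    } | Select-Object -First 1

    $isCA = ($null -ne $bc) -and $bc.CertificateAuthority
    $pathLen = if ($isCA -and $bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'None' }

    # A CA with pathLenConstraint N may have at most N CA certificates beneath it
    # in the path; end-entity certificates do not count against it.
    $violates = $isCA -and $bc.HasPathLengthConstraint -and ($bc.PathLengthConstraint -lt $subCAsBelow)

    [PSCustomObject]@{
        Depth      = $i
        Subject    = $cert.Subject
        IsCA       = $isCA
        PathLength = $pathLen
        CAsBelow   = $subCAsBelow
        Violation  = $violates
    }

    if ($isCA) { $subCAsBelow++ }
}
```

A row with Violation set to True points at the CA whose path length is too small for the chain below it; running it once against the issuing CA cert and once against a DC cert shows whether the problem sits above or below the issuing CA.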