2 tier CA hierarchy, enterprise issuing cert not published
Hi All, Hopefully this will be somewhat straightforward. I have created a win 2k8 enterprise root server to be my offline root. I built a second issueCA1 server also on win 2k8 enterprise. I made this a subordinate, enterprise CA. All of that seems to have gone pretty well; I was able to request, approve and install the subCA cert, and on the issuing CA I was able to request a web server cert, approve and install it. I can see that the Root certificate has been added to the trusted authorities for my domain. However, when I go to the https site on the server, I get a cert error saying that 'This certificate cannot be verified up to a trusted certification authority'. The certificate path shows my cert and my issuer. Both say the certificate is OK. My issuingCA cert says it was provisioned by my RootCA but does not show that root in the certification path. I found a note here: http://technet.microsoft.com/en-us/library/cc737481(WS.10).aspx
that says
Caution: You must not publish subordinate (or intermediate) CA certificates through either the trusted root certification authorities in Group Policy or an enterprise trust. If a subordinate CA certificate is part of this list of certificates that is published with Group Policies, a Windows client will not build a certificate chain correctly.
Note that this is for Windows 2003. I am only assuming it still applies.
When I look at my issuing CA I see:
Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=IssuingCA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=SNIP,DC=SNIP?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
The command fails but the suggestion seems to contradict the note above.
So I am left with a root certificate for my standalone root in my domain, a subordinate issuing enterprise server that seems to not be able to issue valid certs, and a bit of confusion. Can anybody point out my error here? Should the standalone root or the enterprise root (which is sub to the standalone root) be in the trusted cert authority?
Thanks for your time
ej
July 8th, 2009 8:30pm
OK, this all came back to the fact that my root CA was not actually being published. What I thought was my root CA in the trusted root auths was actually something another admin had put in in an old, failed PKI attempt. It just happened to be named exactly the same as my new one. I finally realized my dates didn't match and the rest fell into place. I would note the fantastic walk through here: http://www.corelan.be:8800/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/
July 10th, 2009 5:08pm
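The same-name, wrong-root mistake described in the answer can be caught by comparing certificates by key identifier and validity dates instead of by display name. The following PowerShell check is an added example, not from the thread or from Microsoft; it assumes the issuing CA certificate has been exported to the placeholder path below and runs on the machine whose Trusted Root store is in question.

```powershell
# Added example: find the root cert(s) in the machine Trusted Root store that carry the issuing CA's
# issuer name, and report which one (if any) actually holds the key the issuing CA cert was signed with.
param(
    [string]$IssuingCaCertPath = "C:\Temp\IssuingCA1.cer"   # placeholder path; point it at your exported cert
)

# Pull a key identifier (SKI 2.5.29.14 or AKI 2.5.29.35) out of a certificate as an uppercase hex string.
function Get-KeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return $null }
    $text = $ext.Format($false)                      # AKI renders as "KeyID=ab cd ...", SKI as "ab cd ..."
    $part = $text -split ',\s*' | Where-Object { $_ -like 'KeyID=*' } | Select-Object -First 1
    if (-not $part) { $part = $text }
    return (($part -replace '^KeyID=', '') -replace '[^0-9a-fA-F]', '').ToUpper()
}

$issuing   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuingCaCertPath
$wantedAki = Get-KeyId $issuing '2.5.29.35'
"Issuing CA '$($issuing.Subject)' expects a root with SKI $wantedAki"

# Every root whose Subject matches the issuing cert's Issuer: a stale duplicate will show up here too.
$candidates = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $issuing.Issuer }
if (-not $candidates) { "No root in LocalMachine\Root has Subject '$($issuing.Issuer)'" }
foreach ($root in $candidates) {
    $ski  = Get-KeyId $root '2.5.29.14'
    $note = if ($ski -eq $wantedAki) { 'MATCHES issuing CA (correct root)' } else { 'does NOT match (old/duplicate root?)' }
    "{0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}  {3}" -f $root.Thumbprint, $root.NotBefore, $root.NotAfter, $note
}

# Let Windows build the chain itself and surface the exact status (e.g. PartialChain / UntrustedRoot).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # isolate the trust question from CRL reachability
$built = $chain.Build($issuing)
"Chain builds to a trusted root: $built"
$chain.ChainStatus   | ForEach-Object { "  status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim() }
$chain.ChainElements | ForEach-Object { "  -> {0} [{1}]" -f $_.Certificate.Subject, $_.Certificate.Thumbprint }
```

A root that prints "does NOT match" with dates different from your new root is the leftover certificate to remove before publishing the real one with certutil -dspublish.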