We have an OpenSSL offline root CA with a Windows 2008 R2 AD-integrated SubCA.
The OpenSSL root CA was published to LDAP at

    CN=ROOTCANAME,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN

using

    certutil -dspublish -f root.cer RootCA

Everything works OK, except for one thing. So far two clients (both XP) have shown up which did not import the root CA cert into the Trusted Enterprise Root Certification Authorities store.
On my working workstation, I get the following output:
    C:\>certutil -store -enterprise root
    402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
    ================ Certificate 0 ================
    Serial Number: f818516373f917e8
    Issuer: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
    Subject: E=hostmaster@DOMAIN, CN=ROOTCA, O=Organisation, L=Location, S=State, C=DE
    Signature matches Public Key
    Root Certificate: Subject matches Issuer
    Cert Hash(sha1): a6 ed 80 59 04 80 c7 1f 4e cb aa e1 8d e7 77 4a 2a 98 43 97
    No key provider information
    No stored keyset property
    CertUtil: -store command completed successfully.
On a workstation which does not import the root CA cert, the output is:

    C:\>certutil -store -enterprise root
    CertUtil: -store command completed successfully.

This is the case even after importing the certificate manually. This particular machine was even rejoined to the domain, to no avail.
Questions now are:
"I prefer to not use a group policy for simple distribution..."
Why not? That is exactly what GP was designed for: to distribute common settings/configuration to domain PCs. Just import the root cert into a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
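As an added diagnostic for both the question (root published to AD with certutil -dspublish, but absent from the client's Enterprise store) and the answer above (deliver it via GPO instead), the following PowerShell script is not from the original post or either answer. It reads the cACertificate blobs from the published AD object, then checks the client's three root-store registry locations separately, so you can see whether the certificate arrived via autoenrollment (Enterprise), via Group Policy, or only by manual import. Assumptions not stated on the page: the script runs as a local administrator on the client being diagnosed, the client can reach a domain controller over LDAP, and the parameter value ROOTCANAME matches the CN of the object under "Certification Authorities". The `certutil -store -enterprise root` output in the question comes from the same Enterprise store this script reads from the registry.

```powershell
# Added example, not code from the original post. Compares the root CA
# certificate published in AD against the client's local root stores.
# Assumption (not from the page): run elevated on the client; LDAP to a DC works.
param(
    [string]$CaObjectName = 'ROOTCANAME'   # CN under "CN=Certification Authorities" (assumed name)
)

Add-Type -AssemblyName System.Security

# 1. Fetch every cACertificate value from the AD object that certutil -dspublish created.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$CaObjectName,CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"
$caObject = [ADSI]"LDAP://$dn"

$published = @()
try {
    foreach ($der in $caObject.Properties['cACertificate']) {
        # Each value is a DER-encoded certificate; wrap it in an X509Certificate2 to get the SHA-1 thumbprint.
        $published += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    }
} catch {
    throw "Could not read cACertificate from $dn : $($_.Exception.Message)"
}
if ($published.Count -eq 0) { throw "No cACertificate values found on $dn" }

# 2. The logical Root store merges three physical stores. Reading the registry
#    paths individually shows which delivery channel actually worked.
$storePaths = @{
    'Enterprise'   = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'   # AD autoenrollment
    'GroupPolicy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates' # GPO Trusted Root CAs
    'LocalMachine' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'         # manual import
}

function Get-StoreThumbprints([string]$path) {
    if (-not (Test-Path $path)) { return @() }
    # Each subkey is named after the SHA-1 thumbprint of the certificate it holds.
    Get-ChildItem $path | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}

$local = @{}
foreach ($name in $storePaths.Keys) { $local[$name] = @(Get-StoreThumbprints $storePaths[$name]) }

# 3. For each published root, report where it is present and where it is missing.
foreach ($cert in $published) {
    $tp = $cert.Thumbprint.ToUpperInvariant()
    Write-Host ("Published root: {0}  SHA1={1}  NotAfter={2}" -f $cert.Subject, $tp, $cert.NotAfter)
    foreach ($name in $storePaths.Keys) {
        $present = $local[$name] -contains $tp
        Write-Host ("  {0,-12} {1}" -f $name, $(if ($present) { 'present' } else { 'MISSING' }))
    }
    if (-not ($local['Enterprise'] -contains $tp)) {
        Write-Warning "Not in the Enterprise store: autoenrollment has not pulled this root from AD on this client."
        Write-Warning "Either fix autoenrollment here, or publish the root through a GPO so it lands in the GroupPolicy store."
    }
}
```

A client that shows the root only under LocalMachine is the manual-import case from the question; one that shows it under Enterprise confirms the dspublish path is working on that machine; one that shows it under GroupPolicy confirms the GPO route suggested above. Comparing a working and a failing workstation side by side with this output isolates the problem to the delivery channel rather than to the certificate itself.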
A few things to check:
HKLM\Software\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache, then re-run autoenroll with