
IIS8 / SCCM2012: Error 403.16 - again...


Hi everyone,

Banging my head against this one for literally weeks, so hoping for some insight from the community. Here goes:

  • Enterprise Root CA (Windows Server 2008R2), CA cert is valid until 2024
  • Subordinate CA (Windows Server 2008 R2), cert gets renewed every year, the current one is valid until mid-September 2013, it is the 3rd one
  • Both CAs are rolled out via GPO: The Root CA into Trusted Root CAs, the subordinate into Intermediate CAs on every machine in the domain
  • CRLs are accessible both by LDAP and HTTP; the Subordinate CA's CRL is empty (but has a current time stamp)
  • Cert templates are done by the book: SCCM Web Server template duplicated from the original Web Server template, 2003 level, no Autoenrollment, Subject Name in request, SCCM Client template duplicated from the original Workstation template, 2003 level, Autoenrollment enabled.
  • The machine gets a client cert by Autoenrollment
  • I can request and obtain a web server cert with (Subject Name = "", SAN1 = "DNS=internal.dns.name", SAN2 = "DNS=NETBIOSNAME", SAN3 = "DNS=external.dns.name")
  • Those two are the only certs in the computer's personal store
  • both certs report certificate chains validated all the way up to the Root CA
  • client cert CRL checking is disabled using netsh commands (however, after running them, Store Name shows (null) where it showed My before deleting and re-adding)
  • On importing the client cert in IE and calling the URL manually, I get an error page telling me there is an Error 0x800b0109 which, as far as I can tell, amounts to untrusted root... which is trusted, both MMC Certificates Snap-In and SSLDiag tell me so :-(

=========================================

All that done, I still get 403.16 in the IIS logs every time the computer attempts to call itself via HTTPS (no other errors there) and the Management Point fails to initialize. I have re-requested and re-issued both certificates several times.

What can I do to diagnose this any further?

Many thanks in advance,

Evgenij Smirnov
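
A diagnostic sketch for the setup described in the post above, added here and not part of the original post. It rebuilds the chain for each certificate in the computer's personal store in machine context with revocation checking off, lists any Trusted Root CAs entry that is not self-signed, and dumps the HTTP.sys bindings. Assumption: on IIS 8 a non-self-signed certificate in the Trusted Root store can produce 403.16 even when the MMC snap-in reports the chain as valid.

```powershell
# Added example: run in an elevated PowerShell session on the site server.
# My and Root are the standard LocalMachine store names.

$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Rebuild the chain for every certificate in the computer's personal store,
#    using the machine context (the one IIS uses) and no revocation check.
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ok = $chain.Build($cert)
    # The web server cert in the post has an empty subject, so show the thumbprint too.
    "{0}  [{1}]  chain valid: {2}" -f $cert.Thumbprint, $cert.Subject, $ok
    foreach ($element in $chain.ChainElements) {
        "    {0}" -f $element.Certificate.Subject
        foreach ($status in $element.ChainElementStatus) {
            "        {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
        }
    }
    $chain.Reset()
}

# 2. List Trusted Root CAs entries whose issuer differs from their subject.
#    A root store should hold only self-signed certificates; a subordinate CA
#    certificate belongs in Intermediate CAs (Cert:\LocalMachine\CA).
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Issuer -ne $_.Subject } |
    Format-List Subject, Issuer, Thumbprint, NotAfter

# 3. Show the HTTP.sys SSL bindings, including the certificate store name and
#    the client certificate revocation setting changed with netsh.
netsh http show sslcert
```

An empty result from step 2 rules out that cause; any certificate it lists is a candidate to move out of the root store.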

