If you use an intermediate certificate authority on sfo01.rainpole.local as the certificate signer, the CertGenVVD utility retrieves only the intermediate CA certificate in Base 64 format from the Microsoft CA. You must create a certificate chain file that also includes the root CA certificate.
- Log in to the site for certificate request on the sfo01.rainpole.local AD server.
  - Open a Web browser and go to https://dc01sfo.sfo01.rainpole.local/certsrv.
  - Log in using the following credentials.
- Download and export the certificates of the intermediate and root CAs.
  - Click Download a CA certificate, certificate chain, or CRL.
  - Select Current [sfo01-DC01SFO-CA] in the CA certificate list, select Base 64 and click Download CA certificate chain.
  - Save the file as chainroot.p7b.
  - Open chainroot.p7b.
    The certmgr utility appears.
  - Navigate to the Certificates folder.
  - Right-click sfo01-DC01SFO-CA and select .
    The Certificate Export Wizard appears.
  - On the Welcome page, click Next.
  - Select Base-64 encoded X.509 (.CER) and click Next.
  - On the File to Export page, browse to C:\CertGenVVD-version\SignedByMSCACerts\sfo01-intermediate-ca.cer, click Next and click Finish.
  - Click OK when you see a message about successful export.
  - In the certmgr utility, right-click rainpole-DC01RPL-CA and select and repeat the steps to save the rainpole.local root CA certificate as C:\CertGenVVD-version\SignedByMSCACerts\rainpole-root-ca.cer.
- Create the chainRoot64.cer file that includes both root and intermediate CA certificates.
  - Open rainpole-root-ca.cer in a text editor.
  - Copy the entire content and close the file.
  - Open sfo01-intermediate-ca.cer in a text editor, press Enter to insert a new line at the end of the file, and paste the rainpole-root-ca.cer content.
  - Save the file as chainRoot64.cer in C:\CertGenVVD-version\SignedByMSCACerts\.
  - Close all files.
  - Verify that the new file C:\CertGenVVD-version\SignedByMSCACerts\chainRoot64.cer exists and contains the content of both sfo01-intermediate-ca.cer and rainpole-root-ca.cer.
- Refresh all MSCA-signed certificates with the new intermediate and root CAs.
  - Open the C:\CertGenVVD-version folder.
  - Make a copy of the SignedByMSCACerts folder and name it SignedByMSCACerts-backup.
  - Rename the SignedByMSCACerts folder to CSRCerts.
  - Open the C:\CSRCerts\RootCA\ folder.
  - Delete the Root64.cer file.
  - Create a copy of chainRoot64.cer as Root64.cer.
  - Open a Windows PowerShell prompt and navigate to the CertGenVVD folder.
  - Run the following command to regenerate all certificate files and packages using the new Root64.cer.
    .\CertGenVVD-version.ps1 -CSR -extra
  - Rename the CSRCerts folder back to SignedByMSCACerts.
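As an added example (not part of the VMware procedure or of the CertGenVVD utility), the following Python builds chainRoot64.cer the way the chain-creation steps describe, intermediate certificate first and root second with a line break between them, and performs the verification step programmatically, rejecting a file in which the END and BEGIN markers were fused because the Enter step was skipped. The certificate bodies are constructed placeholders, not real certificates; the file names appear only inside that placeholder text.

```python
import base64
import textwrap

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_blocks(text):
    """Base64 body of each CERTIFICATE block, in file order. Markers must be on
    their own line, so END and BEGIN fused onto one line are not split into two."""
    blocks, body, inside = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END:
            if not inside:
                raise ValueError("END marker without BEGIN")
            blocks.append("".join(body))
            inside = False
        elif inside and line:
            body.append(line)
    if inside:
        raise ValueError("unterminated certificate block")
    return blocks

def build_chain(intermediate_pem, root_pem):
    """Intermediate first, then root, with a guaranteed line break between
    them (the 'press Enter before pasting' step of the procedure)."""
    if len(pem_blocks(intermediate_pem)) != 1 or len(pem_blocks(root_pem)) != 1:
        raise ValueError("each input file must hold exactly one certificate")
    return intermediate_pem.strip("\r\n") + "\n" + root_pem.strip("\r\n") + "\n"

def verify_chain(chain_pem, intermediate_pem, root_pem):
    """True only if the chain holds exactly the intermediate block then the
    root block and every body decodes as base64 (a mangled paste fails here)."""
    try:
        blocks = pem_blocks(chain_pem)
        for body in blocks:
            base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return blocks == pem_blocks(intermediate_pem) + pem_blocks(root_pem)

def constructed_pem(payload):
    """Constructed stand-in for an exported .cer: base64 of arbitrary bytes, not a real certificate."""
    b64 = base64.b64encode(payload).decode()
    return "\n".join([BEGIN, *textwrap.wrap(b64, 64), END]) + "\n"

INTERMEDIATE = constructed_pem(b"constructed sfo01-intermediate-ca.cer placeholder")
ROOT = constructed_pem(b"constructed rainpole-root-ca.cer placeholder")
```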