<div dir="ltr">Jason,<div><br></div><div>That first screen shot, can you repeat it with the Certification Path tab selected?</div><div><br></div><div>Assuming they are using Microsoft CA, the <span style="font-family:Calibri,sans-serif;font-size:15px"> </span><span style="font-family:Calibri,sans-serif;font-size:15px">“Private RootCA” is automatically published to every joined computer in the domain. Every computer that has the </span><span style="font-family:Calibri,sans-serif;font-size:15px"> </span><span style="font-family:Calibri,sans-serif;font-size:15px">“Private RootCA” cert, will automatically trust any certificate issued by that CA. The certificates published by that CA do not need to go into active directory, nor do they need to be pushed to every client.</span><br>
</div><div><span style="font-family:Calibri,sans-serif;font-size:15px"><br></span></div><div><span style="font-family:Calibri,sans-serif;font-size:15px">From the limited information you have, I'm guessing.</span></div>
<div><span style="font-family:Calibri,sans-serif;font-size:15px">either the </span><span style="font-family:Calibri,sans-serif;font-size:15px"> </span><span style="font-family:Calibri,sans-serif;font-size:15px">“Private RootCA” they signed your cert with is not the </span><span style="font-family:Calibri,sans-serif;font-size:15px"> </span><span style="font-family:Calibri,sans-serif;font-size:15px">“Private RootCA” they have published in Active Directory</span></div>
<div><span style="font-family:Calibri,sans-serif;font-size:15px">or, the </span><span style="font-family:Calibri,sans-serif;font-size:15px"> </span><span style="font-family:Calibri,sans-serif;font-size:15px">“Private RootCA”is not being published by </span><span style="font-family:Calibri,sans-serif;font-size:15px"> Active Directory.</span></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jun 10, 2014 at 8:27 PM, Jason Aarons (AM) <span dir="ltr"><<a href="mailto:jason.aarons@dimensiondata.com" target="_blank">jason.aarons@dimensiondata.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal">Is anyone a guru at Microsoft PKI in a Windows Domain and Pushing certs via GPO?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">A customer signed a CallManager Server Certificate with their Private Domain Root CA. They send me back the tomcat.cer and other need .cer and the DomainRootCa.cer that chains them up. I installed them all fine.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">After that I go to any server webpage and I get a warning error in both IE and Firefox and application that it’s not trusted.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Does the server certificates he signed need to get pushed to all the Windows 7 PCs via GPO ? All the PCs supposedly already have the “Private RootCA” but we didn’t push anything else in AD.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">If I manually install his Private Domain Root CA into Windows 7 corporate image the problem goes away and it chains up. In short the chaining up failing but I’m not clear why.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Example screen shots <u></u><u></u></p>
<p class="MsoNormal">Jabber client message after clicking on show;<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img width="401" height="484" src="cid:image001.png@01CF84E9.97F58490"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><a href="https://servername.fqnd.com" target="_blank">https://servername.fqnd.com</a> for IMP<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img border="0" width="668" height="495" src="cid:image002.png@01CF84EA.5EE085A0"><u></u><u></u></p>
</div>
</div>
<br>_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br></blockquote></div><br></div>