When building a vanilla Windows 2019 certificate authority as a Enterprise Sub-CA after successful configuration of the certificate authority (with the normal warning about needing to sign the req) the service fails to start with error 27:
Active Directory Certificate Services did not start: Hierarchical setup is incomplete. Use the request file in C:ca-file.req to obtain a certificate for this Certificate Server, and use the Certification Authority administration tool to install the new certificate and complete the installation.
The service is stopped and therefore I cannot connect to the CA admin snap in to complete the setup and load back in the signed cert. Is this a known bug?
Thanks
Since this is subordinate Enterprise CA, it has to trust the root CA to complete the trust chain. The following is an example for a 2-tier CA architecture. Root CA type is standalone and issuing CA type is Enterprise Subordinate CA. Another important point; SubCA must access root CA CRL. The standalone root CA should publish its CRL for the first time event it has no revoked certificates. So from the standalone root CA, its certificate and CRL file should be moved to the subCA and the following commands should be executed on the SubCA to publish and trust the rootCA in Active Directory. This should clear the service start error, and you may continue the setup.
“If a CA cannot find the CRLs of its parent CA, the AD DS service (certsvc) will fail to start on the subordinate CA.”
Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831348(v=ws.11)#step-2-configure-orca1
From the same link above:
“To distribute the root CA certificate
On APP1, sign in using the User1 account, which is a member of both Domain Admins and Enterprise Admins. Open Windows PowerShell as administrator. To do so, right-click the Windows PowerShell icon and then click Run as administrator. When prompted by User Account Control, click Yes.
Insert the removable media containing the offline root CA certificate into APP1.
From Windows PowerShell change to the removable media drive using the cd command (as in run cd a: to change to the root of drive A).
From the Windows PowerShell on the removable media drive, run the following commands: certutil –dspublish –f orca1_ContosoRootCA.crt RootCA certutil –addstore –f root orca1_ContosoRootCA.crt certutil –addstore –f root ContosoRootCA.crl
Note
The first command places the root CA public certificate into the Configuration container of Active Directory. Doing so allows domain client computers to automatically trust the root CA certificate and there is no additional need to distribute that certificate in Group Policy. The second and third commands place the root CA certificate and CRL into the local store of APP1. This provides APP1 immediate trust of root CA public certificate and knowledge of the root CA CRL. APP1 could obtain the certificate from Group Policy and the CRL from the CDP location, but publishing these two items to the local store on APP1 is helpful to speed the configuration of APP1 as a subordinate CA.”