Windows 10: CA Intermediate certificate deployment in organization

Hi,what is the best practices for intermediate certificate renewal and deployment with the same key pair.required to deploy renewed intermediate certificate in organization before to install them on Issuing CA.may it correct to add new AIA location before to install on issuing CA.is it required to remove old certificate AIA location after install certificat on Issuing CA.@Maninder Singh

:)

 

6680 CA certificates

The CA certificate for SSL connections that I use is untrusted by the phone. How do I add the CA to the list of existing trusted certificates?

 

Web Client Authentication via SSL Certificate

Yes, the certificate has been loaded as a personal certificate.

We typically only use a CA and a client - no intermediate.

When I first installed the certificates, the CA cert was ok, but the client cert installed as an intermediate.

Last night I figured out that if I produce the CA and client as a pfx, the pfx will install the certs correctly - CA and Personal (with no intermediate)

My last ditch effort will be to go back and produce a CA - Intermediate - Client chain, but was really hoping I wouldn't have to do that because it will really require a complete redo of all of our certificates across the board...

Here is more detail of what's going on (just example - no secure info given here)...

Three SSLRequire parameters are validated by Apache as follows:

SSLRequire %{SSL_CLIENT_S_DN_O} eq "Our Organization"

SSLRequire %{SSL_CLIENT_S_DN_CN} eq "User Division Level"

SSLRequire %{SSL_CLIENT_S_DN_OU} eq "User Level"

The only parameter that Apache is able to validate from the device is DN_O and that is coming from the CA certificate.

DN_CN & DN_OU are contained in the user certificate but it is not able to validate those.

 

Go Daddy's intermediate CA certificate missing

An unaffected PC (Windows 10 Pro connected to AD DS domain)










Affected PCs (Windows 10 Pro standalones)













What could cause intermediate but not root CA certificates to be missing?

I've verified that local policy Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Automatic Root Certificates Update isn't configured.

I've verified that Windows service Cryptographic Services / CryptSvc is running and restarting it didn't make a difference.

I've found that no relevant events are logged, as far as I can see.

Support for urgent Trusted Root updates for Windows Root Certificate Program in Windows - Microsoft Support says:

How do you manually force an update?