Export Step CA to AD CS

[FinchRelia]

Hi,
I'd need to have an intermediate CA on a Windows Server machine that would originate from a Step Root CA so I have created a new intermediate CA on my Step server and specified to create RSA keys. Also, I specified my Windows server domain as the certificate subject. Then, I bundled the certificate with the key using step certificate p12 and exported it to the Windows Server machine. However, when I use the bundle to deploy the AD CS role I end up with an empty Windows error. I reproduced this step using Powershell and got CRYPT_E_NOT_FOUND error so I'd guess some fields of the certificates aren't "Windows-CA-friendly". I tried to import the bundle directly in my Windows certificate store which do work correctly though. Any clue?

[maraino]

Hi @FinchRelia, we don't have much ADCS experience, so I can only direct you to a thread in stackoverflow with the same error.

The most voted answer, with 1 vote, says this:

This error indicates that certreq was unable to find related request object in the Certificate Enrollment Requests node in the certificate store.
...

So I guess you need to create a certificate request in AD CS, and we need to sign it. How do you create a certificate request in AD CS, no idea, but there're results on Google about that.

After that, you will have to use step, also known as step-cli on some systems, to sign that CSR with step-ca root. Assuming you're using files for your key, the command would be something like:

step certificate sign --profile intermediate-ca adcs.csr ~/.step/certs/root_ca.crt ~/.step/secrets/root_ca_key

That will print the simplest intermediate certificate from sign by the root ca. If you need to add specific extensions, you can do it with the --template, but that's a little bit more advanced.

You can try to use that intermediate, and see if that one works.

[FinchRelia]

Hi, thanks for the suggestion! Indeed by creating the CSR in Windows Server I was able to sign it and use it as a CA certificate for ADCS