Hello. I have a problem. The root and subordinate certificate authorities had problems some years back. So we re-created a new root CA, however, it was named the same as the ORIGINAL root ca. Then made up and commissioned a new subordinate CA, This sub did NOT share the same name as the old one. The *new* root CA is not on the domain and it's powered off all the time, according to best practice. It's only job is to authenticate the *new* subordinate CA, which does all the cert work. By the way I can't seem to see any certificate authority or PKI information when I use ASDI to look at my schema. I can only see it using AD sites and services, service node, and Public Key Services. When I run pkiview . m sc on my subordinate, i gets red x on both the root and sub. Looking at the root, there's an "Error" listing the subordinate CA. The AIA location 1 and 2 and CDP Location all show as Unable to Download, even after I power up the root ca computer. The listing it's trying to pull LOOKS ok to me, but not sure why it won't react if the machine is up. Except perhaps the root ca is not joined to the domain? Anyway I think I have to sort out my pkiview being unhappy before my REAL problems which are these. The *old* root CA which expired in 2018, is present on ALL my domain joined machines, because it was IN the pki architecture back when it was made. the *new* root ca is nowhere to be found, and must be manually cert loaded into trusted root authority on any machine that I want it to go on. To be honest I'm not sure what certs are working where if everyone only knows about the *old* root ca and not the new one, same name.\
My problem that revealed all this, I'm trying to request a certificate on my subordinate CA, and it will not even let me try to paste in a CSR, as it gives me the error - "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory"
Can you help me untangle this mess? Advice appreciated, thank you!