Hello, I'm facing the same issue here, I'm installing everything with default Administrator account that's already in Enterprise Admins group. This is my homelab infastructure so I think it's fine :) I still have the issue though, I even started rootCA back if it matters but it didn't help. Any ideas? EDIT: I found it! It was DNS, or rather typo in CNAME that pointed to "clr" instead of "crl". Setting this up at 1AM is not the best idea haha

@@mariob4735 Double check your rootca url points to your intermediate, put DNS entries for both, add "Enterprise Admins group" to your Domain Admin account and on the rootca before signing the request set the following: certutil -setreg CA\CRLPeriodUnits 6 certutil -setreg CA\CRLPeriod "Months" certutil -setreg CA\ValidityPeriodUnits 5 certutil -setreg CA\ValidityPeriod "Years"

Same. No one seems to have an answer online. The only thing that makes sense to me is the URL for the root CA in the signed certificate is unreachable or some service that is suppose to respond isn't doing so. Possible solution: The Domain Admin account that you use on the sub/intermediate CA at 4:24 needs to have Enterprise Admins group added. By default Domain Admin accounts are missing the Enterprise Admins membership.