darrenbell2000
asked on
Problems with offline Root CA
Hi all
I'm trying to implement a two tier PKI. The plan is to implement an offline Root CA then have an Enterprise subordinate CA in our AD domain to issue certificates to our users and computers.
I've been going through some of the documentation pertaining to setting up PKI. So far I have a Windows Server 2003 server set up. It's in its own workgroup and called gb-ca-1. It has a Standalone Root CA installed on it. Because it will be offline I've specified CRL and AIA locations as:
CRLs Published To:
- C:\windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
- LDAP///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
- http://www.mycompanywebsite.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Authority Information Access (AIA) Published To:
- C:\windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
- LDAP///CN=<CATruncatedName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
- http://www.mycompanywebsite.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt
I've added the root certificate to the Trusted Root Cert Authorities section of the Default Domain Policy in our root domain. I've done certutil -dspublish for the certificate and the CRL. I've checked in AD Sites and Services and the AIA and CDP records are created as per the hierarchy below.
Public Key Services
- AIA
- GB-CA-1 (Type: certificationAuthority)
- CDP
- GB-CA-1
- GB-CA-1 (Type: cRLDistributionPoint)
The Microsoft notes say that you must verify the CA certificate and CRL have been imported using the CERTUTIL.EXE -URL certificatename.cer command.
I've done this and it picks up the correct Certificate Subject (GB-CA-1) but will not pick up the Certs or CRLs when I click on Retrieve. It just says:
No URLs - None
It all looks like it is set up correctly but I don't want to go ahead and install the Enterprise sub-ordinate CA in our domain until I can be certain that this is working properly.
Thanks for reading this stupidly long post, can anyone point me in the right direction?
thanks
Dave
ASKER
Hello
Once I had done certutil -dspublish I checked that the records had been created in the CDP and AIA containers under Public Key Infrastructure and they are listed. Does this mean that they are in fact published to AD? The files are copied up to the web server which, as it's on Linux, is case sensitive. I've double checked that the URL is correct and I can download it by tapping the URL into IE.
I've just opened up the certificate and I don't see any entries in there for the CDP or AIA locations. If I open up the CRL I only see an entry for LDAP, but not the entries for the local copy or the HTTP hosted copy.
I'm guessing this is where I'm going wrong. I have specified them in the Extensions tab on the Certificate Authority admin console. I exported the root cert once that was done, but do I have to renew the root certificate for it to take the new locations?
thanks for your help, it really is appreciated!!
Dave
After you declare the information for the CDP and the AIA in the Extensions tab you will need to reissue the root certificate and copy it to the AIA locations. The CDP locations should be unaffected, although you might want to create a new CRL (right-click Revoked Certificates - All Tasks - Publish) just to ensure you have a fresh copy and that the name came out as expected (mainly that it didn't come out as servername(1).crl).
When doing the AIA and CDP locations, also make sure you have the entire address - include c:\path\file.crt or http://www.domain.com/file.crl, etc. not just www.domain.com/file.crl. Note that to verify the LDAP you will need something that can communicate with LDAP - e.g. ADSI Edit.
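The steps in the two replies above (set the CDP and AIA locations, reissue/republish, check the exact full addresses) can be scripted on the root CA itself. The following is an added example, not code from this thread or from Microsoft; it assumes Windows PowerShell is available on the CA (the certutil commands are identical at a cmd prompt), uses the placeholder web host www.mycompanywebsite.com from the question, and uses an obviously placeholder forest DN (`DC=example,DC=com`) that must be replaced. The `%n` replacement tokens and the numeric flags are the same ones that `certutil -getreg CA\CRLPublicationURLs` prints later in the thread (1 = publish here, 2 = include in the extension of issued certs, 4 = include in the freshest-CRL extension, 8 = include in the CDP of CRLs, 64 = publish delta CRLs here).

```powershell
# Added example (not from the thread): configure CDP/AIA publication on an
# offline standalone root with certutil -setreg, restart the CA service,
# publish a fresh CRL and read back what the CA will stamp into certificates
# it issues from now on. Run elevated ON the root CA.
#
# Tokens: %1 ServerDNSName  %2 ServerShortName  %3 CaName  %4 CertificateName
#         %6 ConfigurationContainer  %7 CATruncatedName  %8 CRLNameSuffix
#         %9 DeltaCRLAllowed  %10 CDPObjectClass  %11 CAObjectClass

$webHost  = 'www.mycompanywebsite.com'          # placeholder from the question
$forestDN = 'DC=example,DC=com'                 # PLACEHOLDER: your forest root DN
$enroll   = "$env:windir\system32\CertSrv\CertEnroll"

# A workgroup root cannot discover %6 (the AD configuration container) itself,
# so tell it explicitly; otherwise the LDAP URLs come out without a DN tail.
certutil -setreg CA\DSConfigDN "CN=Configuration,$forestDN"

# certutil -setreg takes REG_MULTI_SZ entries as one string separated by a
# literal backslash-n, so the array is joined with the two characters '\n'.
$cdp = @(
    "65:$enroll\%3%8%9.crl",                                                    # 1+64: write base+delta CRL locally
    "14:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10", # 2+4+8: advertise the AD copy
    "2:http://$webHost/pki/%3%8%9.crl"                                         # 2: advertise the HTTP copy
) -join '\n'

$aia = @(
    "1:$enroll\%1_%3%4.crt",                                                    # 1: write the CA cert locally
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11",          # 2: advertise the AD copy
    "2:http://$webHost/pki/%1_%3%4.crt"                                        # 2: advertise the HTTP copy
) -join '\n'

certutil -setreg CA\CRLPublicationURLs    $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# Registry changes are only picked up after a restart; then cut a new base CRL.
Restart-Service certsvc
certutil -crl

# Read back the effective configuration (this is what the thread compares by hand).
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Everything in CertEnroll is what has to be copied to the HTTP location with
# EXACTLY this casing (a Linux web server is case sensitive). After a CA
# certificate renewal the new file carries a "(1)" suffix, as seen in the thread.
Get-ChildItem "$enroll\*" -Include *.crt, *.crl | Select-Object Name, Length, LastWriteTime

# On a domain-joined machine, publish the copied files to AD (as the question did):
#   certutil -dspublish -f <ServerDNSName>_<CaName>.crt RootCA
#   certutil -dspublish -f <CaName>.crl
# Then validate a certificate the root has ISSUED (e.g. the subordinate CA's
# .crt) rather than the root's own self-signed certificate:
#   certutil -verify -urlfetch .\SubCA.crt
```

The `DSConfigDN` line is the part most often missed on an offline root: without it the `%6` token expands to nothing because the CA is not a domain member. Note also that these settings only affect certificates the CA issues after the restart; they never appear in the root's own self-signed certificate, which is why `certutil -URL` against the root .cer reports no URLs.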
ASKER
Hello
I've reissued the certificate then went to download it from the gb-ca-1/certsrv website and it's showing up as:
Current [GB-CA-1(1)]
Previous [GB-CA-1]
Is the (1) indicative of a problem then?
Dave
ASKER
Actually, having checked the file name of the CRL, it has remained the same without any additional numbers inserted, so that seems okay. The list of certificates on the web page still shows with a 1 in the cert name though.
I've loaded up adsiedit and looked at the DN of the entries that were added. The CDP location is listed as: CN=gb-ca-1,CN=gb-ca-1,CN=C
Output of certutil -getreg ca\CRLPublicationURLs is:
HKEY_LOCAL_MACHINE\SYSTEM\
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\WINDOWS\system32\Cer
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 14:ldap:///CN=%7%8,CN=%2,C
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CSURL_ADDTOCRLCDP -- 8
2: 2:http://www.mywebsite.com/pki/%3%8%9.crl
CSURL_ADDTOCERTCDP -- 2
The ldap entry seems to match up okay. The only thing that is a little concerning is that the replacement tokens %7%8 are used in the first part but only %7 seems to be showing as part of the DN as it is in Active Directory. I'm guessing that %8 (the CRLNameSuffix) is actually blank though, which is why it appears to be missing.
It all looks okay but if I load up certutil -URL certname.cer and get it to try to Retrieve the Certs or CRLs it returns nothing (No URLs | None). Seeing as it's a standalone machine, I'm considering rebuilding the CA from scratch just in case there is something I missed in the initial setup (or something that I've played with and shouldn't have done!) that could be causing this.
Dave
The (1) means that it is the new version of the same thing - this happens when you reissue the certificate, rekey, etc. It is not really a "problem" but just know that you need to use that one for current certs, crl, etc. The one without that, if you never issued any certs, could be ignored. If you did issue, then just keep that one out there but since there weren't any CDP or AIA points, it doesn't really matter I guess. The (1) is like a version number - do it again and it would be (2) with the same stipulations. This is designed to happen over time - although not needed at the beginning it really isn't a big deal.
Here is an article for how to properly decom the CA if you choose to redo it from scratch:
http://support.microsoft.com/kb/889250
I am just about to head out the door so I just skimmed the last note - do you have the crt and crl files copied to the AIA and CDP locations? You should be able to pull them up in the IE address bar for all but LDAP, although using certutil is valid too. With certutil -URL make sure you click the retrieve button for anything to display - not quite intuitive but hey.
ASKER
I've a test network at home with a couple of servers running AD so I installed a standalone server and replicated the issue there as well. I've documented exactly what I did to get to this point. The doc is available at http://www.davesdomain.co.uk/pki/notes/installation-notes.doc
Once I'd got all of that sorted I went through and did a few troubleshooting bits. The first is the certutil -URL ddroot.cer command. It loads up, shows the correct Certificate Subject as DDRoot but clicking on Retrieve returns nothing (other than No URLs | None | *blank*).
I don't know whether it is supposed to be but the "Url to download" box is blank. However, if I manually copy and paste the LDAP CDP URL:
ldap:///CN=DDRoot,CN=ca-root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=davesdomain,DC=co,DC=uk?certificateRevocationList?base?objectClass=cRLDistributionPoint
into this box and click on Retrieve it is able to retrieve the CRLs (see http://www.davesdomain.co.uk/pki/notes/certutil2.jpg). It's able to do it if I put in the HTTP URL as well (http://www.davesdomain.co.uk/pki/ddroot.crl).
So does this mean that my only problem is that the DDRoot.cer file itself doesn't contain the CDP and AIA information for the tool to pick up on? I did certutil.exe -f -split -urlfetch -verify ddroot.cer and this doesn't seem to include any references to the AIA or CDP locations. I've uploaded the output here http://www.davesdomain.co.uk/pki/notes/certutil-urlfetch.txt
ASKER
I've been away for a week so apologies for the late response.
Now I think about it, it does make sense for there to be nothing "CRL worthy" at the moment as I've not installed a sub-CA yet so the root hasn't issued any certificates apart from its own self-signed root cert. I think I'll go ahead and set up a sub-CA on my test setup at home and see how things fit together.
thanks for the help
Dave
Everything turned out okay?
ASKER
Hello
Yes, this is all set up and working fine now. Thanks for all the help!
Dave
Open up the root cert and verify that the CDP and AIA are actually displaying the correct locations. Note that some web servers may be case sensitive as well - if this is the case make sure it is exactly right in the cert and that you can pull them up manually in IE.
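The check described just above (open the certificate, confirm the CDP and AIA actually show the intended locations, then pull each HTTP copy exactly as written) can be done from any Windows client with the following added example. It is not code from this thread; it assumes Windows PowerShell 3.0 or later and a path to a .crt/.cer file (`.\SubCA.crt` is an assumed name). It reads the two extensions by OID (2.5.29.31 for CDP, 1.3.6.1.5.5.7.1.1 for AIA), pulls the URLs out of certutil-style formatted text, downloads each HTTP URL and dumps it with certutil so a wrong case in the file name shows up as a download failure rather than a silent mismatch. As the thread eventually found, a Windows self-signed root certificate normally has neither extension, so the script warns and expects to be pointed at a certificate the root issued.

```powershell
# Added example (not from the thread): show the CDP/AIA URLs inside a
# certificate and test-fetch the HTTP ones. Usage: .\Check-CdpAia.ps1 .\SubCA.crt
param(
    [Parameter(Mandatory = $true)][string]$CertPath   # assumed: path to a DER/Base64 .crt/.cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Output "Subject : $($cert.Subject)"
Write-Output "Issuer  : $($cert.Issuer)"

# A self-signed root issued by a Windows CA carries no CDP/AIA of its own;
# the locations configured on the CA only appear in certificates it issues.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning 'Self-signed certificate: CDP/AIA are normally absent here. Check a certificate this CA issued (e.g. the subordinate CA cert) instead.'
}

$wanted = [ordered]@{
    '2.5.29.31'         = 'CRL Distribution Points (CDP)'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access (AIA)'
}

foreach ($oid in $wanted.Keys) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) {
        Write-Output "`n$($wanted[$oid]): NOT PRESENT"
        continue
    }
    # Format($true) renders the extension the same way the certificate viewer does,
    # one "URL=..." per line, which is what we parse.
    $text = $ext.Format($true)
    Write-Output "`n$($wanted[$oid]):"
    Write-Output $text

    $urls = [regex]::Matches($text, '(?i)\b(https?|ldap):///?\S+') |
            ForEach-Object { $_.Value } | Select-Object -Unique

    foreach ($url in $urls) {
        if ($url -match '^(?i)ldap:') {
            # LDAP needs a domain-joined client; verify with certutil -URL or ADSI Edit.
            Write-Output "  [LDAP ] $url  (not fetched here)"
            continue
        }
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            # Fetch exactly the URL in the certificate: a case difference on a
            # Linux web server surfaces as a 404 here, not as a silent pass.
            Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $tmp -ErrorAction Stop
            $size = (Get-Item $tmp).Length
            Write-Output "  [OK   ] $url  ($size bytes)"
            # certutil -dump understands both .crt and .crl; show the identifying lines.
            certutil -dump $tmp | Select-String 'Issuer|Subject|ThisUpdate|NextUpdate|This Update|Next Update' |
                ForEach-Object { "          $($_.Line.Trim())" }
        }
        catch {
            Write-Output "  [FAIL ] $url  ($($_.Exception.Message))"
        }
        finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
}
```

Run it against the subordinate CA's certificate once that CA has been issued by the root: every `[FAIL ]` line is a location that relying parties will also fail to reach, which is the condition to clear before putting the enterprise subordinate into production.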