Solved

Certsvc error

Posted on 2009-04-07
Last Modified: 2012-05-06
I'm getting an error about a certificate on my web server. The SSL is good, but I'm not sure what this is about. I've attached. I'm running Windows Server 03 Service Pack 2.
error.jpg
Question by:tbonehwd
15 Comments
 

Expert Comment

by:Paranormastic
ID: 24088108
This is written against 2008 but the concepts still apply for 2003:
http://technet.microsoft.com/en-us/library/cc726336.aspx

I see from your message history that it looks like you did or are planning a domain name rename? Did this happen to the CA server? Did you reinstall the CA fresh, as the domain name has changed? There is a good chance that you need to update the permissions to AD as described in the link I just provided.

You can see if it actually made the new CRL by looking in the %systemroot%\system32\certsrv\certenroll\ directory for *.crl files and checking the file creation date. If that is new, then you can run:

certutil -dspublish

You may need domain or enterprise admin rights for that to write the new CRL to AD. This won't get rid of the error you are seeing, but it will at least get the CRL out to be used while you are working on the rest of it.
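The check-then-publish sequence from the comment above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell with certutil available (the CA itself, or a domain-joined workstation with the admin tools), a domain/enterprise admin session, and a placeholder CA host name; the 7-day staleness threshold is also an assumption.

```powershell
# Added example (not from the original thread). Checks the CRLs the CA wrote
# to CertEnroll, shows their validity window, and publishes the fresh ones to
# the AD CDP container with certutil -dspublish.
# Assumptions: PowerShell, certutil on the path, domain/enterprise admin rights.
$CertEnroll = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
$CaHostName = 'CASERVER'   # assumed: NetBIOS name of the CA, used as the DS CDP container CN
$MaxAgeDays = 7            # assumed: a CRL older than this is treated as stale

$crls = Get-ChildItem -Path $CertEnroll -Filter '*.crl' -ErrorAction Stop
if (-not $crls) { throw "No CRL files found in $CertEnroll" }

foreach ($crl in $crls) {
    # certutil -dump prints the issuer DN and ThisUpdate/NextUpdate, which tells you
    # which CA certificate version (original vs. the "(1)" renewal) the CRL belongs to.
    $dump   = certutil -dump $crl.FullName
    $issuer = $dump | Select-String -Pattern '^Issuer:' -Context 0,1 | Select-Object -First 1
    $window = $dump | Select-String -Pattern 'ThisUpdate:|NextUpdate:'
    $age    = (Get-Date) - $crl.LastWriteTime

    Write-Output ("{0}: written {1:yyyy-MM-dd HH:mm} ({2:N1} days ago)" -f $crl.Name, $crl.LastWriteTime, $age.TotalDays)
    if ($issuer) { Write-Output "  Issuer: $($issuer.Context.PostContext[0].Trim())" }
    $window | ForEach-Object { Write-Output "  $($_.Line.Trim())" }

    if ($age.TotalDays -gt $MaxAgeDays) {
        Write-Warning "$($crl.Name) is stale; run 'certutil -crl' on the CA and re-run this script."
        continue
    }

    # Always give certutil the full path: a bare file name is resolved against the
    # current directory, which is what produces the 0x80070002 "file not found" error.
    # -f overwrites the existing AD object; the container CN defaults to the local
    # machine name, so pass the CA's name when running from a workstation.
    certutil -f -dspublish $crl.FullName $CaHostName
    if ($LASTEXITCODE -ne 0) { Write-Warning "dspublish failed for $($crl.Name) (exit code $LASTEXITCODE)" }
}
```

If dspublish fails with an access-denied error rather than a file error, the account lacks rights on the CDP container in AD (CN=CDP,CN=Public Key Services,CN=Services in the configuration partition); that is the permissions problem the TechNet article above addresses.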
 

Author Comment

by:tbonehwd
ID: 24088218
Yes, I did a domain migration to a new domain about 1 or 2 months ago. No, I didn't reload the CA. I will try this and get back to you.

Thanks.
 

Author Comment

by:tbonehwd
ID: 24088378
I'm going to try to revoke it and redo it, but I can't do it during business hours. I'll get back to you...

Thanks again.

Expert Comment

by:Paranormastic
ID: 24088861
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Alternatively, you could extend the CRL lifetime out to the expiration date of the CA certificate, then run 'certutil -crl', then go to %systemroot%\system32\certsrv\certenroll and copy *.crl to the CRL distribution points listed. Then run certutil -dspublish to push to AD as described above. This should then be imaged and saved or physically stored offline, just in case you need to revoke something else later. Doing this will keep the existing certs still valid, if there are any that haven't been migrated yet.

When you install the new CA, you might consider making a 2-tier PKI (if you don't already have one), as the root cannot be revoked - this is an issue in case it ever got compromised. Having a 2-tier PKI would also make scenarios like this a little easier, in that all your users won't have to reinstall the new root CA cert (since the root would be off the domain it would not necessarily be affected) - this is easy for GPO, but VPN users and such will need to update manually.

Using a VM you can install an offline root that isn't joined to the domain (03 or 08 Std. Ed. as a standalone CA) and keep that image stored on a removable drive that is locked up normally except to bring up for the occasional CRL publication. The 2nd will be joined to the domain if desired and installed as an enterprise CA on a 03/08 Ent. Ed. OS. This makes backups and disaster recovery a snap.

Lastly, you might want to install PKI health tool (pkiview.msc) if you have not already - this will give you a quick look to make sure all your CDP and AIA points are updated properly and a few other things at a quick glance.
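The "extend the CRL lifetime, republish, then shelve the CA" procedure from the comment above, as an added PowerShell example (not code from the thread). It assumes it is run on the CA in an elevated session by an account that is also an enterprise admin, that the CA is a self-signed root (as in this thread) so its own certificate is in the machine store, and that the HTTP CDP web root path is a placeholder.

```powershell
# Added example (not from the original thread). Publishes a final, long-lived
# CRL from a CA that is about to be taken offline, so certificates it issued
# stay verifiable until the CA certificate itself expires.
# Assumptions: run on the CA in an elevated PowerShell session as an enterprise
# admin; the CA is a self-signed root (as in this thread); the HTTP CDP path is
# a placeholder.
$CertEnroll  = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
$HttpCdpDirs = @('\\webserver\CertEnroll')   # assumed: web root(s) behind the http:// CDP URLs

# 1. Work out how long the CRL must stay valid: until the newest CA certificate expires.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $caCert) { throw 'No self-signed CA certificate with a private key found in LocalMachine\My' }
$crlYears = [math]::Ceiling(($caCert.NotAfter - (Get-Date)).TotalDays / 365) + 1
Write-Output "CA cert expires $($caCert.NotAfter); setting CRL period to $crlYears years"

# 2. Lengthen the base CRL period and disable delta CRLs, so clients stop looking
#    for a delta that will never be refreshed. Registry changes need a certsvc restart.
certutil -setreg CA\CRLPeriodUnits $crlYears
certutil -setreg CA\CRLPeriod 'Years'
certutil -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service certsvc

# 3. Issue the CRL. A renewed CA writes one CRL per CA certificate version
#    (e.g. CAName.crl and CAName(1).crl); both are handled below.
certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit code $LASTEXITCODE)" }
$crls = Get-ChildItem -Path $CertEnroll -Filter '*.crl'

# 4. Copy to the file/HTTP CDP locations and publish to the LDAP CDP container in AD.
foreach ($dir in $HttpCdpDirs) { $crls | Copy-Item -Destination $dir -Force }
foreach ($crl in $crls) {
    certutil -f -dspublish $crl.FullName
    if ($LASTEXITCODE -ne 0) { Write-Warning "dspublish failed for $($crl.Name) (exit code $LASTEXITCODE)" }
}

# 5. Verify the validity window before the CA is shut down and imaged.
foreach ($crl in $crls) {
    Write-Output "== $($crl.Name) =="
    certutil -dump $crl.FullName | Select-String 'ThisUpdate:|NextUpdate:' | ForEach-Object { $_.Line.Trim() }
}
```

Keep the imaged VM (or a system state backup that includes the CA database and key) offline afterwards: the final CRL can only be replaced by signing a new one with the same CA key, so losing that key means any later compromise of an issued certificate cannot be revoked.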
 

Author Comment

by:tbonehwd
ID: 24088941
The certificate I have is valid until 2012. I have the .crt file on the desktop. I was going to revoke the current one and redo it. Also, I can't do the dspublish until I can stop IIS. Lastly, I do have 2 certs in system32... one for the old domain and one for the new. Should I delete the old domain one?

This cert is only for the web site cart and nothing else.  In other words for security for the user login in and purchase of our books.

Expert Comment

by:Paranormastic
ID: 24089546
You can copy the CRL file to any workstation, log in with domain/ent. admin and run certutil -dspublish from there. For XP boxes you may need to have the 2003 adminpak installed for certutil; Vista will have it standard.

It doesn't hurt to have the old cert laying around normally. It's generally better for potential recovery issues to hold onto them - put it into a backup folder if it eases your mind a little bit.

If you have one for the old domain and one for the new, that sounds like it may have been reinstalled. You may have a stale CA cert cached that may need to get washed out - try running 'certutil -dcinfo DeleteBad'

So this CA is only used for issuing a public web site certificate? If that is the case, you might just want to decommission it and put it on the figurative shelf. You can get a certificate from GoDaddy for $30/year that will already be trusted by your customers - that's probably cheaper than the power bill and maintenance for keeping the CA in business. And your users won't be offered a security warning until (if) they decide to ignore it or trust it - i.e. the GoDaddy cert will provide a much more comfortable customer experience as well since they won't get errors.
 

Author Comment

by:tbonehwd
ID: 24090186
Yes. We only use the cert for the public site; however, the servers are in house. But it's something to think about.

I'm sorry, I'm a little confused... I only have 1 crl file; when we originally purchased it, it had the new domain name attached to it. When it installed, it attached the old domain name to it. When I reconfigured the domain, it added one with the new and correct domain name. Here's a picture of the system32... file. I believe the one in the bracket is the "wrong" one, old...

So would I copy the old one out and move it to my vista desktop and run the command certutil -dspublish ?

Cert.jpg

Author Comment

by:tbonehwd
ID: 24090405
I ran the command and this is what I got:

C:\Documents and Settings\Administrator.HCIBOOKS>certutil.exe -dspublish hcibooks.com.crl
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.

Expert Comment

by:Paranormastic
ID: 24090520
You can always use a commercial cert for internal use as well. If by some weird chance the computer is completely isolated from the internet, then you may need to copy the CRL every so often from the vendor, post it on the internal network and modify the hosts file to redirect the CRL distribution point. Normally this isn't necessary if the clients can just use the internet. Anyways...

So it sounds like it already reissued the certificate when you joined it to the new domain. The (1) after the file name means it has incremented the CA certificate on that server. It effectively starts at (0) but doesn't show it - each time you renew the cert it will increment the number - this is done because normally the name will be the same, and the CA doesn't know the difference; it issues the cert to variables that get translated into names. The one with the number at the end is the original cert and will no longer be used for new certificates, but will be used to create new CRLs for the old certificates, which might still be valid if they didn't all get revoked during the reinstall (which probably happened due to the renaming). You can use the CA MMC and in the properties of CAName you can select that listing from a dropdown and change its validity period so you don't have to keep maintaining it.

The new (1) cert will be used for certs issued in the future.  The new CRL will also have a (1) associated with it.

While both CA cert lifetimes are valid (since you can't revoke a root cert) then it will continue publishing two CRLs.  Since the original does not match the name for the new AD, it is likely getting rejected for that reason.  In the CA MMC - CAName properties - Extensions tab - you can select the CDP for the original CA cert and remove the entry for LDAP (still keep the http locations) and then make a new CRL.
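An added PowerShell example (not from the thread) that enumerates the CA certificate versions and their CRL state on a renewed CA, so the original and the "(1)" certificate can be told apart without the MMC. It assumes the certutil -cainfo property names from the 2008-era toolset and a placeholder CA configuration string.

```powershell
# Added example (not from the original thread). Lists each CA certificate
# version (index 0 = original, 1 = first renewal, ...) with its subject and
# validity, its certificate/CRL state, and the configured CDP URLs.
# Assumptions: certutil with the -cainfo properties shown (2008-era toolset);
# the CA config string '<host>\<CA name>' is a placeholder.
$Config = 'CASERVER\HCIBooks-CA'   # assumed: <CA host>\<CA common name>

# certutil prints a line such as "CA cert count: N"; take the first integer on it.
$countLine = certutil -config $Config -cainfo certcount | Select-String 'count' | Select-Object -First 1
if (-not $countLine) { throw "Could not read CA cert count from $Config" }
if ($countLine.Line -match '(\d+)') { $count = [int]$Matches[1] } else { throw "Unexpected output: $($countLine.Line)" }

for ($i = 0; $i -lt $count; $i++) {
    Write-Output "=== CA certificate index $i ==="

    # Export this version of the CA certificate and show its DN and validity;
    # after a domain rename the DC= components differ between the versions.
    $cer = Join-Path $env:TEMP "ca-cert-$i.cer"
    certutil -config $Config -ca.cert $cer $i | Out-Null
    certutil -dump $cer | Select-String '^\s*(CN=|DC=|NotBefore:|NotAfter:)' | ForEach-Object { "  $($_.Line.Trim())" }

    # Whether this version is still usable for signing and whether its CRL is current.
    certutil -config $Config -cainfo certstate $i
    certutil -config $Config -cainfo crlstate $i
}

# The CDP locations stamped into issued certs and CRLs. An ldap:/// entry here
# still points at the old domain if the CA was not reconfigured after the rename.
certutil -config $Config -getreg CA\CRLPublicationURLs
```

The CRL published for an index that reports an expired or revoked certificate state no longer matters to clients; the ones that still validate are the ones whose CDP URLs have to resolve, which is why a stale LDAP path in CRLPublicationURLs shows up as a CRL error on the web server even though the SSL certificate itself is fine.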
 

Author Comment

by:tbonehwd
ID: 24090657
I only see the resource cert in the CA MMC.  I'm going to reinstall the hcibooks.com one when I get a chance.
 

Author Comment

by:tbonehwd
ID: 24090767
I went to the CA MMC in administrator tools this is what's in there??? And yet in IIS it's the correct one..  
ca.jpg

Accepted Solution

by:Paranormastic (earned 250 total points)
ID: 24092058
1) You didn't have the path to the CRL, unless you copied it to your profile.

certutil.exe -dspublish %systemroot%\system32\certsrv\certenroll\hcibooks.com.crl

2) Do you have a filter on your issued certs folder or something?  There should be more than one cert listed there - the CA exchange cert is essentially just a communications certificate for CAs to exchange data with each other - this is not for your web server, exchange server, or anything else.  It shows that the CA is functional, but that's about it.

3) Try checking the Pending Requests and Failed Requests areas and see what you find...

Expert Comment

by:Paranormastic
ID: 24092069
Yes, if that's all there is for issued certs, reinstalling the CA should be pretty low risk and a high benefit potential...
 

Author Comment

by:tbonehwd
ID: 24096296
OK. Thanks.  I'm going to give it a try.
 

Author Closing Comment

by:tbonehwd
ID: 31567515
That worked.  I reinstalled and used the certutil.exe.  Thanks for all your help.