Certsvc error

I'm getting an error about a certificate on my web server. The SSL is good but I'm not sure what this is about. I've attached. I'm running Windows Server 03 Service Pack 2.
error.jpg
tbonehwd asked:
 
Paranormastic (Cryptographic Engineer) commented:
1) You didn't have the path to the CRL, unless you copied it to your profile.

certutil.exe -dspublish %systemroot%\system32\certsrv\certenroll\hcibooks.com.crl

2) Do you have a filter on your issued certs folder or something?  There should be more than one cert listed there - the CA exchange cert is essentially just a communications certificate for CAs to exchange data with each other - this is not for your web server, exchange server, or anything else.  It shows that the CA is functional, but that's about it.

3) Try checking the Pending Requests and Failed Requests areas and see what you find...
0
 
Paranormastic (Cryptographic Engineer) commented:
This is written against 2008 but the concepts still apply for 2003:
http://technet.microsoft.com/en-us/library/cc726336.aspx

I see from your message history that it looks like you did or are planning a domain name rename?  Did this happen to the CA server?  Did you reinstall the CA fresh, as the domain name has changed?  There is a good chance that you need to update the permissions to AD as described in the link I just provided.

You can see if it actually made the new CRL: go to the
%systemroot%\system32\certsrv\certenroll\ directory, look for *.crl and check the file creation date. If that is new, then you can run:
certutil -dspublish

You may need domain or enterprise admin rights for that to write the new CRL to AD. This won't get rid of the error you are seeing, but it will at least get the CRL out to be used while you are working on the rest of it.
0
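The check-then-publish steps above, as an added PowerShell script that is not part of the thread: it picks the newest .crl in the certenroll directory by creation time, dumps its validity fields, and publishes it with the full path (the assumed reason the later "cannot find the file" error appears is that certutil was given a bare file name from another working directory). It assumes PowerShell and certutil.exe are available on the machine you run it from, and that the account has the domain/enterprise admin rights the thread mentions.

```powershell
# Added example, not from the thread. Locate the newest CRL the CA wrote,
# show its ThisUpdate/NextUpdate window, and push it to AD with -dspublish.
$enrollDir = Join-Path $env:SystemRoot 'system32\certsrv\certenroll'

# Newest CRL by creation time, as the thread suggests checking.
$crl = Get-ChildItem -Path $enrollDir -Filter '*.crl' |
       Sort-Object CreationTime -Descending |
       Select-Object -First 1
if (-not $crl) { throw "No .crl files found in $enrollDir" }

Write-Host "Newest CRL: $($crl.FullName) (created $($crl.CreationTime))"

# certutil -dump prints the CRL fields; the field names matched here
# (Issuer, ThisUpdate, NextUpdate) are an assumption about its output.
$dump = & certutil.exe -dump $crl.FullName
$dump | Select-String -Pattern 'Issuer|ThisUpdate|NextUpdate'

# Always hand certutil the full path. Running 'certutil -dspublish name.crl'
# from a different directory produces the 0x80070002 (file not found)
# failure quoted later in this thread.
& certutil.exe -dspublish $crl.FullName
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -dspublish failed with exit code $LASTEXITCODE"
} else {
    Write-Host "CRL published to AD."
}
```

Run it on the CA itself, or copy the .crl to a workstation and point $enrollDir at that folder, as the thread later suggests.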
 
tbonehwd (Author) commented:
Yes, I did a domain migration to a new domain about 1 or 2 months ago. No, I didn't reload the CA. I will try this and get back to you.

Thanks.
0
 
tbonehwd (Author) commented:
I'm going to try to revoke it and redo it but I can't do it during business hours.  I'll get back to you...

Thanks again.
0
 
Paranormastic (Cryptographic Engineer) commented:
How to decom a CA server properly from AD:
http://support.microsoft.com/kb/889250

Alternatively, you could extend the CRL lifetime out to the expiration date of the CA certificate, then run 'certutil -crl', then go to %systemroot%\system32\certsrv\certenroll and copy *.crl to the CRL distribution points listed. Then run certutil -dspublish to push to AD as described above. This should then be imaged and saved or physically stored offline, just in case you need to revoke something else later. Doing this will keep the existing certs still valid, if there are any that haven't been migrated yet.

When you install the new CA, you might consider making a 2 tier PKI (if you don't already) as the root cannot be revoked - this is an issue in case it ever got compromised. Having a 2 tier PKI would also make scenarios like this a little easier in that all your users won't have to reinstall the new root CA cert (since the root would be off the domain it would not necessarily be affected) - this is easy for GPO, but VPN users and such will need to update manually.

Using a VM you can install an offline root that isn't joined to the domain (03 or 08 Std. ed. as a standalone CA) and keep that image stored on a removable drive that is locked up normally except to bring up for the occasional CRL publication. The 2nd will be joined to the domain if desired and installed as an enterprise CA on a 03/08 Ent. ed. OS. This makes backups and disaster recovery a snap.

Lastly, you might want to install PKI health tool (pkiview.msc) if you have not already - this will give you a quick look to make sure all your CDP and AIA points are updated properly and a few other things at a quick glance.
0
 
tbonehwd (Author) commented:
The certificate I have is valid until 2012. I have the .crt file on the desktop. I was going to revoke the current one and redo it. Also, I can't do the dspublish until I can stop IIS. Lastly, I do have 2 certs in system32... one for the old domain and one for the new. Should I delete the old domain one?

This cert is only for the web site cart and nothing else. In other words, for security for the user logging in and purchasing our books.
0
 
Paranormastic (Cryptographic Engineer) commented:
You can copy the CRL file to any workstation and log in with domain/ent. admin and run certutil -dspublish from there. For XP boxes you may need to have the 2003 adminpak installed for certutil; Vista will have it standard.

It doesn't hurt to have the old cert lying around normally. It's generally better for potential recovery issues to hold onto them - put it into a backup folder if it eases your mind a little bit.

If you have one for the old domain and one for the new, that sounds like it may have been reinstalled. You may have a stale CA cert cached that may need to get washed out - try running 'certutil -dcinfo DeleteBad'

So this CA is only used for issuing a public web site certificate? If that is the case, you might just want to decommission it and put it on the figurative shelf. You can get a certificate from GoDaddy for $30/year that will already be trusted by your customers - that's probably cheaper than the power bill and maintenance for keeping the CA in business. And your users won't be offered a security warning until (if) they decide to ignore it or trust it - i.e. the GoDaddy cert will provide a much more comfortable customer experience as well since they won't get errors.
0
 
tbonehwd (Author) commented:
Yes. We only use the cert for the public site; however, the servers are in house. But it's something to think about.

I'm sorry, I'm a little confused... I only have 1 crl file. When we originally purchased it, it had the new domain name attached to it. When it installed, it attached the old domain name to it. When I reconfigured the domain, it added one with the new and correct domain name. Here's a picture of the system32 file. I believe the one in the bracket is the "wrong" one, old...

So would I copy the old one out and move it to my vista desktop and run the command certutil -dspublish ?

Cert.jpg
0
 
tbonehwd (Author) commented:
I ran the command and this is what I got:

C:\Documents and Settings\Administrator.HCIBOOKS>certutil.exe -dspublish hcibooks.com.crl
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
DecodeFile returned The system cannot find the file specified. 0x80070002 (WIN32: 2)
Could not load Certificate or CRL from file (The system cannot find the file specified. 0x80070002 (WIN32: 2))
CertUtil: -dsPublish command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
0
 
Paranormastic (Cryptographic Engineer) commented:
Can always use a commercial cert for internal use as well. If by some weird chance the computer is completely isolated from the internet then you may need to copy the CRL every so often from the vendor and post it in the internal network and modify the hosts file to redirect the CRL distribution point. Normally this isn't necessary if the clients can just use the internet. Anyways...

So it sounds like it already reissued the certificate when you joined it to the new domain. The (1) after the file name means it has incremented the CA certificate on that server. It effectively starts at (0) but doesn't show it - each time you renew the cert it will increment the number - this is done because normally the name will be the same, and the CA doesn't know the difference; it issues the cert to variables that get translated into names. The one with the number at the end is the original cert and will no longer be used for new certificates, but will be used to create new CRLs for the old certificates, which might still be valid if they didn't all get revoked during the reinstall (which probably happened due to the renaming). You can use the CA MMC and in the properties of CAName you can select that listing from a dropdown and change its validity period so you don't have to keep maintaining it.

The new (1) cert will be used for certs issued in the future.  The new CRL will also have a (1) associated with it.

While both CA cert lifetimes are valid (since you can't revoke a root cert) then it will continue publishing two CRLs.  Since the original does not match the name for the new AD, it is likely getting rejected for that reason.  In the CA MMC - CAName properties - Extensions tab - you can select the CDP for the original CA cert and remove the entry for LDAP (still keep the http locations) and then make a new CRL.
0
 
tbonehwd (Author) commented:
I only see the resource cert in the CA MMC.  I'm going to reinstall the hcibooks.com one when I get a chance.
0
 
tbonehwd (Author) commented:
I went to the CA MMC in Administrative Tools and this is what's in there??? And yet in IIS it's the correct one..
ca.jpg
0
 
Paranormastic (Cryptographic Engineer) commented:
Yes, if that's all there is for issued certs, reinstalling the CA should be pretty low risk and a high benefit potential...
0
 
tbonehwd (Author) commented:
OK. Thanks.  I'm going to give it a try.
0
 
tbonehwd (Author) commented:
That worked.  I reinstalled and used the certutil.exe.  Thanks for all your help.
0