Sagiman75

asked on

Problem with certificates after Issuing CA move to new server

Currently I'm having an issue with a recently moved certificate services install.  The details for this CA are:

-Offline Root with Enterprise CA running Win2K3 R2 Enterprise.
-A simple domain structure with multiple DCs.  No trusts involved.
-Several certificates have been issued, all via autoenrollment.
-The original issuing CA had to be retired (old server) so I moved the issuing CA to a new server (actually a VM running on ESX).
-Domain controllers and RADIUS servers have also been moved to new hardware.  Servers have been renamed in all cases to match the new naming convention.
-I've followed all published Microsoft procedures for this move.
-Some certificates that were issued contain the name of an old domain controller in the certificate request attribute cdc.
-It is these certificates that are having problems authenticating users/devices.

RADIUS is set up and working properly.  I think the issue is the certificate request attribute.  Is there any way to change this without reissuing a new certificate?  What is the recommended or best practice method for resolving this for all issued certificates?

Thanks for your help.
Paranormastic

If your new CA is handling other certificate requests okay:

From CA:
certutil -dcinfo DeleteBad
certutil -pulse

From DC:
gpupdate /force

If still having problems - your new CA has a new name, correct?  You didn't try restoring old to this one, this is a new setup, correct (old one was just taken offline and retired)?
Sagiman75

ASKER

Thanks for the reply.

The issuing CA server was moved to new hardware with a new name.  I followed a Microsoft document that explains the process step by step.  The CA itself was not named after the server.  I backed up the database and registry and was able to successfully restore to the new server with a different host name.  I've changed the CRL publication to reflect both the old LDAP location (so existing certs could see it) and the new LDAP location, which contains the name of my new issuing CA.

I've fixed the RADIUS issue...that was my mistake.  The access point was still configured to look at the old RADIUS servers to authenticate user certificates.  The problem I'm seeing now is that autoenrollment of RAS and IAS Server Authentication template certificates is not working properly.  I see both new DCs (which are also RADIUS servers) listed in the Issued Certificates folder in the Certification Authority snap-in with all appropriate certificates (Domain Controller, RAS and IAS, and Domain E-mail Replication).  When I look at computer certs for my RADIUS servers they do not see the RAS and IAS certs...just the other two.  I've selected Automatically Enroll Certificates but the cert is still not listed.  As such...I'm getting a lot of errors in my system event log from IAS.

Any ideas how to get my RAS and IAS cert installed on my RADIUS servers?

Thanks again!
Paranormastic

Usually we create a Certificate Signing Request (CSR) file from the server and submit that to the CA using http://caservername/certsrv and selecting the first option twice, then filling out that page to submit the CSR to get the cert, then install that on the server.

We don't do autoenrollment because we want to know what servers are specifically being assigned certs from our certificate operations team.

Anyways, you might want to check out the Certificate Templates MMC and verify the security permissions for that template have Read, Enroll, and Autoenroll for the proper group for your servers.  Then double-check the Certification Authority MMC - Certificate Templates folder to make sure that the template is assigned to the CA; if not, then issue the template and wait a few minutes.

You can also try issuing the command from the CA
certutil -pulse
to readvertise autoenrollment notifications

You can also try from the requesting servers:
gpupdate /force
Sagiman75

ASKER

Thanks again.

Our PKI is pretty small.  It was setup to allow for Windows Mobile bar code scanners and laptops to access the network as securely as possible.  At this time that is all we use it for.  The Autoenrollment makes it easy on our very small IT dept.  (there are only 3 of us).

Would autoenrollment be affected by the CRL not being published correctly?  In the properties of the issuing CA I have added an LDAP location for the old CA server (using the old CA server name) in the Extensions tab and selected the location for publishing CRLs and delta CRLs.  There is also a CDP for LDAP with the new CA server name, an HTTP location, and the default C:\Windows\System32 location.  If I force a publication of the revocation list I see an error in the application log (Event ID 74) which says the certificate could not be published to the LDAP directory.  If I browse to the LDAP location using ADSIEdit I can see the CA, and the publish date and time reflect the latest publication.   I can see this being a problem for existing certificates since they all point to the old CRL location, but I can't see how that would affect autoenrollment.

I did try your suggestions for getting the certs to autoenroll.  Permissions are correct.  The RADIUS servers are members of the appropriate group with Read, Enroll, and Autoenroll permissions.  The template has been assigned to the CA.  I believe that is the case anyway.  If I open the CA MMC and browse to Certificate Templates, the RAS and IAS Server Authentication template is shown.  What is really odd to me is both RADIUS servers have been issued the certificate from the template.  I can see both server names in the Issued Certificates folder.  But if I open the Certificates MMC on the RADIUS server and browse to the Personal/Certificates folder I only see two certs...one from the Directory Email Replication template and the other from the Domain Controller Authentication template.  I've tried the gpupdate /force command on both RADIUS servers.  I've rebooted both RADIUS servers.  I also tried the certutil -pulse command on the CA server.  And still...the RAS and IAS issued certs are not showing up in the Certificates MMC on each server.
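The checklist in Paranormastic's reply (template published on the CA, permissions, certutil -pulse, gpupdate) and the symptom described above (the CA shows the certificate under Issued Certificates but the RADIUS server's Personal store does not contain it) can both be worked through from the RADIUS server itself. The script below is an added example, not code from the original thread; it reads the certificate-template extension of every certificate in Cert:\LocalMachine\My, compares that with what the CA says it publishes, and, if the expected certificate is missing, triggers autoenrollment locally and shows the client-side autoenrollment events. The CA config string and the template display name are placeholders to be replaced with your own values.

```powershell
# Added example for this thread (not the asker's or answerer's code).
# Run in an elevated Windows PowerShell session on the RADIUS/IAS server.
param(
    # Assumption: "<CA host>\<CA common name>"; replace with your issuing CA.
    [string]$CAConfig     = 'newca.corp.example\Corp Issuing CA',
    # Display name of the template whose certificate is expected in the store.
    [string]$TemplateName = 'RAS and IAS Server'
)

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ templates: "Template=<name>(<oid>)..."
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 templates (e.g. DomainController): bare name

# Returns the template a certificate was issued from, or $null if it carries no template extension.
function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid) {
            # Format() renders e.g. "Template=RAS and IAS Server(1.3.6.1.4.1.311.21.8.x.y)"
            if ($ext.Format($false) -match 'Template=([^(]+)') { return $Matches[1].Trim() }
        }
        elseif ($ext.Oid.Value -eq $TemplateNameOid) {
            return $ext.Format($false).Trim()
        }
    }
    return $null
}

# 1. Is the template published by the CA at all?
Write-Host "== Templates published by $CAConfig =="
$published = certutil -config $CAConfig -CATemplates 2>&1
$published | Out-String | Write-Host
if (-not ($published -match [regex]::Escape($TemplateName))) {
    Write-Warning "'$TemplateName' is not offered by this CA; issue it under Certificate Templates in the CA snap-in."
}

# 2. Which templates do the certificates in the machine store actually come from?
Write-Host "`n== Certificates in Cert:\LocalMachine\My =="
$found = $null
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $t = Get-TemplateName $c
    $label = if ($t) { $t } else { '<no template extension>' }
    '{0,-34} {1,-28} key={2} expires={3:yyyy-MM-dd}' -f $c.Subject, $label, $c.HasPrivateKey, $c.NotAfter | Write-Host
    if ($t -eq $TemplateName) { $found = $c }
}

if (-not $found) {
    Write-Warning "No '$TemplateName' certificate in the machine store, even if the CA lists one under Issued Certificates."
    # 3. Nudge autoenrollment on this machine (certutil -pulse acts on the machine it runs on)
    #    and show what the autoenrollment client logged about it.
    gpupdate /force /target:computer | Out-Null
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 20
    Get-EventLog -LogName Application -Newest 300 |
        Where-Object { $_.Source -like '*AutoEnrollment*' } |
        Select-Object -First 10 TimeGenerated, EventID, EntryType, Message |
        Format-List | Out-String | Write-Host
}
else {
    # 4. The certificate is present: validate its chain the way a RADIUS client would,
    #    fetching every CDP/AIA URL, so a stale CRL location shows up here.
    $tmp = Join-Path $env:TEMP 'rasias-check.cer'
    [IO.File]::WriteAllBytes($tmp, $found.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    certutil -verify -urlfetch $tmp | Select-String 'Verified|Failed|Error|Expired|CRL' | Out-String | Write-Host
    Remove-Item $tmp
}
```

If the store lists the certificate but `key=False`, the client has no private key for it, which is what happens when a certificate is copied over from the CA's Issued Certificates view rather than enrolled on the machine; `certutil -repairstore my "<serial number>"` attempts to relink the key if the key container still exists, otherwise the certificate has to be enrolled again from the server. The urlfetch step is also the quickest way to see whether a CDP pointing at the old CA server's LDAP path is the reason a certificate fails to validate.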

ASKER CERTIFIED SOLUTION
Paranormastic
Sagiman75

ASKER

Things are working again but it took me exporting the issued cert from my CA and installing it manually on each of my RADIUS servers.  I'm not sure why that is but authentication is working again and that was my main issue.  Thanks for the help with this problem.