
Microsoft PKI - Incorrect CDP's

Posted on 2009-04-14
Last Modified: 2013-12-04
Hello experts,
one little question.
I have an offline root CA and a sub issuing CA.
I now saw that the URLs to the revocation list in the certificate of the issuing CA point to an incorrect location.

Meaning: the locations for the .crl and .crt files used to validate the certificates against revocation are configured incorrectly in the offline root CA.
If I issue a certificate from the issuing CA for any computer, the correct paths are included, because I've changed them.

I've now also changed the paths on the offline root CA, but my issuing CA does not recognize these changes made on the root CA.
How can I force this "replication"?

If I open pkiview.msc on the issuing CA, the offline root CA is shown as offline... but with a ping on its IP address it's reachable.

thanks in advance
Question by: merowinger

Expert Comment

by: Paranormastic
ID: 24140960
You need to renew the sub CA's certificate for the new CDP from the root to propagate.  This is not a dynamic process.  You will also note that any of the certs issued from the sub CA to users/devices before updating that will have the same issue.

You can make things a little easier on yourself by reusing the same keyset since I'm assuming this is a pretty new CA installation if you have this kind of issue.

Here's the general instructions - since your root is offline you will need to just go about that the same way you did when you set up the sub CA in the first place (copy the csr file to the root).
http://technet.microsoft.com/en-us/library/cc962077.aspx

Author Comment

by: merowinger
ID: 24142441
Yeah, it's a 3-week-old installation.
No certificates for clients or users have this issue, as these certificates were issued from the sub CA with the correct CRL and CRT locations.
Is there anything I have to do with existing certificates for clients and users when using the "reuse key" option?


What I don't understand is: when I now execute these steps on the sub CA (renew certificate with the reuse key option), how does the sub CA recognize the new CRL paths which I've configured on the offline root CA... as there seems to be no connection?!?

Could you please explain step by step what to execute where? Thanks a lot, guy!!!!!

mero

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24142644
When you reuse the keys, the signature stays the same, just the certificate is updated.  No effect on the users for that.

I mentioned the user certs before because it sounded like the sub CA may have had the same problem?  The end user certs would need to be reissued to get the correct CDP from the sub CA, just like the sub CA needs to be reissued from the root CA.  However, it only affects that tier as long as the keys are the same - renewing the sub CA will not affect the user certs issued after the sub CA CDP was fixed (if I'm reading your message right).

I need to get going for the night so will keep this a little short.  You create a CSR on the sub CA, sneakernet it via floppy/flashdrive to the offline and process it there, then sneakernet the signed cert back to the sub CA.

Always best to use CA MMC - right click CAName - All Tasks - Backup CA and backup the cert database and private key before doing any of this.  A full backup including system state is nice too.  This is a pretty safe process, but just adding this in for reminder of good practice.

Here's a better link for the renewal process, this time referencing an offline root:
http://technet.microsoft.com/en-us/library/cc776691.aspx#BKMK_NOTAVAIL
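
The renewal round trip described in the accepted answer, written out as certutil/certreq commands instead of MMC clicks. This is an added example and not part of the original thread; the CA names (Contoso-Root-CA on host OFFLINEROOT, Contoso-Issuing-CA), the publication URL http://pki.contoso.com/pki/, the removable-media path E:\transfer and the request file name are assumptions, as is the exact location certutil -renewCert writes the request to when no parent CA is reachable (the MMC "Renew CA Certificate" dialog lets you choose the file, which is what the asker did):

```powershell
# Added example, not from the original thread. Names, paths and URLs below are assumptions.

# --- 1. On the OFFLINE ROOT: fix the CDP/AIA that will be stamped into certs it signs ----
# Flag 1 = write the file to this location; flag 2 = put this URL into the extension of
# issued certs. The root has no network path to the web server, so HTTP entries get 2 only.
# Tokens: %1 host name, %3 CA name, %4 CA cert index, %8 CRL suffix, %9 delta-CRL suffix.
certutil -setreg CA\CRLPublicationURLs `
    "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl`n2:http://pki.contoso.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs `
    "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt`n2:http://pki.contoso.com/pki/%1_%3%4.crt"
net stop certsvc; net start certsvc       # registry values are read when the service starts
certutil -getreg CA\CRLPublicationURLs     # confirm before signing anything with them

# --- 2. On the SUB CA: back up, then renew with the EXISTING key pair -------------------
# Same as MMC: CA name > All Tasks > Backup CA (database + private key).
certutil -backup C:\CABackup -p "<backup-password>"
# ReuseKeys keeps the key pair, so certs the sub CA already issued still chain to it.
# Assumption: the request lands in CertEnroll; if your build prompts for a file name instead,
# save it as E:\transfer\Contoso-Issuing-CA.req directly.
certutil -renewCert ReuseKeys
Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\*.req" |
    Sort-Object LastWriteTime | Select-Object -Last 1 |
    Copy-Item -Destination E:\transfer\Contoso-Issuing-CA.req   # sneakernet to the root

# --- 3. On the OFFLINE ROOT: submit, approve (standalone root leaves it pending), retrieve
$out = certreq -submit -config "OFFLINEROOT\Contoso-Root-CA" `
        E:\transfer\Contoso-Issuing-CA.req E:\transfer\Contoso-Issuing-CA.crt
$id  = [regex]::Match(($out | Out-String), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $id                                            # approve the pending request
certreq -retrieve -config "OFFLINEROOT\Contoso-Root-CA" $id E:\transfer\Contoso-Issuing-CA.crt

# --- 4. On the SUB CA: install the renewed cert and check what it now carries -----------
certutil -installCert E:\transfer\Contoso-Issuing-CA.crt
net stop certsvc; net start certsvc
certutil -ca.cert C:\transfer\subca-current.crt                  # exports the CURRENT CA cert
certutil -dump C:\transfer\subca-current.crt |
    Select-String -Pattern "CRL Distribution", "Authority Info", "URL="
```

The last two commands are the check: the URLs printed under "CRL Distribution Points" and "Authority Information Access" must be the ones you set on the root in step 1, not the old ones. The renewed certificate is what pkiview reads the root's CDP/AIA locations from, which is why the change only appears on the sub CA after this round trip.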

Author Comment

by: merowinger
ID: 24145430
OK, I've now renewed the certificate with the same key and saved the request to a file.
Imported the request on the offline root CA -> approved it -> exported it -> and imported it on the sub CA with the menu option "Install certificate".
Now in pkiview the new paths for the CRL and AIA points of the offline root CA are listed.
One final question: Should the revocation list and the CRT of the offline root CA also be published on the same path as those lists are published from the sub CA? Or shouldn't those lists be public?

Author Comment

by: merowinger
ID: 24145445
Ehm, now I have two certificates listed
<sub ca name>.(1).crt
<sub ca name>.(1).crt

Author Comment

by: merowinger
ID: 24145455
Clicked too fast :)

There are two certificates listed now in the CertEnroll folder of the sub CA and in the settings of the sub CA:
<sub ca name>.crt
<sub ca name>(1).crt

Is this correct? Shall I delete one of them?

Expert Comment

by: Paranormastic
ID: 24147470
It is normal to have the (1) after the new one.  The old one is technically still valid (so you don't need to rush to renew the old ones) but the new one will be used for new cert requests.  Keep them both.

It is common for all CA CDP and AIA locations to share a common path, although technically not required.  As long as the trusting party (end user) can reach the CDP and AIA for both that is what matters.  If you use them for external use (e.g. home users, business partners) then there should be a public link in addition to an internal link.
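
Publishing the offline root's CRL and CA certificate to the shared CDP/AIA path, and then checking reachability the way a relying party does, as an added example that is not part of the original thread. Assumed names: root CA Contoso-Root-CA on host OFFLINEROOT, web share \\WEB01\pki$ served as http://pki.contoso.com/pki/, removable media at E:\transfer; the file names follow the %1_%3%4.crt / %3%8%9.crl pattern that certutil uses by default.

```powershell
# Added example, not from the original thread. Host, share and CA names are assumptions.

# --- On the OFFLINE ROOT: issue a fresh CRL and take CRL + CA cert off the box ----------
certutil -crl                                                   # writes a new CRL to CertEnroll
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crl" E:\transfer\
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*.crt" E:\transfer\
# Note the expiry: an offline root's CRL must be re-issued and re-copied before this date,
# or every certificate below it starts failing revocation checks.
certutil -dump E:\transfer\Contoso-Root-CA.crl | Select-String "NextUpdate"

# --- On a domain member (e.g. the SUB CA), as an Enterprise Admin -----------------------
# HTTP location: the same share the sub CA publishes to, so one URL prefix serves both tiers.
Copy-Item E:\transfer\*.crl \\WEB01\pki$\
Copy-Item E:\transfer\*.crt \\WEB01\pki$\
# LDAP location: put the root into the forest's trusted-root and CDP containers in AD.
certutil -dspublish -f E:\transfer\OFFLINEROOT_Contoso-Root-CA.crt RootCA
certutil -dspublish -f E:\transfer\Contoso-Root-CA.crl

# --- Verify: fetch every CDP/AIA URL in the sub CA's chain, as a client would ------------
certutil -ca.cert C:\transfer\subca-current.crt                # current sub CA certificate
certutil -verify -urlfetch C:\transfer\subca-current.crt
# Each URL should print as "Verified"; a line about revocation status being unobtainable
# means a CRL at one of the URLs is missing, unreachable or past NextUpdate.
# Windows caches CRLs and chain results, so flush both before re-testing after a fix:
certutil -urlcache crl delete
certutil -setreg chain\ChainCacheResyncFiletime @now
```

Two things worth knowing when reading the result. First, -verify -urlfetch exercises exactly the locations pkiview reports on, so a clean run here matches green CDP/AIA entries there. Second, pkiview's "offline" for the root is its DCOM connection status to the CA service, which a workgroup root that only answers ping will never satisfy; the root's CDP and AIA rows can still show OK, and those are what relying parties depend on.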

Author Comment

by: merowinger
ID: 24147764
thank you very much!!!! =)