Solved

Microsoft PKI - Incorrect CDP's

Posted on 2009-04-14
8
1,594 Views
Last Modified: 2013-12-04
Hello experts,
one little question.
I've a  offline root ca and an sub issuing CA.
I now saw, that the URL's to the revocation list in the certificate of the issuning CA points to an incorrect location.

Means: The locations for the .crl and .crt files to validate the certificates against revocation are configured incorrect in the offline root ca.
If i issue an certificate from the issung ca for any computer, the correct paths are included, cause i've changed them.

I've now also changed the paths on the offline root ca, but my issung ca does not recognice these changes made on the root ca.
How can i force this "replication"?

If i i open pkiview.msc on the issung ca, the offline root ca is shown as offline...but with ping on it's ip address it's reachable.

thanks in advance
0
Comment
Question by:merowinger
  • 5
  • 3
8 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24140960
You need to renew the sub CA's certificate for the new CDP from the root to propagate.  This is not a dynamic process.  You will also note that any of the certs issued from the sub CA to users/devices before updating that will have the same issue.

You can make things a little easier on yourself by reusing the same keyset since I'm assuming this is a pretty new CA installation if you have this kind of issue.

Here's the general instructions - since your root is offline you will need to just go about that the same way you did when you set up the sub CA in the first place (copy the csr file to the root).
http://technet.microsoft.com/en-us/library/cc962077.aspx
0
 
LVL 31

Author Comment

by:merowinger
ID: 24142441
Yeah it's a 3 weeks old installation.
No certificates for clients or users have this issue, as this certificates were issued from the sub ca with the correct crl and crt locations.
Is there any i've to do with existing certificates for clients and users when using the "reuse key option"?


What i not understand is when i now execute this steps on the sub ca (renew certificate with reuse key option) how does the sub ca recognize the new crl paths which i've configured on the offline root ca ... as there seems to be no connection?!?

Could you please explain step by step what do execute were? Thanks a lot guy!!!!!

mero
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24142644
When you reuse the keys, the signature stays the same, just the certificate is updated.  No affect to the users for that.

I mentioned the user certs before due to it sounded like the sub CA may have had the same problem?  The end user certs would need to be reissued to get teh correct CDP from the sub CA, just like the sub CA needs to be reissued from the root CA.  However, it only affects that tier as long as the keys are the same - renewing the sub CA will not affect the user certs issued after the sub CA CDP was fixed (if I'm reading you message right).

I need to get going for the night so will keep this a little short.  You create a CSR on the sub CA, sneakernet it via floppy/flashdrive to the offline and process it there, then sneakernet the signed cert back to the sub CA.

Always best to use CA MMC - right click CAName - All Tasks - Backup CA and backup the cert database and private key before doing any of this.  A full backup including system state is nice too.  This is a pretty safe process, but just adding this in for reminder of good practice.

Here's a better link for the renewal process, this time referencing an offline root:
http://technet.microsoft.com/en-us/library/cc776691.aspx#BKMK_NOTAVAIL
0
 
LVL 31

Author Comment

by:merowinger
ID: 24145430
Ok i've now renewed the certificate with the same key, saved the request to a file.
Imported the request on the offline root ca -> Approved it -> Exported it -> And imported it on the sub ca with the menu option install certificate.
Now in pkiview there are listed the new paths for the crl and aia points of the offline root ca.
One final question: Should the revocation list and the crt list of the offline root ca also be published on the same path as those lists are published from the sub ca? Or shouldn't those list be public?
0
Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

 
LVL 31

Author Comment

by:merowinger
ID: 24145445
eeehm now i have two certificates listed
<sub ca name>.(1).crt
<sub ca name>.(1).crt
0
 
LVL 31

Author Comment

by:merowinger
ID: 24145455
clicked too fast :)

there are two certificates listed now in the certenroll folder of the sub ca and in the settings of the sub ca
<sub ca name>.crt
<sub ca name>(1).crt

Is ihis correct? Shell i delete some of them?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24147470
It is normal to have the (1) after the new one.  The old one is technically still valid (so you don't need to rush to renew the old ones) but the new one will be used for new cert requests.  Keep them both.

It is common for all CA CDP and AIA locations to share a common path, although technically not required.  As long as the trusting party (end user) can reach the CDP and AIA for both that is what matters.  If you use them for external use (e.g. home users, business partners) then there should be a public link in addition to an internal link.
0
 
LVL 31

Author Comment

by:merowinger
ID: 24147764
thank you very much!!!! =)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now