Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1632
  • Last Modified:

Microsoft PKI - Incorrect CDP's

Hello experts,
one little question.
I've a  offline root ca and an sub issuing CA.
I now saw, that the URL's to the revocation list in the certificate of the issuning CA points to an incorrect location.

Means: The locations for the .crl and .crt files to validate the certificates against revocation are configured incorrect in the offline root ca.
If i issue an certificate from the issung ca for any computer, the correct paths are included, cause i've changed them.

I've now also changed the paths on the offline root ca, but my issung ca does not recognice these changes made on the root ca.
How can i force this "replication"?

If i i open pkiview.msc on the issung ca, the offline root ca is shown as offline...but with ping on it's ip address it's reachable.

thanks in advance
0
merowinger
Asked:
merowinger
  • 5
  • 3
1 Solution
 
ParanormasticCryptographic EngineerCommented:
You need to renew the sub CA's certificate for the new CDP from the root to propagate.  This is not a dynamic process.  You will also note that any of the certs issued from the sub CA to users/devices before updating that will have the same issue.

You can make things a little easier on yourself by reusing the same keyset since I'm assuming this is a pretty new CA installation if you have this kind of issue.

Here's the general instructions - since your root is offline you will need to just go about that the same way you did when you set up the sub CA in the first place (copy the csr file to the root).
http://technet.microsoft.com/en-us/library/cc962077.aspx
0
 
merowingerAuthor Commented:
Yeah it's a 3 weeks old installation.
No certificates for clients or users have this issue, as this certificates were issued from the sub ca with the correct crl and crt locations.
Is there any i've to do with existing certificates for clients and users when using the "reuse key option"?


What i not understand is when i now execute this steps on the sub ca (renew certificate with reuse key option) how does the sub ca recognize the new crl paths which i've configured on the offline root ca ... as there seems to be no connection?!?

Could you please explain step by step what do execute were? Thanks a lot guy!!!!!

mero
0
 
ParanormasticCryptographic EngineerCommented:
When you reuse the keys, the signature stays the same, just the certificate is updated.  No affect to the users for that.

I mentioned the user certs before due to it sounded like the sub CA may have had the same problem?  The end user certs would need to be reissued to get teh correct CDP from the sub CA, just like the sub CA needs to be reissued from the root CA.  However, it only affects that tier as long as the keys are the same - renewing the sub CA will not affect the user certs issued after the sub CA CDP was fixed (if I'm reading you message right).

I need to get going for the night so will keep this a little short.  You create a CSR on the sub CA, sneakernet it via floppy/flashdrive to the offline and process it there, then sneakernet the signed cert back to the sub CA.

Always best to use CA MMC - right click CAName - All Tasks - Backup CA and backup the cert database and private key before doing any of this.  A full backup including system state is nice too.  This is a pretty safe process, but just adding this in for reminder of good practice.

Here's a better link for the renewal process, this time referencing an offline root:
http://technet.microsoft.com/en-us/library/cc776691.aspx#BKMK_NOTAVAIL
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
merowingerAuthor Commented:
Ok i've now renewed the certificate with the same key, saved the request to a file.
Imported the request on the offline root ca -> Approved it -> Exported it -> And imported it on the sub ca with the menu option install certificate.
Now in pkiview there are listed the new paths for the crl and aia points of the offline root ca.
One final question: Should the revocation list and the crt list of the offline root ca also be published on the same path as those lists are published from the sub ca? Or shouldn't those list be public?
0
 
merowingerAuthor Commented:
eeehm now i have two certificates listed
<sub ca name>.(1).crt
<sub ca name>.(1).crt
0
 
merowingerAuthor Commented:
clicked too fast :)

there are two certificates listed now in the certenroll folder of the sub ca and in the settings of the sub ca
<sub ca name>.crt
<sub ca name>(1).crt

Is ihis correct? Shell i delete some of them?
0
 
ParanormasticCryptographic EngineerCommented:
It is normal to have the (1) after the new one.  The old one is technically still valid (so you don't need to rush to renew the old ones) but the new one will be used for new cert requests.  Keep them both.

It is common for all CA CDP and AIA locations to share a common path, although technically not required.  As long as the trusting party (end user) can reach the CDP and AIA for both that is what matters.  If you use them for external use (e.g. home users, business partners) then there should be a public link in addition to an internal link.
0
 
merowingerAuthor Commented:
thank you very much!!!! =)
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now