Windows 2008 Certificate Services

Trying to set up Windows 2008 Certificate Services with 2 servers in the same domain. I install a standalone root CA on a domain member, and an Enterprise Issuing CA on the DC. I then generate a request with the Enterprise Issuing CA, which is imported by the standalone root CA. The standalone root CA then issues the certificate and stores it on a shared folder. The Enterprise Issuing CA installs the issued certificate, but gets the error message that the revocation server can't be contacted and the certification chain is broken. See the attached picture.

Any tips?
Can't get the subordinate Enterprise Issuing CA up because of this error.

Paranormastic (Cryptographic Engineer) commented:
You need to open the properties of the root CA, go to the Extensions tab and fill out the CDP and AIA locations.  Normally these are http: links (not https) and maybe an LDAP.  Then you need to publish a CRL (Revoked Certificates folder - right click - All Tasks - Publish) and copy from the system32\certsrv\certenroll folder to each of the CDP locations.  If you add new CDP locations then you will need to revoke the sub CA cert and issue a new one - since you didn't install it you can use the same CSR file.  At least one CDP location needs to be accessible from the sub CA.

Repeat for the AIA only copy the root's server cert to these locations.

Alternatively, you can also view the properties of the sub CA cert (not the root) on the details tab and look for the CRL Distribution Point and Authority Information Access - these will be a little more human readable than the %1 format that you will find in the CA entries by default.

Make sure you do the same with your sub CA when it comes to issuing certs from it.
Paranormastic (Cryptographic Engineer) commented:
Also make sure that you imported the root cert into the sub CAs trusted root certificate store...
itnifl (Author) commented:
I am pretty new to all this, and it all makes limited sense to me. It would be easier if you divided the text into numbered bits and explained it as if you were writing to a person with limited knowledge of CAs.
I imported the cert by right-clicking on the name of the issuing CA in the Certification Authority snap-in, choosing Install CA Certificate and the location where the certificate was. Whether that imports the cert into the sub CA's root certificate store or not is unknown to me.

Paranormastic (Cryptographic Engineer) commented:
Sounds like you already have issued the root CA cert, created the cert request for the sub CA and issued the cert for the sub CA from that root - if not, let me know and I will give more info.

Import root ca cert to sub CA:
1. Copy root CA cert to subordinate CA
2. Right click cert - Install Certificate
3. Follow the wizard using defaults.
4. Open Certificates MMC snapin
5. Open Trusted Root Certification Authorities store
6. Verify your root cert is listed here
7. If not in root store, install cert again, this time choosing to manually select the store, browse, checkmark box for 'Show physical stores' and select the "Trusted Root Certification Authorities" store and finish the wizard.  Check certs MMC again.

Determine CRL Distribution Points (CDP):
1. Doubleclick the Sub CA cert to open it up
2. Select Details tab
3. Highlight CRL Distribution Points
4. Take note of each listing in the white box in the bottom half of the window.
5. Open %systemroot%\system32\certsrv\certenroll directory on root
6. Copy *.crl to each of the CDP locations from #4 - you will need to figure out what servers/folders to copy to.
7. If there is an LDAP link, if the root is joined to domain do this from the root, otherwise copy the CRL to any domain joined box (workstation or server) that has certutil.exe installed (present in 2003/Vista/2008, need to install from 2003 adminpak for XP).  Run command 'certutil -dsPublish %filepath%\%CRLFile%'

Copy cert to Authority Information Access (AIA):
1. Doubleclick the Sub CA cert to open it up
2. Select Details tab
3. Highlight Authority Information Access
4. Take note of each listing in the white box in the bottom half of the window.
5. Open %systemroot%\system32\certsrv\certenroll directory on root
6. Copy *.crt to each of the AIA locations from #4 - you will need to figure out what servers/folders to copy to.
7. If there is an LDAP link, if the root is joined to domain do this from the root, otherwise copy the cert to any domain joined box (workstation or server) that has certutil.exe installed (present in 2003/Vista/2008, need to install from 2003 adminpak for XP).  Run command 'certutil -dsPublish "%filepath%\%RootCertName%.crt" RootCA'

*Note: if none of these locations are publicly accessible for the AIA and CDP, you may want to consider adding this now before you get too far.  If this applies, let me know and I can give instructions for that as well.

Install sub CA cert:
1. Copy issued certificate from root to sub.
2. Run command 'certutil -installcert %path%\%subcacertfile.crt%'
3. net start certsvc
4. Open Certificate Authorities MMC
5. If it opens up without warning, you're good.

Enable SAN:
SAN (Subject Alternative Name) allows for multiple names in the same cert.  This is nice so you can include the hostname, dns name, and ip address in the same cert so you can troubleshoot issues and still connect securely.  There are also some situations that using a SAN makes life a lot easier.
*Note: A quirk of SAN certs is that the subject name needs to be entered as one of the SAN values as well, otherwise it will usually not get recognized.  Also note that not all apps support SANs, but most do.  If you use RDP gateway, make sure you are running current version RDP 6.1 to support SAN - this was included in last SP for each OS.
On the sub CA:
1. Open cmd and enter following commands exactly:
2. certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
3. net stop certsvc
4. net start certsvc

Repeat for sub CA to publish CRL and sub CA cert to CDP and AIA locations.
1. Open Issued Certificates folder
2. See if there are any certs that autoenrolled yet.  If not, issue a test cert to view its details to find the CDP and AIA.
3. Repeat above steps.

To issue a cert manually:
1. For direct request, skip to #4.  For an offline request (common for certs that you wish to authorize and process manually - common for web server certs, EFS DRA certs, code signing certs) - Create the Certificate Signing Request (CSR) file from the requesting server.  How to do this in IIS is well documented - note the difference between IIS6 and IIS7, so search your version.
2. Verify the CSR file isn't corrupt - 'certutil -dump %CSRfile.csr% | more' - you should see the CN=servername.domain.local there.  If it comes out all looking like hex, then it is corrupt.  If it is nested fields then it is fine.
3. Open the CSR file in notepad

4. Go to the http://CAServerName/certsrv web page - note you need ASP enabled for this
5. Choose first option to request, then either 1st option for a user to issue their own cert without a CSR, or 2nd option to use the CSR file.
5a. For direct request (1st option/1st option) fill out the form and issue cert, make sure to install at the end.
5b. For offline request (1st option / 2nd option) - copy entire text from CSR in Notepad (from ---begin cert-- to ---end cert--- including those lines) and paste into the first large box, select your template, if you wish to add a SAN use the attribute field.  SAN:DNS=""&DNS="server1"&DNS="alias"&ipaddress=""&email="I use the email field for notes for renewals - will show up in san as RFC822 and doesn't affect anything"
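The error in the question ("revocation server can't be contacted") means the CA service could not fetch the root CRL from any CDP in the sub CA's certificate. The script below is an added example, not code from the thread or from Microsoft: it pulls every CDP and AIA URL out of the issued sub CA certificate (the same text the Details tab shows in the steps above), tests the HTTP ones, and then hands the certificate to certutil for the authoritative chain build. The certificate path is an assumption.

```powershell
# Added example (not part of the original thread): enumerate the CDP/AIA URLs
# in the issued sub CA certificate, test the HTTP ones, then let CryptoAPI
# build the chain with URL fetching the way the CA service does at startup.
# Assumption: the certificate the root CA issued for the sub CA is saved here.
$CertPath = 'C:\Temp\SubCA.crt'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Extension OIDs: CRL Distribution Points and Authority Information Access
$wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

# WebClient works on PowerShell 2.0 (Windows Server 2008); disable caching so
# a stale proxy copy cannot mask a missing file.
$wc = New-Object System.Net.WebClient
$wc.CachePolicy = New-Object System.Net.Cache.RequestCachePolicy 'NoCacheNoStore'

foreach ($ext in $cert.Extensions) {
    if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
    $kind = $wanted[$ext.Oid.Value]
    # Format($true) returns the same multi-line text the certificate dialog's
    # Details tab shows, one "URL=..." entry per location.
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        if ($url -match '^http://') {
            try {
                $bytes = $wc.DownloadData($url)
                "{0} OK   {1} ({2} bytes)" -f $kind, $url, $bytes.Length
            } catch {
                "{0} FAIL {1} : {2}" -f $kind, $url, $_.Exception.GetBaseException().Message
            }
        } else {
            # ldap:/// and file:// locations are exercised by certutil below
            "{0} SKIP {1}" -f $kind, $url
        }
    }
}

# Authoritative check: certutil fetches every CDP and AIA URL and prints the
# revocation status per chain element; "Revocation check failed" or
# "offline" here is the same condition the CA snap-in reports.
certutil -verify -urlfetch $CertPath
```

Run it on the sub CA itself, as the account the CA service runs under if that differs from your own, because a UNC or file:// CDP that you can read may still be unreadable to the service. Note that the URLs checked come from the issued certificate, not from the root CA's current Extensions tab: if you add or change a CDP on the root after issuing, the sub CA certificate has to be re-issued before the new location is used.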

Paranormastic (Cryptographic Engineer) commented:
Normally for the CRL stuff, I set up a script and run it as a scheduled task.
1. Open CA MMC
2. Expand CAName
3. Select Revoked Certificates
4. Take note of the CRL publication interval - adjust if desired.  Root can be longer, up to a year for offline CAs - since this is online I suggest going for 3 months max, sub CA shouldn't be longer than a month - for higher volume CAs I suggest a week or less.

So you will want to publish your CRL ahead of time to give yourself some overlap in case you have problems you have extra time to troubleshoot instead of a few hours.  Some day you will thank me for this.  My two suggestions are either 1/2 the validity period or one month before publication.

So for the root, if configured for 3 month validity period, issue every 2 months.
For the sub CA, if configured for 1 month, issue every 2 weeks (or first and third Tuesday of each month).

1. Create a new .bat on root CA:
certutil -crl
net use z: /delete
net use z: \\share\to\subCA\certenroll
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete
REM If root and sub CA AIA & CDPs are the same location, done.  If different, map again to each CDP and AIA location and copy to each.

2. Create a new .bat file on sub CA:
certutil -crl
net use z: /delete
net use z: \\share\for\CDP
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete

4. On the sub CA only create a 2nd .bat for issuing delta CRL:
certutil -crl delta
net use z: /delete
net use z: \\share\for\CDP
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete

5. Configure scheduled task to run the first batch file according to the timeline determined above.

6. Configure another scheduled task to run the delta batch file daily or every few hours.  The delta CRL is like a differential CRL - it includes all the updates since last base CRL and is much smaller - if it is not published your PKI will not fail like it will if base isn't published.

Note the *.cr* will copy the .crl files and .crt files - so someday when you reissue your CA certs in a few years you can just run that script and be set if the CDP and AIA are in the same base locations.  The root will copy to the sub CA, the sub CA will copy its own and the roots stuff out.

Lastly - backup your CA.

1. GUI method - do this first time on each CA.  Open CA MMC
2. Right click CAName - All Tasks - Backup CA
3. Follow the wizard, select boxes for include private key and CA database, do not do incremental.
4. Copy the saved files to a flash drive and keep it in a static bag and locked up.  Whenever you reissue the CA certificates, update this flash drive.  Good idea to have 2 and keep one offsite.

Now make a full system backup, including system state.  Do this regularly - the root you can do less frequently since all it issues is the sub CA cert.

For regular backup of the CA database on the sub CA, create another scheduled task:
certutil -backupdb %path%

Lastly, create an outlook calendar reminder to remind you to renew the CA certificates.  Open each cert to determine its validity period, renew the CA cert about a year before it expires.

You should be good to go with the basics now.
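The batch files above copy the CertEnroll folder out but never confirm that the copy landed where the CDP/AIA URLs point, which is exactly what went wrong for the asker. The script below is an added example written for this page, not code from the thread: it publishes the base or delta CRL, copies the .crl and .crt files to each share while checking hashes, downloads each CRL from the HTTP base URL the way a relying party would and compares it with the freshly published copy, and prints the This Update / Next Update window so the task interval can be checked against it. Share paths and URLs are placeholders.

```powershell
# Added example (not from the original thread): publish a CRL, copy CertEnroll
# to every CDP/AIA share, and verify the copy through the URLs clients use.
# Assumptions: the share paths and HTTP base URLs below; adjust to your CDP/AIA.
param(
    [switch]$Delta,
    [string[]]$Shares = @('\\web01\CertEnroll', '\\web02\CertEnroll'),   # assumed file shares behind the CDP/AIA
    [string[]]$Urls   = @('http://pki.example.local/CertEnroll')         # assumed HTTP base URL(s) in the CDP/AIA
)

$enroll = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'

# 1. Publish. "certutil -crl" publishes a new base CRL; "certutil -crl delta"
#    publishes only a new delta (the file name carries a trailing "+").
$out = if ($Delta) { certutil -crl delta } else { certutil -crl }
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed: $out" }

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([byte[]]$bytes) {
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}
function Get-FileSha256([string]$path) { Get-Sha256Hex ([IO.File]::ReadAllBytes($path)) }

# 2. Copy *.crl and *.crt to every share and verify each copy by hash rather
#    than trusting the exit code of copy.
$files = Get-ChildItem "$enroll\*" -Include *.crl, *.crt
foreach ($share in $Shares) {
    foreach ($f in $files) {
        $dest = Join-Path $share $f.Name
        Copy-Item $f.FullName $dest -Force
        if ((Get-FileSha256 $f.FullName) -ne (Get-FileSha256 $dest)) {
            throw "Copy of $($f.Name) to $share does not match the source"
        }
        "Copied $($f.Name) -> $share"
    }
}

# 3. Fetch each CRL over HTTP exactly as a relying party would (no caching)
#    and compare with what was just published: OK, STALE or FAIL.
$wc = New-Object System.Net.WebClient
$wc.CachePolicy = New-Object System.Net.Cache.RequestCachePolicy 'NoCacheNoStore'
foreach ($base in $Urls) {
    foreach ($f in ($files | Where-Object { $_.Extension -eq '.crl' })) {
        $url = "$base/$($f.Name)"
        try {
            $remote = Get-Sha256Hex ($wc.DownloadData($url))
            if ($remote -eq (Get-FileSha256 $f.FullName)) { "OK    $url" }
            else { "STALE $url (web server still serves an older CRL)" }
        } catch {
            "FAIL  $url : $($_.Exception.GetBaseException().Message)"
        }
    }
}

# 4. Show the validity window of each published CRL so the scheduled task
#    interval can be checked against Next Update.
Get-ChildItem $enroll -Filter *.crl | ForEach-Object {
    $dump = certutil -dump $_.FullName
    "$($_.Name): " + (($dump | Select-String 'This ?Update|Next ?Update') -join '; ')
}
```

Two points worth knowing when you wire this into a scheduled task. First, the CA has a built-in overlap setting (certutil -getreg CA\CRLOverlapPeriod and CA\CRLOverlapUnits, with delta equivalents) that extends Next Update past the next scheduled publish, so a publish that is a day late does not immediately invalidate the chain; combining that with the early-publish schedule above is the belt-and-braces approach. Second, delta CRL file names contain a "+", and IIS 7 request filtering rejects that character in a URL unless allowDoubleEscaping is enabled on the CertEnroll virtual directory; the STALE/FAIL line for the delta file in step 3 is how you notice.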
Paranormastic (Cryptographic Engineer) commented:
You will also want to deploy your root cert to your workstation and server boxes via GPO:

For those that are not connected to AD (e.g. external partners, employees working from home) refer to the steps that you used to import the root cert into the sub CA.

In the same area of GPO, you can also set up various autoenrollment settings and such.  You will also need to configure autoenrollment on the templates too.

To create a new template:
1. Open Certificate Templates MMC
2. Locate a similar template - right click - duplicate
3. Configure as desired.
*note: you need to wait for the next AD replication cycle for template changes to take effect

Issue a template to a CA:
*Note: requires Enterprise edition OS set up as an Enterprise CA (root or sub CA)
1. Open CA MMC
2. Expand CAName
3. Right click Certificate Templates - New - Certificate Template to Issue...
4. Select template
*note: you need to wait for the next AD replication cycle for the template to become available on the CA

To remove a template from a CA:
1. Open CA MMC
2. Expand CAName
3. Right click Certificate Templates
4. Select template and right click - Delete
*note: deleting a template in CA MMC will only remove it from being issued to the CA, it will still exist in AD to issue again.
*note: to delete a template from AD, remove from CA first, then open Cert Templates MMC and delete it there.
Paranormastic (Cryptographic Engineer) commented:
Tools to get familiar with over time:
1. Certutil.exe - native to OS after XP
2. Certreq.exe - native to OS after XP
3. MMC snap-ins: Certificates (certmgr.msc), Certification Authority (certsrv.msc), Certificate Templates (certtmpl.msc), PKI Health Tool (2003) / Enterprise PKI (2008) (pkiview.msc - for 2003 is in the resource kit, 2008 its native)
4. OpenSSL - free open source software that comes in very handy for a number of things when you can't figure out a good way to do it with Windows native tools.
Windows download version here:
Documentation here:

If you ever plan to do EFS (encrypted file system) you must take time to really understand it. Period.  There are a lot of caveats.  You can search my previous posts for some help there, and read this:
EFS is good for individual file encryption.  If you are looking for whole-disk encryption (e.g. for laptops), then consider something else like BitLocker (Vista) or some other products like WinMagic or TrueCrypt.  Again, read up on the product so you understand how to recover.

Also a side note for DC certs (Domain controller Authentication and Directory Email Replication) - these are normally good for 1 year and will renew 6 weeks ahead of time.  After a DC renews its cert, you must reboot the DC before the old one expires so it stops using the older cert from cache.

If you get event ID 13 from DC autorenewal, you may need to add the DC group for each domain to the CERTSRV_DCOM_ACCESS group - this is a local group on the sub CA box unless you installed the CA on a DC, then it is an AD group.  Hopefully you didn't install on a DC as that is a bad thing down the road.
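The last three comments describe settings that are easy to set once and forget: the root trust pushed by GPO, the templates a CA issues, the EDITF_ATTRIBUTESUBJECTALTNAME2 flag from the "Enable SAN" steps earlier in the thread, and the DCOM access group behind event ID 13. The script below is an added example for this page, not code from the thread: it checks each of these on the sub CA and, in particular, flags the SAN flag. One caveat the thread does not mention: with EDITF_ATTRIBUTESUBJECTALTNAME2 set on an enterprise CA, anyone allowed to enroll for any issued template can pass a san: attribute naming any UPN or DNS name, so Microsoft's own guidance is to leave it off enterprise CAs and instead use a template whose subject is "Supply in the request" where a SAN is needed. The thumbprint and CA config string are assumptions.

```powershell
# Added example (not from the original thread): post-deployment checks on the sub CA.
# Assumptions: the root CA thumbprint and the "host\CA name" config string below.
$RootThumbprint = '0000000000000000000000000000000000000000'   # assumed SHA-1 thumbprint of the root cert
$CAConfig       = 'subca01.example.local\Example Issuing CA'  # assumed CA config string

# 1. Is the root trusted on this machine (via GPO or the manual import steps)?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint }
if ($root) { "Root trusted: $($root.Subject) (expires $($root.NotAfter))" }
else       { "WARNING: root cert not in LocalMachine\Root; check the GPO or import it" }

# 2. Which templates does this CA issue? Mirrors the Certificate Templates
#    folder in the CA snap-in; a template missing here is either not issued
#    or still waiting on AD replication.
certutil -config $CAConfig -CATemplates

# 3. EDITF_ATTRIBUTESUBJECTALTNAME2 lets any enrollee append arbitrary SAN
#    values (DNS names, UPNs) to a request for any issued template. On an
#    enterprise CA that is an impersonation path; prefer a template with
#    "Supply in the request" and keep this flag off.
$flags = certutil -getreg policy\EditFlags
if ($flags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    "WARNING: EDITF_ATTRIBUTESUBJECTALTNAME2 is set on this CA"
    "  to clear it: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 ; net stop certsvc ; net start certsvc"
} else {
    "OK: EDITF_ATTRIBUTESUBJECTALTNAME2 is not set"
}

# 4. DCOM access for autoenrollment (the event ID 13 symptom). On Windows
#    Server 2008 the local group is named "Certificate Service DCOM Access";
#    each domain's Domain Controllers and Domain Computers groups need to be members.
net localgroup "Certificate Service DCOM Access"
```

Run it after every template change and after each CA certificate renewal; step 1 is also the quickest way to confirm on a workstation that the GPO-delivered root trust has actually arrived.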
itnifl (Author) commented:
This is all good information, but I only get to the point where I have installed the certificate in the sub CA, and the sub CA tells me that the certification chain cannot be verified and that the revocation server is offline. Looks like the files for the CDP and AIA are where they are specified, but I can't say I fully understand these options.
itnifl (Author) commented:
Seems like my certEnroll files were not in the path of the AIA and CDP locations, like I thought. So your comprehensive guide/solution was correct.
Paranormastic (Cryptographic Engineer) commented:
If the sub CA tells you that the revocation server is offline, then your root CRL is not where it needs to be (the CDP locations) - or your sub CA cannot access any of the CDP locations to access the CRL.  This is normally a TCP port 80 call (regular http: traffic) to a web server.  If you have the CA in a DMZ, etc. where it cannot access other sites, you may need to add another CDP to the root for a local file path and then copy the root CRL to that location on the sub CA.
Paranormastic (Cryptographic Engineer) commented:
(would need to re-issue the sub CA cert for it to be updated with the new CDP from the root...)