Windows 2008 Certificate Services

itnifl (asker):

Trying to set up Windows 2008 Certificate Services with 2 servers in same domain. I install a standalone root CA server on a domain member, and Enterprise Issuing CA on the DC. I then generate a request with the Enterprise issuing CA, that is imported by the standalone root CA. The standalone root CA then issues the certificate, and stores it on a shared folder. The Enterprise issuing CA installs the issued certificate, but gets the error message that the revocation server can't be contacted and the certification chain is broken. See the attached picture.

Any tips?
Can't get up the subordinate Enterprise Issuing CA because of this error.
(attachment: error.bmp)
Paranormastic:

You need to open up the properties of the root CA and go to the Extensions tab and fill out the CDP and AIA locations.  Normally these are http: links (not https) and maybe an LDAP.  Then you need to publish a CRL (revoked certs folder - right click - all tasks - publish) and copy from the system32\certsrv\certenroll folder to each of the CDP locations.  If you add new CDP locations then you will need to revoke the sub CA cert and issue a new one - since you didn't install it you can use the same CSR file.  At least one CDP location needs to be accessible from the sub CA.

Repeat for the AIA only copy the root's server cert to these locations.

Alternatively, you can also view the properties of the sub CA cert (not the root) on the details tab and look for the CRL Distribution Point and Authority Information Access - these will be a little more human readable than the %1 format that you will find in the CA entries by default.

Make sure you do the same with your sub CA when it comes to issuing certs from it.
Also make sure that you imported the root cert into the sub CAs trusted root certificate store...
itnifl (asker):
I am pretty new to this all. And this all makes limited sense to me. It would be easier if you divided the text into numbered bits, and explain it as if you were writing to a person with limited knowledge of CA.
I imported the cert via right-clicking on the name of the issuing CA in the certification authority, chose install CA certificate and the location where the certificate was. If that imports the cert into the sub CA's root certificate store or not, is unknown to me.
ASKER CERTIFIED SOLUTION
Paranormastic:
Normally for the CRL stuff, I set up a script and run it as a scheduled task.
1. Open CA MMC
2. Expand CAName
3. Select Revoked Certificates
4. Take note of the CRL publication interval - adjust if desired.  Root can be longer, up to a year for offline CAs - since this is online I suggest going for 3 months max, sub CA shouldn't be longer than a month - for higher volume CAs I suggest a week or less.

So you will want to publish your CRL ahead of time to give yourself some overlap, so that if you have problems you have extra time to troubleshoot instead of a few hours.  Some day you will thank me for this.  My two suggestions are either 1/2 the validity period or one month before publication.

So for the root, if configured for 3 month validity period, issue every 2 months.
For the sub CA, if configured for 1 month, issue every 2 weeks (or first and third Tuesday of each month).

1. Create a new .bat on root CA:
REM Publish a new base CRL into %systemroot%\system32\certsrv\certenroll
certutil -crl
REM Drop any stale Z: mapping (error ignored if none exists), then map the sub CA's certenroll share
net use z: /delete 2>nul
net use z: \\share\to\subCA\certenroll
REM *.cr* copies both the .crl files and the root's .crt (the AIA file)
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete
REM If root and sub CA AIA & CDPs are the same location, done.  If different, map again to each CDP and AIA location and copy to each.

2. Create a new .bat file on sub CA:
REM Publish a new base CRL for the sub CA
certutil -crl
REM Drop any stale Z: mapping, then map the CDP share
net use z: /delete 2>nul
net use z: \\share\for\CDP
REM Copies the sub CA's .crl and .crt, plus the root's files that script 1 dropped here
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete

3. On the sub CA only create a 2nd .bat for issuing delta CRL:
REM Publish a delta CRL (changes since the last base CRL)
certutil -crl delta
net use z: /delete 2>nul
net use z: \\share\for\CDP
copy %systemroot%\system32\certsrv\certenroll\*.cr* z:
net use z: /delete

4. Configure scheduled task to run the first batch file according to the timeline determined above.

5. Configure another scheduled task to run the delta batch file daily or every few hours.  The delta CRL is like a differential CRL - it includes all the updates since last base CRL and is much smaller - if it is not published your PKI will not fail like it will if base isn't published.

Note the *.cr* will copy the .crl files and .crt files - so someday when you reissue your CA certs in a few years you can just run that script and be set if the CDP and AIA are in the same base locations.  The root will copy to the sub CA, the sub CA will copy its own and the roots stuff out.


Lastly - backup your CA.

1. GUI method - do this first time on each CA.  Open CA MMC
2. Right click CAName - All Tasks - Backup CA
3. Follow the wizard, select boxes for include private key and Ca database, do not do incremental.
4. Copy the saved files to a flash drive and keep it in a static bag and locked up.  Whenever you reissue the CA certificates, update this flash drive.  Good idea to have 2 and have one offsite.

Now make a full system backup, including system state.  Do this regularly - the root you can do less frequently since all it issues is the sub CA cert.

For regular backup of the CA database on the sub CA, create another scheduled task:
REM <BackupFolder> is a placeholder for the destination folder (the original read %path%, which cmd expands to the PATH environment variable)
certutil -backupdb <BackupFolder>


Lastly, create an outlook calendar reminder to remind you to renew the CA certificates.  Open each cert to determine its validity period, renew the CA cert about a year before it expires.

You should be good to go with the basics now.
You will also want to deploy your root cert to your workstation and server boxes via GPO:
http://technet.microsoft.com/en-us/library/cc738131.aspx

For those that are not connected to AD (e.g. external partners, employees working from home) refer to the steps that you used to import the root cert into the sub CA.

In the same area of GPO, you can also set up various autoenrollment settings and such.  You will also need to configure autoenrollment on the templates too.

To create a new template:
1. Open Certificate Templates MMC
2. Locate a similar template - right click - duplicate
3. Configure as desired.
*note: you need to wait for next AD replication cycle for template changes to occur

Issue a template to a CA:
*Note: requires Enterprise edition OS set up as an Enterprise CA (root or sub CA)
1. Open CA MMC
2. Expand CAName
3. Right click Certificate Templates - New - Certificate Template to Issue...
4. Select template
*note: you need to wait for next AD replication cycle for template to become available on CA

To remove a template from a CA:
1. Open CA MMC
2. Expand CAName
3. Right click Certificate Templates
4. Select template and right click - Delete
*note: deleting a template in CA MMC will only remove it from being issued to the CA, it will still exist in AD to issue again.
*note: to delete a template from AD, remove from CA first, then open Cert Templates MMC and delete it there.

Tools to get familiar with over time:
1. Certutil.exe - native to OS after XP
2. Certreq.exe - native to OS after XP
3. MMC snap-ins: Certificates (certmgr.msc), Certification Authority (certsrv.msc), Certificate Templates (certtmpl.msc), PKI Health Tool (2003) / Enterprise PKI (2008) (pkiview.msc - for 2003 is in the resource kit, 2008 its native)
4. OpenSSL - free open source software that comes in very handy for a number of things when you can't figure out a good way to do it with Windows native tools.
Windows download version here:
http://gnuwin32.sourceforge.net/packages/openssl.htm
Documentation here:
http://www.openssl.org/docs/

If you ever plan to do EFS (encrypted file system) you must take time to really understand it. Period.  There are a lot of caveats.  You can search my previous posts for some help there, and read this:
http://technet.microsoft.com/en-us/library/cc162806.aspx
EFS is good for individual file encryption.  If you are looking for whole-disk encryption (e.g. for laptops), then consider something else like BitLocker (Vista) or some other products like WinMagic or TrueCrypt.  Again, read up on the product so you understand how to recover.

Also a side note for DC certs (Domain controller Authentication and Directory Email Replication) - these are normally good for 1 year and will renew 6 weeks ahead of time.  After a DC renews its cert, you must reboot the DC before the old one expires so it stops using the older cert from cache.

If you get event ID 13 from DC autorenewal, you may need to add the DC group for each domain to the CERTSRV_DCOM_ACCESS group - this is a local group on the sub CA box unless you installed the CA on a DC, then it is an AD group.  Hopefully you didn't install on a DC as that is a bad thing down the road.
itnifl (asker):
This is all good information, but I only get to the point where I have installed the certification in the sub CA, and the sub CA tells me that the certification chain can not be verified and that the revocation server is offline. Looks like the files for the CDP and AIA are where they are specified, but can't say I fully understand these options.
itnifl (asker):
Seems like my certEnroll files were not in the path of the AIA and CDP locations, like I thought. So your comprehensive guide/solution was correct.

If the sub CA tells you that the revocation server is offline, then your root CRL is not where it needs to be (the CDP locations) - or your sub CA cannot access any of the CDP locations to access the CRL.  This is normally a TCP port 80 call (regular http: traffic) to a web server.  If you have the CA in a DMZ, etc. where it cannot access other sites, you may need to add another CDP to the root for a local file path and then copy the root CRL to that location on the sub CA.
(would need to re-issue the sub CA cert for it to be updated with the new CDP from the root...)
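The publish-and-copy batch files in the accepted answer and the "revocation server offline" check in the last reply, combined into one added PowerShell example. This is my code, not a script from the thread or from Microsoft. It publishes the base or delta CRL with certutil, copies the CRL and CA certificate to each CDP/AIA share, then fetches every CRL back over HTTP the way the sub CA would and confirms the overlap the answer recommends (NextUpdate still ahead of the next scheduled run). The share paths, the base URL and the run interval are assumed values; certutil.exe and the CertEnroll path are the real ones the thread already names.

```powershell
# Added example, not code from the thread. Run it on the CA as the scheduled
# task; run only step 3 on the sub CA to reproduce what it sees when it says
# "revocation server offline". Written for PowerShell 2.0 (what Windows Server
# 2008 ships), so it uses certutil.exe and System.Net.WebClient rather than
# newer cmdlets. Hypothetical values: $copyTargets, $checkUrls, $IntervalDays.
param(
    [switch]$Delta,              # publish a delta CRL instead of a base CRL
    [int]$IntervalDays = 14      # how often this task runs (assumed: sub CA, 1-month CRL, every 2 weeks)
)
$ErrorActionPreference = 'Stop'
$certEnroll  = Join-Path $env:SystemRoot 'System32\certsrv\CertEnroll'
$copyTargets = @('\\web01\pki$', '\\subca01\certenroll')     # assumed CDP/AIA shares
$checkUrls   = @('http://pki.example.local/pki/')            # assumed HTTP CDP/AIA base URL

# Parse the NextUpdate field out of certutil's dump of a CRL file.
function Get-CrlNextUpdate([string]$CrlPath) {
    $line = certutil.exe -dump $CrlPath | Select-String 'NextUpdate:' | Select-Object -First 1
    if (-not $line) { throw "No NextUpdate line found in $CrlPath" }
    return [datetime]::Parse(($line.Line -replace '^.*NextUpdate:\s*', ''))
}

# 1. Publish: the same 'certutil -crl' / 'certutil -crl delta' the batch files use.
if ($Delta) { & certutil.exe -crl delta | Out-Null } else { & certutil.exe -crl | Out-Null }
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit code $LASTEXITCODE)" }

# 2. Copy: *.cr* picks up the .crl files and the CA's .crt (the file the AIA points at).
foreach ($target in $copyTargets) {
    Copy-Item -Path (Join-Path $certEnroll '*.cr*') -Destination $target -Force
    Write-Host "Copied CertEnroll\*.cr* to $target"
}

# 3. Verify from the relying party's point of view: fetch each CRL over plain
#    HTTP (port 80, as the last reply notes) and check the publishing overlap.
$nextRun = (Get-Date).AddDays($IntervalDays)
$web     = New-Object System.Net.WebClient
$ok      = $true
foreach ($crl in Get-ChildItem -Path $certEnroll -Filter '*.crl') {
    foreach ($base in $checkUrls) {
        $url = $base + $crl.Name      # requested unencoded, as CryptoAPI does
        $tmp = Join-Path $env:TEMP $crl.Name
        try {
            $web.DownloadFile($url, $tmp)
        } catch {
            # A failure here is exactly the condition behind "revocation server offline".
            Write-Warning "Could not fetch $url : $($_.Exception.Message)"
            $ok = $false
            continue
        }
        $nextUpdate = Get-CrlNextUpdate $tmp
        if ($nextUpdate -lt $nextRun) {
            Write-Warning "$url expires $nextUpdate, before the next run on $nextRun; shorten the interval or lengthen the CRL validity"
            $ok = $false
        } else {
            Write-Host "OK: $url valid until $nextUpdate"
        }
    }
}
if (-not $ok) { exit 1 }
```

Schedule it with the base interval and again with -Delta at the shorter delta interval. The delta CRL's file name contains a "+", so the IIS site serving the CDP needs request filtering set to allow double escaping or step 3 will report a 404 for the delta file even though the copy succeeded; the non-zero exit code lets the scheduled task show the failure instead of silently leaving a CRL on the web server that expires before the next run.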