Incorrect CRL/AIA in Root Cert

technochic
Wonder if someone can help.  I've created a PKI infrastructure with an offline Root CA and an Enterprise Subordinate CA.  I notice from the Subordinate CA Certificate that it has a typo in the ldap URLs for both the CRL and AIA locations of the Root CA Certificate.
Consequently the PKIview.msc tool shows that the Subordinate CA is unable to download the CRL details for the Root CA.

The Subordinate CA has subsequently automatically issued certificates to my W2K3 domain controllers, so I'm not sure how to go about rectifying this.  I presume that I will have to revoke the DC certificates and subsequently the Subordinate CA certificate, but I need some guidance on the correct course of action as I'm completely new to the world of PKI and am stuck with this now!
Besides your DC where else are your certificates?  Are the certificates being used right now?
Can you take a look to see who / what the certificates were issued to?

If this was a pre-production pilot then I would follow MS technotes on removing the CA then adding it back.

I had run a Certificate server in AD for years and only had one online Enterprise CA - this was for secure ldap (ldap / ssl) access for a 3rd party product that used ldap for authentication.

I felt that the offline CA while recommended was a bit too complex for my solution.  I was the only one that managed the CA.

You can remove the certificate from a DC and reboot, it should try to get another certificate.

Mark

Author

Commented:
Hi Mark

The only certificates that have been issued are the Domain Controller ones.   This is a production setup; as the PKI is set up, we need to use EFS to encrypt data on laptops of mobile users.  The certificates that the subCA issues have the correct CRL/AIA details; it's just the subordinate CA certificate which contains the incorrect details, as there is a double quote character on the end of the URL by mistake and I didn't pick this up earlier.

I need to get away with undoing as little as possible.  Can you advise on how I can get round this problem?

Look at the first link. I would change the CRL, then remove the certs from the DCs; I had my DCs set up to automatically get certs, so if I removed a cert and rebooted the DC it would automatically request a new certificate.

Back up the certificate services database first!!!!!!!

Are you using EFS on the laptops yet?

http://technet.microsoft.com/en-us/library/cc773036%28WS.10%29.aspx
Specify certificate revocation list distribution points in issued certificates
"You can add, remove, or modify certificate revocation list distribution points (CDPs) in issued certificates by using the following procedure. However, modifying the URL for a CDP only affects newly issued certificates. Previously issued certificates will continue to reference the original location."



http://support.microsoft.com/kb/232161
Article ID: 232161 - Last Review: November 21, 2006 - Revision: 2.1
Changing the Locations of Your Certificate Revocation List (CRL) in Certificate Services 2.0


http://technet.microsoft.com/en-us/library/cc737834%28WS.10%29.aspx
Checklist: Creating a certification hierarchy with an offline root certification authority

Mark

Author

Commented:
Thanks for this.  To answer your question, no we haven't begun using EFS yet on the laptops.

As it's the Subordinate CA certificate that contains the incorrect LDAP URL for the Root CA and not the DC certs issued by the SubCA, do I need to remove the DC certs, then revoke the SubCA certificate from the root and reissue the SubCA certificate?
Paranormastic, Cryptographic Engineer

Commented:
No need for any of that.  Make the change on the root CA, restart certificate services, publish a new CRL, then renew the SUBORDINATE cert using the same keyset:
certutil -renewcert reusekeys

The DC certs and everything else will still be signed by the same keyset so no need to reissue anything else.  Make sure to copy the new sub CA cert and root CRL out to the appropriate places.

Author

Commented:
I've followed the instructions and submitted the new certificate request to the RootCA, and I've just thought I'd check the Attributes/Extensions on the Pending Request and see that my two CRL distribution points seem to be listed as one (as below).

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pki.mydomain.com/MyDomain%20RootCA.crl
               URL=ldap:///CN=MyDomain%20RootCA,CN=dove_ent1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mydomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

I've double checked the configuration on the Root CA and this seems fine so I'm not sure why the CDP details are shown in this way or what to do to put this right.  Do you have any ideas?

Paranormastic, Cryptographic Engineer

Commented:
That's normal, to have them all under [1] for the CDP.  The AIA locations should be listed [1] and [2], but for some reason the CRL doesn't.  I haven't seen a good explanation as to why that is.

As long as the http and ldap paths actually exist you're set.

Author

Commented:
Thanks.  I've published the rootCA CRL and the new SubCA certificate, but the following error is being recorded in the event viewer on the SubCA:

Certificate Services could not publish a Base CRL for key 0 to the following location on server servername.MyDomain.local: ldap:///MyDomain IssuingCA,CN=dove_ent2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local.  The object name has bad syntax. 0x8007208f (WIN32: 8335).
ldap: 0x22: 0000208F: NameErr: DSID-031001B3, problem 2006 (BAD_NAME), data 8350, best match of:
      'MyDomain IssuingCA,CN=dove_ent2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local'


Also, if I try and publish the CRL to the LDAP location manually, I get the following error:

C:\WINDOWS\system32\certsrv\CertEnroll>certutil -dspublish -f "MyDomain IssuingCA.crl"
ldap:///MyDomain IssuingCA,CN=dove_ent2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

ldap: 0x40: 0000209E: UpdErr: DSID-030502AC, problem 6001 (NAME_VIOLATION), data 0

CertUtil: -dsPublish command FAILED: 0x8007209e (WIN32: 8350)
CertUtil: The directory service encountered an error parsing a name.

I've checked the LDAP CRL location in ADSIEdit.msc and it does exist.  In PKIview.msc the LDAP CRL location has a red cross on it for the SubCA and says it's unable to download the CRL.

As the location exists in AD, I'm not sure why I'm getting these errors when I try to publish the CRL there automatically or manually.

If you have any ideas on what might be wrong, I would be very very grateful....

Paranormastic, Cryptographic Engineer
Commented:
There is something wrong with your name in your real entry - double check where your quotes are when submitting, trailing spaces, double spaces, etc.

Here's an old article as a reference, but the information is good enough to point in the right direction if it isn't dead on.
http://support.microsoft.com/kb/296871
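An added check, not code from the thread: a small Python lint for the CDP URL strings a Windows CA is configured with (the list behind certutil -setreg CA\CRLPublicationURLs), run over URLs constructed from the two broken ones above. It flags the stray trailing double quote from the first post and the LDAP DN whose first component has no "CN=" (the BAD_NAME / NAME_VIOLATION errors), which is the kind of mistake the previous comment suggests looking for before the CA is reconfigured. The sample URLs, the RDN regex and the container check are this example's assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample CDP URLs: the first two reproduce the thread's faults
# (trailing double quote; DN starting with a bare name instead of CN=...),
# the third is a clean http location.
SAMPLE_CDP_URLS = [
    "ldap:///CN=MyDomain%20RootCA,CN=dove_ent1,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=mydomain,DC=local"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint\"",
    "ldap:///MyDomain IssuingCA,CN=dove_ent2,CN=CDP,CN=Public Key Services,"
    "CN=Services,CN=Configuration,DC=MyDomain,DC=local"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://pki.mydomain.com/MyDomain%20RootCA.crl",
]

# One RDN must look like attributeType=value (assumption: no escaped "\," in values).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
# AD publishes CA CRLs under this container; an LDAP CDP DN should sit inside it.
CDP_CONTAINER = "cn=cdp,cn=public key services,cn=services,cn=configuration"


def lint_cdp_url(url: str) -> list[str]:
    """Return the problems found in one CRL distribution point URL ([] = clean)."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    if url.strip()[:1] == '"' or url.strip()[-1:] == '"':
        problems.append("stray double quote")          # the typo in the sub CA cert
    if "  " in url:
        problems.append("double space")
    clean = url.strip().strip('"')
    scheme = clean.split(":", 1)[0].lower()
    if scheme in ("http", "https"):
        if not clean.lower().endswith(".crl"):
            problems.append("http CDP does not point at a .crl file")
    elif scheme == "ldap":
        # Expected form: ldap:///<DN>?certificateRevocationList?base?<filter>
        parts = clean[len("ldap:///"):].split("?")
        if len(parts) != 4 or parts[1] != "certificateRevocationList" or parts[2] != "base":
            problems.append("ldap URL must be DN?certificateRevocationList?base?filter")
        dn = unquote(parts[0])
        for rdn in dn.split(","):
            if not RDN_RE.match(rdn.strip()):   # this is what AD reports as BAD_NAME
                problems.append(f"RDN without attribute type: {rdn.strip()!r}")
        if CDP_CONTAINER not in dn.lower():
            problems.append("DN is not under the AD CDP container")
    else:
        problems.append(f"unexpected scheme {scheme!r}")
    return problems


def lint_all(urls=SAMPLE_CDP_URLS) -> dict[str, list[str]]:
    """Lint every configured URL; keys with a non-empty list need fixing before publishing."""
    return {u: lint_cdp_url(u) for u in urls}
```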
