Solved

Big...Certificate Services issues

Posted on 2011-03-25
Last Modified: 2012-05-11
I'll try to make a long story short, and readily I'll admit I did some stupid stuff here...

A few years ago I stood up a new Windows 2008 DC in an existing 2k3 R2 domain. From memory, I dcpromo'd it without issue, backed up the existing root CA info and exported the keys. Installed AD CS on that server, imported the root info and from what I remember everything was cool.
About 4 months later I took one of the existing two Win2k3 DCs and demoted it, disjoined it from the domain. Another 4-6 months later I stood up a new 2k8 DC, except this time it was an R2 box, and moved all of the FSMO roles as well as AD CS to it. Then again, 4-6 months later, I demoted and disjoined the last 2k3 DC.

Fast forward to now, 4 days ago I upgraded that first 2k8 DC to R2 (first verifying that none of the FSMO roles were on it), and I've been in the process of watching the event logs since then. Oh BTW the upgrade completed successfully.

So the current issue is that I do not believe I backed up or exported the original Root CA info correctly, because in my normal checking this morning I happened to actually click on the "Enterprise PKI" role module in Server Manager and was greeted by a red X. Now I will be totally honest in that I have been working on this for the past 3 hours so far... with a LARGE helping of Google. Prior to what you see here, there was initially:
2 CA Certificates, both OK
2 AIA locations, both unable to download
3 CDP Locations, 2 unable to download
2 CRL Locations, 1 unable to download

(DISCLAIMER, the real stupidity starts here)

In the properties of the Root CA itself, under Extensions-AIA there were 2 entries that were apparently invalid, both of which were "http", so I removed the longer of the two which began with something like <serverName>. The other was "http://1st 2k8 servername/ocsp"; I changed it to "http://current_2k8r2_server/ocsp", restarted the CA services, then rechecked, but that AIA location was still unable to download. So I removed it totally.

Now, managing the AD Containers under Enterprise PKI, I noticed that there were 2 NTAuthCertificates. I checked the Valid From dates and removed the oldest one. What I thought was odd at the time was that both of the existing NTAuthCerts were initially created in 2008, and they both had a "CRL Distribution Point" pointing to the old 2k3 DC. I wasn't sure what to think about that so I left it alone.

So then I proceeded to remove entries under the AIA Container, CDP Container and Certificate Authorities Container that referenced back to the older of the two Root CA certs.

After restarting the services again... I still have a red X for my Enterprise PKI, but now I'm left with the image attached.

So I thought, "Ok, I'll just remove all the Role Services except for Certification Authority, and reinstall them." I probably don't have to say that that did not work either. So now I'm stuck... I do not know if I should change that CRL Distribution Point, revoke the original root CA cert, or what really.

Now, we do not use PKI for domain authentication, user or computer encryption, nor email signing. I held off on uninstalling CA as a whole just because I am not sure what services or other roles/features depend upon it, such as Domain Controller or Exchange certs. And what's more, I don't want cert-related messages appearing on users' screens during the middle of the day. I've tried looking up methods of reinstalling CA and I've found some guides and outlines, but nothing that really explains the caveats or risks in an established domain.
[Image attached: current Ent PKI]
Question by:Ben Hart
 
LVL 7

Accepted Solution

by:
CGretski earned 500 total points
ID: 35293587
Disclaimer: I've not used 2k8's CA, but with the exception of OCSP the behaviour should be similar.

It might be easiest to uninstall & reinstall certificate services. If all the AIA/CDP locations are inoperable then your domain isn't able to communicate with the CA anyway - unless there are any LDAP AIA/CDP or OCSP locations set.
Reinstalling with a new CA certificate will allow anything that uses a certificate to transition over to the newly installed working CA; eventually any certificates issued by the defunct CA will expire.

Don't revoke the original root: on the off-chance something is able to check certificate validity, that will break any issued certificates. Only revoke the root if you've had a security breach and lost ownership of the root.

Updating the AIA/CDP locations within certificate services will not immediately fix anything, as those properties are recorded into certificates as they are issued - the change will not update previously issued certificates.

If you are reinstalling the CA anyway you might want to look at a stand-alone root CA, with a subordinate enterprise CA.  It makes it easier to secure the root CA  (it can be a machine that's off-line), and in the event you do have a repeat issue with the enterprise CA you can just create a new one - because it is signed by the root that everyone already trusts the transition should be seamless.
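The point above, that AIA/CDP URLs are recorded into each certificate at issue time, means the damage from a retired CDP host lives in the issued certificates, not only in the CA's settings. The following added example (not from the thread or from Microsoft) inventories a certificate store, lists the embedded AIA/CDP URLs, counts those that name a retired host and runs an online revocation check; `$StorePath` and `$RetiredHosts` are assumptions the operator fills in.

```powershell
# Added example: list the AIA/CDP URLs baked into each issued certificate and flag
# those pointing at retired hosts or failing an online revocation check.
# Assumes a domain member with read access to $StorePath; $RetiredHosts is the
# operator's list of decommissioned CA/DC host names (constructed, not from the thread).
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string[]]$RetiredHosts = @()
)

function Get-ExtensionUrls {
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." entry per location
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) { $m.Groups[1].Value }
}

function Test-Revocation {
    param($Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # actually fetch CRL/OCSP now
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    if ($chain.Build($Cert)) { return 'OK' }
    # RevocationStatusUnknown / OfflineRevocation mean a CDP or OCSP location could not be reached
    ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}

Get-ChildItem $StorePath | ForEach-Object {
    $cert = $_
    $aia = @(Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1')   # Authority Information Access
    $cdp = @(Get-ExtensionUrls $cert '2.5.29.31')           # CRL Distribution Points
    $stale = @($aia + $cdp | Where-Object {
        $url = $_
        $RetiredHosts | Where-Object { $url -match [regex]::Escape($_) }
    })
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        AIA        = $aia -join '; '
        CDP        = $cdp -join '; '
        StaleUrls  = $stale.Count
        Revocation = Test-Revocation $cert
    }
} | Format-List
```

Certificates reporting RevocationStatusUnknown or OfflineRevocation, or a non-zero StaleUrls count, are the ones that will keep failing until they expire or are reissued by a CA whose locations are reachable.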
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 0 total points
ID: 35296922
Thanks Gretski... I had assumed after 5 days of no responses that I had probably screwed the pooch good this time. I took a semi-in-depth inventory around here yesterday, and since we do not use smart card logins, or authentication of any active type using certificates... I had decided to just remove/reinstall the CA like you're suggesting above. It is scary thinking about it, especially since this CA had been in place a few years before my hiring here, and I believe it was originally created on a Win2k DC. I had thought about the possibility of losing newer features importing it into a new OS twice now.

I am going to export a backup of the entire CA, and the system state of this DC, just to make sure. Now, since you're the most educated person I've been able to speak with about CAs in general... are there any caveats that you know of in enabling autoenrollment for machines and users? We still do not currently, nor have future plans on, using a domain-issued cert for authentication, but since that plan can change at any given time I'd like to be ready for whatever comes our way, provided it's not detrimental to have it enabled before then.
 
LVL 7

Expert Comment

by:CGretski
ID: 35299024
I'm not sure if it is still the case, but on 2k3 you needed enterprise edition to make new certificate templates, which is a prerequisite for user autoenrollment.
Machine enrollment is controlled by policy.

If you're autoenrolling to a lot of people make sure that you set request handling to "enroll subject without requiring any user input" - or you'll get a lot of support calls the next morning.

Make sure your AIA/CDP/OCSP locations are set before you begin issuing certificates, otherwise you'll not be able to revoke them.
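A preflight for the advice just given, so the CA's configured locations are verified before any certificate carries them: this added example (not from the thread) reads the CA's own CDP and AIA entries with the ADCSAdministration module cmdlets that ship with Windows Server 2012 and later, and checks that every host that will be written into new certificates still resolves. It assumes it runs on the CA itself; `$RetiredHosts` is an operator-supplied list of decommissioned hosts.

```powershell
# Added example: verify the CA's configured AIA/CDP/OCSP locations before issuing.
# Assumes the ADCSAdministration module (Windows Server 2012+) on the CA itself.
# $RetiredHosts is constructed by the operator, not taken from the thread.
param([string[]]$RetiredHosts = @())

Import-Module ADCSAdministration

function Get-UrlHost {
    param([string]$Uri)
    # ldap:/// entries and local file paths have no host; CA tokens such as %1 mean "this CA"
    if ($Uri -match '^(https?|ldap)://([^/]+)/') { return $Matches[2] }
    return $null
}

function Test-PublishedLocation {
    param([string]$Uri, [string]$Kind)
    $h = Get-UrlHost $Uri
    $state = if (-not $h)                       { 'no host (local path or ldap:///)' }
             elseif ($h -like '%*')             { 'CA variable (this CA)' }
             elseif ($RetiredHosts -contains $h) { 'RETIRED HOST' }
             elseif (Resolve-DnsName $h -ErrorAction SilentlyContinue) { 'resolves' }
             else                               { 'DOES NOT RESOLVE' }
    [pscustomobject]@{ Kind = $Kind; Uri = $Uri; HostName = $h; State = $state }
}

# Only entries that are written into issued certificates matter for this check
$cdp = Get-CACrlDistributionPoint |
       Where-Object { $_.AddToCertificateCdp } |
       ForEach-Object { Test-PublishedLocation $_.Uri 'CDP' }
$aia = Get-CAAuthorityInformationAccess |
       Where-Object { $_.AddToCertificateAia -or $_.AddToCertificateOcsp } |
       ForEach-Object {
           $kind = if ($_.AddToCertificateOcsp) { 'OCSP' } else { 'AIA' }
           Test-PublishedLocation $_.Uri $kind
       }

$cdp + $aia | Format-Table -AutoSize
```

Any row in state RETIRED HOST or DOES NOT RESOLVE should be removed or corrected in the CA's Extensions tab before the first certificate is issued, since issued certificates cannot be updated afterwards.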
 
LVL 14

Author Comment

by:Ben Hart
ID: 35318538
I have had no users report issues involving certificates, so I think I'm good now. As the previous DC has been gone for 4 years now I honestly cannot remember if it was Enterprise or not, but I do have users and machines auto-enrolling now, so I might have lucked out on the reinstalling of CE.

Thanks guys!
 
LVL 14

Author Closing Comment

by:Ben Hart
ID: 35357018
I'm accepting mine and his responses because, while his advice didn't result in the resolution of my issues... he did offer his help. He must get something for that.