Joshwright100
asked on
Certificate Revocation List not working
Hi,
I have recently setup a microsoft certificate authority server to issue certificates for mobile devices.
My setup is an offline enterprise root CA that is on the domain and a sub CA that is on the domain. I am able to issue certificates and they are then published in Active Directory and I can use the certificate on my iPhone to receive email, but I am unable to revoke it effectively.
I have revoked a number of certificates on the sub CA and they have gone into the revoked section; clicking on their properties shows that they are revoked, but looking on one of the 4 domain controllers shows that the certificates are still listed in the x.509 section of the user's properties and they are still valid.
The certificate is also installed on a client PC and the PC is still classing the certificate as valid; my iPhone also still receives emails using this same certificate.
It looks like the CRL list on the Sub CA is not being looked at by the domain controllers. All client Certificates are issued by the sub CA. This was setup a few days ago and I have already tried to publish the CRL from the Sub CA.
Is there something I have missed when setting this up?
Any help will be appreciated as I cannot issue more certificates until I have found a way to revoke them.
Josh
IIS automatically obtains a new CRL only when the cached one's validity period has passed. You can check the validity period of a CRL by looking at its properties.
ASKER
IIS is not installed on the Root CA or the domain controller... Does this matter ?
Your sub CA certificates should include the Certificate Distribution Point (CDP).
The CRL automatic download is fully dependent on the fact that a CDP in the certificate is available. This means that if a certificate does not contain a CDP then no download of a CRL is possible.
A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.
see the following MS KB:
http://support.microsoft.com/kb/289749 for FAQs on CRL and CDP needs
http://support.microsoft.com/kb/318707 for FAQs on how to publish CRLs
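The two points made in the replies above (a client reuses its cached CRL until that CRL's validity period ends, and CRL download depends entirely on a CDP the client can reach) can both be verified from a domain-joined machine. The following PowerShell script is an added example and not code from this thread. It assumes the certificate under test has been exported to C:\temp\user.cer (a hypothetical path), that the machine can reach the HTTP and LDAP CDPs listed in it, and that certutil.exe is present (it ships with Windows). It reads the CDP extension, fetches the CRL from each CDP, prints ThisUpdate, NextUpdate and the CRL number, reports whether the certificate's serial number appears in that CRL, and finally clears the URL cache and runs certutil -verify -urlfetch, which exercises the same CryptoAPI revocation logic the client PC uses.

```powershell
# Added example, not code from the original thread.
# Checks where a certificate tells clients to fetch its CRL, what those CRLs
# currently contain, and whether CryptoAPI considers the certificate revoked.
# Assumptions (hypothetical): the certificate is exported to C:\temp\user.cer,
# the LDAP CDP is reachable from this domain-joined machine, and the caller
# can read the CN=CDP container in the Configuration partition.

$CertPath = 'C:\temp\user.cer'   # hypothetical path to the issued certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the id-ce-cRLDistributionPoints extension.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning 'Certificate has no CDP extension; no client can download a CRL for it.'
    return
}
# .NET has no typed decoder for this extension; the formatted text carries
# one "URL=..." token per distribution point.
$cdpUrls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
           ForEach-Object { $_.Groups[1].Value }

function Get-CrlFile {
    # Downloads the CRL behind one CDP URL into a temp file and returns the path.
    param([string]$Url)
    $out = Join-Path $env:TEMP ('cdp-{0}.crl' -f [guid]::NewGuid())
    if ($Url -like 'http*') {
        Invoke-WebRequest -Uri $Url -OutFile $out -UseBasicParsing
    }
    elseif ($Url -like 'ldap:///*') {
        # Shape: ldap:///<DN>?<attribute>?base?objectClass=cRLDistributionPoint
        $parts = ($Url -replace '^ldap:///', '') -split '\?'
        $dn    = [uri]::UnescapeDataString($parts[0])
        $attr  = $parts[1]   # certificateRevocationList or deltaRevocationList
        # Serverless bind: the DC that answers is the one a client would use too.
        $entry = [adsi]"LDAP://$dn"
        $bytes = $entry.Properties[$attr].Value   # throws if the object does not exist
        if (-not $bytes) { throw "CDP object $dn exists but holds no $attr value" }
        [System.IO.File]::WriteAllBytes($out, [byte[]]$bytes)
    }
    else { throw "Unsupported CDP scheme: $Url" }
    return $out
}

foreach ($url in $cdpUrls) {
    Write-Host "`nCDP: $url"
    try {
        $crl  = Get-CrlFile -Url $url
        $dump = certutil -dump $crl          # decodes DER or base64 CRL files
        $dump | Select-String 'ThisUpdate|NextUpdate|CRL Number|Delta CRL' |
                ForEach-Object { Write-Host ('  ' + $_.Line.Trim()) }
        # Revoked serials appear in the dump as hex; -Quiet gives a boolean.
        if ($dump | Select-String -Quiet $cert.SerialNumber) {
            Write-Host "  serial $($cert.SerialNumber) IS listed in this CRL"
        } else {
            Write-Host "  serial $($cert.SerialNumber) is NOT listed in this CRL"
        }
        Remove-Item $crl -ErrorAction SilentlyContinue
    }
    catch {
        Write-Warning "  could not retrieve CRL: $($_.Exception.Message)"
    }
}

# The authoritative test: let CryptoAPI build the chain and fetch CRLs from the
# CDPs itself. Clear the per-user URL cache first so a cached CRL that is still
# inside its validity window does not mask a fresh revocation.
certutil -urlcache * delete | Out-Null
certutil -verify -urlfetch $CertPath
```

Run it on the machine that is wrongly treating the certificate as valid. If the LDAP fetch fails with a "no such object" error, the cRLDistributionPoint object the certificate points at does not exist under CN=CDP on the DC that answered, which is exactly the "does this path exist in the domain" question. If the CRL downloads but the serial is absent, the CA has not published since the revocation. If the serial is present but NextUpdate of the cached copy is still in the future, clients will keep using their cached CRL until then unless the cache is cleared as the last step does.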
ASKER
Thank you for your help,
This is the listed CDP:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Is there any way of checking that this path exists in the domain?
I have run the command Certutil -urlcache CRL on one domain controller and this path is not listed, just the default Microsoft ones; however, this object is listed on some of the domain controllers. Is this my problem?
This is on the second DC:
C:\Users\administrator>certutil -urlcache crl
ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
WinHttp Cache entries: 6
CertUtil: -URLCache command completed successfully.
C:\Users\administrator>
The 3rd Domain Controller has no additional entries.
This is the 4th domain controller which looks right:
C:\Users\administrator>certutil -urlcache crl
ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://crl.microsoft.com/pki/crl/products/CSPCA.crl
http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl
ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
ldap:///CN=Example%20Enterprise%20Root,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
WinHttp Cache entries: 7
CertUtil: -URLCache command completed successfully.
C:\Users\administrator>
I have just noticed that I made some changes to remove some errors on my server and then reissued a certificate a day later on the 4th domain controller. Could these changes be the reason that the CRL was not published to the other domain controllers the first time around?
Do all domain controllers have to have the same CRLs to pick up the changes?
Is it going to cause a problem if I reissue the certificates to the domain controllers? This is a live environment.
Thank you so much for your help!
ASKER
Will manually installing the CRLs on each domain controller fix my issue? Or could this make things worse?
ASKER
It turns out that there is another CA that had been installed years ago, and we think that that is affecting where Active Directory is looking for the CRL.
Does anyone know how to clean up this mess?
no worries. Glad that you were able to get it sorted out.
ASKER
It turns out this is an issue with another Root CA installed which I was not aware of. Thank you for your help.