Solved

Certificate Revocation List not working

Posted on 2013-01-27
10
1,333 Views
Last Modified: 2013-02-20
Hi,

I have recently set up a Microsoft certificate authority server to issue certificates for mobile devices.

My setup is an offline enterprise root CA that is on the domain and a sub CA that is on the domain. I am able to issue certificates and they are then published in Active Directory and I can use the certificate on my iPhone to receive email, but I am unable to revoke it effectively.

I have revoked a number of certificates on the sub CA and they have gone into the revoked section; clicking on their properties shows that they are revoked, but looking on one of the 4 domain controllers shows that the certificates are still listed in the x.509 section of the user's properties and they are still valid.
The certificate is also installed on a client PC and the PC is still classing the certificate as valid; my iPhone also still receives emails using this same certificate.

It looks like the CRL list on the Sub CA is not being looked at by the domain controllers. All client Certificates are issued by the sub CA. This was setup a few days ago and I have already tried to publish the CRL from the Sub CA.

Is there something I have missed when setting this up?
Any help will be appreciated as I cannot issue more certificates until I have found a way to revoke them.

Josh
Question by:Joshwright100
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38824176
IIS automatically obtains a new CRL only when the cached one's validity period has passed. You can check the validity period of a CRL by looking at its properties.
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824228
IIS is not installed on the Root CA or the domain controller... Does this matter ?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38824401
Your sub CA certificates should include the Certificate Distribution Point (CDP).

The CRL automatic download is fully dependent on the fact that a CDP in the certificate is available. This means that if a certificate does not contain a CDP then no download of a CRL is possible.

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.

see the following MS KB:
http://support.microsoft.com/kb/289749 for FAQs on CRL and CDP needs

http://support.microsoft.com/kb/318707 for FAQs on how to publish CRLs
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824942
Thank you for your help,

This is the listed CDP:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is there any way of checking that this path exists in the domain?
I have run the command Certutil -urlcache CRL on one domain controller and this path is not listed, just the default Microsoft ones. However, this object is listed on some of the domain controllers; is this my problem?

This is on the second DC:

C:\Users\administrator>certutil -urlcache crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

WinHttp Cache entries: 6

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>

The 3rd Domain Controller has no additional entries.

This is the 4th domain controller which looks right:


C:\Users\administrator>certutil -urlcache crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

ldap:///CN=Example%20Enterprise%20Root,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

WinHttp Cache entries: 7

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>



I have just noticed that I made some changes to remove some errors on my server and then reissued a certificate a day later on the 4th domain controller. Could these changes be the reason that the CRL was not published to the other domain controllers the first time around?
Do all domain controllers have to have the same CRLs to pick up the changes?

Is it going to cause a problem if I reissue the certificates to the domain controllers? This is a live environment.

Thank you so much for your help!
0
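Two of the questions in the post above can be answered from a script rather than by reading certutil output on each DC by hand: which CDP an issued certificate actually carries (Ugo's point about the CRL Distribution Points field), and whether the Sub CA's cRLDistributionPoint object has replicated to every domain controller and what validity period each published copy has. The following PowerShell is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine, a hypothetical certificate file path passed as $CertPath, and English-language certutil output (the ThisUpdate/NextUpdate labels are matched as text).

```powershell
# Added example (not from this thread).
# (a) Show the CRL Distribution Points extension of an issued certificate.
# (b) Query every DC directly for the cRLDistributionPoint objects under
#     CN=CDP,CN=Public Key Services and decode each published CRL's dates,
#     so replication gaps like the ones in the certutil -urlcache output show up.
Import-Module ActiveDirectory

# (a) OID 2.5.29.31 is the CRL Distribution Points extension. $CertPath is a
#     hypothetical path to an exported certificate (.cer) issued by the Sub CA.
function Get-CertCdp {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) {
        Write-Warning "No CDP extension: clients have nowhere to fetch a CRL for this certificate"
        return
    }
    $ext.Format($true)   # same text the certificate's Details tab shows
}

# Decode a DER-encoded CRL blob read from AD with certutil and return its
# ThisUpdate / NextUpdate lines. Assumption: English certutil output; adjust
# the regex for other locales.
function Get-CrlUpdateDates {
    param([byte[]]$Der)
    if (-not $Der) { return '(none published)' }
    $tmp = [IO.Path]::GetTempFileName()
    try {
        [IO.File]::WriteAllBytes($tmp, $Der)
        $lines = certutil.exe -dump $tmp | Select-String 'ThisUpdate|NextUpdate'
        ($lines | ForEach-Object { $_.Line.Trim() }) -join '; '
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# (b) One row per CDP object per DC. Each DC is queried with -Server so the
#     result reflects that DC's replica, not whichever DC the client picked.
function Test-CdpReplication {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $cdpBase  = "CN=CDP,CN=Public Key Services,CN=Services,$configNc"

    foreach ($dc in Get-ADDomainController -Filter *) {
        $objs = Get-ADObject -Server $dc.HostName -SearchBase $cdpBase `
                    -Filter 'objectClass -eq "cRLDistributionPoint"' `
                    -Properties certificateRevocationList, deltaRevocationList, whenChanged
        foreach ($o in $objs) {
            [pscustomobject]@{
                DC        = $dc.HostName
                CdpObject = $o.DistinguishedName
                Changed   = $o.whenChanged
                BaseCrl   = Get-CrlUpdateDates $o.certificateRevocationList
                DeltaCrl  = Get-CrlUpdateDates $o.deltaRevocationList
            }
        }
    }
}

# Usage (paths are hypothetical):
# Get-CertCdp -CertPath 'C:\temp\user.cer'
# Test-CdpReplication | Sort-Object CdpObject, DC | Format-Table -AutoSize
```

A DC on which the Sub CA's object is missing, or carries an older whenChanged and NextUpdate than the others, has not received the published CRL yet; that matches the "this object is listed on some of the domain controllers" observation. On the client side, certutil -urlcache * delete clears the cached CRLs (the forced refresh Ugo describes) and certutil -verify -urlfetch user.cer then re-fetches from the CDP and reports whether the certificate is revoked.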
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824999
Will manually installing the CRLs on each domain controller fix my issue? Or could this make things worse?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834699
It turns out that there is another CA that had been installed years ago and we think that that is affecting where Active Directory is looking for the CRL.

Does anyone know how to clean up this mess?
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
ID: 38835681
This appears to be the correct CDP for your sub CA that is on the domain:

URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is this distribution point an address that can be reached by clients externally?

In order to update the CRL from the CDP, your client computers need access to the CDP. So you need to configure a virtual directory to allow for directory browsing. To do this, use one of the following methods:

    - Modify the current CertEnroll directory in IIS to allow for directory browsing.
    - Create a new virtual directory that points to the same physical directory. For example, create %SystemRoot%\System32\Certsrv\CertEnroll.
    - Publish the virtual directory with an address that is configured in Certificate Services and that can be reached externally.

Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period"; essentially an expiration date.

While you cannot force the cached CRL to update, you can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL will still have the same validity period.

When the CRL expires, the CRL is renewed. IIS will use the CRL until it expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour.

IIS retrieves a CRL only if one of the following conditions is true:

    - The CRL of the certificate is not contained in the IIS cache.
    - The effective date of the CRL in the IIS cache has passed.

If an effective CRL cannot be obtained, or the CRL is obtained and the certificate is revoked, you should receive the following error message in both scenarios:

    HTTP 403.13 Forbidden: Client certificate revoked
    The page requires a valid client certificate

However, since you are not getting an error on the client and are still experiencing the following symptoms:

    - You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
    - You revoke a certificate and republish the CRL. However, IIS still lets users locate a Web site by using the revoked certificate.

I would assume that the CRL's effective date is still valid and the CDP is not externally available.
0
 
LVL 1

Accepted Solution

by:
Joshwright100 earned 0 total points
ID: 38892998
Thank you for your help it seems that this issue is because of another root CA installed in the domain.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38893462
No worries. Glad that you were able to get it sorted out.
0
 
LVL 1

Author Closing Comment

by:Joshwright100
ID: 38908669
It turns out this is an issue with another Root CA installed which I was not aware of. Thank you for your help.
0
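The thread closes on a forgotten CA that had been installed years earlier and was still registered in the domain. A CA leaves objects behind in several containers under CN=Public Key Services in the configuration partition, and those objects are what clients consult when they build chains and look for CRLs. The following PowerShell is an added, read-only inventory of those containers, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine.

```powershell
# Added example (not from this thread): list every CA certificate that Active
# Directory publishes, with the container it lives in, so a CA nobody
# remembers installing can be identified before it is cleaned up.
Import-Module ActiveDirectory

# AD returns a single-valued binary attribute as one byte[] and a multi-valued
# one as a collection of byte[]; normalise both to a list of blobs.
function Get-BlobList {
    param($Value)
    if ($Value -is [byte[]]) { return ,$Value }
    return @($Value | Where-Object { $_ })
}

function ConvertTo-CaSummary {
    param([byte[]]$Der, [string]$Container, [string]$ObjectName, [string]$DnsHost, $Created)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Der)
    [pscustomobject]@{
        Container  = $Container
        Object     = $ObjectName
        Host       = $DnsHost          # only pKIEnrollmentService objects carry dNSHostName
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        Created    = $Created
    }
}

function Get-AdPkiInventory {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pks      = "CN=Public Key Services,CN=Services,$configNc"

    # Enrollment Services       : pKIEnrollmentService objects; clients use them to find a CA to enrol with
    # Certification Authorities : root CA certs pushed into every domain member's Trusted Root store
    # AIA                       : CA certs used for chain building
    foreach ($name in 'Enrollment Services', 'Certification Authorities', 'AIA') {
        $objs = Get-ADObject -SearchBase "CN=$name,$pks" -SearchScope OneLevel -Filter * `
                    -Properties cACertificate, dNSHostName, whenCreated
        foreach ($o in $objs) {
            foreach ($der in Get-BlobList $o.cACertificate) {
                ConvertTo-CaSummary -Der $der -Container $name -ObjectName $o.Name `
                    -DnsHost $o.dNSHostName -Created $o.whenCreated
            }
        }
    }

    # NTAuthCertificates: CAs whose certificates are accepted for smart-card and
    # other certificate-based logons; a stale CA here is worth removing.
    $ntauth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate, whenChanged
    foreach ($der in Get-BlobList $ntauth.cACertificate) {
        ConvertTo-CaSummary -Der $der -Container 'NTAuthCertificates' -ObjectName $ntauth.Name `
            -Created $ntauth.whenChanged
    }
}

# Usage: compare the output against the CAs you actually operate.
# Get-AdPkiInventory | Sort-Object Container, Subject | Format-Table -AutoSize
```

The same CA legitimately shows up in more than one container (its thumbprint will repeat), so group by Thumbprint. An Enrollment Services entry whose Host no longer exists, or a Subject you do not recognise, is the leftover CA; the supported way to remove such entries is the Enterprise PKI snap-in (pkiview.msc), Manage AD Containers, which edits exactly these containers.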
