Solved

Certificate Revocation List not working

Posted on 2013-01-27
Last Modified: 2013-02-20
Hi,

I have recently set up a Microsoft certificate authority server to issue certificates for mobile devices.

My setup is an offline enterprise root CA that is on the domain and a sub CA that is on the domain. I am able to issue certificates and they are then published in Active Directory and I can use the certificate on my iPhone to receive email, but I am unable to revoke it effectively.

I have revoked a number of certificates on the sub CA and they have gone into the revoked section; clicking on their properties shows that they are revoked, but looking on one of the 4 domain controllers shows that the certificates are still listed in the x.509 section of the user's properties and they are still valid.
The certificate is also installed on a client PC and the PC is still classing the certificate as valid; my iPhone also still receives emails using this same certificate.

It looks like the CRL list on the Sub CA is not being looked at by the domain controllers. All client Certificates are issued by the sub CA. This was setup a few days ago and I have already tried to publish the CRL from the Sub CA.

Is there something I have missed when setting this up?
Any help will be appreciated as I cannot issue more certificates until I have found a way to revoke them.

Josh
0
Question by:Joshwright100
10 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38824176
IIS automatically obtains a new CRL only when the cached one's validity period has passed. You can check the validity period of a CRL by looking at its properties.
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824228
IIS is not installed on the Root CA or the domain controller... Does this matter ?
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38824401
Your sub CA certificates should include the Certificate Distribution Point (CDP).

The CRL automatic download is fully dependent on the fact that a CDP in the certificate is available. This means that if a certificate does not contain a CDP then no download of a CRL is possible.

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.

see the following MS KB:
http://support.microsoft.com/kb/289749 for FAQs on CRL and CDP needs

http://support.microsoft.com/kb/318707 for FAQs on how to publish CRLs
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824942
Thank you for your help,

This is the listed CDP:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is there any way of checking that this path exists in the domain?
I have run the command Certutil -urlcache CRL on one domain controller and this path is not listed, just the default Microsoft ones. However, this object is listed on some of the domain controllers. Is this my problem?

This is on the second DC:

C:\Users\administrator>certutil -urlcache crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

WinHttp Cache entries: 6

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>

The 3rd Domain Controller has no additional entries.

This is the 4th domain controller which looks right:


C:\Users\administrator>certutil -urlcache crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

ldap:///CN=Example%20Enterprise%20Root,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

WinHttp Cache entries: 7

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>



I have just noticed that I made some changes to remove some errors on my server and then reissued a certificate a day later on the 4th domain controller. Could these changes be the reason that the CRL was not published to the other domain controllers the first time around?
Do all domain controllers have to have the same CRLs to pick up the changes?

Is it going to cause a problem if I reissue the certificates to the domain controllers? This is a live environment.

Thank you so much for your help!
0
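The question above is whether the LDAP CDP path named in the certificate actually exists in the directory, and whether every domain controller holds the same CRL. The following PowerShell is an added example, not code from the thread or from Microsoft: it walks the CN=CDP container in the configuration partition on each domain controller separately (so a replication gap between DCs shows up as a missing row) and decodes the ThisUpdate/NextUpdate window of every published base CRL. It assumes the RSAT ActiveDirectory module and certutil.exe are installed, and that certutil's "-dump" output labels the dates "ThisUpdate:" and "NextUpdate:" in the current culture's format, as it does on Windows Server 2008 R2/2012. No CA or server names are hard-coded; the rows reflect whatever the CAs published.

```powershell
# Added example (not from the original thread). Requires RSAT ActiveDirectory
# module and certutil.exe. Queries each DC directly rather than the nearest one.
Import-Module ActiveDirectory

function Get-CrlValidity {
    # .NET Framework has no CRL class, so write the DER blob to a temp file and
    # let certutil decode it. Assumes certutil -dump prints "ThisUpdate:" and
    # "NextUpdate:" lines (Windows Server 2008 R2 / 2012 output format).
    param([Parameter(Mandatory)][byte[]]$CrlBytes)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        [System.IO.File]::WriteAllBytes($tmp, $CrlBytes)
        $dump     = & certutil.exe -dump $tmp
        $thisLine = $dump | Select-String '^\s*ThisUpdate:\s*(.+)$' | Select-Object -First 1
        $nextLine = $dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
        $thisText = if ($thisLine) { $thisLine.Matches[0].Groups[1].Value.Trim() } else { $null }
        $nextText = if ($nextLine) { $nextLine.Matches[0].Groups[1].Value.Trim() } else { $null }
        $nextDate = [datetime]::MinValue
        $parsed   = [datetime]::TryParse($nextText, [ref]$nextDate)
        [pscustomobject]@{
            ThisUpdate = $thisText
            NextUpdate = $nextText
            # $true only when NextUpdate parsed and is already in the past:
            # a client holding this CRL must fetch a new one on its next chain build.
            Expired    = ($parsed -and $nextDate -lt (Get-Date))
        }
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

function Get-PublishedCrlStatus {
    # One row per (domain controller, cRLDistributionPoint object): whether the
    # object exists on that DC, whether it carries a base and a delta CRL, and
    # whether the base CRL is still inside its validity window.
    $cdpBase = 'CN=CDP,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
    foreach ($dc in Get-ADDomainController -Filter *) {
        $cdps = Get-ADObject -Server $dc.HostName -SearchBase $cdpBase `
                    -Filter 'objectClass -eq "cRLDistributionPoint"' `
                    -Properties certificateRevocationList, deltaRevocationList
        foreach ($cdp in $cdps) {
            $base = $cdp.certificateRevocationList      # single-valued octet string -> byte[]
            $v    = if ($base) { Get-CrlValidity -CrlBytes $base } else { $null }
            [pscustomobject]@{
                DC         = $dc.HostName
                CDP        = $cdp.DistinguishedName
                HasBaseCrl = [bool]$base
                HasDelta   = [bool]$cdp.deltaRevocationList
                ThisUpdate = $v.ThisUpdate
                NextUpdate = $v.NextUpdate
                Expired    = $v.Expired
            }
        }
    }
}

Get-PublishedCrlStatus | Sort-Object CDP, DC | Format-Table -AutoSize
```

The DN in a certificate's LDAP CDP URL (CN=<CA name>,CN=<server>,CN=CDP,CN=Public Key Services,...) is exactly the DistinguishedName this script lists, so a CA whose row is missing on one DC, or whose base CRL shows Expired, is a CA whose revocations clients bound to that DC will not see. Two caveats worth keeping in mind when reading the output: the configuration partition replicates to every DC, so a persistent difference between DCs points at a replication or publishing problem rather than at the CA; and revoking a certificate never removes it from the user's published-certificates (userCertificate) attribute, which is only written at enrollment, so that list still showing the certificate is expected and is not evidence that the CRL is being ignored.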
 
LVL 1

Author Comment

by:Joshwright100
ID: 38824999
Will manually installing the CRLs on each domain controller fix my issue? Or could this make things worse?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834699
It turns out that there is another CA that had been installed years ago, and we think that that is affecting where Active Directory is looking for the CRL.

Does anyone know how to clean up this mess?
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
ID: 38835681
This appears to be the correct CDP for your sub CA that is on the domain:

URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is this distribution point an address that can be reached by clients externally?

In order to update the CRL from the CDP, your client computers need access to the CDP. So you need to configure a virtual directory to allow for directory browsing. To do this, use one of the following methods:
        -Modify the current CertEnroll directory in IIS to allow for directory browsing.
        -Create a new virtual directory that points to the same physical directory. For example, create %SystemRoot%\System32\Certsrv\CertEnroll.

         -Publish the virtual directory with an address that is configured in Certificate Services and that can be reached externally.

Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period"; essentially an expiration date.

While you cannot force the cached CRL to update, you can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL will still have the same validity period.

When the CRL expires, the CRL is renewed. IIS will use the CRL until it expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour.

IIS retrieves a CRL only if one of the following conditions is true:

    The CRL of the certificate is not contained in the IIS cache.
    The effective date of the CRL in the IIS cache has passed.


If an effective CRL cannot be obtained, or the CRL is obtained and the certificate is revoked, you should receive the following error message in both scenarios:
         
        HTTP 403.13 Forbidden: Client certificate revoked

           The page requires a valid client certificate



However since you are not getting an error on the client and still experiencing the following symptoms:

    -You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
    -You revoke a certificate and republish the CRL. However, IIS still lets users locate a Web site by using the revoked certificate.


I would assume that the CRL's effective date is still valid and the CDP is not externally available.
0
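The answer above turns on two things a client can be made to show directly: whether its cached CRL is still inside its validity window, and whether the chain engine can reach the CDP at all. The PowerShell below is an added example, not code from the thread or from Microsoft. It flushes the current security context's CRL cache, rebuilds the chain for one exported certificate with forced CRL download, and classifies CryptoAPI's verdict by the documented HRESULTs (CRYPT_E_REVOKED 0x80092010, CRYPT_E_REVOCATION_OFFLINE 0x80092013, CRYPT_E_NO_REVOCATION_CHECK 0x80092012). The path .\user.cer is a placeholder for the certificate under test, and the assumption that certutil prints those codes in its -verify output is the only other thing the script relies on.

```powershell
# Added example (not from the original thread). Run on the machine that still
# treats the revoked certificate as valid, in the security context that does so.
function Test-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        # The CRL cache is per security context: a user's cache is reached from
        # that user's session, a service's cache only when run as that service
        # (for example as SYSTEM). Pass -FlushCache in the context you care about.
        [switch]$FlushCache
    )
    if ($FlushCache) {
        # Remove cached CRLs so their NextUpdate window no longer hides a
        # revocation that was published after they were downloaded.
        & certutil.exe -urlcache crl delete | Out-Null
    }
    # -urlfetch makes certutil download from the CDP/AIA URLs embedded in the
    # certificates instead of using whatever is cached. Errors go to stderr,
    # so merge both streams and flatten ErrorRecords to plain strings.
    $out  = & certutil.exe -verify -urlfetch $CertPath 2>&1 | ForEach-Object { "$_" }
    $exit = $LASTEXITCODE
    $text = $out -join "`n"

    $verdict = if     ($text -match 'CRYPT_E_REVOKED|0x80092010')             { 'Revoked' }
               elseif ($text -match 'CRYPT_E_REVOCATION_OFFLINE|0x80092013')  { 'CrlUnreachable' }
               elseif ($text -match 'CRYPT_E_NO_REVOCATION_CHECK|0x80092012') { 'NoRevocationInfo' }
               elseif ($exit -eq 0)                                            { 'Valid' }
               else                                                            { 'OtherError' }

    [pscustomobject]@{
        Certificate   = $CertPath
        Verdict       = $verdict
        # Every LDAP/HTTP URL certutil tried, so you can see which CDP the chain
        # engine really consulted (and whether it was the sub CA's at all).
        UrlsConsulted = @($out | Select-String 'ldap:///|https?://' |
                          ForEach-Object { $_.Line.Trim() } | Select-Object -Unique)
        Raw           = $out
    }
}

Test-CertRevocation -CertPath .\user.cer -FlushCache |
    Format-List Certificate, Verdict, UrlsConsulted
```

Reading the verdicts against the answer above: 'Valid' after a flush means the freshly downloaded CRL genuinely does not list the serial number, so the problem is on the publishing side (wrong CA, CRL not republished, or a CDP object that does not exist on the DC this client talks to); 'CrlUnreachable' means the CDP URL in the certificate cannot be fetched from this client, which is the externally-unreachable case described above. On the issuing CA, certutil -getreg CA\CRLPeriodUnits and certutil -getreg CA\CRLPeriod show the window Ugo refers to, and certutil -crl publishes a new CRL immediately, although clients that already hold a copy keep using it until its NextUpdate passes or their cache is cleared.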
 
LVL 1

Accepted Solution

by:
Joshwright100 earned 0 total points
ID: 38892998
Thank you for your help it seems that this issue is because of another root CA installed in the domain.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 38893462
No worries. Glad that you were able to get it sorted out.
0
 
LVL 1

Author Closing Comment

by:Joshwright100
ID: 38908669
It turns out this is an issue with another Root CA installed which I was not aware of. Thank you for your help.
0
