Solved

Certificate Revocation List not working

Posted on 2013-01-27
Last Modified: 2013-02-20
Hi,

I have recently set up a Microsoft certificate authority server to issue certificates for mobile devices.

My setup is an offline enterprise root CA that is on the domain and a sub CA that is on the domain. I am able to issue certificates and they are then published in Active Directory and I can use the certificate on my iPhone to receive email, but I am unable to revoke it effectively.

I have revoked a number of certificates on the sub CA and they have gone into the revoked section; clicking on their properties shows that they are revoked, but looking on one of the 4 domain controllers shows that the certificates are still listed in the X.509 section of the user's properties and they are still valid.
The certificate is also installed on a client PC and the PC is still classing the certificate as valid; my iPhone also still receives emails using this same certificate.

It looks like the CRL on the sub CA is not being looked at by the domain controllers. All client certificates are issued by the sub CA. This was set up a few days ago and I have already tried to publish the CRL from the sub CA.

Is there something I have missed when setting this up?
Any help will be appreciated as I cannot issue more certificates until I have found a way to revoke them.

Josh
Question by:Joshwright100

10 Comments

LVL 13

Expert Comment

by:Ugo Mena
IIS automatically obtains a new CRL only when the cached one's validity period has passed. You can check the validity period of a CRL by looking at its properties.
0
 
LVL 1

Author Comment

by:Joshwright100
IIS is not installed on the root CA or the domain controller... Does this matter?
0
 
LVL 13

Expert Comment

by:Ugo Mena
Your sub CA certificates should include the Certificate Distribution Point (CDP).

The CRL automatic download is fully dependent on the fact that a CDP in the certificate is available. This means that if a certificate does not contain a CDP then no download of a CRL is possible.

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.

See the following MS KB articles:
http://support.microsoft.com/kb/289749 for FAQs on CRL and CDP needs
http://support.microsoft.com/kb/318707 for FAQs on how to publish CRLs
0
 
LVL 1

Author Comment

by:Joshwright100
Thank you for your help,

This is the listed CDP:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is there any way of checking that this path exists in the domain?
I have run the command certutil -urlcache CRL on one domain controller and this path is not listed, just the default Microsoft ones. However, this object is listed on some of the domain controllers. Is this my problem?

This is on the second DC:

C:\Users\administrator>certutil -urlcache crl


ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?
base?objectClass=cRLDistributionPoint

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/au
throotstl.cab

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?o
bjectClass=cRLDistributionPoint

WinHttp Cache entries: 6

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>

The 3rd Domain Controller has no additional entries.

This is the 4th domain controller which looks right:


C:\Users\administrator>certutil -urlcache crl


ldap:///CN=Example%20Enterprise%20Root,CN=RootCAServer,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?
base?objectClass=cRLDistributionPoint


ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Ser
vices,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocatio
nList?base?objectClass=cRLDistributionPoint


http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl

http://crl.microsoft.com/pki/crl/products/CSPCA.crl

http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl

ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Ser
vices,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?
base?objectClass=cRLDistributionPoint


ldap:///CN=Example%20Enterprise%20Root,CN=SubCAServer,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?deltaRevocationList?base?o
bjectClass=cRLDistributionPoint

WinHttp Cache entries: 7

CertUtil: -URLCache command completed successfully.

C:\Users\administrator>



I have just noticed that I made some changes to remove some errors on my server and then reissued a certificate a day later on the 4th domain controller. Could these changes be the reason that the CRL was not published to the other domain controllers the first time around?
Do all domain controllers have to have the same CRLs to pick up the changes?

Is it going to cause a problem if I reissue the certificates to the domain controllers? This is a live environment.

Thank you so much for your help!
0
 
LVL 1

Author Comment

by:Joshwright100
Will manually installing the CRLs on each domain controller fix my issue? Or could this make things worse?
0
 
LVL 1

Author Comment

by:Joshwright100
It turns out that there is another CA that had been installed years ago and we think that that is affecting where Active Directory is looking for the CRL.

Does anyone know how to clean up this mess?
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 250 total points
This appears to be the correct CDP for your sub CA that is on the domain:

URL=ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ds,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Is this distribution point an address that can be reached by clients externally?

In order to update the CRL from the CDP, your client computers need access to the CDP. So you need to configure a virtual directory to allow for directory browsing. To do this, use one of the following methods:
        - Modify the current CertEnroll directory in IIS to allow for directory browsing.
        - Create a new virtual directory that points to the same physical directory. For example, create %SystemRoot%\System32\Certsrv\CertEnroll.
        - Publish the virtual directory with an address that is configured in Certificate Services and that can be reached externally.

Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period"; essentially an expiration date.

While you cannot force the cached CRL to update, you can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL will still have the same validity period.

When the CRL expires, the CRL is renewed. IIS will use the CRL until it expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour.

IIS retrieves a CRL only if one of the following conditions is true:
    - The CRL of the certificate is not contained in the IIS cache.
    - The effective date of the CRL in the IIS cache has passed.


If an effective CRL cannot be obtained, or the CRL is obtained and the certificate is revoked, you should receive the following error message in both scenarios:

        HTTP 403.13 Forbidden: Client certificate revoked
        The page requires a valid client certificate



However, since you are not getting an error on the client and are still experiencing the following symptoms:

    - You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
    - You revoke a certificate and republish the CRL. However, IIS still lets users locate a Web site by using the revoked certificate.


I would assume that the CRL's effective date is still valid and the CDP is not externally available.
0
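Two things this thread turns on, as an added example in Python that is not code from the thread or from Microsoft: the LDAP CDP pasted above is split into the DN, attribute, scope and filter a lookup against a domain controller needs (which answers "is there any way of checking that this path exists"), and the cache rule this comment describes is modelled so the timeline of a revocation becomes visible. The function names, the `utc` helper and the one-week CRL validity are assumptions made for the example.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample: the sub CA's CDP exactly as pasted in the question.
SAMPLE_CDP = ("ldap:///CN=Example%20Enterprise%20Sub%20CA,CN=SubCAserver,CN=CDP,"
              "CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
              "DC=ds,DC=domain,DC=com?certificateRevocationList?base"
              "?objectClass=cRLDistributionPoint")


def parse_ldap_cdp(url):
    """Split an RFC 4516 LDAP URL, ldap://[host]/dn?attrs?scope?filter,
    into the pieces a directory lookup needs. An empty host (ldap:///)
    means 'any domain controller', which is what an AD-published CDP uses."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, path = url[len("ldap://"):].partition("/")
    parts = [unquote(p) for p in path.split("?")]
    parts += [""] * (4 - len(parts))          # missing fields take RFC defaults
    dn, attrs, scope, filt = parts[:4]
    return {
        "host": host or None,                 # None -> locate a DC through DNS
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
    }


def utc(year, month, day, hour=0):
    """Timezone-aware UTC timestamp helper (assumed name) for the cache logic."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def must_fetch_crl(cached_next_update, now):
    """Windows (and IIS on it) downloads a CRL from the CDP only when no copy
    is cached or the cached copy's NextUpdate, its effective date, has passed."""
    return cached_next_update is None or now >= cached_next_update


def revocation_visible(cached_next_update, check_time, cache_cleared=False):
    """Will a client holding the pre-revocation CRL notice a certificate that
    was revoked and republished afterwards? Only once it fetches again: on
    cache expiry, or straight away if the cached entry was deleted."""
    return cache_cleared or must_fetch_crl(cached_next_update, check_time)


if __name__ == "__main__":
    cdp = parse_ldap_cdp(SAMPLE_CDP)
    print("look up DN:", cdp["dn"], "attribute:", cdp["attributes"])
    next_update = utc(2013, 2, 3)              # constructed one-week CRL validity
    print("revoked 2013-01-28, seen?", revocation_visible(next_update, utc(2013, 1, 28)))
```

The DN the parser returns is the object to query with an LDAP browser or ldifde on each domain controller; the CRL itself sits in its certificateRevocationList attribute.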
 
LVL 1

Accepted Solution

by:
Joshwright100 earned 0 total points
Thank you for your help; it seems that this issue is because of another root CA installed in the domain.
0
 
LVL 13

Expert Comment

by:Ugo Mena
No worries. Glad that you were able to get it sorted out.
0
 
LVL 1

Author Closing Comment

by:Joshwright100
It turns out this is an issue with another root CA installed which I was not aware of. Thank you for your help.
0
