Solved

Cannot start certificate services - server is offline

Posted on 2014-04-03
Last Modified: 2014-04-18
I have a subordinate CA. The root was uninstalled from the network by accident and then migrated to a new box using the same key. It worked for a few days, and now the subordinate has two Delta CRL locations, and one is expired with an incorrect location pointing at an incorrect domain controller. How can I resolve this? The service will not start.

Thanks
Question by:wayy2be
18 Comments

Expert Comment

by:Dash Amr
ID: 39977243
Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

The following assumptions have to be met before proceeding with these steps:

1- There is a new valid Certification Authority configured

2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData
Steps:

1- Logon to the old Enterprise Certification Authority as an Enterprise Administrator.

2- Identify the AIA and CDP distribution points

    a. Open the Certification Authority Console
    b. Right click the Certification Authority name and click Properties
    c. Click the “Extensions” tab
    d. Document the distribution points configured for CRL Distribution Point (CDP) – as an example http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, which refers to the local IIS installed on the server, or http://pki.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: Ignore the LDAP and C:\%windir% locations

    e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop down menu
    f. Document the distribution points configured for the AIA extension – as an example http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt, which refers to the local IIS installed on the server, or http://pki.domainname.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

Note: Ignore the LDAP and C:\%windir% locations

3- Disable Delta CRL and Issue a long Certificate Revocation List (CRL)

    a. Open the Certification Authority Console
    b. Right click “Revoked Certificates”, and then click “Properties”
    c. Uncheck “Publish Delta CRL”
    d. Change the “CRL publication Interval” to 99 years and then click OK
    e. Open the command line with elevated privileges
    f. Run certutil -crl to issue a new Certificate Revocation List (CRL)

4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting website http://crl.contoso.com/CertData

    a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
    b. Copy the Certification Authority’s certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData

5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points  of the old Certification Authority to http://crl.contoso.com/certdata

    a. This can be done using an IIS redirect, or a DNS CNAME redirect to redirect Authority information Access (AIA) and Certificate Revocation List (CRL) of the old Certification Authority documented in steps 2.d and 2.f to the new web server http://crl.contoso.com/certdata

6- Document and remove all  certificate templates available on the old Certification Authority to prevent it from issuing new certificates

    a. Open the command line with elevated privileges
    b. Run certutil -catemplates > c:\catemplates.txt to document all available certificate templates at the old Certification Authority
    c. Launch the Certification Authority console
    d. Navigate to “Certificate Templates”
    e. Highlight all templates in the right pane, right click and then click “Delete”

At this point, the old Certification Authority can’t issue any certificates, and has all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations redirected to the new web site http://crl.contoso.com/CertData. The next steps will detail how to document the certificates issued by templates from the old Certification Authority and how to make them available at the new Certification Authority.

7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database

    a. Highlight “Issued Certificates”
    b. Navigate to the right, and sort by “Certificate Templates”
    c. Identify the certificates issued by default certificate template types
    d. Identify the certificates issued by custom certificate templates – any template other than the default certificate templates mentioned earlier

8- Dump the certificates based on the default certificate template types:

    a. Open the command line with elevated privileges
    b. Run Certutil -view -restrict "Certificate Template=Template" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\TemplateType.txt
    c. Examine the output of c:\TemplateType.txt and document all the certificates needing immediate action – i.e. requiring issuance from the new CA infrastructure if needed such as Web SSL.
    d. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: Replace Template with the correct template name.

9- Dump the certificates based on the custom certificate template types:

    a. Open the Certification Authority Console
    b. Right click “Certificate Templates” and click “Manage”
    c. Double click the certificate template and click on “Extensions” tab
    d. Click on “Certificate Template Information”
    e. Copy the Object Identifier (OID) number – the number will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
    f. Open the command line with elevated privileges
    g. Run Certutil -view -restrict "Certificate Template=OIDNumber" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Note: Replace OIDNumber with the number identified in step 9.e

    h. Examine the output of c:\CustomTemplateType.txt and document all the certificates needing immediate action – i.e. requiring issuance from the new CA infrastructure if needed such as custom SSL certificates.
    i. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: You don’t need to take any action if the certificate was auto-enrolled because the certificate holder will renew the certificate when it expires from the new CA infrastructure.

10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority

    a. Logon to the new Certification Authority as an Enterprise Administrator
    b. Right Click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
    c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority

    a. Backup the old Certification Authority using the steps outlined in Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
    b. Uninstall Certificate Services from the old Certification Authority
    c. Decommission the server unless it is running other applications

12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files from your infrastructure by following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects and from the web server hosting
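The procedure above gathers the CDP/AIA locations and the per-template certificate inventory by clicking through the console and running certutil by hand. The following is an added example (not code from the original thread or from Microsoft) that collects the same information in one pass: it reads the CA's CRLPublicationURLs and CACertPublicationURLs registry values, decodes which URLs are written into issued certificates, and dumps the issued certificates per template to CSV. It assumes it is run elevated on the CA itself; the template names in `$Templates` and the output path are placeholders.

```powershell
# Added example; this is not code from the original thread or from Microsoft.
# It automates what steps 2 and 7-9 above collect by hand: the CA's CDP and AIA
# publication URLs, and the certificates issued per template.
# Assumptions: run in an elevated PowerShell on the CA itself; certutil.exe ships
# with Windows. The template names in $Templates are placeholders (assumption);
# take the real ones from 'certutil -catemplates'.

function Get-CaPublicationUrls {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('CRLPublicationURLs', 'CACertPublicationURLs')]
        [string]$Key
    )
    # certutil -getreg lists multi-string values as "  0: 65:http://..." where
    # the number before the URL is that URL's flag bitmask.
    certutil -getreg "CA\$Key" | ForEach-Object {
        if ($_ -match '^\s*\d+:\s*(\d+):(.+)$') {
            $flags = [int]$Matches[1]
            [pscustomobject]@{
                Key           = $Key
                Url           = $Matches[2].Trim()
                Flags         = $flags
                # Bit 1: the CA publishes its CRL / certificate to this location.
                PublishedByCa = [bool]($flags -band 1)
                # Bit 2: the URL is written into the CDP / AIA extension of every
                # certificate this CA issues. Those copies outlive the CA host,
                # which is why a renamed CA breaks already issued certificates.
                InIssuedCerts = [bool]($flags -band 2)
            }
        }
    }
}

function Get-IssuedCertsByTemplate {
    param([Parameter(Mandatory)][string]$Template)
    # $Template is a template name (v1 default templates) or a template OID
    # (custom templates), exactly as in steps 8.b and 9.g above.
    # Disposition=20 limits the result to issued (not revoked or failed) requests.
    $out = certutil -view -restrict "Certificate Template=$Template,Disposition=20" `
                    -out 'SerialNumber,NotAfter,CommonName,CertificateTemplate' csv
    # Drop the trailing "CertUtil: ... completed successfully." status line and
    # blank lines; what is left is a header row plus one row per certificate.
    $out | Where-Object { $_ -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
}

# --- usage -------------------------------------------------------------------
$urls = @(Get-CaPublicationUrls -Key CRLPublicationURLs) +
        @(Get-CaPublicationUrls -Key CACertPublicationURLs)

# Local file paths only matter on the CA itself (the "ignore C:\%windir%" note
# above); the URLs clients will actually try are http(s) and ldap.
$urls | Where-Object { $_.Url -notmatch '^(file:|[A-Za-z]:\\)' } |
    Format-Table Key, InIssuedCerts, PublishedByCa, Url -AutoSize

$Templates = 'WebServer', 'Machine', 'User'     # placeholders (assumption)
$issued = foreach ($t in $Templates) { Get-IssuedCertsByTemplate -Template $t }
$issued | Export-Csv -NoTypeInformation -Path "$env:TEMP\issued-by-template.csv"
"$($issued.Count) issued certificates written to $env:TEMP\issued-by-template.csv"
```

The `InIssuedCerts` column is the one to read first: any http or ldap URL flagged there is already embedded in every certificate the CA has issued, so changing the registry value afterwards only affects future certificates. Templates whose `Certificate Template` column holds an OID rather than a name are the custom templates of step 9.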

Expert Comment

by:Mahesh
ID: 39977470
When you migrated the root CA to the new server, did you keep the new CA server name the same as the old one?

I think you restored the CA on a server with a different hostname, and that is why you are experiencing issues.
The CA server name is hardcoded in issued certificates, and if the CA server name changed after reinstalling, you will face issues because the old CA server cannot be contacted.

If the above is true, the simplest solution I can see is: uninstall the root CA server, change its hostname to the same as the old one, and reinstall the CA with the existing certificate (same key) that you used last time.

Mahesh.

Author Comment

by:wayy2be
ID: 39978721
I thought that with Windows 2008 you can change the host name but still use the certificate from the old host with a different name. That's what the MS docs say.

Expert Comment

by:Mahesh
ID: 39978899
You can use the new hostname, but then certificates issued by the old CA server (the subordinate CA certificate) will point to the old CA server name for CRL and AIA, and you would have to do all the steps mentioned in the first comment by Dash.

Alternatively, if you renewed the subordinate CA certificate from the root CA, then you would have to renew all certificates issued by that subordinate CA; otherwise, for the already issued certificates on all clients, the certificate chain will keep pointing to the subordinate CA's old certificate (thumbprint), which in turn points to a non-existent server name (due to the hostname rename).

If the quantity of issued certificates is very small or manageable, you can simply revoke all existing certificates issued by the subordinate CA, then renew the subordinate CA server certificate, followed by renewing the client certificates as well.
This will help you avoid IIS redirection, DS changes and so on.

But if the quantity of issued certificates is large, the simplest way is to restore the root certificate authority on a new server with the same hostname and same key as previously, which will help you avoid all the IIS, DNS and CRL related work.

The choice is yours.

Mahesh.
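Mahesh's point is that the CDP and AIA URLs are carried inside the issued certificates themselves, so whatever the rebuilt root now publishes, the subordinate CA's certificate still points at the old hostname. The following is an added example (not code from the original thread or from Microsoft) that makes this visible: it extracts the CDP and AIA URLs from an exported certificate, then checks for each one whether the hostname resolves and whether the object can actually be fetched. It assumes Windows PowerShell 5.1 or later and a certificate exported to a .cer file; the path is a placeholder.

```powershell
# Added example; this is not code from the original thread or from Microsoft.
# It shows Mahesh's point concretely: the CDP and AIA URLs are baked into each
# issued certificate (here, the subordinate CA's own certificate), so renaming the
# root CA host breaks them regardless of what the new root publishes. For each URL
# it reports whether the host resolves and whether the object can be fetched.
# Assumptions: Windows PowerShell 5.1 or later; the certificate to check is
# exported to a .cer file. The path in $certPath is a placeholder (assumption).

function Test-DnsName {
    param([string]$Name)
    try { [void][System.Net.Dns]::GetHostAddresses($Name); $true } catch { $false }
}

function Get-CertRevocationUrls {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $cert.Extensions) {
        if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
        # Format($true) renders the extension as the certificate MMC does, with
        # one "URL=..." entry per location; pull those out.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{
                Subject   = $cert.Subject
                Issuer    = $cert.Issuer
                Extension = $wanted[$ext.Oid.Value]
                Url       = $m.Groups[1].Value
            }
        }
    }
}

function Test-RevocationUrl {
    param([Parameter(Mandatory)][string]$Url)
    $u = [uri]$Url
    $result = [ordered]@{ Url = $Url; Host = $u.Host; Resolves = $null; Fetch = $null }
    switch ($u.Scheme) {
        'ldap' {
            # ldap:/// with an empty host means "any domain controller".
            $result.Resolves = [string]::IsNullOrEmpty($u.Host) -or (Test-DnsName $u.Host)
            $result.Fetch    = 'skipped (LDAP)'
        }
        { $_ -in 'http', 'https' } {
            $result.Resolves = Test-DnsName $u.Host
            try {
                # A CNAME alone only fixes the Resolves column. The fetch also has
                # to succeed, i.e. the host behind the name must serve the old
                # path (directly or via an IIS redirect, which is followed here).
                $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
                $result.Fetch = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
            } catch {
                $result.Fetch = "FAILED: $($_.Exception.Message)"
            }
        }
        default { $result.Fetch = 'skipped (not a network URL)' }
    }
    [pscustomobject]$result
}

# --- usage: the subordinate CA's own certificate, as discussed in the thread ----
$certPath = 'C:\Temp\SubCA.cer'    # placeholder (assumption)
Get-CertRevocationUrls -Path $certPath | ForEach-Object {
    Test-RevocationUrl -Url $_.Url |
        Add-Member -NotePropertyName Extension -NotePropertyValue $_.Extension -PassThru
} | Format-Table Extension, Resolves, Fetch, Url -AutoSize

# Cross-check with the built-in tool, which fetches every CDP/AIA in the chain
# and reports which one fails:
#   certutil -verify -urlfetch C:\Temp\SubCA.cer
```

Run it against the subordinate CA's certificate and, separately, against a leaf certificate it issued: the first shows what the subordinate needs from the root at service start, the second what every client needs from the subordinate. A row that resolves but fails to fetch is exactly the case where a DNS CNAME by itself is not enough.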

Author Comment

by:wayy2be
ID: 39979338
Well the services will not start on the subordinate. I only have about 30 certificates.  What can I try to get this thing up and running as fast as I can?

Expert Comment

by:Mahesh
ID: 39979672
OK.
Now you already have the root CA restored on a new server with a new server name.
Just bring another new machine online, build another brand new AD-integrated subordinate CA, and issue all client certificates with that new subordinate CA.

Once you have done that, just revoke all certificates issued by the old subordinate CA and uninstall the old subordinate CA server.

Mahesh.

Author Comment

by:wayy2be
ID: 39981364
I cannot. I need to use the existing subordinate ca. So how can we do that?

Expert Comment

by:Mahesh
ID: 39981543
OK, I thought you were ready to deploy a new CA server.

So, in order to work with the existing CA server:

Do you have any subordinate CA backup already taken, with the subordinate CA server certificate?
If you don't have one, then my earlier comment is the only solution I can see.

If you have one, you can simply uninstall the subordinate CA server role, reinstall the subordinate CA server role with the existing certificate option, and then restore the CA server database.

This will make the subordinate CA server functional again, and your CA service will start again.

But since you have the root CA reinstalled on a server with a different name than previously, your subordinate CA will fail to look up the CRL and AIA, as they are hardcoded in its existing certificate and point to the old root CA server name, which is not available now.

So in that case, redirect the CRL and AIA present on the existing subordinate CA server to the new root CA server's CRL and AIA to make it valid,
OR
uninstall and reinstall the root CA server from the old CA backup onto a new server / the same server with the same hostname as previously.

Mahesh.

Author Comment

by:wayy2be
ID: 39982035
And how do I redirect it? Why can't I just do a CNAME entry in DNS or the hosts file to point to the old root CA name?

Expert Comment

by:Mahesh
ID: 39982279
Yes, you can create a CNAME with pleasure.

What I mean is that you have to have some kind of DNS mechanism to resolve the old server name to the correct CRL and AIA points.

Author Comment

by:wayy2be
ID: 39982788
or I can use a hosts file, yes?

Expert Comment

by:Mahesh
ID: 39982846
I am not aware of the hosts file method.

The best way to achieve this is with a DNS CNAME.

Author Comment

by:wayy2be
ID: 39983812
No, that didn't work.

Expert Comment

by:Mahesh
ID: 39983910
Hosts file or CNAME, what didn't work?
You need to create a CNAME record for the old CA server hostname and point it to the new CA hostname (CRL).
You may use the IIS redirect method, where your old CRL and AIA points will get redirected to the new CRL and AIA.

This can be achieved by creating a fake web site, giving it the same host name as the previous CRL URL in DNS, and setting a redirect on that web site which will point to the new real CRL and AIA URL.

Mahesh.

Author Comment

by:wayy2be
ID: 39984010
We created a CNAME for the old server pointing to the new server. So we said server1 points to server2. It didn't work; still the same error.

Accepted Solution

by:
wayy2be earned 0 total points
ID: 39997279
This was fixed by Microsoft Support.

Expert Comment

by:Mahesh
ID: 39997629
Not sure if you tried to reinstall the subordinate CA server as suggested in my earlier comment?

Simply creating a CNAME will not solve the issue.

Author Closing Comment

by:wayy2be
ID: 40008416
This was fixed by Microsoft Support.