Member_2_2473503 (Philippines) asked:
CRL problems with offline root CA

This is a test and not production environment.
Environment consists of (all 2012 R2 Standard on VMWare Workstation 10)
1 Domain controller
1 Offline root CA
1 Issuing CA

Domain is at 2008 level as this is what our current production environment is.

I have been using the following articles as guides, including articles linked within these.
http://blogs.technet.com/b/xdot509/archive/2013/02/25/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-iv-publishing-the-root-ca-certificate-and-crl-to-active-directory.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/27/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-iii-post-configuration-of-root-certification-authority.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/24/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-ii-installing-a-root-certification-authority-with-the-gui.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/21/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-i-installing-a-root-certification-authority-with-powershell.aspx


After installing the root CA (not a domain member) I ran the following post-install configuration script:

```cmd
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "CN=CONFIGURATION,DC=ECHOS,DC=COM"
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "DC=ECHOS,DC=COM"
CERTUTIL -SETREG CA\CRLPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"
CERTUTIL -SETREG CA\CACERTPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%1_%%3%%4.CRT\N2:http://pki.ECHOs.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%11"
CERTUTIL -SETREG CA\CRLPERIODUNITS 6
CERTUTIL -SETREG CA\CRLPERIOD "MONTHS"
CERTUTIL -SETREG CA\CRLDELTAPERIODUNITS 0
CERTUTIL -SETREG CA\VALIDITYPERIODUNITS 10
CERTUTIL -SETREG CA\VALIDITYPERIOD "YEARS"
CERTUTIL -SETREG CA\AUDITFILTER 127
NET STOP CERTSVC
NET START CERTSVC
CERTUTIL -CRL
```



When I go to my DC to publish the root certificate and CRL to AD I start having issues. The root certificate publishes just fine; my problem is with the CRL.

On the DC from an elevated PowerShell I run

```powershell
certutil -f -dspublish 'C:\ECHOS ROOT CA.crl'
```

and receive the following output:

```text
ldap:///CN=ECHOS ROOT CA,CN=ECHOs-RootCA,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

ldap: 0xa: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'unavailableconfigdn'

CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
CertUtil: A referral was returned from the server.
```


When I look at the CRL I see the problem in the Published CRL Locations property (see attached).

My guess is the problem is with this line in the script, but I do not know enough about this to troubleshoot:

```cmd
CERTUTIL -SETREG CA\CRLPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"
```


Thank you,

eb
(Attachment: CRL-Properties.jpg)

Member_2_2473503 (asker):

UPDATE:

I have found a few typos in the post-config script and the new script is:

```cmd
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "CN=CONFIGURATION,DC=ECHOS,DC=COM"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.ECHos.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
CERTUTIL -SETREG CA\CRLPERIODUNITS 6
CERTUTIL -SETREG CA\CRLPERIOD "MONTHS"
CERTUTIL -SETREG CA\CRLDELTAPERIODUNITS 0
CERTUTIL -SETREG CA\VALIDITYPERIODUNITS 10
CERTUTIL -SETREG CA\VALIDITYPERIOD "YEARS"
CERTUTIL -SETREG CA\AUDITFILTER 127
NET STOP CERTSVC
NET START CERTSVC
CERTUTIL -CRL
```



After fixing the script and re-running the commands that had typos I am able to do some testing:

```text
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> certutil -getreg CA\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ECHOS ROOT CA\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl
    CSURL_SERVERPUBLISH -- 1

    1: 2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl
    CSURL_ADDTOCERTCDP -- 2

    2: 10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOCRLCDP -- 8

CertUtil: -getreg command completed successfully.
PS C:\Windows\system32>
```

Now when I try to publish my CRL again (either through MMC or from PowerShell) I get an error indicating the directory is not valid:

```text
PS C:\Windows\system32> certutil -crl
CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
CertUtil: The directory name is invalid.
PS C:\Windows\system32>
```



The path exists and the right accounts have the required access per http://social.technet.microsoft.com/wiki/contents/articles/3081.ad-cs-error-the-directory-name-is-invalid-0x8007010b-win32http-267.aspx

eb
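An added helper (not part of the thread, nor a Microsoft tool) that reads a CRLPublicationURLs value as typed into certutil -setreg, splits it on the literal \n separator, decodes the CSURL_* flag bits the way certutil -getreg prints them, and expands the %N tokens so the resulting URLs can be checked offline. It uses the asker's original and corrected values from the thread; the CA name and short server name come from the thread's error output, the server DNS name is a constructed value, and the DC=UnavailableConfigDN expansion is taken from what the asker's CRL showed when DSConfigDN was not usable.

```python
import re

# CSURL_* bits as certutil -getreg decodes them; the thread shows 1, 2 and 8,
# 4 and 64 are the other commonly used bits.
CSURL_FLAGS = {1: "CSURL_SERVERPUBLISH", 2: "CSURL_ADDTOCERTCDP",
               4: "CSURL_ADDTOFRESHESTCRL", 8: "CSURL_ADDTOCRLCDP",
               64: "CSURL_SERVERPUBLISHDELTA"}
TOKEN_RE = re.compile(r"%%?(1[01]|[1-9])")   # %N, or %%N before cmd.exe unescapes it

# The asker's CRLPublicationURLs values, copied from the thread (raw strings keep \n literal).
ORIGINAL_CRL_URLS = r"1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"
FIXED_CRL_URLS = r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

def make_tokens(ca_name, server_dns, server_short, ds_config_dn):
    """Substitution table for the %N tokens; server_dns is a constructed value here."""
    return {"1": server_dns, "2": server_short, "3": ca_name,
            "4": "",                 # certificate index suffix, empty for the first CA cert
            "6": ds_config_dn or "DC=UnavailableConfigDN",  # literal seen in the asker's CRL
            "7": ca_name,            # truncated CA name, equal to %3 for a short name
            "8": "", "9": "",        # CRL name suffix / delta suffix, empty with no deltas
            "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
            "11": "?cACertificate?base?objectClass=certificationAuthority"}

def decode_flags(value):
    names = [n for bit, n in CSURL_FLAGS.items() if value & bit]
    unknown = value & ~sum(CSURL_FLAGS)
    return names + ([f"UNKNOWN(0x{unknown:x})"] if unknown else [])

def audit_publication_urls(setreg_value, tokens):
    """Split on the literal \\n separator certutil -setreg uses, expand the tokens and
    return one (flags, flag_names, expanded_url, problems) tuple per entry."""
    results = []
    for entry in setreg_value.split("\\n"):
        flags, sep, url = entry.partition(":")
        if not sep or not flags.isdigit():
            results.append((None, [], entry, ["entry does not start with <flags>:"]))
            continue
        problems = []
        if "\\N" in url:   # uppercase N is not the separator: the next URL is glued on
            problems.append("uppercase \\N in path; next URL is glued to this entry")
        expanded = TOKEN_RE.sub(lambda m: tokens.get(m.group(1), m.group(0)), url)
        if "UnavailableConfigDN" in expanded:
            problems.append("DSConfigDN not set: %6 expands to UnavailableConfigDN")
        results.append((int(flags), decode_flags(int(flags)), expanded, problems))
    return results

if __name__ == "__main__":
    t = make_tokens("ECHOS ROOT CA", "echos-rootca.example.test", "ECHOs-RootCA",
                    "CN=Configuration,DC=ECHOS,DC=COM")
    for value in (ORIGINAL_CRL_URLS, FIXED_CRL_URLS):
        for flags, names, url, problems in audit_publication_urls(value, t):
            print(flags, names, url, problems or "ok")
```

Running it on the original value flags the glued \N entry, and running the corrected value with no DSConfigDN reproduces the UnavailableConfigDN LDAP path from the asker's dspublish error.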
arnold:
If I understand your question correctly, you actually have two CRL lists one from the root CA (offline) that needs to be configured to publish its CRL list to a location that remains on while it is off.  This CRL will deal with the certification of the Issuing CA's certificate.
The second CRL list is published by the Issuing CA.

Are you dealing with Enterprise PKI setup?

Member_2_2473503 (asker):

The issuing CA will be an enterprise CA; right now I am focused on getting the offline root configured, as I need this to set up the issuing CA.

eb
Accepted solution, Member_2_2473503 (asker):
I resolved the problem on my own.