CRL problems with offline root CA

This is a test and not production environment.
The environment consists of (all 2012 R2 Standard on VMware Workstation 10):
1 Domain controller
1 Offline root CA
1 Issuing CA

Domain is at 2008 level as this is what our current production environment is.

I have been using the following articles as guides, including articles linked within these.
http://blogs.technet.com/b/xdot509/archive/2013/02/25/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-iv-publishing-the-root-ca-certificate-and-crl-to-active-directory.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/27/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-iii-post-configuration-of-root-certification-authority.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/24/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-ii-installing-a-root-certification-authority-with-the-gui.aspx
http://blogs.technet.com/b/xdot509/archive/2012/10/21/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-part-i-installing-a-root-certification-authority-with-powershell.aspx


After installing the root CA (not a domain member) I ran the following post-install configuration script:
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "CN=CONFIGURATION,DC=ECHOS,DC=COM"
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "DC=ECHOS,DC=COM"
CERTUTIL -SETREG CA\CRLPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"
CERTUTIL -SETREG CA\CACERTPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%1_%%3%%4.CRT\N2:http://pki.ECHOs.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%11"
CERTUTIL -SETREG CA\CRLPERIODUNITS 6
CERTUTIL -SETREG CA\CRLPERIOD "MONTHS"
CERTUTIL -SETREG CA\CRLDELTAPERIODUNITS 0
CERTUTIL -SETREG CA\VALIDITYPERIODUNITS 10
CERTUTIL -SETREG CA\VALIDITYPERIOD "YEARS"
CERTUTIL -SETREG CA\AUDITFILTER 127
NET STOP CERTSVC
NET START CERTSVC
CERTUTIL -CRL



When I go to my DC to publish the root certificate and CRL to AD I start having issues. The root certificate publishes just fine; my problem is with the CRL.

On the DC from an elevated powershell I run

certutil -f -dspublish 'C:\ECHOS ROOT CA.crl'

And receive the following output:
ldap:///CN=ECHOS ROOT CA,CN=ECHOs-RootCA,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

ldap: 0xa: 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'unavailableconfigdn'

CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
CertUtil: A referral was returned from the server.


When I look at the CRL I see the problem in the Published CRL Locations property (see attached).

My guess is the problem is with this line in the script, but I do not know enough about this to troubleshoot:
CERTUTIL -SETREG CA\CRLPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"



Thank you,

eb
Attachment: CRL-Properties.jpg
Erik Bjers, Principal Systems Administrator, asked:
Erik Bjers (Author) commented:
UPDATE:

I have found a few typos in the post-config script, and the new script is:
CERTUTIL.EXE -SETREG CA\DSCONFIGDN "CN=CONFIGURATION,DC=ECHOS,DC=COM"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.ECHos.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
CERTUTIL -SETREG CA\CRLPERIODUNITS 6
CERTUTIL -SETREG CA\CRLPERIOD "MONTHS"
CERTUTIL -SETREG CA\CRLDELTAPERIODUNITS 0
CERTUTIL -SETREG CA\VALIDITYPERIODUNITS 10
CERTUTIL -SETREG CA\VALIDITYPERIOD "YEARS"
CERTUTIL -SETREG CA\AUDITFILTER 127
NET STOP CERTSVC
NET START CERTSVC
CERTUTIL -CRL



After fixing the script and re-running the commands that had typos, I am able to do some testing:
certutil -getreg CA\CRLPublicationURLs
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> certutil -getreg CA\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ECHOS ROOT CA\CRLPublicationURLs:

  CRLPublicationURLs REG_MULTI_SZ =
    0: 1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl
    CSURL_SERVERPUBLISH -- 1

    1: 2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl
    CSURL_ADDTOCERTCDP -- 2

    2: 10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOCRLCDP -- 8

CertUtil: -getreg command completed successfully.
PS C:\Windows\system32>

Now when I try to publish my CRL again (either through the MMC or from PowerShell) I get an error indicating the directory is not valid:
PS C:\Windows\system32> certutil -crl
CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)
CertUtil: The directory name is invalid.
PS C:\Windows\system32>



The path exists and the right accounts have the required access per http://social.technet.microsoft.com/wiki/contents/articles/3081.ad-cs-error-the-directory-name-is-invalid-0x8007010b-win32http-267.aspx.

eb
arnold commented:
If I understand your question correctly, you actually have two CRL lists: one from the root CA (offline), which needs to be configured to publish its CRL list to a location that remains on while it is off. This CRL will deal with the certification of the Issuing CA's certificate.
The second CRL list is published by the Issuing CA.

Are you dealing with Enterprise PKI setup?
Erik Bjers (Author) commented:
The issuing CA will be an enterprise CA; right now I am focused on getting the offline root configured, as I need this to set up the issuing CA.

eb
Erik Bjers (Author) commented:
I found my own solution.

I was not saving the commands to a script but was just pasting them into the PowerShell or cmd prompt and letting them run one after another. It seems when certutil runs this way it does not properly parse the variables (such as %%2) and, instead of replacing these with the variable's value, it just puts the variable name in the path or file name.

I created a .cmd file and ran it, after that everything was fine.
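An added check, not from the thread, that models why running the commands from a .cmd file fixed it: cmd.exe collapses %% to % only when it reads a batch file, so a line pasted at the prompt reaches the registry with the tokens still doubled, which is exactly what the -getreg output above shows (%%3%%8%%9.crl). The script parses a CRLPublicationURLs value, decodes the CSURL flag bits, expands the %N tokens for a constructed CA identity built from the names visible in this thread (the DNS name is a placeholder), and reports entries whose tokens are still doubled.

```python
import re

# CSURL_* flag bits as certutil -getreg labels them in the question's output.
CSURL_NAMES = {1: "CSURL_SERVERPUBLISH", 2: "CSURL_ADDTOCERTCDP", 8: "CSURL_ADDTOCRLCDP"}
# certutil %N replacement tokens for CDP/AIA URL templates (%5, the legacy domain DN, omitted).
TOKEN_NAMES = {1: "ServerDNSName", 2: "ServerShortName", 3: "CaName", 4: "CertificateName",
               6: "ConfigurationContainer", 7: "CATruncatedName", 8: "CRLNameSuffix",
               9: "DeltaCRLAllowed", 10: "CDPObjectClass", 11: "CAObjectClass"}
# Constructed CA identity from the names visible in the thread (DNS name is a placeholder).
CA = {"ServerDNSName": "rootca.example.invalid", "ServerShortName": "ECHOs-RootCA",
      "CaName": "ECHOS ROOT CA", "CertificateName": "", "CATruncatedName": "ECHOS ROOT CA",
      "CRLNameSuffix": "", "DeltaCRLAllowed": "",
      "ConfigurationContainer": "CN=Configuration,DC=ECHOS,DC=COM",
      "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
      "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority"}

# CRLPublicationURLs exactly as written in the corrected script: %% is batch-file escaping,
# and the literal \n is certutil's separator between REG_MULTI_SZ entries.
PASTED = (r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n"
          r"2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n"
          r"10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")

def as_batch_file(value):
    """What cmd.exe hands certutil when the line comes from a .cmd file: %% collapses to %.
    Typed at an interactive prompt, %% is passed through unchanged."""
    return value.replace("%%", "%")

def parse_entries(value):
    """Split 'flags:url\\nflags:url' into (flags, url) pairs."""
    return [(int(f), u) for f, u in (item.split(":", 1) for item in value.split(r"\n"))]

def decode_flags(flags):
    """Name each set bit; bits not shown on this page are reported by value."""
    return [CSURL_NAMES.get(b, "bit_%d" % b) for b in (1, 2, 4, 8, 16, 32, 64, 128) if flags & b]

def expand(url, ca):
    """Substitute %N tokens as the CA does; %WINDIR% is left for the OS environment."""
    return re.sub(r"%(\d+)", lambda m: ca[TOKEN_NAMES[int(m.group(1))]], url)

def audit(value):
    """Report entries whose tokens are still doubled (the -getreg symptom above) or unknown."""
    problems = []
    for _flags, url in parse_entries(value):
        if "%%" in url:
            problems.append("doubled %% still present in " + url)
        for n in re.findall(r"%(\d+)", url.replace("%%", "%")):
            if int(n) not in TOKEN_NAMES:
                problems.append("unknown token %" + n + " in " + url)
    return problems
```

Running audit() on the value as pasted reports all three entries; after as_batch_file() it is clean and expand() yields the CRL file name and the ldap CDP path with the configuration DN resolved instead of UnavailableConfigDN.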

Erik Bjers (Author) commented:
I resolved the problem on my own.