Re: Server2k3 PKI - Offline Root CA



Brian,

Thanks for all your assistance. It is now making sense. I took your suggestions and I was able to get everything installed. Now comes the testing...

Thanks again.

"Brian Komar (MVP)" wrote:

Inline...


"PKI Newb" <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45F635B8-041F-4FDD-8F36-582D4A918AD1@xxxxxxxxxxxxxxxx
Hi Brian,
Thank you for your quick response, I truly appreciate it. Please see below for answers to your questions.


"Brian Komar (MVP)" wrote:

Hi Newb.

1) If you copied and pasted directly, the file has publishing quotes and not good old fashioned "" characters; check this first.
a: I didn't copy and paste, so the quotes should be OK.

2) Did you look at the root CA certificate and ensure that there are no AIA or CDP extensions in the certificate?

a: I looked at the root .crt file, and there are no entries for AIA or CDP extensions. I checked the root .crl file and found under Published CRL Locations:

URL=ldap:///CN=rootca,CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint.
Does this seem correct?

No. Note that it states an UnavailableConfigDN. This means that you did not define the %%6 variable correctly in the post-configuration script. There is a line where you must define the Configuration naming context that has not been set correctly. For example, if your forest root domain is root.example.com, then you would set the line to be

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com


3) The post-configuration scripts contain quotes as well, so you may have to verify that they are normal " characters.
a: I didn't copy and paste, so the quotes should be OK.

May not be, but you can only see this in notepad.

4) Were there any errors during the running of the post-configuration script?
a: The only error when running the post-configuration script was when it got to
Certutil -crl

CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
CerUtil: Access is denied.

Actually, this is doing certutil -setreg. To run this command, you must be a local administrator on the CA.


5) What values are shown for the CDP and AIA extension locations?

a: If I check the properties of the Root CA, the extensions are:

AIA
C:\WINDOWS\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt

ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>

http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt


CDP
C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl


These are not set correctly. For the LDAP URLs, the incorrect DSConfigDN is set.
For the HTTP URL, you need to point to an internally and externally accessible URL (not the root CA), and then manually copy the CA Certificate and CRL to the referenced location.

6) Did you update the DSConfigDN value in the script if using LDAP URLs?
a: I updated the first line of the script to show
CN=Configuration,DC=x,DC=y,DC=Org



It looks like you did not publish a new CRL based on the previous output you showed (UnavailableConfigDN).

Brian

"PKI Newb" <PKI Newb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B33BA9B1-F820-4431-A24C-5F719EBBC7E6@xxxxxxxxxxxxxxxx
Hi all,
Please excuse my ignorance if this subject has been covered, but I have had a heck of a time trying to find an answer. I have been following the Microsoft Book by Brian Komar, Windows Server2k3 PKI and Cert Security. I am attempting to set up a 3 tier hierarchy with offline Root and Policy CAs. I have not been able to get the Root CA set up correctly, and I'm not sure what the issue is. I am using the default CAPolicy.inf from the book. It has the CRL and AIA set to 'Empty=True'. I am able to install CA on the offline Root. The issue I continue to see is that after install of CA, I need to set some reg keys that apply towards the subordinate CAs. I again use the example in the book and all seems to go well, until I try to regenerate the .crl file (certutil -crl). I continue to get an access denied. I'm not sure where this error is coming from. Any direction would be greatly appreciated, and thanks for reading this long post.
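The points Brian raises in this thread (DSConfigDN left unset so the CRL carries DC=UnavailableConfigDN, HTTP CDP/AIA URLs that must point somewhere other than the offline root, certutil -setreg needing local administrator rights, and a fresh certutil -crl afterwards) fit together into one offline-root post-configuration .cmd file. The script below is an added example written for this thread; it is not the book's script and not code posted by either participant. It assumes the forest root root.example.com from Brian's reply, a placeholder web host pki.example.com for the HTTP URLs, and that it is run from an elevated command prompt as a local administrator on the root CA.

```batch
@echo off
rem Added example for an offline root CA post-configuration script (not the
rem book's script). Assumptions: forest root root.example.com (from the
rem thread), HTTP publication host pki.example.com (placeholder), run as a
rem local administrator on the root CA, which certutil -setreg requires.
rem Save as plain text in Notepad so the quotes are normal " characters.

rem 1) Configuration naming context used by the LDAP URLs. Leaving this
rem    unset is what puts DC=UnavailableConfigDN into the published CRL.
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=root,DC=example,DC=com"

rem 2) CRL distribution points. Prefix flags: 1 = publish the CRL to this
rem    location, 2 = include in the CDP extension of issued certificates,
rem    8 = include in all CRLs (AD location for manual publishing).
rem    Tokens are doubled (%%3, %%6, ...) because this is a .cmd file;
rem    certutil expands them: %%1 server DNS name, %%2 server short name,
rem    %%3 CA name, %%4 certificate name, %%6 DSConfigDN, %%7 truncated CA
rem    name, %%8 CRL name suffix, %%9 delta CRL allowed, %%10 CDP object
rem    class, %%11 CA object class. The HTTP URL is not the root CA itself:
rem    the CRL is carried to that host by hand after each certutil -crl.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://pki.example.com/CertEnroll/%%3%%8%%9.crl"

rem 3) Authority Information Access. 1 = publish the CA certificate to this
rem    location, 2 = include in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://pki.example.com/CertEnroll/%%1_%%3%%4.crt"

rem 4) A long base CRL lifetime and no delta CRLs, since the root stays
rem    offline and is only booted to publish.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"

rem 5) Restart Certificate Services so the new registry values are read,
rem    then publish a CRL that reflects them. This is the step that fails
rem    with 0x80070005 (Access is denied) when not run as a local admin.
net stop certsvc
net start certsvc
certutil -crl

rem 6) Checks before carrying the CRL to the HTTP host: confirm the
rem    registry value took, and confirm no freshly written CRL still
rem    carries the UnavailableConfigDN placeholder in its CDP data.
certutil -getreg ca\DSConfigDN
set STALE=0
for %%F in ("%WINDIR%\system32\CertSrv\CertEnroll\*.crl") do (
    certutil -dump "%%F" | findstr /I "UnavailableConfigDN" >nul && (
        echo %%F still references UnavailableConfigDN
        set STALE=1
    )
)
if "%STALE%"=="1" (
    echo Fix DSConfigDN and rerun certutil -crl before publishing
) else (
    echo CRL published with the configured naming context
)
```

The two checks at the end are the ones this thread turned on: certutil -getreg shows whether the naming context really landed in the registry, and dumping the .crl files shows whether the CRL on disk was regenerated after the change rather than being the stale copy that still names UnavailableConfigDN. The LDAP entries for the root CA's certificate and CRL still have to be published into Active Directory from a domain-joined machine (certutil -dspublish), since the offline root itself is not a domain member.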




