Re: Server2k3 PKI - Offline Root CA
- From: PKI Newb <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Aug 2008 07:16:00 -0700
Brian,
Thanks for all your assistance. It is now making sense. I took your
suggestions and I was able to get everything installed. Now comes the
testing...
Thanks Again..
"Brian Komar (MVP)" wrote:
Inline....
"PKI Newb" <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45F635B8-041F-4FDD-8F36-582D4A918AD1@xxxxxxxxxxxxxxxx
Hi Brian,
Thank you for your quick response, I truly appreciate it. Please see
below
for answers to your questions.
"Brian Komar (MVP)" wrote:
Hi Newb.a: I didn't copy and paste, so the quotes, should be ok.
1) If you copied and pasted directly, the file has publishing quotes and
not
good old fashioned "" characters, check this first.
2) Did you look at the root CA certificate and ensure that there is no
AIA
or CDP extensions in the certificate.
a: I looked at the root .crt file, and there are no entries for AIA or CDP
Extensions. I checked the root .crl file and found under
Published CRL Locations :
URL=ldap:///CN=rootca,CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint.
Does this seem correct?
No. Note that it states an UnavailableConfigDN. This means that you did not
define the %%6 variable correctly in the post-configuration script.
There is a line where you must define the Configuration naming context that
has not been set correctly. For example, if your forest root domain is
root.example.com., then you would set the line to be
certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com
3) The post-configuration scripts contain quotes as well, so you may havea: I didnt copy and paste, so the quotes should be ok.
to
verify that they are normal " characters
May not be, but you can only see this in notepad.
4) Was there any errors during the running of the post-configurationa: The only error when running post configuration script was when it got
script.
to
Certutil -crl
CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
CerUtil: Access is denied.
Actually, this is doing certutil -setreg. To run this command, you must be a
local admnistrator on the CA.
5) What values are shown for the CDP and AIA extension locations?
a: If i check the properties of the Root CA, the extenstions are:
AIA
C:\WINDOWS\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key
Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
CDP
C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public
Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
These are not set correctly. For the LDAP URLs, the incorrect DSConfigDN is
set.
For the HTTP URL, you need to point to an interally and externally accesible
URL (not the root CA), and then manually copy the CA Certificate and CRL to
the referenced location).
6) Did you update the DSConfigDN value in the script if using LDAP URLs?a: I updated the first line of the script to show
CN=Configuration,DC=x,DC=y,DC=Org
It looks like you did not publish a new CRL based ont he previous output you
showed (UnavailableCOnfiguDN)
Brian
"PKI Newb" <PKI Newb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B33BA9B1-F820-4431-A24C-5F719EBBC7E6@xxxxxxxxxxxxxxxx
Hi all,
Please excuse my ignorance if this subject has been covered, but I have
had
a heck of a time trying to find an answer. I have been following the
Microsoft Book by Brian Komar Windows Server2k3 PKI and Cert Security.
I
am
attempting to set up a 3 tier hierarchy with offline Root and Policy
CA's.
I
have not been able to get the Root CA set up correctly, and im not sure
what
the issue is. I am using the default CAPolicy.inf from the book. It
has
the
CRL and AIA set to 'Empty=True'. I am able to install CA on the
offline
Root. The issue I continue to see is that after install of CA, I need
to
set
some reg keys that apply towards the subordinate CA's. I again use the
example in the book and all seems to go well, until I try to regenerate
the
.crl file (certutil -crl). I continue to get an access denied. Im not
sure
where this error is coming from. Any direction would be greatly
appreciated,
and thanks for reading this long post..
- References:
- Server2k3 PKI - Offline Root CA
- From: PKI Newb
- Re: Server2k3 PKI - Offline Root CA
- From: PKI Newb
- Re: Server2k3 PKI - Offline Root CA
- From: Brian Komar \(MVP\)
- Server2k3 PKI - Offline Root CA
- Prev by Date: Open certain port on a Windows2000 server
- Next by Date: Re: Open certain port on a Windows2000 server
- Previous by thread: Re: Server2k3 PKI - Offline Root CA
- Next by thread: A question regarding a protocol
- Index(es):
Relevant Pages
|
