Re: Server2k3 PKI - Offline Root CA
- From: PKI Newb <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Aug 2008 07:16:00 -0700
Thanks for all your assistance. It is now making sense. I took your
suggestions and I was able to get everything installed. Now comes the
"Brian Komar (MVP)" wrote:
"PKI Newb" <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Thank you for your quick response, I truly appreciate it. Please see
for answers to your questions.
"Brian Komar (MVP)" wrote:
Hi Newb.a: I didn't copy and paste, so the quotes, should be ok.
1) If you copied and pasted directly, the file has publishing quotes and
good old fashioned "" characters, check this first.
2) Did you look at the root CA certificate and ensure that there is no
or CDP extensions in the certificate.
a: I looked at the root .crt file, and there are no entries for AIA or CDP
Extensions. I checked the root .crl file and found under
Published CRL Locations :
Does this seem correct?
No. Note that it states an UnavailableConfigDN. This means that you did not
define the %%6 variable correctly in the post-configuration script.
There is a line where you must define the Configuration naming context that
has not been set correctly. For example, if your forest root domain is
root.example.com., then you would set the line to be
certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com
3) The post-configuration scripts contain quotes as well, so you may havea: I didnt copy and paste, so the quotes should be ok.
verify that they are normal " characters
May not be, but you can only see this in notepad.
4) Was there any errors during the running of the post-configurationa: The only error when running post configuration script was when it got
CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
CerUtil: Access is denied.
Actually, this is doing certutil -setreg. To run this command, you must be a
local admnistrator on the CA.
5) What values are shown for the CDP and AIA extension locations?
a: If i check the properties of the Root CA, the extenstions are:
These are not set correctly. For the LDAP URLs, the incorrect DSConfigDN is
For the HTTP URL, you need to point to an interally and externally accesible
URL (not the root CA), and then manually copy the CA Certificate and CRL to
the referenced location).
6) Did you update the DSConfigDN value in the script if using LDAP URLs?a: I updated the first line of the script to show
It looks like you did not publish a new CRL based ont he previous output you
"PKI Newb" <PKI Newb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Please excuse my ignorance if this subject has been covered, but I have
a heck of a time trying to find an answer. I have been following the
Microsoft Book by Brian Komar Windows Server2k3 PKI and Cert Security.
attempting to set up a 3 tier hierarchy with offline Root and Policy
have not been able to get the Root CA set up correctly, and im not sure
the issue is. I am using the default CAPolicy.inf from the book. It
CRL and AIA set to 'Empty=True'. I am able to install CA on the
Root. The issue I continue to see is that after install of CA, I need
some reg keys that apply towards the subordinate CA's. I again use the
example in the book and all seems to go well, until I try to regenerate
.crl file (certutil -crl). I continue to get an access denied. Im not
where this error is coming from. Any direction would be greatly
and thanks for reading this long post..