Re: Server2k3 PKI - Offline Root CA


Thanks for all your assistance. It is now making sense. I took your
suggestions and I was able to get everything installed. Now comes the

Thanks Again..

"Brian Komar (MVP)" wrote:


"PKI Newb" <PKINewb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hi Brian,
Thank you for your quick response, I truly appreciate it. Please see
for answers to your questions.

"Brian Komar (MVP)" wrote:

Hi Newb.

1) If you copied and pasted directly, the file has publishing quotes and
good old fashioned "" characters, check this first.
a: I didn't copy and paste, so the quotes, should be ok.

2) Did you look at the root CA certificate and ensure that there is no
or CDP extensions in the certificate.

a: I looked at the root .crt file, and there are no entries for AIA or CDP
Extensions. I checked the root .crl file and found under
Published CRL Locations :

Does this seem correct?

No. Note that it states an UnavailableConfigDN. This means that you did not
define the %%6 variable correctly in the post-configuration script.
There is a line where you must define the Configuration naming context that
has not been set correctly. For example, if your forest root domain is, then you would set the line to be

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com

3) The post-configuration scripts contain quotes as well, so you may have
verify that they are normal " characters
a: I didnt copy and paste, so the quotes should be ok.

May not be, but you can only see this in notepad.

4) Was there any errors during the running of the post-configuration
a: The only error when running post configuration script was when it got
Certutil -crl

CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
CerUtil: Access is denied.

Actually, this is doing certutil -setreg. To run this command, you must be a
local admnistrator on the CA.

5) What values are shown for the CDP and AIA extension locations?

a: If i check the properties of the Root CA, the extenstions are:


ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key




Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>



These are not set correctly. For the LDAP URLs, the incorrect DSConfigDN is
For the HTTP URL, you need to point to an interally and externally accesible
URL (not the root CA), and then manually copy the CA Certificate and CRL to
the referenced location).

6) Did you update the DSConfigDN value in the script if using LDAP URLs?
a: I updated the first line of the script to show

It looks like you did not publish a new CRL based ont he previous output you
showed (UnavailableCOnfiguDN)


"PKI Newb" <PKI Newb@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Hi all,
Please excuse my ignorance if this subject has been covered, but I have
a heck of a time trying to find an answer. I have been following the
Microsoft Book by Brian Komar Windows Server2k3 PKI and Cert Security.
attempting to set up a 3 tier hierarchy with offline Root and Policy
have not been able to get the Root CA set up correctly, and im not sure
the issue is. I am using the default CAPolicy.inf from the book. It
CRL and AIA set to 'Empty=True'. I am able to install CA on the
Root. The issue I continue to see is that after install of CA, I need
some reg keys that apply towards the subordinate CA's. I again use the
example in the book and all seems to go well, until I try to regenerate
.crl file (certutil -crl). I continue to get an access denied. Im not
where this error is coming from. Any direction would be greatly
and thanks for reading this long post..


Relevant Pages

  • Re: certificates and OWA
    ... >> Outside it is saying the certificate is issued by a company I have not ... In windows 98 it complains of the CRL. ... I install the certificate and even put it in the trusted ... >>> Is the root CA trusted on all the clients? ...
  • Re: Server2k3 PKI - Offline Root CA
    ... or CDP extensions in the certificate. ... I checked the root .crl file and found under ... Published CRL Locations: ... Microsoft Book by Brian Komar Windows Server2k3 PKI and Cert Security. ...
  • Re: certificates and OWA
    ... I am assuming you mean the web certificate I created? ... I do install it in the root but it never actually puts it there. ... In windows 98 it complains of the CRL. ...
  • RE: Location of web root
    ... Subject: Location of web root ... during install) pointing out that a Custom install will allow for a more ... in a different folder off C:. ... were the script kiddie, how would you exploit the machine. ...
  • Re: Certutil error
    ... After I ran cmd as an administrator it published the CRL and CRT file in the AD without error. ... I have your WS 2008 PKI and Certificate Security book. ... These surfaced when trying to publish my root ... CertUtil: A referral was returned from the server. ...