Certificate CDP misnamed under Enterprise PKI
Recently I discovered that the Certificate Authority CDP is creating the filename as "Server Name".crl, but under Enterprise PKI it will show the CDP status as "Unable to Download". That is because while the server http location is correct, the file name is "Server FQDN".crl.
I went to the server's properties > Extensions and checked the CDP address. There I have "http://domain_name.com/CertEnroll/<CaName><DeltaCRLAllowed>.crl".
I thought maybe I needed to publish a new one, so I deleted the existing files under "C:\Windows\System32\certsrv\CertEnroll" and restarted Certificate Authority, rebooted the server, and even tried the CLI "certutil -crl". I should add one significant point: the Delta CRL is working and is listed correctly under Enterprise PKI.
Don't know at this point where to go next.
November 18th, 2012 7:22pm
Could you provide the results from the following command when you run it on the CA server:
certutil.exe getreg CA\CRLPublicationURLs
/Hasain
November 22nd, 2012 7:43am
Hi,
Did you check the box that makes the CA deliver the CDP to the local filesystem?
Did you manually try to create a new CRL using the MMC?
Regards
Thomas
November 27th, 2012 1:13am
Could you provide the results from the following command when you run it on the CA server:
certutil.exe getreg CA\CRLPublicationURLs
/Hasain
C:\Users\Administrator>certutil.exe -getreg CA\CRLPublicationURLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\mpls1
\CRLPublicationURLs:
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
CSURL_SERVERPUBLISH -- 1
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CSURL_ADDTOCRLCDP -- 8
CSURL_SERVERPUBLISHDELTA -- 40 (64)
2: 6:http://mpls1.DOMAINNAME.com/CertEnroll/%3%9.crl
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CertUtil: -getreg command completed successfully.
C:\Users\Administrator>
Here is the problem: here it lists "%3%9.crl" as the cert name. Under Enterprise PKI, and in what is given in any issued certificate, it is "mpls1.DOMAINNAME.com.crl", yet the delta is named "mpls1+.crl".
November 28th, 2012 7:15am
Your setting above tells that the CA will automatically publish a CRL file based on the template %3%8%9.crl, but the http URL is referring to a CRL file based on the template %3%9.crl. You need to either publish another CRL file based on the %3%9.crl template or change the http URL to refer to the CRL using the %3%8%9.crl template!
/Hasain
November 28th, 2012 10:44am
First, after whatever frantic changes I have made recently, the CRLs are being published with the correct URL+filename. So certificates issued have a CRL that can be seen (same for AIA). However, what is annoying is that under Enterprise PKI it still lists them as unable to download, and of course that is because the CRLs created are SERVERNAME.crl and SERVERNAME+.crl and the URL listed there still shows it looking for DNSNAME_SERVERNAME.crl.
Right now I am somewhat less concerned as long as certificates being used can see and check the actual CRL. It is still just a concern why there is this discrepancy.
One question I have: I am not familiar with what %3, %8, %9 correspond to or mean. What is the correct syntax/line I should use to create a CRL with just the server name "mpls1" at the URL mpls1.domain.com?
December 4th, 2012 1:14am
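The %-tokens asked about here are the CA's publication-URL replacement variables, and Hasain's point is that the file-publish template (%3%8%9.crl) and the HTTP template (%3%9.crl) only yield the same file name while %8 is empty. The Python below is an added example, not code from the thread or from Microsoft: it parses the certutil -getreg output posted above, decodes the CSURL flag bits, expands both templates for the base and the delta CRL, and reports any CRL file name the HTTP CDP advertises that the CA does not actually write to disk. The CA name and host are taken from the posted output; the DN strings and the CRLNameSuffix values are assumed placeholders, and the %8 = "(1)" case stands for a CA whose key has been renewed.

```python
import re
from urllib.parse import urlsplit

# Replacement tokens AD CS accepts in CRL/AIA publication URLs (the variables
# the question asks about; meanings per Microsoft's CA configuration reference).
TOKEN_NAMES = {
    "%1": "ServerDNSName", "%2": "ServerShortName", "%3": "CaName",
    "%4": "CertificateName", "%5": "DomainDN", "%6": "ConfigDN",
    "%7": "CATruncatedName", "%8": "CRLNameSuffix", "%9": "DeltaCRLAllowed",
    "%10": "CDPObjectClass", "%11": "CAObjectClass",
}

# Bit flags certutil prints next to each entry (65 = 1 + 64, 79 = 1+2+4+8+64).
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",        # CA writes the base CRL to this location
    2: "CSURL_ADDTOCERTCDP",         # URL goes into issued certificates' CDP
    4: "CSURL_ADDTOFRESHESTCRL",     # URL goes into the base CRL's Freshest CRL ext
    8: "CSURL_ADDTOCRLCDP",          # URL goes into the CRL's own CDP/IDP ext
    64: "CSURL_SERVERPUBLISHDELTA",  # CA writes the delta CRL to this location
}

# The certutil output posted in the thread, embedded so the check runs offline.
SAMPLE_OUTPUT = r"""
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
CSURL_SERVERPUBLISH -- 1
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CSURL_ADDTOCRLCDP -- 8
CSURL_SERVERPUBLISHDELTA -- 40 (64)
2: 6:http://mpls1.DOMAINNAME.com/CertEnroll/%3%9.crl
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CertUtil: -getreg command completed successfully.
"""

# Assumed variable values: CA name and host come from the thread, the DN and
# object-class strings are placeholders the file-name check never depends on.
SAMPLE_VALUES = {
    "ServerDNSName": "mpls1.DOMAINNAME.com", "ServerShortName": "mpls1",
    "CaName": "mpls1", "CertificateName": "mpls1",
    "DomainDN": "DC=DOMAINNAME,DC=com",
    "ConfigDN": "CN=Configuration,DC=DOMAINNAME,DC=com",
    "CATruncatedName": "mpls1", "CRLNameSuffix": "",
    "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
}

ENTRY_RE = re.compile(r"^\s*\d+:\s*(\d+):(.+)$")


def parse_publication_urls(text):
    """Return [(flags, template)] for every numbered 'N: flags:url' line."""
    return [(int(m.group(1)), m.group(2).strip())
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def decode_flags(flags):
    """Names of the CSURL_* bits set in a certutil flag value."""
    return [name for bit, name in sorted(CSURL_FLAGS.items()) if flags & bit]


def expand(template, values):
    """Substitute %1..%11 the way the CA does (two-digit tokens matched first)."""
    return re.sub(r"%(?:1[01]|[1-9])",
                  lambda m: values[TOKEN_NAMES[m.group(0)]], template)


def check_cdp_consistency(entries, values):
    """Compare the CRL file names the CA writes to disk with the names its HTTP
    URL advertises, for the base CRL (%9 = '') and the delta CRL (%9 = '+').
    Returns [(kind, published_names, referenced_names)] for each mismatch."""
    problems = []
    for kind, publish_bit, advertise_bit, suffix in (("base", 1, 2, ""),
                                                     ("delta", 64, 4, "+")):
        v = dict(values, DeltaCRLAllowed=suffix)
        published = {expand(t, v).rsplit("\\", 1)[-1]
                     for f, t in entries if f & publish_bit and "://" not in t}
        referenced = {urlsplit(expand(t, v)).path.rsplit("/", 1)[-1]
                      for f, t in entries
                      if f & advertise_bit and t.lower().startswith("http")}
        if referenced - published:
            problems.append((kind, sorted(published), sorted(referenced)))
    return problems


if __name__ == "__main__":
    entries = parse_publication_urls(SAMPLE_OUTPUT)
    for flags, template in entries:
        print(f"{flags:3d} {template}\n    {', '.join(decode_flags(flags))}")
    # With an empty CRLNameSuffix the two templates agree ...
    print(check_cdp_consistency(entries, SAMPLE_VALUES))
    # ... but once the CA key is renewed and %8 becomes '(1)', the %3%9.crl name
    # on the web server no longer matches the %3%8%9.crl file the CA writes.
    print(check_cdp_consistency(entries, dict(SAMPLE_VALUES, CRLNameSuffix="(1)")))
```

With CRLNameSuffix empty the checker reports nothing, which matches Hasain's remark that the two templates only diverge once %8 carries a renewal suffix. A file name of the form FQDN.crl is what a template built on %1 (ServerDNSName) expands to, not %3, so that is the token to look for in any CDP URL that still names the server's DNS name.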
For a complete list of the variables available and their meanings, please check the "Configure the CA" section in this TechNet article http://technet.microsoft.com/en-us/library/hh831574.aspx
/Hasain
December 5th, 2012 1:49am