Certificate Services - Win 2003, Enterprise

Do your Standalone Root CA and Standalone Subordinate CA need to be online in order to confirm the trust root path for our users? If yes or no, why? Any technical reference URLs for the same?

My testing setup:

Main goal: autoenrollment for end users.
Standalone Root CA > Standalone Subordinate CA > Enterprise Subordinate Issuing CA > End Users

CA servers and end users are on the same network segment. CA servers: 10.x.x.x. End users: 10.x.x.x.

As mentioned, I had set up all the systems and tried autoenrollment with 2k3 SP2 PKI and Win XP SP2 clients. The InterCA and RootCA (both standalone) are offline. When a client system tried to autoenroll for the first time, it didn't get autoenrolled. The Wireshark trace depicts that the client (xp_sp2_01) was looking for InterCA (which is offline). Why is it looking for the InterCA system (doing NBNS broadcasts)? And suppose our InterCA is on a completely different network segment where it can't be reached via an NBNS name broadcast; how would clients know about InterCA? (Leaving the clients' LMHOSTS as a valid option.) Wireshark trace URL mentioned below.

If our InterCA is online (RootCA is still offline), everything works fine. Now does our Standalone InterCA need to be online forever to complete autoenrollment for our clients, or is there any other way to handle this?

Trace01.zip - Windows SkyDrive
May 30th, 2009 3:39pm

I had read TechNet articles and fetched the following useful info:

Autoenrollment always performs a revocation check of the entire certificate chain starting with the issuing certification authority to ensure that the CA offering enrollment services is not revoked before performing enrollment. If the CA is revoked, autoenrollment will not send requests to that certification authority. However, autoenrollment will ignore revocation errors if a CDP (CRL Distribution Point) extension does not exist in the CA certificate or if the revocation status is offline.

Now how to do the above marked in bold chars?

Autoenrollment Failures
Autoenrollment will warn the user with a warning dialog box when an autoenrollment failure occurs. This feature is only enabled when user interaction is required on the certificate template.
To enable the warning feature for an autoenrollment failure:
1. Open the specified template in the Certificate Templates MMC snap-in.
2. Click the Request Handling tab.
3. Click Prompt the user during enrollment on the Request Handling tab of the certificate template properties.

Here is the error screenshot.

Now this means that the certificate that InterCA enrolled to IssuingCA had a CRL defined on it, with the time when to check for an update of the CRL. New clients who try to autoenroll check the CRL list of the entire tree. Is this same applicable for Delta CRL? Now how to get the clients not to check the CRL CDP, via GPOs?

trace 1 -01.jpg - imgX
May 30th, 2009 4:38pm

Hi Haarmandeep,

I guess your problem is that you have not changed the AIA and CRL paths, so they probably point to the local file on the intermediate server. Have you tried to run "pkiview.msc" to see if you can connect to all AIA and CRL paths? Normally you configure either an HTTP distribution point where clients can look up AIA and CRL information for validation of the certificate chain. You can also use AD as a distribution point, or both.

Best Regards,
Benjamin
June 5th, 2009 12:45am
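The configuration Benjamin's answer points at, as an added example that is not from this thread, from Microsoft, or from either poster: a PowerShell/certutil sequence that moves each CA's CDP and AIA URLs off local file paths onto HTTP and Active Directory locations, publishes the offline root and intermediate CAs' certificates and CRLs into AD and onto the web server, and then verifies the issuing CA's chain with certutil -verify -urlfetch, which performs the same URL checks pkiview.msc does. The hostname pki.example.com, the C:\pki-stage folder, the CertEnroll share and the file names are assumptions; substitute your own. The offline CAs stay offline: clients never contact them, they only fetch the published CRL, so the remaining operational duty is to re-publish each offline CA's CRL before it expires.

```powershell
# Added example, not the thread's or Microsoft's own script.
# Part 1: run in an elevated PowerShell on EACH CA (root, intermediate, issuing)
# BEFORE the subordinate CA certificates are issued or renewed. CDP/AIA URLs are
# embedded in a certificate at issuance time, so CA certificates issued earlier
# keep the old (local-file) URLs until they are renewed.
$HttpBase = "http://pki.example.com/CertEnroll"   # ASSUMPTION: your HTTP CDP/AIA host

# CDP locations. certutil flag bits: 1 = publish the CRL to this location,
# 2 = add to the CDP extension of issued certificates, 4 = add to the
# "freshest CRL" (delta) extension, 8 = add to the CRL's own IDP extension,
# 64 = publish delta CRLs here. The local file path keeps only publish flags,
# so it is never written into a certificate (the misconfiguration in the answer).
$cdp = @(
    "65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl",
    "6:$HttpBase/%3%8%9.crl",
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
) -join "\n"    # certutil -setreg takes literal \n as the multi-string separator

# AIA locations. Flag bits: 1 = publish the CA cert here, 2 = add to the AIA
# extension of issued certificates (32 = OCSP, not used in this 2003 setup).
$aia = @(
    "1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt",
    "2:$HttpBase/%1_%3%4.crt",
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
) -join "\n"

certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# Offline (standalone) CAs only: a long base CRL lifetime and no delta CRLs,
# so the CRL has to be regenerated and re-published only a few times a year.
# Skip these three lines on the online enterprise issuing CA.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

Restart-Service CertSvc        # registry changes apply after a service restart
certutil -crl                  # generate a CRL carrying the new CDP/IDP entries

# Part 2: from a domain-joined machine, after copying the offline CAs' .crt/.crl
# files (from C:\Windows\System32\CertSrv\CertEnroll on each CA) to a staging
# folder. ASSUMPTION: file names RootCA.crt, InterCA.crt, RootCA.crl, InterCA.crl.
$Stage = "C:\pki-stage"
certutil -dspublish -f "$Stage\RootCA.crt"  RootCA   # trusted root store in AD
certutil -dspublish -f "$Stage\InterCA.crt" SubCA    # AIA container in AD
certutil -dspublish -f "$Stage\RootCA.crl"           # CDP container in AD
certutil -dspublish -f "$Stage\InterCA.crl"
# The same files must also sit under the HTTP path above (share name assumed).
Copy-Item "$Stage\*.crt" "\\pki.example.com\CertEnroll\"
Copy-Item "$Stage\*.crl" "\\pki.example.com\CertEnroll\"

# Part 3: verify the issuing CA's certificate the way pkiview.msc does, i.e.
# fetch every AIA and CDP URL in the chain. Each URL is reported as Verified
# or Failed; a "Failed" for a file:// or unreachable URL is the autoenrollment
# blocker described in the question.
certutil -verify -urlfetch "$Stage\IssuingCA.crt"
```

Because the revocation check walks the whole chain from the issuing CA upward, a single stale or unreachable CRL for the offline intermediate CA is enough to stop autoenrollment for every client, so the re-publication of the offline CAs' CRLs (Part 2) is worth scheduling and monitoring, for example by running the Part 3 verification from a client network segment and alerting on any "Failed" line.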

