Certification Authority's CRL Distribution Points have wrong servers
Hi, we had Windows SBS 2003 (domainserver.adart.local) in our company with CA installed. We have moved to Win SBS 2008 with Standalone CA (edge.adart.local). The old CA was backed up and restored on the new server.

New certificates issued by SBS 2008 contain the correct CRL Distribution Point: http://edge.adart.local
But the CA's certificate has the old URL: http://domainserver.adart.local

I tried to renew the CA's certificate but it still has the wrong old URL.

The CA's distribution point is configured in this way:

CACertPublicationURLs:
1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
2:http://%1/CertEnroll/%1_%3%4.crt
0:file://%1/CertEnroll/%1_%3%4.crt

CRLPublicationURLs:
65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://%1/CertEnroll/%3%8%9.crl
0:file://%1/CertEnroll/%3%8%9.crl

Both CA certificates (the old and the new one) contain this information:

[1]CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=domainserver,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
      URL=http://domainserver.adart.local/CertEnroll/Ad!002fArt%20Slovakia%20CA.crl

I see in the Issued Certificates list that the EDGE$ server issued a Cross Certification Authority (CrossCA) template and this new certificate has the correct CDP:

[1]CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=Ad!002fArt%20Slovakia%20CA(1),CN=EDGE,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
      URL=http://edge.adart.local/CertEnroll/Ad!002fArt%20Slovakia%20CA(1).crl

How can I renew the CA's certificate so it will have the correct CDP?

Thanks for your advice.
Regards, Jozef.
May 11th, 2009 1:45pm

I think you'll find the following document helpful: http://www.microsoft.com/downloads/details.aspx?FamilyID=C70BD7CD-9F03-484B-8C4B-279BC29A3413&displaylang=en

You will probably be interested in the section: Updating CRL Distribution Point and Authority Information Access Extensions

Andrew
May 12th, 2009 2:35am

Hi Jozef, Thank you for posting here. Please also confirm if the CAPolicy.inf file is being used. If a CAPolicy.inf file exists, it supersedes the default configuration that is used to install a CA or renew its CA certificate. I look forward to your response.
May 12th, 2009 1:42pm

Hi Joson, where should I look for CAPolicy.inf? I think it is not used (I've tried to find it in %windir% and subdirs) but I want to be sure where it can be placed.

Andrew, thanks for the document. I checked the registry according to "Performing Registry Updates after a Host Name Change" but I can't see any reference to the old server. CDPs are using <ServerDNSName> in templates. After renewing the CA cert (it has version 1.1) new certificates are using a new CDP called "CN=Ad!002fArt Slovakia CA(1)" for CRLs. (The CA name is Ad/Art Slovakia CA and the former cRLDistributionPoint in AD is called CN=Ad!002fArt Slovakia CA.) I also tried to renew the CA's cert again, now it has version 2.1 but its CDP still points to the old server, not the new server or the new CDP ending with (1). (I hope this will still help a little bit.)

Regards, Jozef
-- MCPD Web Applications
May 13th, 2009 1:29am

Hi Jozef, Thank you for your reply.

The file CAPolicy.inf should be located in the %windir% folder. Based on my research, the properties of the new CA certificate are generated from the information in the old CA certificate if CAPolicy.inf does not exist. Therefore, the CDP extension of the new CA certificate still has the old URL.

To correct the CDP extension of the root CA certificate, you need to create a CAPolicy.inf file and edit it to contain the required URLs in the CRLDistributionPoint section, such as:

[CRLDistributionPoint]
URL=ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=EDGE,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://edge.adart.local/CertEnroll/Ad!002fArt%20Slovakia%20CA.crl

Then save the file in the %systemroot% folder and renew the CA certificate. After that, you should see the correct URLs in the CDP extension of the new CA certificate.

For more information about CAPolicy.inf, please refer to the following articles:
How CA Certificates Work http://technet.microsoft.com/en-us/library/cc737264(WS.10).aspx
CAPolicy.inf Syntax http://technet.microsoft.com/en-us/library/cc728279(WS.10).aspx
May 13th, 2009 2:19pm

Hi Joson,

I'm trying the CAPolicy.inf file but renewed certificates have weird URLs generated.

First try resulted in this:

CAPolicy.inf:
[Version]
Signature= "$Windows NT$"
[CRLDistributionPoint]
URL="ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=EDGE,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint"
URL="http://edge.adart.local/CertEnroll/Ad!002fArt%20Slovakia%20CA.crl"
URL="https://office.adart.sk/CertEnroll/Ad!002fArt%20Slovakia%20CA.crl"

Resulting certificate:
[1]CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=Ad!002fArt(null)Slovakia(null)CA,CN=EDGE,CN=CDP,CN=Public(null)Key(null)Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint
      URL=http://edge.adart.local/CertEnroll/Ad!002fArt(null)Slovakia(null)CA.crl
      URL=https://office.adart.sk/CertEnroll/Ad!002fArt(null)Slovakia(null)CA.crl

Next, I used the replacement tokens as they are in the registry:

[Version]
Signature= "$Windows NT$"
[CRLDistributionPoint]
URL="ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
URL="http://%1/CertEnroll/%1_%3%4.crt"
URL="https://office.adart.sk/CertEnroll/%1_%3%4.crt"

This resulted in CDP URLs with references to windir:

[1]CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?cACertificate?base?objectClass=certificationAuthority
      URL=http://edge.adart.local/CertEnroll/EDGE.ADART.LOCAL_C:/Windows/system32/unknown4.crt
      URL=https://office.adart.sk/CertEnroll/EDGE.ADART.LOCAL_Ad!002fArt%20Slovakia%20CA(4).crt

It's very strange why the same replacement token (%3 - CaName, %4 - CertificateName) was replaced with different values, and in the first URL the %4 wasn't even recognized - unknown4.

Next time I tried to fix the LDAP path so it uses CN=CDP instead of CN=AIA and the result was also weird:

[Version]
Signature= "$Windows NT$"
[CRLDistributionPoint]
URL="ldap:///CN=%7,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%11"
URL="http://%1/CertEnroll/%1_%3%4.crt"
URL="https://office.adart.sk/CertEnroll/%1_%3%4.crt"

[1]CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=EDGE,CN=CDP,CN=Public%20Key%20Services,CN=Services,C:%5CWindows%5Csystem32%5Cunknown11
      URL=http://edge.adart.local/CertEnroll/EDGE.ADART.LOCAL_C:/Windows/system32/unknown4.crt
      URL=https://office.adart.sk/CertEnroll/EDGE.ADART.LOCAL_Ad!002fArt%20Slovakia%20CA(5).crt

I have only added CN=%2,CN=CDP in the LDAP path, which is correctly replaced, but why was %6 replaced by C:%5CWindows%5Csystem32%5C now? And %11 is unknown11.

I understand that in the first try there were %20 escape characters which resulted in (null) and I have to replace them with spaces so the paths will be correctly generated. But the strange thing comes with those replacement tokens. I know that the easy way will be to not use them and hard code the paths. But I'm really curious why they are not working.

Regards, Jozef.
-- MCPD Web Applications
May 15th, 2009 11:27am
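As an added example (not code from the thread, from Jozef, or from Microsoft), the Python below models how the CRLPublicationURLs templates quoted in the first post expand into the CDP URLs that end up in issued certificates, and then checks the result for the retired host name, which is the symptom the thread opens with. Assumptions: the token numbers follow what certutil documents for CA\CRLPublicationURLs (the thread itself confirms %3 = CaName and %4 = CertificateName), the flag bits in front of each entry are the Extensions-tab checkbox values (the thread's 65, 79, 6 and 0 decode with them), and sanitize_ca_name is an approximation that covers the "/" case seen here. It models the registry expansion, which the thread shows working for issued certificates, not the CAPolicy.inf expansion that Joson's later replies describe as unreliable; a literal "%20" in a template is parsed as token 20 and reported as undefined, which is consistent with the "(null)" seen in the first CAPolicy.inf attempt.

```python
import re

# Added example, not code from the thread. Models the expansion of the CA's
# CRLPublicationURLs templates into the CDP URLs written to issued certificates.

# Bits of the number in front of each CRLPublicationURLs entry (the Extensions tab
# checkboxes of the CA console). Assumption: standard certutil flag values.
CRL_PUBLICATION_FLAGS = {
    1: "publish CRLs to this location",
    2: "include in the CDP extension of issued certificates",
    4: "include in CRLs (clients use this to find delta CRL locations)",
    8: "include in all CRLs (AD publication)",
    64: "publish delta CRLs to this location",
    128: "include in the IDP extension of issued CRLs",
}

TOKEN = re.compile(r"%(\d+)")  # %1 .. %11; a literal "%20" is read as token 20


def sanitize_ca_name(ca_name: str) -> str:
    """Approximate the CA name sanitizer: characters that are not safe in file or
    DN names become !XXXX (hex code point), so '/' -> '!002f' as in the thread.
    Assumption: the real Windows rule set is broader than this filter."""
    return "".join(c if c.isalnum() or c in " .-_()" else "!%04x" % ord(c) for c in ca_name)


def replacement_tokens(server_dns, server_short, ca_name, config_dn,
                       cert_suffix="", crl_suffix="", delta_crl=False):
    """The certutil replacement tokens (assumption: documented numbering).
    cert_suffix / crl_suffix are "" for the first CA key and "(1)", "(2)", ...
    after a renewal with a new key, which is what produced the "(1)" CDP in the thread."""
    name = sanitize_ca_name(ca_name)
    return {
        1: server_dns,                # ServerDNSName
        2: server_short,              # ServerShortName
        3: name,                      # CaName (sanitized)
        4: cert_suffix,               # CertificateName
        6: config_dn,                 # ConfigurationContainer
        7: name,                      # CATruncatedName (truncation not modelled)
        8: crl_suffix,                # CRLNameSuffix
        9: "+" if delta_crl else "",  # DeltaCRLAllowed (set only in the delta CRL name)
        10: "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
        11: "?cACertificate?base?objectClass=certificationAuthority",            # CAObjectClass
    }


def decode_flags(value: int):
    """Which publication options are enabled for an entry, e.g. 79 -> [1, 2, 4, 8, 64]."""
    return [bit for bit in CRL_PUBLICATION_FLAGS if value & bit]


def parse_publication_urls(multi_sz: str):
    """One 'flags:template' entry per line, as the CA stores them."""
    entries = []
    for line in multi_sz.strip().splitlines():
        flags, template = line.strip().split(":", 1)
        entries.append((int(flags), template))
    return entries


def expand(template: str, tokens: dict):
    """Replace %N tokens; undefined token numbers are returned so the caller can refuse them."""
    unknown = []

    def substitute(match):
        n = int(match.group(1))
        if n not in tokens:
            unknown.append(n)
            return ""
        return tokens[n]

    url = TOKEN.sub(substitute, template)
    if template.lower().startswith(("ldap:", "http:", "https:")):
        url = url.replace(" ", "%20")  # spaces in LDAP/HTTP URLs are encoded in the extension
    return url, unknown


def issued_cert_cdp_urls(entries, tokens):
    """URLs that will be written into the CDP extension of issued certificates (bit 2)."""
    urls = []
    for flags, template in entries:
        if flags & 2:
            url, unknown = expand(template, tokens)
            if unknown:
                raise ValueError(f"{template}: undefined replacement token(s) {unknown}")
            urls.append(url)
    return urls


def stale_references(urls, retired_names):
    """URLs that still name a retired CA host: the symptom the thread starts from."""
    return [u for u in urls if any(n.lower() in u.lower() for n in retired_names)]


# Constructed from the thread: the CRLPublicationURLs value quoted in the first post.
SAMPLE_CRL_PUBLICATION_URLS = r"""
65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
6:http://%1/CertEnroll/%3%8%9.crl
0:file://%1/CertEnroll/%3%8%9.crl
"""

# Constructed from the thread's environment after the move to the new server.
TOKENS = replacement_tokens("edge.adart.local", "EDGE", "Ad/Art Slovakia CA",
                            "CN=Configuration,DC=ADART,DC=LOCAL")

if __name__ == "__main__":
    entries = parse_publication_urls(SAMPLE_CRL_PUBLICATION_URLS)
    for flags, template in entries:
        print(f"{flags:>3} {decode_flags(flags)}  {template}")
    urls = issued_cert_cdp_urls(entries, TOKENS)
    print("\nCDP URLs in issued certificates:")
    for u in urls:
        print(" ", u)
    print("\nStale references:", stale_references(urls, ["domainserver"]) or "none")
```

Run as-is it reproduces the two CDP URLs the thread shows in the new CrossCA certificate (minus the "(1)" suffix, which appears once replacement_tokens is called with cert_suffix and crl_suffix set to "(1)"), and a non-empty stale_references result is the quick check that a renewed CA certificate still carries the old server name.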

Hi Jozef, Thank you for your response. I can reproduce the issue in my environment when I use the replacement tokens. I will discuss the issue with our senior engineers and update you if I get any response. Thanks.
May 18th, 2009 2:12pm

Hi, We have confirmed that some replacement tokens do not work correctly. I suggest that you hard code the paths in the CAPolicy.inf file. I will submit the issue to our product team and inform you here if I get any update. Thank you for your patience and understanding.
May 19th, 2009 11:15am
