PKI - Issue Publishing to AD DS
Orbital
I'm currently implementing 2008 PKI using Brian Komar's excellent book, but
I've run into a few issues. These surfaced when trying to publish my root
and policy CA certs into my AD. On page 133, I'm running an amended piece of
code, with an exert below...
*********************
C:\PKI\USB>certutil -dspublish -f "Test Corporate Policy CA.crl"
ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
Services
,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
RLDistributionPoint?certificateRevocationList
ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'unavailableconfigdn'
CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
CertUtil: A referral was returned from the server.
*********************
Now, I see the problem here
'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The question
is, how do I fix it? I've had a scout around and found the following
http://www.derkeiler.com/Newsgroups/microsoft.public.windows.server.security/2008-08/msg00047.html
In this article, Brian speaks of an incorrect %%6 value in [presumably] the
root CA post install script. But I don't see how I would change this in this
file? And to what value?
Brian's fix, is to run the following command:
certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com
This is understood, [is the DC=root as it is above a fixed value, or is this
just an example of a possible domain name?] but would I then have to revoke
the currently issued cert, and then go through my setup on my policy box
again with the correct new ones?
I'm COMPLETELY new to PKI, so any help is greatly appreciated :)
Many thanks in advance,
Orb.
Brian Komar (MVP)
name of your forest.
Then it should start working
Brian
"Orbital" <Orb...@discussions.microsoft.com> wrote in message
news:C7AAB6D7-0010-4BA1...@microsoft.com...
Orbital
Thanks for your response.
When I look in the 'Published CRL Locations' entry of my root CRL, even on
my rootCA, I see this 'UnavailableConfigDN?' entry:
URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
I'm assuming this is incorrect? But short of amending something on my
rootCA and then reissuing my original cert, I don't see what else I can do?
I thought I'd followed each page in the book to the letter, but it seems I
may have missed something here in my rootCA configuration. My
RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm
really stuck here, and may have to rip everything to bits and start all over
again if I cannot get this to work.
Many thanks in advance,
Orb.
************************
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
Key Services,CN=Services,%%6%%10\n 2:http://www.test.com/Certdata/
%%3%%8%%9.crl"
::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public
Key Services,CN=Services,%%6%%11\n
2:http://www.test.com/CertData/%%1_%%3%%4.crt"
::Enable all auditing events for the Test Corporate Root CA
certutil -setreg CA\AuditFilter 127
::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
:: Enable discrete signatures in subordinate CA certificates
Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
::Restart Certificate Services
net stop certsvc & net start certsvc
sleep 5
certutil –crl
::Copy the Root CA certificates and CRLs to the C:\USB folder
Echo Copying Root CA certificate and CRL's to the local C:\USB folder
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? C:\USB
pause
Orbital
CA's and this entry is correct: CN=Configuration,DC=testad4,DC=test,DC=com
Orbital
publishing to my AD DC via CMD again, I see
Possible Root Certificate: Subject matches Issuer, but Signature check
fails: 80090008
I'm thinking this doesn't help...
Brian Komar (MVP)
This is definitely an incorrect configuration.
You need to check two separate objects issued by the root CA.
1) The CRL. If the CRL does not have the correct location, you need to
ensure that the post -configuration script on the root CA correctly ran the
One common mistake (seeing that you have copied the text directly from my
book <G>) is that you copied direct from the PDF and the (-) character is
translated to an m-dash. If you do a certutil -getreg ca\DSConfigDN at the
root CA, what value is shown? Ensure that it matches the defined DN, and
then publish a new CRL. You must publish a new CRL before it will read the
new DN value and replace the %%6 value in the CRLPublicationURLs registry
entry.
2) The subordinate CA certificates. Since you include the LDAP URL in your
subordinate CA certificate issued by the root CA, look at the AIA extension
of the subordinate CA certificate. Does the URL show up as the correct DN or
as UnavailableConfigDN. If it Unavailable ConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).
Brian
"Orbital" <Orb...@discussions.microsoft.com> wrote in message
news:E1D5706E-4E2C-4F7C...@microsoft.com...
> Hi Brian,
>
> Thanks for your response.
>
> When I look in the 'Published CRL Locations' entry of my root CRL, even on
> my rootCA, I see this 'UnavailableConfigDN?' entry:Hi
Orbital
Thanks for replying.
I'm positive I've completed everything correctly. It's not even a
copy/paste character problem as I used the examples from the 'Resources'
folder on the CD.
I've actually logged a call with your friends at Microsoft regarding this,
who are equally baffled. We've modified [and even removed] LDAP entries,
reissued, revoked and allsorts, to no effect. My case is being worked on and
I'll wait to hear.
Thanks for your input Brian.
Orb.
Ben
Did you get this fixed becuase i just had the same issue this morning.
The scripts etc.. were correct but i had to manually delete the .crl
from the Windows\System32\CertSrv\CertEnroll folder and then re-generate
it using the certificates management console (right click publish on the
"revoked" node)
Ben.
amagm
I install Root and Policy Ca's. Then I add CRT and CRL in AD store and receive error.
command:
certutil -dspublish -f "ThirdCAroot.crl"
output:
ldap:///CN=ThirdCAroot,CN=thirdcaroot,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=mydomain,DC=com'
There are two domains in one forest in two trees.
The root domain (in the first tree) named ROOTdomain.com, for example.
I installing issued CA in second domain named mydomain (when i get this error) not in root of the forest (first of the forest).
It is very strange that when I added CRT before, there are no errors, but in output ldap is listed the ROOTdomain, not mydomain!
command:
certutil -dspublish -f "thirdcaroot_ThirdCAroot.crt" RootCA
output:
ldap:///CN=ThirdCAroot,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ROOTdomain,DC=com?cACertificate
Certificate added to DS store.
I log on in mydomain.com and CA server is join to mydomain.com
What is it possible to do with this error:
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)
Big Thanks!
Brian Komar \(MVP\) wrote:
Hi,This is definitely an incorrect configuration.
13-Jan-09
Hi,
This is definitely an incorrect configuration.
You need to check two separate objects issued by the root CA.
1) The CRL. If the CRL does not have the correct location, you need to
ensure that the post -configuration script on the root CA correctly ran the
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
command.
One common mistake (seeing that you have copied the text directly from my
book <G>) is that you copied direct from the PDF and the (-) character is
translated to an m-dash. If you do a certutil -getreg ca\DSConfigDN at the
root CA, what value is shown? Ensure that it matches the defined DN, and
then publish a new CRL. You must publish a new CRL before it will read the
new DN value and replace the %%6 value in the CRLPublicationURLs registry
entry.
2) The subordinate CA certificates. Since you include the LDAP URL in your
subordinate CA certificate issued by the root CA, look at the AIA extension
of the subordinate CA certificate. Does the URL show up as the correct DN or
as UnavailableConfigDN. If it Unavailable ConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).
Brian
"Orbital" <Orb...@discussions.microsoft.com> wrote in message
news:E1D5706E-4E2C-4F7C...@microsoft.com...
Previous Posts In This Thread:
On Friday, January 09, 2009 5:05 PM
Orbita wrote:
PKI - Issue Publishing to AD DS
Hi All!!!
On Friday, January 09, 2009 11:25 PM
Brian Komar \(MVP\) wrote:
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
name of your forest.
Then it should start working
Brian
On Monday, January 12, 2009 3:51 PM
Orbita wrote:
Hi Brian,Thanks for your response.
Hi Brian,
Thanks for your response.
When I look in the 'Published CRL Locations' entry of my root CRL, even on
my rootCA, I see this 'UnavailableConfigDN?' entry:
URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
I'm assuming this is incorrect? But short of amending something on my
rootCA and then reissuing my original cert, I don't see what else I can do?
I thought I'd followed each page in the book to the letter, but it seems I
may have missed something here in my rootCA configuration. My
RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm
really stuck here, and may have to rip everything to bits and start all over
again if I cannot get this to work.
Many thanks in advance,
Orb.
************************
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
Key Services,CN=Services,%%6%%10\n 2:http://www.test.com/Certdata/
%%3%%8%%9.crl"
certutil -setreg CA\CACertPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public
Key Services,CN=Services,%%6%%11\n
2:http://www.test.com/CertData/%%1_%%3%%4.crt"
certutil -setreg CA\AuditFilter 127
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1
::Restart Certificate Services
net stop certsvc & net start certsvc
sleep 5
certutil ???crl
Echo Copying Root CA certificate and CRL's to the local C:\USB folder
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? C:\USB
pause
"Brian Komar (MVP)" wrote:
On Monday, January 12, 2009 5:01 PM
Orbita wrote:
I've also just checked the DSConfigDN entry on my offline policy and root CA's
I have also just checked the DSConfigDN entry on my offline policy and root
CA's and this entry is correct: CN=Configuration,DC=testad4,DC=test,DC=com
"Orbital" wrote:
On Monday, January 12, 2009 5:43 PM
Orbita wrote:
On Tuesday, January 13, 2009 8:24 PM
Brian Komar \(MVP\) wrote:
Hi,This is definitely an incorrect configuration.
Hi,
This is definitely an incorrect configuration.
You need to check two separate objects issued by the root CA.
1) The CRL. If the CRL does not have the correct location, you need to
ensure that the post -configuration script on the root CA correctly ran the
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
command.
One common mistake (seeing that you have copied the text directly from my
book <G>) is that you copied direct from the PDF and the (-) character is
translated to an m-dash. If you do a certutil -getreg ca\DSConfigDN at the
root CA, what value is shown? Ensure that it matches the defined DN, and
then publish a new CRL. You must publish a new CRL before it will read the
new DN value and replace the %%6 value in the CRLPublicationURLs registry
entry.
2) The subordinate CA certificates. Since you include the LDAP URL in your
subordinate CA certificate issued by the root CA, look at the AIA extension
of the subordinate CA certificate. Does the URL show up as the correct DN or
as UnavailableConfigDN. If it Unavailable ConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).
Brian
"Orbital" <Orb...@discussions.microsoft.com> wrote in message
news:E1D5706E-4E2C-4F7C...@microsoft.com...
On Tuesday, January 13, 2009 9:50 PM
Orbita wrote:
Hi Brian,Thanks for replying.I'm positive I've completed everything correctly.
Hi Brian,
Thanks for replying.
Orb.
On Wednesday, March 11, 2009 9:21 AM
Ben wrote:
Hi Orb,Did you get this fixed becuase i just had the same issue this morning.
Ben.
Submitted via EggHeadCafe - Software Developer Portal of Choice
Easy "NO SCRIPT" DataGrid Tooltips in ASP.NET
http://www.eggheadcafe.com/tutorials/aspnet/c0d39393-80fe-481f-af5c-0e18fa4e2e43/easy-no-script--datagri.aspx
Peter Foldes
Repost this issue that you are experiencing to the windows.server.security newsgroup
news://msnews.microsoft.com/microsoft.public.windows.server.security
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
<Amag M> wrote in message news:20091223112...@ya.ru...
Dirk
I have your WS 2008 PKI and Certificate Security book. Its a great book and is helping this noob with PKI. :)
I am getting the same error. I did try one thing that seemed to fix it, but not sure if what I did messed something else up.
In your book you give a script to publish the CA certs and CRLs into AD. The ones for the CRLs don't have the "RootCA" or "SubCA" at the end of the lines to give a store for the CRLs to go into.... Don't those have to be there? I added those on my script and didn't get the error. Like I said, did this cause unwanted problems?
Thanks!
Dirk
Brian Komar \(MVP\) wrote:
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name
09-Jan-09
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
name of your forest.
Then it should start working
Brian
Previous Posts In This Thread:
On Friday, January 09, 2009 5:05 PM
Orbita wrote:
PKI - Issue Publishing to AD DS
Hi All!!!
On Friday, January 09, 2009 11:25 PM
Brian Komar \(MVP\) wrote:
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
name of your forest.
Then it should start working
Brian
On Monday, January 12, 2009 3:51 PM
Orbita wrote:
Hi Brian,Thanks for your response.
Hi Brian,
Thanks for your response.
When I look in the 'Published CRL Locations' entry of my root CRL, even on
my rootCA, I see this 'UnavailableConfigDN?' entry:
URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
I'm assuming this is incorrect? But short of amending something on my
rootCA and then reissuing my original cert, I don't see what else I can do?
I thought I'd followed each page in the book to the letter, but it seems I
may have missed something here in my rootCA configuration. My
RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm
really stuck here, and may have to rip everything to bits and start all over
again if I cannot get this to work.
Many thanks in advance,
Orb.
************************
pause
"Brian Komar (MVP)" wrote:
"Orbital" wrote:
Brian
"Orbital" <Orb...@discussions.microsoft.com> wrote in message
news:E1D5706E-4E2C-4F7C...@microsoft.com...
Thanks for replying.
Orb.
Ben.
On Wednesday, December 23, 2009 11:24 AM
Amag M wrote:
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001
Hi. I have the same problem.
I install Root and Policy Ca's. Then I add CRT and CRL in AD store and receive error.
command:
certutil -dspublish -f "ThirdCAroot.crl"
output:
ldap:///CN=ThirdCAroot,CN=thirdcaroot,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=mydomain,DC=com'
There are two domains in one forest in two trees.
The root domain (in the first tree) named ROOTdomain.com, for example.
I installing issued CA in second domain named mydomain (when i get this error) not in root of the forest (first of the forest).
It is very strange that when I added CRT before, there are no errors, but in output ldap is listed the ROOTdomain, not mydomain!
command:
certutil -dspublish -f "thirdcaroot_ThirdCAroot.crt" RootCA
output:
ldap:///CN=ThirdCAroot,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ROOTdomain,DC=com?cACertificate
Certificate added to DS store.
I log on in mydomain.com and CA server is join to mydomain.com
What is it possible to do with this error:
ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)
Big Thanks!
Submitted via EggHeadCafe - Software Developer Portal of Choice
Making Silverlight Emulate Synchronous Requests
http://www.eggheadcafe.com/tutorials/aspnet/91f69224-3da5-4959-9901-c5c717c9b184/making-silverlight-emulat.aspx
janbache
After I ran cmd as an administrator it published the CRL and CRT file in the AD without error.
Dirk wrote:
Error
24-Mar-10
Brian,
I have your WS 2008 PKI and Certificate Security book. Its a great book and is helping this noob with PKI. :)
I am getting the same error. I did try one thing that seemed to fix it, but not sure if what I did messed something else up.
In your book you give a script to publish the CA certs and CRLs into AD. The ones for the CRLs don't have the "RootCA" or "SubCA" at the end of the lines to give a store for the CRLs to go into.... Don't those have to be there? I added those on my script and didn't get the error. Like I said, did this cause unwanted problems?
Thanks!
Dirk
Previous Posts In This Thread:
Thanks for your response.
URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
pause
"Brian Komar (MVP)" wrote:
"Orbital" wrote:
Brian
Thanks for replying.
Orb.
Ben.
Big Thanks!
On Wednesday, March 24, 2010 1:34 PM
Dirk wrote:
Error
Brian,
I have your WS 2008 PKI and Certificate Security book. Its a great book and is helping this noob with PKI. :)
I am getting the same error. I did try one thing that seemed to fix it, but not sure if what I did messed something else up.
In your book you give a script to publish the CA certs and CRLs into AD. The ones for the CRLs don't have the "RootCA" or "SubCA" at the end of the lines to give a store for the CRLs to go into.... Don't those have to be there? I added those on my script and didn't get the error. Like I said, did this cause unwanted problems?
Thanks!
Dirk
Submitted via EggHeadCafe - Software Developer Portal of Choice
BizTalk: Conditional looping incorporating the Greater Than functoid.
http://www.eggheadcafe.com/tutorials/aspnet/e4334816-d106-40f2-812d-043c18df964c/biztalk-conditional-loop.aspx
Peter Foldes
Post this to the microsoft.public.windows.server.security newsgroup
--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
<Jan Bache> wrote in message news:2010412915...@hotmail.com...