Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Server2k3 PKI - Offline Root CA

311 views
Skip to first unread message

Newb@discussions.microsoft.com PKI Newb

unread,
Aug 7, 2008, 4:00:03 PM8/7/08
to
Hi all,
Please excuse my ignorance if this subject has been covered, but I have had
a heck of a time trying to find an answer. I have been following the
Microsoft Book by Brian Komar Windows Server2k3 PKI and Cert Security. I am
attempting to set up a 3 tier hierarchy with offline Root and Policy CA's. I
have not been able to get the Root CA set up correctly, and im not sure what
the issue is. I am using the default CAPolicy.inf from the book. It has the
CRL and AIA set to 'Empty=True'. I am able to install CA on the offline
Root. The issue I continue to see is that after install of CA, I need to set
some reg keys that apply towards the subordinate CA's. I again use the
example in the book and all seems to go well, until I try to regenerate the
.crl file (certutil -crl). I continue to get an access denied. Im not sure
where this error is coming from. Any direction would be greatly appreciated,
and thanks for reading this long post..

PKI Newb

unread,
Aug 8, 2008, 10:32:01 AM8/8/08
to
Hi Brian,
Thank you for your quick response, I truly appreciate it. Please see below
for answers to your questions.


"Brian Komar (MVP)" wrote:

> Hi Newb.
>
> 1) If you copied and pasted directly, the file has publishing quotes and not
> good old fashioned "" characters, check this first.
a: I didn't copy and paste, so the quotes, should be ok.

> 2) Did you look at the root CA certificate and ensure that there is no AIA
> or CDP extensions in the certificate.

a: I looked at the root .crt file, and there are no entries for AIA or CDP
Extensions. I checked the root .crl file and found under
Published CRL Locations :

URL=ldap:///CN=rootca,CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint.
Does this seem correct?

> 3) The post-configuration scripts contain quotes as well, so you may have to
> verify that they are normal " characters
a: I didnt copy and paste, so the quotes should be ok.

> 4) Was there any errors during the running of the post-configuration script.
a: The only error when running post configuration script was when it got to
Certutil -crl

CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
CerUtil: Access is denied.

> 5) What values are shown for the CDP and AIA extension locations?

a: If i check the properties of the Root CA, the extenstions are:

AIA
C:\WINDOWS\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt

ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key
Services,CN=Services,<ConfigurationContainer><CAObjectClass>

http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt

file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt


CDP
C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

> 6) Did you update the DSConfigDN value in the script if using LDAP URLs?
a: I updated the first line of the script to show
CN=Configuration,DC=x,DC=y,DC=Org

>
> Brian
>
> "PKI Newb" <PKI Ne...@discussions.microsoft.com> wrote in message
> news:B33BA9B1-F820-4431...@microsoft.com...

Brian Komar (MVP)

unread,
Aug 8, 2008, 3:22:52 PM8/8/08
to
Inline...


"PKI Newb" <PKI...@discussions.microsoft.com> wrote in message
news:45F635B8-041F-4FDD...@microsoft.com...


> Hi Brian,
> Thank you for your quick response, I truly appreciate it. Please see
> below
> for answers to your questions.
>
>
> "Brian Komar (MVP)" wrote:
>
>> Hi Newb.
>>
>> 1) If you copied and pasted directly, the file has publishing quotes and
>> not
>> good old fashioned "" characters, check this first.
> a: I didn't copy and paste, so the quotes, should be ok.
>
>> 2) Did you look at the root CA certificate and ensure that there is no
>> AIA
>> or CDP extensions in the certificate.
>
> a: I looked at the root .crt file, and there are no entries for AIA or CDP
> Extensions. I checked the root .crl file and found under
> Published CRL Locations :
>
> URL=ldap:///CN=rootca,CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint.
> Does this seem correct?

No. Note that it states an UnavailableConfigDN. This means that you did not
define the %%6 variable correctly in the post-configuration script.
There is a line where you must define the Configuration naming context that
has not been set correctly. For example, if your forest root domain is
root.example.com., then you would set the line to be

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com

>
>> 3) The post-configuration scripts contain quotes as well, so you may have
>> to
>> verify that they are normal " characters
> a: I didnt copy and paste, so the quotes should be ok.

May not be, but you can only see this in notepad.


>
>> 4) Was there any errors during the running of the post-configuration
>> script.
> a: The only error when running post configuration script was when it got
> to
> Certutil -crl
>
> CertUtil: -setreg command FAILED: 0x80070005 (WIN32: 5)
> CerUtil: Access is denied.

Actually, this is doing certutil -setreg. To run this command, you must be a
local admnistrator on the CA.

>
>> 5) What values are shown for the CDP and AIA extension locations?
>
> a: If i check the properties of the Root CA, the extenstions are:
>
> AIA
> C:\WINDOWS\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
>
> ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key
> Services,CN=Services,<ConfigurationContainer><CAObjectClass>
>
> http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
>
> file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
>
>
> CDP
> C:\WINDOWS\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
>
> ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public
> Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
>
> http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
>
> file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
>

These are not set correctly. For the LDAP URLs, the incorrect DSConfigDN is
set.
For the HTTP URL, you need to point to an interally and externally accesible
URL (not the root CA), and then manually copy the CA Certificate and CRL to
the referenced location).

>> 6) Did you update the DSConfigDN value in the script if using LDAP URLs?
> a: I updated the first line of the script to show
> CN=Configuration,DC=x,DC=y,DC=Org
>
>>

It looks like you did not publish a new CRL based ont he previous output you
showed (UnavailableCOnfiguDN)

PKI Newb

unread,
Aug 14, 2008, 10:16:00 AM8/14/08
to
Brian,

Thanks for all your assistance. It is now making sense. I took your
suggestions and I was able to get everything installed. Now comes the
testing...

Thanks Again..

0 new messages