PKI - Issue Publishing to AD DS

  • Thread starter Thread starter Orbital
  • Start date Start date
O

Orbital

Hi All!!!

I'm currently implementing 2008 PKI using Brian Komar's excellent book, but
I've run into a few issues. These surfaced when trying to publish my root
and policy CA certs into my AD. On page 133, I'm running an amended piece of
code, with an exert below...
*********************
C:\PKI\USB>certutil -dspublish -f "Test Corporate Policy CA.crl"
ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
Services
,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
RLDistributionPoint?certificateRevocationList

ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'unavailableconfigdn'

CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
CertUtil: A referral was returned from the server.
*********************
Now, I see the problem here
'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The question
is, how do I fix it? I've had a scout around and found the following
http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html

In this article, Brian speaks of an incorrect %%6 value in [presumably] the
root CA post install script. But I don't see how I would change this in this
file? And to what value?

Brian's fix, is to run the following command:

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com

This is understood, [is the DC=root as it is above a fixed value, or is this
just an example of a possible domain name?] but would I then have to revoke
the currently issued cert, and then go through my setup on my policy box
again with the correct new ones?

I'm COMPLETELY new to PKI, so any help is greatly appreciated
smile.gif


Many thanks in advance,
Orb.
 
You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
name of your forest.
Then it should start working
Brian

"Orbital" wrote in message
news:C7AAB6D7-0010-4BA1-9AD1-A440202167D3@microsoft.com...
> Hi All!!!
>
> I'm currently implementing 2008 PKI using Brian Komar's excellent book,
> but
> I've run into a few issues. These surfaced when trying to publish my root
> and policy CA certs into my AD. On page 133, I'm running an amended piece
> of
> code, with an exert below...
> *********************
> C:PKIUSB>certutil -dspublish -f "Test Corporate Policy CA.crl"
> ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
> Services
> ,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
> RLDistributionPoint?certificateRevocationList
>
> ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
> ref 1: 'unavailableconfigdn'
>
> CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
> CertUtil: A referral was returned from the server.
> *********************
> Now, I see the problem here
> 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The
> question
> is, how do I fix it? I've had a scout around and found the following
> http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html
>
> In this article, Brian speaks of an incorrect %%6 value in [presumably]
> the
> root CA post install script. But I don't see how I would change this in
> this
> file? And to what value?
>
> Brian's fix, is to run the following command:
>
> certutil -setreg caDSConfigDN CN=Configuration,DC=root,DC=example,DC=com
>
> This is understood, [is the DC=root as it is above a fixed value, or is
> this
> just an example of a possible domain name?] but would I then have to
> revoke
> the currently issued cert, and then go through my setup on my policy box
> again with the correct new ones?
>
> I'm COMPLETELY new to PKI, so any help is greatly appreciated
smile.gif

>
> Many thanks in advance,
> Orb.
 
Hi Brian,

Thanks for your response.

When I look in the 'Published CRL Locations' entry of my root CRL, even on
my rootCA, I see this 'UnavailableConfigDN?' entry:

URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

I'm assuming this is incorrect? But short of amending something on my
rootCA and then reissuing my original cert, I don't see what else I can do?
I thought I'd followed each page in the book to the letter, but it seems I
may have missed something here in my rootCA configuration. My
RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm
really stuck here, and may have to rip everything to bits and start all over
again if I cannot get this to work.


Many thanks in advance,
Orb.

************************
::Declare Configuration NC
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
Key Services,CN=Services,%%6%%10\n 2:http://www.test.com/Certdata/
%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs
"1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public
Key Services,CN=Services,%%6%%11\n
2:http://www.test.com/CertData/%%1_%%3%%4.crt"

::Enable all auditing events for the Test Corporate Root CA
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

:: Enable discrete signatures in subordinate CA certificates
Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Restart Certificate Services
net stop certsvc & net start certsvc
sleep 5
certutil –crl

::Copy the Root CA certificates and CRLs to the C:\USB folder
Echo Copying Root CA certificate and CRL's to the local C:\USB folder
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? C:\USB

pause



"Brian Komar (MVP)" wrote:

> You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
> name of your forest.
> Then it should start working
> Brian
>
> "Orbital" wrote in message
> news:C7AAB6D7-0010-4BA1-9AD1-A440202167D3@microsoft.com...
> > Hi All!!!
> >
> > I'm currently implementing 2008 PKI using Brian Komar's excellent book,
> > but
> > I've run into a few issues. These surfaced when trying to publish my root
> > and policy CA certs into my AD. On page 133, I'm running an amended piece
> > of
> > code, with an exert below...
> > *********************
> > C:PKIUSB>certutil -dspublish -f "Test Corporate Policy CA.crl"
> > ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
> > Services
> > ,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
> > RLDistributionPoint?certificateRevocationList
> >
> > ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
> > ref 1: 'unavailableconfigdn'
> >
> > CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
> > CertUtil: A referral was returned from the server.
> > *********************
> > Now, I see the problem here
> > 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The
> > question
> > is, how do I fix it? I've had a scout around and found the following
> > http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html
> >
> > In this article, Brian speaks of an incorrect %%6 value in [presumably]
> > the
> > root CA post install script. But I don't see how I would change this in
> > this
> > file? And to what value?
> >
> > Brian's fix, is to run the following command:
> >
> > certutil -setreg caDSConfigDN CN=Configuration,DC=root,DC=example,DC=com
> >
> > This is understood, [is the DC=root as it is above a fixed value, or is
> > this
> > just an example of a possible domain name?] but would I then have to
> > revoke
> > the currently issued cert, and then go through my setup on my policy box
> > again with the correct new ones?
> >
> > I'm COMPLETELY new to PKI, so any help is greatly appreciated
smile.gif

> >
> > Many thanks in advance,
> > Orb.
>
 
I've also just checked the DSConfigDN entry on my offline policy and root
CA's and this entry is correct: CN=Configuration,DC=testad4,DC=test,DC=com

"Orbital" wrote:

> Hi Brian,
>
> Thanks for your response.
>
> When I look in the 'Published CRL Locations' entry of my root CRL, even on
> my rootCA, I see this 'UnavailableConfigDN?' entry:
>
> URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> I'm assuming this is incorrect? But short of amending something on my
> rootCA and then reissuing my original cert, I don't see what else I can do?
> I thought I'd followed each page in the book to the letter, but it seems I
> may have missed something here in my rootCA configuration. My
> RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm
> really stuck here, and may have to rip everything to bits and start all over
> again if I cannot get this to work.
>
>
> Many thanks in advance,
> Orb.
>
> ************************
> ::Declare Configuration NC
> certutil -setreg CADSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
>
> ::Define CRL Publication Intervals
> certutil -setreg CACRLPeriodUnits 26
> certutil -setreg CACRLPeriod "Weeks"
> certutil -setreg CACRLDeltaPeriodUnits 0
> certutil -setreg CACRLDeltaPeriod "Days"
> certutil -setreg CACRLOverlapPeriod "Weeks"
> certutil -setreg CACRLOverlapUnits 2
>
> ::Apply the required CDP Extension URLs
> certutil -setreg CACRLPublicationURLs
> "1:%windir%system32CertSrvCertEnroll%%3%%8%%9.crln10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
> Key Services,CN=Services,%%6%%10n 2:http://www.test.com/Certdata/
> %%3%%8%%9.crl"
>
> ::Apply the required AIA Extension URLs
> certutil -setreg CACACertPublicationURLs
> "1:%windir%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:ldap:///CN=%%7,CN=AIA,CN=Public
> Key Services,CN=Services,%%6%%11n
> 2:http://www.test.com/CertData/%%1_%%3%%4.crt"
>
> ::Enable all auditing events for the Test Corporate Root CA
> certutil -setreg CAAuditFilter 127
>
> ::Set Validity Period for Issued Certificates
> certutil -setreg CAValidityPeriodUnits 10
> certutil -setreg CAValidityPeriod "Years"
>
> :: Enable discrete signatures in subordinate CA certificates
> Certutil -setreg CAcspDiscreteSignatureAlgorithm 1
>
> ::Restart Certificate Services
> net stop certsvc & net start certsvc
> sleep 5
> certutil –crl
>
> ::Copy the Root CA certificates and CRLs to the C:USB folder
> Echo Copying Root CA certificate and CRL's to the local C:USB folder
> sleep 5
> copy /y %windir%system32certsrvcertenroll*.cr? C:USB
>
> pause
>
>
>
> "Brian Komar (MVP)" wrote:
>
> > You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
> > name of your forest.
> > Then it should start working
> > Brian
> >
> > "Orbital" wrote in message
> > news:C7AAB6D7-0010-4BA1-9AD1-A440202167D3@microsoft.com...
> > > Hi All!!!
> > >
> > > I'm currently implementing 2008 PKI using Brian Komar's excellent book,
> > > but
> > > I've run into a few issues. These surfaced when trying to publish my root
> > > and policy CA certs into my AD. On page 133, I'm running an amended piece
> > > of
> > > code, with an exert below...
> > > *********************
> > > C:PKIUSB>certutil -dspublish -f "Test Corporate Policy CA.crl"
> > > ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
> > > Services
> > > ,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
> > > RLDistributionPoint?certificateRevocationList
> > >
> > > ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
> > > ref 1: 'unavailableconfigdn'
> > >
> > > CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
> > > CertUtil: A referral was returned from the server.
> > > *********************
> > > Now, I see the problem here
> > > 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The
> > > question
> > > is, how do I fix it? I've had a scout around and found the following
> > > http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html
> > >
> > > In this article, Brian speaks of an incorrect %%6 value in [presumably]
> > > the
> > > root CA post install script. But I don't see how I would change this in
> > > this
> > > file? And to what value?
> > >
> > > Brian's fix, is to run the following command:
> > >
> > > certutil -setreg caDSConfigDN CN=Configuration,DC=root,DC=example,DC=com
> > >
> > > This is understood, [is the DC=root as it is above a fixed value, or is
> > > this
> > > just an example of a possible domain name?] but would I then have to
> > > revoke
> > > the currently issued cert, and then go through my setup on my policy box
> > > again with the correct new ones?
> > >
> > > I'm COMPLETELY new to PKI, so any help is greatly appreciated
smile.gif

> > >
> > > Many thanks in advance,
> > > Orb.
> >
 
Sorry to bombard this thread with messages but, running through the cert
publishing to my AD DC via CMD again, I see

Possible Root Certificate: Subject matches Issuer, but Signature check
fails: 80090008

I'm thinking this doesn't help...
 
Hi,
This is definitely an incorrect configuration.
You need to check two separate objects issued by the root CA.
1) The CRL. If the CRL does not have the correct location, you need to
ensure that the post -configuration script on the root CA correctly ran the
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
command.
One common mistake (seeing that you have copied the text directly from my
book ) is that you copied direct from the PDF and the (-) character is
translated to an m-dash. If you do a certutil -getreg ca\DSConfigDN at the
root CA, what value is shown? Ensure that it matches the defined DN, and
then publish a new CRL. You must publish a new CRL before it will read the
new DN value and replace the %%6 value in the CRLPublicationURLs registry
entry.

2) The subordinate CA certificates. Since you include the LDAP URL in your
subordinate CA certificate issued by the root CA, look at the AIA extension
of the subordinate CA certificate. Does the URL show up as the correct DN or
as UnavailableConfigDN. If it Unavailable ConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).

Brian

"Orbital" wrote in message
news:E1D5706E-4E2C-4F7C-9881-CBB90A47217A@microsoft.com...
> Hi Brian,
>
> Thanks for your response.
>
> When I look in the 'Published CRL Locations' entry of my root CRL, even on
> my rootCA, I see this 'UnavailableConfigDN?' entry:Hi
>
> URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
>
> I'm assuming this is incorrect? But short of amending something on my
> rootCA and then reissuing my original cert, I don't see what else I can
> do?
> I thought I'd followed each page in the book to the letter, but it seems I
> may have missed something here in my rootCA configuration. My
> RootCAPostConfiguration.cmd is below if anyone can find anything wrong?
> I'm
> really stuck here, and may have to rip everything to bits and start all
> over
> again if I cannot get this to work.
>
>
> Many thanks in advance,
> Orb.
>
> ************************
> ::Declare Configuration NC
> certutil -setreg CADSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
>
> ::Define CRL Publication Intervals
> certutil -setreg CACRLPeriodUnits 26
> certutil -setreg CACRLPeriod "Weeks"
> certutil -setreg CACRLDeltaPeriodUnits 0
> certutil -setreg CACRLDeltaPeriod "Days"
> certutil -setreg CACRLOverlapPeriod "Weeks"
> certutil -setreg CACRLOverlapUnits 2
>
> ::Apply the required CDP Extension URLs
> certutil -setreg CACRLPublicationURLs
> "1:%windir%system32CertSrvCertEnroll%%3%%8%%9.crln10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
> Key Services,CN=Services,%%6%%10n 2:http://www.test.com/Certdata/
> %%3%%8%%9.crl"
>
> ::Apply the required AIA Extension URLs
> certutil -setreg CACACertPublicationURLs
> "1:%windir%system32CertSrvCertEnroll%%1_%%3%%4.crtn2:ldap:///CN=%%7,CN=AIA,CN=Public
> Key Services,CN=Services,%%6%%11n
> 2:http://www.test.com/CertData/%%1_%%3%%4.crt"
>
> ::Enable all auditing events for the Test Corporate Root CA
> certutil -setreg CAAuditFilter 127
>
> ::Set Validity Period for Issued Certificates
> certutil -setreg CAValidityPeriodUnits 10
> certutil -setreg CAValidityPeriod "Years"
>
> :: Enable discrete signatures in subordinate CA certificates
> Certutil -setreg CAcspDiscreteSignatureAlgorithm 1
>
> ::Restart Certificate Services
> net stop certsvc & net start certsvc
> sleep 5
> certutil –crl
>
> ::Copy the Root CA certificates and CRLs to the C:USB folder
> Echo Copying Root CA certificate and CRL's to the local C:USB folder
> sleep 5
> copy /y %windir%system32certsrvcertenroll*.cr? C:USB
>
> pause
>
>
>
> "Brian Komar (MVP)" wrote:
>
>> You need to replace DC=root,DC=example,DC=com with the LDAP distinguished
>> name of your forest.
>> Then it should start working
>> Brian
>>
>> "Orbital" wrote in message
>> news:C7AAB6D7-0010-4BA1-9AD1-A440202167D3@microsoft.com...
>> > Hi All!!!
>> >
>> > I'm currently implementing 2008 PKI using Brian Komar's excellent book,
>> > but
>> > I've run into a few issues. These surfaced when trying to publish my
>> > root
>> > and policy CA certs into my AD. On page 133, I'm running an amended
>> > piece
>> > of
>> > code, with an exert below...
>> > *********************
>> > C:PKIUSB>certutil -dspublish -f "Test Corporate Policy CA.crl"
>> > ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key
>> > Services
>> > ,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=c
>> > RLDistributionPoint?certificateRevocationList
>> >
>> > ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
>> > ref 1: 'unavailableconfigdn'
>> >
>> > CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
>> > CertUtil: A referral was returned from the server.
>> > *********************
>> > Now, I see the problem here
>> > 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The
>> > question
>> > is, how do I fix it? I've had a scout around and found the following
>> > http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html
>> >
>> > In this article, Brian speaks of an incorrect %%6 value in [presumably]
>> > the
>> > root CA post install script. But I don't see how I would change this
>> > in
>> > this
>> > file? And to what value?
>> >
>> > Brian's fix, is to run the following command:
>> >
>> > certutil -setreg caDSConfigDN
>> > CN=Configuration,DC=root,DC=example,DC=com
>> >
>> > This is understood, [is the DC=root as it is above a fixed value, or is
>> > this
>> > just an example of a possible domain name?] but would I then have to
>> > revoke
>> > the currently issued cert, and then go through my setup on my policy
>> > box
>> > again with the correct new ones?
>> >
>> > I'm COMPLETELY new to PKI, so any help is greatly appreciated
smile.gif

>> >
>> > Many thanks in advance,
>> > Orb.
>>
 
Hi Brian,

Thanks for replying.

I'm positive I've completed everything correctly. It's not even a
copy/paste character problem as I used the examples from the 'Resources'
folder on the CD.

I've actually logged a call with your friends at Microsoft regarding this,
who are equally baffled. We've modified [and even removed] LDAP entries,
reissued, revoked and allsorts, to no effect. My case is being worked on and
I'll wait to hear.

Thanks for your input Brian.


Orb.
 
Hi Orb,
Did you get this fixed becuase i just had the same issue this morning.

The scripts etc.. were correct but i had to manually delete the .crl
from the Windows\System32\CertSrv\CertEnroll folder and then re-generate
it using the certificates management console (right click publish on the
"revoked" node)

Ben.
 

Similar threads

E
Certificate Services - Sub Ca Issue
Replies
3
Views
1K
ICTCity
I
J
Certutil error
Replies
1
Views
335
Peter Foldes
P
E
Windows 2003 Fixing AD CS PKI errors
Replies
0
Views
124
Eric Miller
E
B
Help PKI installation - lots of questions !
Replies
5
Views
241
BZP
B
Back
Top