ADCS - Invalid AIA and CDP paths


Hello,

I have a 2-tier PKI infrastructure: 1 offline stand-alone root CA and 1 enterprise subordinate issuing CA, both running Windows 2012 R2. The issuing CA is a member of a Windows 2008 R2 AD domain and runs IIS for CDP and AIA publication, with an IIS virtual directory created at http://pki.domain.local/certenroll.

When I run the pkiview.msc tool, the AIA and CDP locations for the issuing CA come up "OK", but the AIA and CDP locations for the root CA come up "Unable to download".

Here is the pkiview.msc output for the root CA:

AIA location #1: Unable to download http://pki.domain.local/certenroll/%1_%3%4.crt
AIA location #2: Unable to download ldap:///cn=%7,cn=aia,cn=public%20key%20services,cn=services,%6%11
CDP location #1: Unable to download http://pki.domain.local/certenroll/%3%8%9.crl
CDP location #2: Unable to download ldap:///cn=%7%8,cn=%2,cn=cdp,cn=public%20key%20services,cn=services,%6%10

For the issuing CA the %# codes are translated correctly into the file name, but it looks like this failed for the root CA.

On the root CA, I have the following AIA and CDP settings defined in the CA tool under the Extensions properties:

Authority Information Access (AIA):
windir\system32\certsrv\certenroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///cn=<CATruncatedName>,cn=aia,cn=public key services,cn=services,<ConfigurationContainer><CAObjectClass>

CRL Distribution Point (CDP):
windir\system32\certsrv\certenroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crt
ldap:///cn=<CATruncatedName><CRLNameSuffix>,cn=<ServerShortName>,cn=cdp,cn=public key services,cn=services,<ConfigurationContainer><CDPObjectClass>
c:\windows\system32\certenroll\root certification authority.crl
http://pki.domain.local/certenroll/<CaName>.crl

In the registry, the CACertPublicationURLs value is:
1:windir\system32\certsrv\certenroll\%1_%3%4.crt
2:http://pki.domain.local/certenroll/%1_%3%4.crt
2:ldap:///cn=%7,cn=aia,cn=public key services,cn=services,%6%11

and the CRLPublicationURLs value is:
1:windir\system32\certsrv\certenroll\%3%8%9.crl
2:http://pki.domain.local/certenroll/%3%8%9.crl
10:ldap:///cn=%7%8,cn=%2,cn=cdp,cn=public key services,cn=services,%6%10
0:c:\windows\system32\certsrv\certenroll\root certification authority.crl
0:http://pki.domain.local/certenroll/%3.crl


On the IIS virtual directory location of the issuing/IIS server, the certenroll folder has the following files for the root CA:

"root certification authority.crl"
"pki01_root certification authority.crt" ("pki01" is the name of the root CA server)

Question 1: Is it a big problem that these entries are wrong on the root CA? Should I correct them?

Question 2: If so, how do I correct them? Can you give me the correct certutil or other commands to correct them to the right file names? Do I run these commands on the offline root CA?

Question 3: Do I need to recreate the root certificate and the issuing server certificate? If so, how, and do I need to deploy the new certificate to clients that have obtained certificates from the issuing CA?

Question 4: Are there more steps required to resolve this issue?

Thank you.


Steve

Hi Steve,

The problem is the percent sign: you must use two percent signs if you run the command in a batch file, but if you use two percent signs on the command prompt directly, both of them are added to the registry, and that is what you see.

It seems you ran the certutil commands with two percent signs on the root CA in a command prompt window. You need to fix this and re-issue the issuing CA certificate.

If you do not need the LDAP path, remove it. That is my recommendation.

Regards,

Lutz
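The fix Lutz describes, written out as an added example (this is not code from the thread): a .cmd file to run on the offline root CA that sets the CDP and AIA publication URLs with certutil, drops the LDAP entries, and then shows what was stored. The host name pki01, the CA name "Root Certification Authority" and the HTTP path http://pki.domain.local/certenroll are taken from the question; the flag values and the check commands are standard certutil usage. Because this is a batch file, every certsrv variable is written with two percent signs so that certutil receives one; if you type the same commands interactively at the prompt, use a single percent sign instead.

```batch
@echo off
REM Added example, not from the original thread. Run as a .cmd file on the
REM offline root CA (names taken from the question: server pki01, CA
REM "Root Certification Authority", http://pki.domain.local/certenroll).
REM
REM cmd.exe percent rules, the cause of the pkiview.msc errors:
REM   batch file      -> write two percent signs, certutil receives one
REM   interactive     -> write one percent sign
REM   two signs typed interactively are stored as-is in the registry and
REM   certsrv then cannot expand them into a file name.
REM
REM certsrv variable numbers (written here in words to avoid expansion):
REM   1 ServerDNSName   2 ServerShortName   3 CaName   4 CertificateName
REM   6 ConfigurationContainer   7 CATruncatedName   8 CRLNameSuffix
REM   9 DeltaCRLAllowed   10 CDPObjectClass   11 CAObjectClass
REM Flag prefix on each entry: 1 = publish to this location,
REM   2 = include the URL in the CDP/AIA extension of issued certificates.

REM CDP: publish the CRL locally, put only the HTTP URL into issued
REM certificates and CRLs. No LDAP entry: the root is offline and not
REM domain-joined, so it could never publish there anyway.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.domain.local/certenroll/%%3%%8%%9.crl"

REM AIA: publish the CA certificate locally, HTTP URL into issued certificates.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.domain.local/certenroll/%%1_%%3%%4.crt"

REM certsrv reads these values at service start.
net stop certsvc
net start certsvc

REM Check what was stored: each variable must now show a single percent sign.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

REM Publish a fresh root CRL so its CDP data carries the corrected URL. The
REM file lands in %WINDIR%\system32\CertSrv\CertEnroll as
REM "Root Certification Authority.crl"; copy it, together with
REM "pki01_Root Certification Authority.crt", to the certenroll folder on
REM the issuing/IIS server by hand (the root has no network path to it).
certutil -crl
```

The URLs in a certificate are fixed when that certificate is signed, so changing the registry does not repair the issuing CA certificate the root already issued; that is why the answer says to re-issue it. Renew the issuing CA's certificate from its CA console, submit the request on the root with `certreq -submit`, issue it with `certutil -resubmit <RequestId>`, retrieve it with `certreq -retrieve <RequestId> <file>.crt`, and install it on the issuing CA with `certutil -installcert`. Then confirm from a domain-joined machine that every embedded URL is reachable with `certutil -verify -urlfetch <file>.crt`. Certificates the issuing CA handed out to clients embed the issuing CA's own CDP/AIA URLs, which pkiview.msc already reports as OK, so they do not need to be replaced for this problem.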


