PKI - Issue Publishing to AD DS



Guest Orbital
Posted

Hi All!!!

I'm currently implementing 2008 PKI using Brian Komar's excellent book, but I've run into a few issues. These surfaced when trying to publish my root and policy CA certs into my AD. On page 133, I'm running an amended piece of code, with an excerpt below...

C:\PKI\USB>certutil -dspublish -f "Test Corporate Policy CA.crl"
ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'unavailableconfigdn'

CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
CertUtil: A referral was returned from the server.

Now, I see the problem here: 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The question is, how do I fix it? I've had a scout around and found the following:
http://www.derkeiler.com/Newsgroups/micros...8/msg00047.html

In this article, Brian speaks of an incorrect %%6 value in [presumably] the root CA post-install script. But I don't see how I would change this in this file? And to what value?

Brian's fix is to run the following command:

certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com

This is understood [is the DC=root as it is above a fixed value, or is this just an example of a possible domain name?], but would I then have to revoke the currently issued cert, and then go through my setup on my policy box again with the correct new ones?

I'm COMPLETELY new to PKI, so any help is greatly appreciated.

Many thanks in advance,
Orb.

Guest Brian Komar (MVP)
Posted

You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name of your forest. Then it should start working.

Brian

 


Guest Orbital
Posted

Hi Brian,

Thanks for your response.

When I look in the 'Published CRL Locations' entry of my root CRL, even on my rootCA, I see this 'UnavailableConfigDN?' entry:

URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

I'm assuming this is incorrect? But short of amending something on my rootCA and then reissuing my original cert, I don't see what else I can do? I thought I'd followed each page in the book to the letter, but it seems I may have missed something here in my rootCA configuration. My RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm really stuck here, and may have to rip everything to bits and start all over again if I cannot get this to work.

Many thanks in advance,
Orb.

::Declare Configuration NC (this is the value %%6 expands to in the CDP/AIA URLs below)
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com

::Define CRL Publication Intervals
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

::Apply the required CDP Extension URLs
certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.test.com/Certdata/%%3%%8%%9.crl"

::Apply the required AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.test.com/CertData/%%1_%%3%%4.crt"

::Enable all auditing events for the Test Corporate Root CA
certutil -setreg CA\AuditFilter 127

::Set Validity Period for Issued Certificates
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

::Enable discrete signatures in subordinate CA certificates
certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Restart Certificate Services so the new registry values are read, then publish a new CRL
net stop certsvc & net start certsvc
sleep 5
certutil -crl

::Copy the Root CA certificates and CRLs to the C:\USB folder
echo Copying Root CA certificate and CRLs to the local C:\USB folder
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? C:\USB

pause


Guest Orbital
Posted

I've also just checked the DSConfigDN entry on my offline policy and root CAs and this entry is correct: CN=Configuration,DC=testad4,DC=test,DC=com

 


Guest Orbital
Posted

Sorry to bombard this thread with messages but, running through the cert publishing to my AD DC via CMD again, I see

Possible Root Certificate: Subject matches Issuer, but Signature check fails: 80090008

I'm thinking this doesn't help...

Guest Brian Komar (MVP)
Posted

Hi,

This is definitely an incorrect configuration. You need to check two separate objects issued by the root CA.

1) The CRL. If the CRL does not have the correct location, you need to ensure that the post-configuration script on the root CA correctly ran the
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
command. One common mistake (seeing that you have copied the text directly from my book <G>) is that you copied direct from the PDF and the (-) character is translated to an m-dash. If you do a certutil -getreg ca\DSConfigDN at the root CA, what value is shown? Ensure that it matches the defined DN, and then publish a new CRL. You must publish a new CRL before it will read the new DN value and replace the %%6 value in the CRLPublicationURLs registry entry.

2) The subordinate CA certificates. Since you include the LDAP URL in your subordinate CA certificate issued by the root CA, look at the AIA extension of the subordinate CA certificate. Does the URL show up as the correct DN or as UnavailableConfigDN? If it is UnavailableConfigDN, then you will have to re-issue the subordinate CA certificate (and all other lower certificates).

Brian

 

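Brian's two checks, modelled in an added Python script that is not from the thread or the book: it scans a post-configuration script for the PDF dash substitution he describes, expands the %%N tokens of the CDP template Orbital posted (with DC=UnavailableConfigDN standing in for an unset %%6, which is what the thread's CRL and certutil output show), and verifies that a CRL's LDAP CDP URL ends in the forest's configuration DN. The sample script text is constructed; the CDP template, root CA names, expected DN and bad URL are taken from Orbital's posts, and the token meanings follow the AD CS documentation.

```python
import re
from urllib.parse import unquote

# Dash characters that PDF copy/paste substitutes for the ASCII hyphen; certutil
# then sees an unknown option instead of -setreg or -crl.
NON_ASCII_DASHES = ("\u2013", "\u2014", "\u2212")

# What AD CS appends for the %%10 (CDPObjectClass) token in an LDAP CDP URL.
CDP_OBJECT_CLASS = "?certificateRevocationList?base?objectClass=cRLDistributionPoint"


def find_bad_dashes(script_text):
    """Return (line number, line) for every certutil line carrying a non-ASCII dash."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if "certutil" in line.lower() and any(d in line for d in NON_ASCII_DASHES):
            hits.append((n, line.strip()))
    return hits


def expand_cdp_template(template, variables):
    """Expand the %%N tokens of a CRLPublicationURLs entry.
    Tokens used in the thread: %%2 ServerShortName, %%7 SanitizedCaName,
    %%8 CRLNameSuffix, %%6 ConfigDN, %%10 CDPObjectClass. An unset %%6 is
    rendered as DC=UnavailableConfigDN, matching the thread's output."""
    values = dict(variables)
    values.setdefault(6, "DC=UnavailableConfigDN")
    return re.sub(r"%%(\d+)", lambda m: values.get(int(m.group(1)), ""), template)


def check_cdp_url(url, expected_config_dn):
    """Verify that an ldap:/// CDP URL names an object under the forest's
    configuration container. Returns (ok, reason)."""
    if not url.lower().startswith("ldap:///"):
        return False, "not an LDAP URL"
    dn = unquote(url[len("ldap:///"):].split("?", 1)[0])
    if "unavailableconfigdn" in dn.lower():
        return False, "DN contains UnavailableConfigDN: DSConfigDN was unset when this CRL was built"
    if not dn.lower().endswith("," + expected_config_dn.lower()):
        return False, "DN does not end in the expected configuration DN: " + dn
    return True, "CDP URL points into " + expected_config_dn


# Constructed sample of a post-configuration script whose last hyphen became an en dash.
SAMPLE_SCRIPT = (
    "certutil -setreg CA\\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com\n"
    "net stop certsvc & net start certsvc\n"
    "certutil \u2013crl\n"
)

# CDP template, root CA names and expected DN as posted in the thread.
CDP_TEMPLATE = "ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
ROOT_CA_VARS = {2: "tb2008pki01", 7: "TB2008PKI01-CA", 8: "", 10: CDP_OBJECT_CLASS}
EXPECTED_DN = "CN=Configuration,DC=testad4,DC=test,DC=com"
# The URL Orbital found under 'Published CRL Locations' in the root CRL.
BAD_URL = ("ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint")

if __name__ == "__main__":
    for n, line in find_bad_dashes(SAMPLE_SCRIPT):
        print(f"line {n}: non-ASCII dash in {line!r}")
    print(check_cdp_url(BAD_URL, EXPECTED_DN))
    fixed = expand_cdp_template(CDP_TEMPLATE, {**ROOT_CA_VARS, 6: EXPECTED_DN})
    print(check_cdp_url(fixed, EXPECTED_DN))
```

Run the same check_cdp_url over the AIA URL of each subordinate CA certificate to cover Brian's second point: a certificate whose AIA still carries UnavailableConfigDN has to be re-issued, since its extensions are signed into it.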

Guest Orbital
Posted

Hi Brian,

 

Thanks for replying.

 

I'm positive I've completed everything correctly. It's not even a copy/paste character problem as I used the examples from the 'Resources' folder on the CD.

I've actually logged a call with your friends at Microsoft regarding this, who are equally baffled. We've modified [and even removed] LDAP entries, reissued, revoked and all sorts, to no effect. My case is being worked on and I'll wait to hear.

 

Thanks for your input Brian.

 

 

Orb.

1 month later...
Posted

Hi Orb,

Did you get this fixed? Because I just had the same issue this morning.

The scripts etc. were correct but I had to manually delete the .crl from the Windows\System32\CertSrv\CertEnroll folder and then re-generate it using the certificates management console (right click publish on the "revoked" node).

Ben.
