Windows 2008 R2 CA Database Hash Value
-
Friday, 1 February 2013 01:25
Hi
I have a stand alone Windows 2008 R2 CA integrated with on board nCipher HSM.
I noticed that every time I start the certificate services, the CA database hash value gets changed even though there are no certificates issued till now.
I check the CA database hash value via Event Viewer >> Windows >> Security >> Event ID 4880.
My understanding is the CA database hash value should change only when a certificate is issued. I have another Windows 2003 stand-alone CA and the CA database hash value does change only when a certificate is issued.
Is there anything I need to configure in my Windows 2008 R2 CA to update the CA database hash value only when a certificate is issued ?
Can anyone help me to resolve the issue?
Thanks.
Sanurajan
All replies
-
Friday, 1 February 2013 06:11
> My understanding is the CA database hash value should change only when a certificate is issued
your understanding is incorrect. When the CA starts, it checks database integrity and merges log files into the database. Also, the CA database changes each time a new CRL is issued.
> Is there anything I need to configure in my Windows 2008 R2 CA to update the CA database hash value only when a certificate is issued ?
there is nothing you can do. Moreover you don't want to do anything here. Leave it as is.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
- Proposed as answer by Vadims Podans MVP, Friday, 1 February 2013 06:11
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Thursday, 7 February 2013 02:35
-
Friday, 1 February 2013 07:21
Hi Vadims
Thanks for your response.
If the CA startup can change the database hash values, then I am failing to understand how the CA database hash value never changes in Windows 2003 Certificate Services, or whether this is different in the case of Windows 2008 R2 Certificate Services. Based on the Windows 2003 Certificate Services, my company has developed an operational procedure to verify the post-startup hash value against the previous value before performing any other actions. The idea being to make sure there is no certificate or CRL issued without any records. So when I tried to perform the same procedure on Windows 2008 R2 Certificate Services, the hash value keeps changing just by starting up Certificate Services.
I accept that whenever a certificate or a CRL is issued, the database will change. When you say "merges log files into database", does it mean it adds the logs into the database records after checking the integrity? I have created a different folder for logs and another one for CertDB, so I am not sure how the Certificate Services merges files from another folder.
Overall, can I safely presume this merging logic happens only in Windows 2008 R2 Certificate Services?
Regards
Sanurajan
-
Friday, 1 February 2013 11:18
> how the CA database hash value never changes in Windows 2003 Certificate services
because it is incorrect. The database is changed constantly (each day), so I really don't understand why you are concerned about this question.
> Idea being to make sure there is no certificate or CRL issued without any records.
consider implementing your idea in a different way. Say, subscribe to events via the email exit module.
> does it mean it adds the logs into the database records after checking the integrity.
yes.
> can I safely presume this merging logic happens only in Windows 2008 R2 certificate services?
no. This process occurs in all versions of certificate services. In Windows Server 2008 R2 (and newer) the behavior of DB management is a bit different. You need to understand, that your chosen way is wrong and won't work.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Check out new: PowerShell FCIV tool.
- Proposed as answer by Brian Komar [MVP] MVP, Saturday, 2 February 2013 08:39
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Thursday, 7 February 2013 02:35
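The reply above argues that comparing the Event ID 4880 database hash across restarts cannot detect unrecorded issuance, because the hash legitimately changes at every start. What the original poster actually wants (proof that no certificate or CRL was issued without a record) is better obtained from the CA's own audit events in the Security log. The following PowerShell script is an added example written for this page; it is not code from the thread or from Microsoft. It assumes Certification Services auditing is enabled on the CA (`auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable` and `certutil -setreg CA\AuditFilter 127`, followed by a restart of certsvc), and it assumes the event data field names used below (`CertificateDatabaseHash`, `RequestId`, `Subject`); check them against `(Get-WinEvent ...).ToXml()` on your own CA before relying on them. It is written for PowerShell 2.0, which is what Windows Server 2008 R2 ships with.

```powershell
# Added example, not from the original thread.
# Lists CA lifecycle and issuance events from the Security log since a given
# time, so an operator can confirm that nothing was issued, revoked or
# published while the CA was supposed to be idle, instead of comparing
# the 4880 database hash (which changes on every start).
param(
    [datetime]$Since = (Get-Date).AddDays(-1),
    [string]$ComputerName = $env:COMPUTERNAME
)

# Certification Services audit event IDs of interest.
$ids = @{
    4880 = 'CA started'
    4881 = 'CA stopped'
    4887 = 'Certificate issued'
    4870 = 'Certificate revoked'
    4872 = 'CRL published'
}

# Pull the <Data Name="..."> elements of an event into a hashtable.
function Get-EventData {
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($ids.Keys)
    StartTime = $Since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$report = foreach ($e in $events) {
    $data = Get-EventData $e
    # Field names below are assumptions; verify them on your CA.
    $detail = switch ($e.Id) {
        4880    { "DB hash " + $data['CertificateDatabaseHash'] }
        4887    { "Request " + $data['RequestId'] + " for " + $data['Subject'] }
        4870    { "Request " + $data['RequestId'] }
        default { '' }
    }
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Action = $ids[$e.Id]
        Detail = $detail
    }
}

$report | Select-Object Time, Id, Action, Detail | Format-Table -AutoSize

# Anything other than start/stop since $Since is activity that must be
# reconciled against the change record.
$activity = @($report | Where-Object { @(4887, 4870, 4872) -contains $_.Id })
if ($activity.Count -gt 0) {
    Write-Warning ("{0} issuance/revocation/CRL event(s) since {1}" -f $activity.Count, $Since)
} else {
    Write-Host ("No certificate or CRL activity since {0}" -f $Since)
}
```

Run it on the CA (or remotely with `-ComputerName`) after a restart: a 4880 event with a new database hash and no 4887/4870/4872 events between the previous check and now is the condition the original procedure was trying to prove. Because these are Security-log audit records written by the CA itself, they survive the log merge and startup integrity check that change the hash, which is why the reply above recommends an event-based approach over hash comparison.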