Space in CRL URL - win2012

    Question

  • Just came across this article

    http://support.microsoft.com/kb/2827759

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/eaa94883-3baa-4fb5-bcd1-7f4de629c50a/changes-to-certification-authority-2012-cdp-and-aia-paths

    I have defined a space in my CA name and I have Server 2012.

    Looking at pkiview, my Intermediate CA shows the CRL & AIA URLs with %20; the delta CRL is without %20.

    My root CA shows no %20 at all, in CRL and AIA.

    Looking in an issued certificate, I don't see the %20 in my CRLs & AIA, but I'm not sure if this is a friendly name?

    So I'm not certain if this bug concerns me?

    This hotfix would only apply to newly issued certificates? So I would have to reissue the root certificate?

    Tuesday, August 27, 2013 6:31 PM

Answers

  • It is a bug in Windows Server 2012. You should edit all URLs in the CDP and AIA extension settings by replacing spaces with '%20'. If spaces are coming from variables (say, you are using <CAName> and the CA name contains spaces), you should explicitly replace the variable with its value and replace spaces with '%20'.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Marked as answer by Kerm_IT Thursday, August 29, 2013 7:16 AM
    Wednesday, August 28, 2013 5:06 AM
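
The edit described in the answer above, sketched as an added example (not code from the thread or from either poster): it takes CDP/AIA URL templates, expands `<CAName>` to its literal value and encodes spaces as `%20` wherever an HTTP URL would otherwise contain a space. The function name `Convert-CaUrlTemplate` and the sample templates are constructed for illustration, and limiting the rewrite to `http`/`https` entries is an assumption; the code only builds the suggested strings and changes nothing on the CA.

```powershell
# Added example: offline rewrite of CDP/AIA URL templates. Nothing is written to the CA.
function Convert-CaUrlTemplate {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CAName,      # CA common name, spaces included
        [Parameter(Mandatory)][string[]]$Template   # URL templates as entered in the extension settings
    )
    foreach ($t in $Template) {
        # Assumption: only HTTP(S) locations are rewritten; file paths are left alone.
        $isHttp = $t -match '^https?://'

        # Expand only <CAName>; other variables such as <CRLNameSuffix> stay as variables.
        $expanded = $t.Replace('<CAName>', $CAName)

        # Rewrite only when the expanded URL would actually contain a space.
        $suggested = if ($isHttp -and $expanded.Contains(' ')) {
            $expanded.Replace(' ', '%20')
        } else {
            $t
        }

        [pscustomobject]@{
            Original    = $t
            Suggested   = $suggested
            NeedsChange = ($suggested -cne $t)
        }
    }
}

# Constructed sample input: one local publication path and two HTTP locations.
$sample = @(
    'C:\Windows\system32\CertSrv\CertEnroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    'http://pki.example.com/certdata/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
    'http://pki.example.com/certdata/<ServerDNSName>_<CAName><CertificateName>.crt'
)

Convert-CaUrlTemplate -CAName 'Corporate Root CA' -Template $sample | Format-List
```

Entries reported with `NeedsChange = True` are the ones to re-enter by hand in the CDP and AIA extension settings; the local file path is returned unchanged.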
  • This bug only concerns you if you are working with devices (such as Cisco) that still cannot understand spaces in URLs. You can manually replace the values with the %20 character (as vadims mentions) or simply apply the patch for KB 2827759. Once you have applied the patch, you would have to renew CA certificates (including the root) to ensure that the spaces are replaced with %20 characters. What you will see is the URL first with spaces and then the URL again with the spaces replaced with %20 characters, surrounded by brackets. Something like this:

    http://pki.example.com/certdata/Corporate Root CA.CRL (http://pki.example.com/certdata/Corporate%20Root%20CA.CRL)

    HTH,

    Brian

    • Marked as answer by Kerm_IT Thursday, August 29, 2013 7:16 AM
    Wednesday, August 28, 2013 11:37 AM

All replies

  • I want to enroll to mobile and network devices, so I should probably change this; better now than later.

    But why exactly do I have to renew the root cert? The CDP and AIA apply only to issued certificates, so the sub CA cert and all certificates issued by the sub CA should be renewed?

    Thursday, August 29, 2013 7:28 PM
  • Actually, you do not have to renew the root CA.

    You have to apply the patch and fix the URLs on the root CA.

    Then renew the issuing CA.

    Sorry for the loose language <G>

    Brian

    Thursday, August 29, 2013 10:22 PM