Windows 2008 R2 CA Database Hash Value


  • Friday, February 01, 2013 1:25 AM

    Hi

    I have a stand alone Windows 2008 R2 CA integrated with on board nCipher HSM.

    I noticed that the every time I start the certificate services, the CA database hash value gets changed even though there are no certificates issued till now.

    I check the CA database hash value via Event Viewer >> Windows >> Security >> Event ID 4880.

    My understanding is that the CA database hash value should change only when a certificate is issued. I have another Windows 2003 stand-alone CA, and there the CA database hash value does change only when a certificate is issued.

    Is there anything I need to configure in my Windows 2008 R2 CA to update the CA database hash value only when a certificate is issued ?

    Can anyone help me to resolve the issue?

    Thanks.

    Sanurajan

All Replies

  • Friday, February 01, 2013 6:11 AM
     Answered

    > My understanding is the CA database hash value should change only when a certificate is issued

    your understanding is incorrect. When the CA starts, it checks database integrity and merges log files into the database. Also, the CA database changes each time a new CRL is issued.

    > Is there anything I need to configure in my Windows 2008 R2 CA to update the CA database hash value only when a certificate is issued ?

    there is nothing you can do. Moreover you don't want to do anything here. Leave it as is.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

  • Friday, February 01, 2013 7:21 AM

    Hi Vadims

    Thanks for your response.

    If the CA startup can change the database hash value, then I am failing to understand how the CA database hash value never changes in Windows 2003 Certificate Services, or whether this is different in the case of Windows 2008 R2 Certificate Services. Based on the Windows 2003 Certificate Services behaviour, my company has developed an operational procedure to verify the post-startup hash value against the previous value before performing any other actions, the idea being to make sure there is no certificate or CRL issued without any record. When I tried to perform the same procedure on Windows 2008 R2 Certificate Services, the hash value kept changing just by starting up Certificate Services.

    I accept that whenever a certificate or a CRL is issued, the database will change. When you say "merges log files into database", does it mean it adds the logs into the database records after checking the integrity? I have created a different folder for the logs and another one for CertDB, so I am not sure how Certificate Services merges files from another folder.

    Overall, can I safely presume this merging logic happens only in Windows 2008 R2 certificate services?

    Regards

    Sanurajan

  • Friday, February 01, 2013 11:18 AM
     Answered

    > how the CA database hash value never changes in Windows 2003 Certificate services

    because it is incorrect. The database is changed constantly (each day), so I really don't understand why you are concerned about this.

    > Idea being to make sure there is no certificate or CRL issued without any records.

    consider implementing your idea in a different way. Say, subscribe to events via the email exit module.

    > does it mean it adds the logs into the database records after checking the integrity.

    yes.

    > can I safely presume this merging logic happens only in Windows 2008 R2 certificate services?

    no. This process occurs in all versions of Certificate Services. In Windows Server 2008 R2 (and newer) the behavior of DB management is a bit different. You need to understand that your chosen way is wrong and won't work.


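The event-based check Vadims recommends, written out as an added example that is not part of the thread or of anyone's posted code. It is PowerShell, assumed to run elevated on the CA itself with rights to read the Security log and to run certutil against the local CA. The first function lists the per-start Event ID 4880 data the original poster was comparing; the second part reconciles issued rows in the CA database against the 4887 (certificate issued) audit events and surfaces 4896 (rows deleted), which is the record the hash comparison was trying to substitute for. The EventData field name `RequestId` and the csv column handling for `certutil -view` are assumptions to check against your own CA.

```powershell
# Added example, not from the thread. Assumed to run elevated on the CA with
# Certification Services auditing enabled (run once, then restart certsvc):
#   auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
#   certutil -setreg CA\AuditFilter 127
# Assumption: 4887 events carry the request number in an EventData field named
# 'RequestId'. Use Show-CaStartupHashes to see the field names your CA emits.

# Turn an event's EventData into a Name -> value hashtable so fields can be
# read by name rather than by position.
function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($d -and $d.Name) { $map[$d.Name] = $d.'#text' }
    }
    $map
}

# Part 1: what the original poster compared. One 4880 event is written per
# service start; listing the last few shows the database hash differs between
# starts even when nothing was issued, so it cannot answer "was anything issued?".
function Show-CaStartupHashes {
    param([int]$Last = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4880 } -MaxEvents $Last |
        ForEach-Object {
            $data = ConvertTo-EventDataMap $_
            $line = '{0:u}' -f $_.TimeCreated
            foreach ($k in $data.Keys) { $line += "  $k=$($data[$k])" }
            $line
        }
}

# Part 2: issued rows in the CA database (Disposition 20 = issued) reconciled
# against the 4887 audit events, plus 4896 (rows deleted from the database),
# the only way an issued certificate leaves the database.
function Get-IssuedRequestIdsFromDatabase {
    $out = certutil -view -restrict "Disposition=20" -out "RequestID" csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed: exit code $LASTEXITCODE" }
    # Keep the csv header and data rows; drop blanks and certutil's trailer line.
    $rows = $out | Where-Object { $_.Trim() -and $_ -notmatch '^CertUtil:' } | ConvertFrom-Csv
    if (-not $rows) { return @() }
    $col = @($rows[0].PSObject.Properties)[0].Name   # header text is localized
    $rows | ForEach-Object { [int]$_.$col }
}

function Get-AuditedIssuedRequestIds {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4887 } -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        $id = (ConvertTo-EventDataMap $e)['RequestId']   # assumed field name
        if ($id) { [int]$id }
    }
}

function Test-IssuanceAccountedFor {
    $db    = @(Get-IssuedRequestIdsFromDatabase)
    $audit = @(Get-AuditedIssuedRequestIds)
    $deleted = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4896 } -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        IssuedInDatabase     = $db.Count
        IssuedInAuditLog     = $audit.Count
        # issued rows with no 4887 event: issuance that left no audit record
        UnauditedRequestIds  = @($db    | Where-Object { $audit -notcontains $_ })
        # 4887 events whose row is gone: match them against the 4896 deletions
        MissingRowRequestIds = @($audit | Where-Object { $db -notcontains $_ })
        RowDeletionEvents    = $deleted.Count
    }
}

Show-CaStartupHashes
Test-IssuanceAccountedFor | Format-List
```

The reconciliation is only as complete as the Security log: once it rolls over, request IDs older than its oldest 4887 event will show up as unaudited, so forward or archive the log (or use the email exit module mentioned above) rather than treating the live log as the record. CRL publication can be reconciled the same way by comparing 4872 (CRL published) events with `certutil -view CRL`.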