LDAP CRL issues

Question
I think I have a strange problem. My enterprise CA seems to run fine, although it does give a CRL offline error sometimes. When I run PKIView, it can access the HTTP CRL but not the LDAP ones (using the default location). However, if I right-click on "Enterprise PKI", select AD Containers, and select the CDP container, I can see all the CRLs and can view them. Running Server 2008 DC.
I exported a certificate it created and ran it through certutil. Output below. The CDP and AIA containers exist in ADSI Edit/ADSS. I uninstalled the CA and reinstalled, no difference. Any ideas (other than a fresh install) would be greatly appreciated...
Issuer:
CN=zat-CA1
DC=zat
DC=com
Subject:
CN=2008server1.zat.com
Cert Serial Number: 618d348f000600000061
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 37 Minutes, 34 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=zat-CA1, DC=zat, DC=com
NotBefore: 29/04/2009 9:15 PM
NotAfter: 29/04/2010 9:15 PM
Subject: CN=2008server1.zat.com
Serial: 618d348f000600000061
SubjectAltName: Other Name:DS Object Guid=04 10 1b 62 f0 13 ff 55 10 42 aa 5a 78 b5 3a 25 22 84, DNS Name=2008server1.zat.com
Template: DomainController
2f f7 50 4f 31 5f cc d8 93 a2 73 91 ad 2d 7f 12 7d c8 ca 66
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
ldap:///CN=zat-CA1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (45)" Time: 0
[0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl
Verified "Delta CRL (45)" Time: 0
[0.0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl
Failed "CDP" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
[0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
---------------- Base CRL CDP ----------------
OK "Delta CRL (45)" Time: 0
[0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6)+.crl
Failed "CDP" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
CRL 45:
Issuer: CN=zat-CA1, DC=zat, DC=com
0a 79 25 f6 35 bc 99 ea e8 94 ce 22 c6 92 7a a1 ae ec aa cd
Delta CRL 45:
Issuer: CN=zat-CA1, DC=zat, DC=com
04 07 b1 13 cc 97 50 04 56 80 4c b4 3e 3c 15 bd 9f 12 95 f7
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=zat-CA1, DC=zat, DC=com
NotBefore: 29/04/2009 8:13 PM
NotAfter: 29/04/2014 8:23 PM
Subject: CN=zat-CA1, DC=zat, DC=com
Serial: 7f6e5d7070950ca84e844a0d85f1b18f
Template: CA
51 84 31 30 03 2d fa 19 45 3f 92 ac e4 8c 2f 35 4a 1c ec 71
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
No URLs "None" Time: 0
---------------- Certificate CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
--------------------------------
Exclude leaf cert:
ad 90 cc 0a df 07 b9 a2 2b 21 d7 52 ba 92 03 01 ef 70 96 4a
Full chain:
bf 51 aa e9 51 65 32 42 39 0c 97 32 6d ea fe 27 f8 54 41 9f
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.
Wednesday, April 29, 2009 11:41 AM
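The pattern in the dump above (every HTTP fetch verified, every LDAP fetch failing with 0x8007006e) is easier to see when the certutil -verify output is parsed rather than read. The following Python script is an added example, not part of the thread or of certutil itself; it parses a constructed excerpt laid out like the dump above and tallies fetch results per URL scheme.

```python
import re
from collections import defaultdict

# Constructed excerpt laid out like the "certutil -verify" dump quoted in the question.
SAMPLE_DUMP = """\
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
ldap:///CN=zat-CA1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
Verified "Base CRL (45)" Time: 0
[0.0] http://2008server1.zat.com/CertEnroll/zat-CA1(6).crl
Failed "CDP" Time: 0
Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32/HTTP: 110)
[0.1.0] ldap:///CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=zat,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
"""

SECTION_RE = re.compile(r"^-+ (.+?) -+$")                       # "---- Certificate CDP ----"
STATUS_RE = re.compile(r'^(Verified|Failed|OK|No URLs|Expired) "(.*?)" Time: \d+$')
URL_RE = re.compile(r"^(?:\[[\d.]+\] )?((?:ldap|https?|file):.*)$")  # optional "[0.1.0] " index

def parse_verify_dump(text):
    """Return (section, status, label, url, error) tuples, one per URL certutil tried to fetch."""
    records, section, status, label, error = [], None, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):           # a new section resets the per-URL state
            section, status, label, error = m.group(1), None, None, None
        elif m := STATUS_RE.match(line):          # the status line precedes the URL it describes
            status, label, error = m.group(1), m.group(2), None
        elif line.startswith("Error retrieving URL:"):
            error = line.split(":", 1)[1].strip()
        elif (m := URL_RE.match(line)) and section and status:
            records.append((section, status, label, m.group(1), error))
    return records

def results_by_scheme(records):
    """Count ok/failed fetches per URL scheme. All-http-ok plus all-ldap-failed, as in the
    thread, points at the LDAP lookup path on this host rather than at the CRL content."""
    out = defaultdict(lambda: {"ok": 0, "failed": 0})
    for _section, status, _label, url, _error in records:
        out[url.split(":", 1)[0].lower()]["failed" if status == "Failed" else "ok"] += 1
    return dict(out)

if __name__ == "__main__":
    for rec in parse_verify_dump(SAMPLE_DUMP):
        print(rec[0], rec[1], rec[3].split("?")[0], rec[4] or "")
    print(results_by_scheme(parse_verify_dump(SAMPLE_DUMP)))
```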
All replies
Hi,
This issue may be caused by corrupt data stored in AD. Open ADSIEDIT.MSC, connect to the Configuration partition, and navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com.
Check CN=2008server1 under CN=CDP and CN=AIA. If there is any error or abnormal behavior, please let us know.
Try to run the following commands to collect information for research.
ldifde -f KI.txt -d "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree
ldifde -f PKI.txt -d "CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com" -p subtree
Note: Replace DC=Domain,DC=com accordingly.
Please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file and then give me the download address.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
Thursday, April 30, 2009 9:47 AM
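Once the ldifde exports requested above are in hand, the thing to check in the CDP subtree is whether each cRLDistributionPoint object actually carries a certificateRevocationList and a deltaRevocationList value. The following Python script is an added example, not from the thread; it parses a constructed LDIF fragment in the shape of an ldifde export (the base64 payloads are made-up bytes, not real CRLs) and reports, per CDP object, whether each CRL attribute holds DER data. The stale zat-CA1(5) object in the sample stands in for leftover objects from earlier CA generations.

```python
import base64

# Constructed LDIF in the shape of an "ldifde -d CN=CDP,... -p subtree" export; binary attributes use "::".
# The base64 payloads are made-up 5-byte values that start with 0x30, not real CRLs.
SAMPLE_LDIF = """\
dn: CN=zat-CA1(6),CN=2008server1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configura
 tion,DC=zat,DC=com
objectClass: cRLDistributionPoint
certificateRevocationList:: MAMCAQE=
deltaRevocationList:: MAMCAQI=

dn: CN=zat-CA1(5),CN=2008server1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=zat,DC=com
objectClass: cRLDistributionPoint
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; "::" marks a base64 value, a leading space continues a line."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:        # the trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # unfold a continuation line
        elif raw:
            lines.append(raw)
        elif lines:                             # a blank line closes an entry
            dn, attrs = None, {}
            for line in lines:
                name, _, value = line.partition(":")
                value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
                if name == "dn":
                    dn = value
                else:
                    attrs.setdefault(name, []).append(value)
            entries.append((dn, attrs))
            lines = []
    return entries

def audit_cdp_objects(entries):
    """Per cRLDistributionPoint object, report whether each CRL attribute holds DER data (a DER
    CRL is a SEQUENCE, first byte 0x30). False means the attribute is absent or is not a CRL."""
    def holds_der(attrs, name):
        vals = attrs.get(name, [])
        return bool(vals) and isinstance(vals[0], bytes) and vals[0][:1] == b"\x30"
    return {dn.split(",")[0]: {"base": holds_der(attrs, "certificateRevocationList"),
                               "delta": holds_der(attrs, "deltaRevocationList")}
            for dn, attrs in entries if "cRLDistributionPoint" in attrs.get("objectClass", [])}

if __name__ == "__main__":
    for obj, status in audit_cdp_objects(parse_ldif(SAMPLE_LDIF)).items():
        print(obj, status)
```

An object that reports False for base while the HTTP copy of the same CRL verifies is exactly the publish-to-AD gap the thread is circling; an object that is simply left over from an older CA generation can be ignored or cleaned up.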
Yes, there is probably some corruption somewhere; I just can't figure out where.
I haven't used SkyDrive before, so I hope it works.
http://cid-27c67029fca14da6.skydrive.live.com/self.aspx/PKI%20Problem
The machine is virtualised. I restored a snapshot since the original post, but the error's still there and the files on SkyDrive are current.
When I tried uninstalling/re-installing, I wiped stuff from the containers in ADSS.
Anyway, if you have any ideas on how to remove any corruption I'll give it a try.
Got another CA in another forest; it's working fine, if that's any help.
Thanks for your time.
Thursday, April 30, 2009 12:45 PM
Hi,
Thank you for the update.
Based on my test, TAZ-CA1(1) to TAZ-CA1(5) should not appear in ADSI Edit. How did you do "when i tried uninstalling/re-installing, i wiped stuff from the containers in ADSS"? Please let us know the detailed steps.
Also, please capture a screenshot of the CA Properties:
Open the CA console, right-click TAZ-CA1(5), choose Properties, switch to the Extensions tab, and choose "ldap:///…." in the CRL list. Capture a screenshot and upload it to SkyDrive.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
Monday, May 4, 2009 4:15 AM
Hi Mervyn,
The CRL publishes OK, no errors. Here are the steps I took. Screenshots at http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/PKI2?authkey=p2KsIbDCvLY%24
I just uninstalled and reinstalled. Check out the bit in bold at the end on re-installing, especially the access denied error.
1/ certutil -shutdown
2/ certutil -key
C:\Users\Administrator>certutil -key
Microsoft Strong Cryptographic Provider:
le-DomainControllerAuthentication-70bbce24-84a0-4a96-ae7d-214322198916
0204d6dc1aef68b82a75ca9e82e3571b_82c9b055-d375-4e08-94c0-12ba1b223d65
AT_KEYEXCHANGE
*** could not find any root certificate key to delete
3/ remove CA role (remove tick from CA) and restart computer
4/ ADSS, expand services
public key services\aia - wipe everything
public key services\cdp - wipe everything
public key services\certificate authorities - wipe everything
public key services\enrolment services - wipe everything
public key services\kra - wipe everything
5/ C:\Users\Administrator>ldifde -r "cn=taz-ca1" -d "CN=Public KeyServices,CN=Services,CN=Configuration,DC=taz,DC=com" -f output.ldf
Connecting to "2008server1.taz.com"
Logging in as current user using SSPI
Exporting directory to file output.ldf
Searching for entries...
Writing out entries
No Entries found
The command has completed successfully
6/ certutil store -? | findstr "CN=NTAuth" (showed nothing)
7/ del %systemroot%\System32\Certlog
8/ C:\Users\Administrator>certutil -ds taz-ca1
CertUtil: -ds command completed successfully.
9/ C:\Users\Administrator>certutil -ds 2008server1
CertUtil: -ds command completed successfully.
10/C:\Users\Administrator>certutil -ds -v NtAuthCertificates
CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com:
NTAuthCertificates
objectClass
Element 0: "top"
Element 1: "certificationAuthority"
cn = "NTAuthCertificates"
cACertificate
Element 0: 920 Bytes
....
some bits cut out
....
================ Certificate 5 ================
Serial Number: 32041c93f735a9435f643880a0bb2f
Issuer: CN=Taz-CA1, DC=taz, DC=com
NotBefore: 16/02/2009 6:58 PM
NotAfter: 16/02/2014 7:08 PM
Subject: CN=Taz-CA1, DC=taz, DC=com
Certificate Template Name (Certificate Type): CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 86 70 44 65 d9 1c 65 de 15 40 bc 42 3d a5 b1 26 7b 3a b7 f5
authorityRevocationList = EMPTY
certificateRevocationList = EMPTY
distinguishedName = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com"
instanceType = "4"
whenCreated = "20081127013718.0Z" 27/11/2008 11:37 AM
whenChanged = "20090430121040.0Z" 30/04/2009 10:10 PM
uSNCreated = "7584" 0x1da0
uSNChanged = "241923" 0x3b103
showInAdvancedViewOnly = "TRUE"
name = "NTAuthCertificates"
objectGUID = 40cc4255-2bee-4e5a-a18f-6aa7063a89b1
objectCategory = "CN=Certification-Authority,CN=Schema,CN=Configuration,DC=taz,DC=com"
dSCorePropagationData = "16010101000000.0Z" EMPTY
nTSecurityDescriptor =
Allow TAZ\Domain Admins
Full Control
Allow TAZ\Enterprise Admins
Full Control
Allow BUILTIN\Administrators
Full Control
Allow Everyone
Read
Allow TAZ\Enterprise Admins
Full Control
Allow TAZ\Domain Admins
Full Control
11/ C:\Users\Administrator>certutil -viewdelstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?base?cACertificate"
ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base
CertUtil: -viewdelstore command FAILED: 0x80070005 (WIN32: 5)
CertUtil: Access is denied.
******** Access denied??? I am logged in as Enterprise Admin, and Enterprise Admins has Full Control on NTAuthCertificates (according to ADSI Edit)
12/ certutil -viewdelstore
DEL all certificates issued to Taz-CA1
13/ regsvr32 /i:i /n /s certcli.dll
14/ Run the Certificates MMC for the local computer; wipe all certificates in the computer's Personal store, and all taz-ca1 certificates in Trusted Root CA, Intermediate CA, KRA/certificates and enrolment requests
=================================================
1/ install CA role, using same name taz-ca1
* enterprise CA, root, default key (2048), + web enrolment service role
* PKIView: delete old "untrusted root" certificates from NTAuthCertificates (AD Containers), leaving the new one only. (Still shows errors on the LDAP CRL but not HTTP.)
2/ gpupdate /force
3/ Checked Event Viewer - 1 warning:
Active Directory Certificate Services added the root certificate of certificate chain 0 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority" (you must include the quotation marks when you run this command). If the root CA certificate is not present, use the Certificates console on the root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.
4/ C:\Users\Administrator>certutil -viewstore "ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority"
ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate?base?objectClass=certificationAuthority
CertUtil: -viewstore command FAILED: 0x8007006e (WIN32/HTTP: 110)
CertUtil: The system cannot open the device or file specified.
5/ export root ca, then C:\Users\Administrator>Certutil -dspublish c:\root.cer
ldap:///CN=taz-CA1,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate
Certificate already in DS store.
ldap:///CN=taz-CA1,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=taz,DC=com?cACertificate
Certificate already in DS store.
CertUtil: -dsPublish command completed successfully.
Monday, May 4, 2009 11:16 AM
Hi,
It seems you shouldn't delete "public key services\aia" and the other subtrees under "public key services". After deleting them, there is an error when trying to reinstall my test CA role. It may take a long time to find the root cause of this issue; I suggest you don't delete them when uninstalling. Just stop the service, then uninstall/reinstall the role.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
Tuesday, May 5, 2009 3:13 AM
Just to clarify, I didn't actually delete the containers, just the contents. But I will follow your suggestion of leaving them alone.
On the weekend I think I might create an enterprise CA on another DC to see if it's a certificate issue/AD issue or a security access problem.
Thanks
Tuesday, May 5, 2009 11:51 AM
Hi Mervyn,
Just to throw a spanner in the works: whilst I get errors in PKIView on 2008server1, if I run it from nps1 (which at one stage had a standalone subordinate for IPsec NAP), PKIView is able to get the LDAP CRLs.
http://cid-27c67029fca14da6.skydrive.live.com/browse.aspx/pkiview%20screenshots?authkey=nq7SmO9*ito%24
pkiview1.jpg is from nps1. (The error on taz-nps1-ca is because the root/subordinate trust is broken; that's OK.) BUT it shows full access to CRLs.
pkiview2.jpg is from 2008server1. When run here, it is unable to access CRLs through LDAP.
The CA certificate on both computers shows the same thumbprint.
Weird.....
Wednesday, May 6, 2009 11:49 AM