Extra Delta CRL URLs

    Question

  • Good afternoon,

    I have a 2012 R2 two-tier PKI and am publishing CRLs and Delta CRLs and including extensions in issued certificates to three locations: LDAP and two HTTP. When I export an issued certificate and run the URL retrieval tool on it, I'm seeing that when I retrieve CRLs (from CDP), I see a total of 12 URLs verified (9 Delta and 3 Base). When I check the URLs, there are duplicates for the Delta URLs with the exception of the leftmost of the path; I'm seeing the following:

    [0.0.0]ldap://CN=location...
    [1.0.0]ldap://CN=location...
    [2.0.0]ldap://CN=location...

    [0.0.1]http://Server1/location
    [1.0.1]http://Server1/Location
    [2.0.1]http://Server1/Location

    [0.0.2]http://Server2/location
    [1.0.2]http://Server2/Location
    [2.0.2]http://Server2/Location 

    However, I only see one CRL and one Delta CRL when I check the locations; should I not be seeing six locations (3 for the Base and 3 for the Delta)? If anyone can explain this, I would appreciate it. I also noticed that I have the file:// URLs present in the "CACertPublicationURLs" and "CRLPublicationURLs" registry keys; is this okay? 

    Thanks everyone for your time and expertise.

    Chad

    Thursday, April 20, 2017 10:16 PM

Answers

  • This is all correct. The reason you see so many entries is that the tool is parsing the base CRL locations and finding that there are multiple locations for both the base and the delta CRL. A client pulling a base CRL from LDAP may look at either LDAP or HTTP for a delta CRL. So the tool looks at the options on where to pull those from and creates several iterations on where to go. So everything is working properly.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Marked as answer by CAWarden Tuesday, April 25, 2017 6:52 PM
    Monday, April 24, 2017 4:10 PM
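Worked example, added here and not part of the thread or of any Microsoft or PKI Solutions tooling: a small Python script that parses the CRLPublicationURLs value Chad posts further down (from `certutil -getreg ca\crlpublicationurls`), decodes the flag bits certutil names, expands the %-tokens for base and delta CRLs, reproduces the `[b.0]` / `[b.0.d]` enumeration that produces the 12 rows in the question (3 base URLs in the certificate, each re-checked against the 3 delta URLs in the base CRL's Freshest CRL extension), and, going one step beyond the thread, flags any advertised URL that no publish flag actually writes. The token values in SAMPLE_ENV (CA name `CAName`, host `server`, configuration container) are placeholders modelled on the redacted output, and the host/file-name matching check is a heuristic of this example, not something certutil does.

```python
"""Decode an ADCS CRLPublicationURLs value and predict what certutil -urlfetch will list.
Added example for this thread, not Microsoft's or the poster's code.  SAMPLE_GETREG is the
-getreg output quoted in the thread; SAMPLE_ENV holds assumed placeholder token values."""
import re
from urllib.parse import urlsplit

FLAGS = {  # bit of a "flags:url" entry -> name as certutil -getreg prints it
    1: "CSURL_SERVERPUBLISH",        # CA writes the base CRL to this location
    2: "CSURL_ADDTOCERTCDP",         # URL goes in the CDP extension of issued certificates
    4: "CSURL_ADDTOFRESHESTCRL",     # URL goes in the Freshest CRL extension of the base CRL
    8: "CSURL_ADDTOCRLCDP",          # URL goes in the CDP extension of the CRL itself
    64: "CSURL_SERVERPUBLISHDELTA",  # CA writes the delta CRL to this location
}
SAMPLE_GETREG = r"""
  CRLPublicationURLs REG_MULTI_SZ =
    0: 65:c:\windows\system32\certsrv\certenroll\%3%8%9.crl
    CSURL_SERVERPUBLISH -- 1
    CSURL_SERVERPUBLISHDELTA -- 40 (64)
    1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    2: 6:http://server1/dir/%3%8%9.crl
    3: 6:http://server2/dir/%3%8%9.crl
    4: 65:file://server1/dir/%3%8%9.crl
    5: 65:file://server2/dir/%3%8%9.crl
"""
SAMPLE_ENV = {  # assumed values for the CA's replacement tokens (modelled on the redacted output)
    "1": "server.domain.bc.ca",                     # %1 ServerDNSName
    "2": "server",                                  # %2 ServerShortName
    "3": "CAName",                                  # %3 CaName
    "6": "CN=Configuration,DC=domain,DC=bc,DC=ca",  # %6 ConfigurationContainer
    "7": "CAName",                                  # %7 CATruncatedName
    "8": "",                                        # %8 CRLNameSuffix, e.g. "(1)" after a CA key renewal
}
ENTRY_RE = re.compile(r"^\s*(\d+):\s*(\d+):(.+?)\s*$", re.MULTILINE)  # "index: flags:template"

def parse_entries(text):
    """[(index, flags, template)] from 'certutil -getreg ca\\crlpublicationurls' output."""
    return [(int(i), int(f), t) for i, f, t in ENTRY_RE.findall(text)]

def flag_names(flags):
    return [name for bit, name in FLAGS.items() if flags & bit]

def expand(template, env, delta):
    """Substitute %-tokens the way the CA does for a base (delta=False) or delta CRL URL."""
    tokens = dict(env)
    tokens["9"] = "+" if delta else ""  # %9 DeltaCRLAllowed: "+" is appended to delta CRL names
    tokens["10"] = ("?deltaRevocationList" if delta else "?certificateRevocationList") \
        + "?base?objectClass=cRLDistributionPoint"  # %10 CDPObjectClass, the LDAP query part
    return re.sub(r"%(\d+)", lambda m: tokens.get(m.group(1), m.group(0)), template)

def classify(entries, env):
    """Bucket each entry by what its flags make the CA do with it."""
    roles = {k: [] for k in ("publish_base", "publish_delta", "cert_cdp",
                             "freshest_crl", "crl_cdp", "disabled")}
    for _idx, flags, tmpl in entries:
        base, delta = expand(tmpl, env, False), expand(tmpl, env, True)
        if flags == 0:  # still in the registry, but the CA ignores it
            roles["disabled"].append(tmpl)
        for bit, role, url in ((1, "publish_base", base), (64, "publish_delta", delta),
                               (2, "cert_cdp", base), (4, "freshest_crl", delta),
                               (8, "crl_cdp", base)):
            if flags & bit:
                roles[role].append(url)
    return roles

def predict_urlfetch(roles):
    """Rows of the 'Certificate CDP' section printed by certutil -urlfetch -verify.
    For each base CRL URL from the certificate (flag 2) the tool re-tries every delta URL
    from that base CRL's Freshest CRL extension (flag 4): B + B*D rows, tagged [b.0], [b.0.d]."""
    rows = []
    for b, base in enumerate(roles["cert_cdp"]):
        rows.append(("Base CRL", f"[{b}.0]", base))
        for d, delta in enumerate(roles["freshest_crl"]):
            rows.append(("Delta CRL", f"[{b}.0.{d}]", delta))
    return rows

def _keys(url, env, delta):
    """{(delta, host, file name)}; a local drive path counts as the CA's own host names."""
    name = re.split(r"[\\/]", url)[-1].lower()
    if re.match(r"^[A-Za-z]:[\\/]", url):
        return {(delta, env["1"].lower(), name), (delta, env["2"].lower(), name)}
    return {(delta, urlsplit(url).netloc.lower(), name)}

def advertised_but_unpublished(roles, env):
    """Advertised URLs (cert CDP, Freshest CRL) that no publish flag writes, judged by host and
    file name.  Heuristic (assumption): http://host/ serves the file://host/ share the CA
    publishes to, or certenroll when host is the CA itself."""
    published = set()
    for delta, urls in ((False, roles["publish_base"]), (True, roles["publish_delta"])):
        for u in urls:
            published |= _keys(u, env, delta)
    return [u for delta, urls in ((False, roles["cert_cdp"]), (True, roles["freshest_crl"]))
            for u in urls if not _keys(u, env, delta) & published]

if __name__ == "__main__":
    roles = classify(parse_entries(SAMPLE_GETREG), SAMPLE_ENV)
    for kind, tag, url in predict_urlfetch(roles):
        print(f"{kind:9} {tag:8} {url}")
    for url in advertised_but_unpublished(roles, SAMPLE_ENV):
        print("WARNING: advertised but never published:", url)
```

Run it on the thread's value and `predict_urlfetch` returns 12 rows (3 base, 9 delta) with the same `[0.0]`, `[0.0.0]`, `[0.0.1]`, `[0.0.2]` tags as the posted output; deleting the `file://server2` entry makes `advertised_but_unpublished` report both `http://server2` URLs, which is the misconfiguration that turns into "revocation server offline" errors on clients once the CRL in IIS expires. A flag value of 0 lands in `disabled`, matching the point about an unused entry that can simply be removed.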

All replies

  • Can you provide the output from your test certificate you are using?

    certutil <your cert here.cer>

    Also, what is the output of this command from your CA:

    certutil -getreg ca\crlpublicationurls

    The file extension is fine, most likely the numerical value at the beginning of the line is 0? If so, it is disabled and unused, but you could just as easily remove that line.


    Thursday, April 20, 2017 10:50 PM
  • Thanks very much for your response Mark. The answers to questions 2 and 3 are below (I've omitted certain data; let me know if you need it). For question 1, what if anything would you recommend I leave out of the output?

    2. certutil -getreg ca\crlpublicationurls

    certutil -getreg ca\crlpublicationurls
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA Name\CRLPublicationURLs:

      CRLPublicationURLs REG_MULTI_SZ =
        0: 65:c:\windows\system32\certsrv\certenroll\%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

        1: 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
        CSURL_SERVERPUBLISH -- 1
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4
        CSURL_ADDTOCRLCDP -- 8
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

        2: 6:http://server1/dir/%3%8%9.crl
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4

        3: 6:http://server2/dir/%3%8%9.crl
        CSURL_ADDTOCERTCDP -- 2
        CSURL_ADDTOFRESHESTCRL -- 4

        4: 65:file://server1/dir/%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

        5: 65:file://server2/dir/%3%8%9.crl
        CSURL_SERVERPUBLISH -- 1
        CSURL_SERVERPUBLISHDELTA -- 40 (64)

    CertUtil: -getreg command completed successfully.

    3. The numerical value at the beginning for my offline root CA is '1' and '65' for my online enterprise issuing CA

    Thanks,

    Chad


    Friday, April 21, 2017 4:13 PM
  • These keys all look fine. Could you take your test cert and run the following command and share the output:

    certutil -urlfetch -verify <your test cert here>


    Friday, April 21, 2017 5:42 PM
  • Here it is:

    c:\temp>certutil -urlfetch -verify c:\newtest.cer

    Issuer:
        CN=CAName
        DC=domain
        DC=bc
        DC=ca
      Name Hash(sha1): 
      Name Hash(md5): 
    Subject:
        EMPTY (DNS Name=PC.domain.bc.ca)
      Name Hash(sha1): 
      Name Hash(md5): 
    Cert Serial Number: 

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwRevocationFreshnessTime: 20 Days, 20 Hours, 52 Minutes, 46 Seconds

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwRevocationFreshnessTime: 20 Days, 20 Hours, 52 Minutes, 46 Seconds

    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=CAName, DC=domain, DC=bc, DC=ca
      NotBefore: 4/19/2017 10:07 AM
      NotAfter: 4/19/2018 10:07 AM
      Subject:
      Serial: 
      SubjectAltName: DNS Name=PC.domain.bc.ca
      Template: Copy of Workstation Authentication
      Cert: 
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://Server1.domain.bc.ca/Dir/server.domain.bc.ca_CA%20Name%20Here%20Here.crt

      Verified "Certificate (0)" Time: 0
        [2.0] http://Server2.domain.bc.ca/Dir/server.domain.bc.ca_CA%20Name%20Here%20Here.crt

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (08)" Time: 0
        [0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Delta CRL (08)" Time: 0
        [0.0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Delta CRL (08)" Time: 0
        [0.0.1] http://Server1.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      Verified "Delta CRL (08)" Time: 0
        [0.0.2] http://Server2.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      Verified "Base CRL (08)" Time: 0
        [1.0] http://Server1.domain.bc.ca/Dir/CA%20Name%20Here%20Here.crl

      Verified "Delta CRL (08)" Time: 0
        [1.0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Delta CRL (08)" Time: 0
        [1.0.1] http://Server1.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      Verified "Delta CRL (08)" Time: 0
        [1.0.2] http://Server2.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      Verified "Base CRL (08)" Time: 0
        [2.0] http://Server2.domain.bc.ca/Dir/CA%20Name%20Here%20Here.crl

      Verified "Delta CRL (08)" Time: 0
        [2.0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?deltaRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Delta CRL (08)" Time: 0
        [2.0.1] http://Server1.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      Verified "Delta CRL (08)" Time: 0
        [2.0.2] http://Server2.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      ----------------  Base CRL CDP  ----------------
      OK "Delta CRL (08)" Time: 0
        [0.0] ldap:///CN=CA%20Name%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?deltaRevocationList?base?objectClass=cRLDistributionPoint

      OK "Delta CRL (08)" Time: 0
        [1.0] http://Server1.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      OK "Delta CRL (08)" Time: 0
        [2.0] http://Server2.domain.bc.ca/Dir/CA%20Name%20Here%20Here+.crl

      ----------------  Certificate OCSP  ----------------
      Verified "OCSP" Time: 0
        [0.0] http://server.domain.bc.ca/location

      --------------------------------
        CRL 08:
        Issuer: CN=CAName, DC=domain, DC=bc, DC=ca
        ThisUpdate: 4/19/2017 11:12 AM
        NextUpdate: 5/3/2017 11:32 AM
        CRL: 
        Delta CRL 08:
        Issuer: CN=CAName, DC=domain, DC=bc, DC=ca
        ThisUpdate: 4/19/2017 11:12 AM
        NextUpdate: 4/27/2017 11:32 AM
        CRL: 
      Application[0] = Client Authentication

    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
      Issuer: CN=RootCA
      NotBefore: 3/31/2017 2:08 PM
      NotAfter: 3/31/2027 2:18 PM
      Subject: CN=CAName, DC=domain, DC=bc, DC=ca
      Serial: 
      Template: SubCA
      Cert: 
      Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      Verified "Certificate (0)" Time: 0
        [0.0] ldap:///CN=Root%20CA%20Here%20Here,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?cACertificate?base?objectClass=certificationAuthority

      Verified "Certificate (0)" Time: 0
        [1.0] http://Server1.domain.bc.ca/Dir/server_Root%20CA%20Here%20Here.crt

      Verified "Certificate (0)" Time: 0
        [2.0] http://Server2.domain.bc.ca/Dir/server_Root%20CA%20Here%20Here.crt

      ----------------  Certificate CDP  ----------------
      Verified "Base CRL (02)" Time: 0
        [0.0] ldap:///CN=Root%20CA%20Here%20Here,CN=server,CN=Dir,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=bc,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint

      Verified "Base CRL (02)" Time: 0
        [1.0] http://Server1.domain.bc.ca/Dir/Root%20CA%20Here%20Here.crl

      Verified "Base CRL (02)" Time: 0
        [2.0] http://Server2.domain.bc.ca/Dir/Root%20CA%20Here%20Here.crl

      ----------------  Base CRL CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------
        CRL 02:
        Issuer: CN=RootCA
        ThisUpdate: 3/31/2017 1:55 PM
        NextUpdate: 3/30/2037 2:15 PM
        CRL: 
      Issuance[0] = 

    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
      Issuer: CN=RootCA
      NotBefore: 3/31/2017 1:43 PM
      NotAfter: 3/31/2037 1:53 PM
      Subject: CN=RootCA
      Serial: 
      Cert: 
      Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      Chain: 
    Full chain:
      Chain: 
    ------------------------------------
    Verified Issuance Policies: None
    Verified Application Policies:
         Client Authentication
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.

    Friday, April 21, 2017 6:01 PM
  • That's all I needed. You're the man, Mark, thanks very much!
    Tuesday, April 25, 2017 6:52 PM