Windows 2008 R2 Certificate Services - New CDP location

  • Question

  • Hi

    I have been installing a 2 tier certificate services PKI setup, with a non domain standalone root CA, and a domain joined subordinate CA which will be issuing the certificates. I have created a CSR on the standalone root CA which has been issued to the subordinate CA. The certificate has been imported and the following command run.

    certutil -dspublish -f rootcafilename.crt RootCA

    Unfortunately I forgot to change the CDP location. I have since updated this and re-issued a new certificate. When I run the above command again it doesn't appear to overwrite the old certificate. It comes up with the message "Certificate already in DS store" (I assume this is Active Directory).

    My question is how do I overwrite this certificate or ideally delete it so that my new http location for CDP is found.

    Any assistance would be greatly appreciated.  Let me know if you need further information.

    Thanks Nick

    Wednesday, March 7, 2012 12:31 PM

Answers

  • Make sure you follow the CA decommission documentation as written by Microsoft.  There are objects in Active Directory that need to be cleaned up after the CA is decommissioned.

    As for the new CA, install ADCS on the new sub and during the installation you will be prompted to create a new certificate or use an existing one. Choose create a new certificate and generate a CSR. Take the CSR that is generated during the installation to the Root CA and issue it by using the CA mmc. Copy the certificate response back to the Sub CA and import it through the CA mmc. Then after the Sub CA is up you can make the necessary changes to the Sub CA's AIA and CDP locations before using it to issue certificates. Then use pkiview to verify your settings.

    • Marked as answer by MrUnderhill2 Monday, March 19, 2012 9:49 PM
    Wednesday, March 7, 2012 5:46 PM

All replies

  • First, I am guessing that there is a typo in this thread.  Your Standalone Root CA should not have a certificate issued from the domain joined sub.  This should be the other way around.  The Domain Joined sub should get a certificate issued from the Standalone Root.

    Second, are you logged in with Enterprise Admin rights? Being this is the second certificate it should be added to the existing object in AD. Thus when you look at it in PKIVIEW you will see 2 certificates, the first one issued and the second one from when you fixed the CDP location.

    Wednesday, March 7, 2012 1:01 PM
  • Hi NeoZero

    Appreciate the very quick reply. Yes you are correct, a typo on my part. My account is a domain and enterprise administrator. Can you explain a bit more in detail regarding "adding the new certificate to the existing object in A.D" please? In PKIview where do you check the certificates?

    I was having trouble getting the subordinate CA started; however, I used the command below, which started the CA:

    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE

    I still have the issue with the CDP CRL not being updated for the new http location. If I change the CDP CRL specifics on the root standalone CA, how do you propagate those changes?

    Apologies, as you can guess I am a PKI novice.

    Many Thanks Nick

    Wednesday, March 7, 2012 1:22 PM
  • To check in PKIview, right click the Enterprise PKI node and click "Manage AD Containers".  Click on the AIA Container Tab and this will display which certificates are already in the Directory.

    As for the CA service not starting... The CA needs to be able to contact one of the CDP locations in order for it to start. Like you stated, the CRLF_REVCHECK_IGNORE_OFFLINE flag will ignore this and start the service; however, this is a workaround and not really a fix. If it cannot, it will not start; check that the CA can contact the CDP locations.

    Lastly, be careful when looking at PKIView as it can be deceiving. It looks at the environment from the first time you opened it and will keep those settings in a sort of cache for 7 days. In order to kill the cache you have to perform the following.

    1. Close PKIView
    2. Open the Issued Certificates store on the CA where you are trying to run PKIView, look for a certificate issued from a template called "CA Exchange". Revoke it! * Don't worry, these certificates are only valid for 7 days and you are going to reissue it
    3. Open a command prompt and issue the command:
    certutil -cainfo xchg    * this reissues the CA Exchange certificate
    4. Open PKIView and see if the CDP locations are updated.

    Let me know your findings!


    • Edited by NeoZer0 Wednesday, March 7, 2012 2:58 PM typo
    Wednesday, March 7, 2012 2:57 PM
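The check NeoZer0 recommends above ("check that the CA can contact the CDP locations") can be scripted. The following is an added example, not code from the thread: run on the subordinate CA, it pulls the CDP and AIA URLs out of the issued sub CA certificate, fetches each HTTP location, flags file:// entries as unsupported, and reports whether the CRLF_REVCHECK_IGNORE_OFFLINE workaround is still set. The certificate path C:\subcacert.cer is a placeholder.

```powershell
# Added example (not from the thread). Run on the subordinate CA as a local administrator.
# Windows PowerShell 2.0 compatible (no Invoke-WebRequest), since this is Server 2008 R2.
$SubCaCertPath = 'C:\subcacert.cer'   # placeholder: the certificate returned by the root CA

function Get-CertificateUrls {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $urls = @()
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    foreach ($ext in $cert.Extensions) {
        $kind = switch ($ext.Oid.Value) { '2.5.29.31' { 'CDP' } '1.3.6.1.5.5.7.1.1' { 'AIA' } default { $null } }
        if (-not $kind) { continue }
        # Format() renders the extension as text containing "URL=<location>" entries
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $urls += New-Object PSObject -Property @{ Kind = $kind; Url = $m.Groups[1].Value }
        }
    }
    return $urls
}

function Test-PublicationUrl {
    param([string]$Url)
    # file:// is not used by clients for CRT/CRL retrieval (see Vadims' reply below)
    if ($Url -match '^file://') { return 'UNSUPPORTED (file:// is not used for CRT/CRL retrieval)' }
    if ($Url -match '^ldap://') { return 'SKIPPED (LDAP location; verify from a domain member)' }
    if ($Url -notmatch '^https?://') { return 'UNKNOWN SCHEME' }
    try {
        $bytes = (New-Object System.Net.WebClient).DownloadData($Url)
        # A DER-encoded CRL or certificate begins with an ASN.1 SEQUENCE tag (0x30);
        # an HTML error page served with HTTP 200 would fail this check.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { return 'OK' }
        return 'BAD CONTENT (served, but not a DER object)'
    } catch { return "OFFLINE ($($_.Exception.Message))" }
}

# One line per location: which extension it came from, the URL, and the result.
Get-CertificateUrls -Path $SubCaCertPath | ForEach-Object {
    '{0,-4} {1,-70} {2}' -f $_.Kind, $_.Url, (Test-PublicationUrl -Url $_.Url)
}

# The workaround flag hides CDP failures instead of fixing them; show whether it is on.
# certutil -getreg lists the symbolic names of the bits that are set.
$crlFlags = (certutil -getreg CA\CRLFlags 2>&1) -join "`n"
if ($crlFlags -match 'CRLF_REVCHECK_IGNORE_OFFLINE') {
    Write-Warning 'CRLF_REVCHECK_IGNORE_OFFLINE is set: the CA starts even when every CDP is unreachable.'
} else {
    'CRLF_REVCHECK_IGNORE_OFFLINE is not set.'
}
```

Any line reported OFFLINE or BAD CONTENT is a location the CA service itself will fail to reach at start-up, which is what produces the 0x80092013 error quoted later in this thread.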
  • Your problem is that the root CA certificate doesn't contain any CDP/AIA fields. They appear only in issued certificates. Therefore if you change CDP/AIA extensions on the root CA, you only need to re-issue the subordinate CA certificate.

    Also, file:// protocol is not supported for CRT/CRL file retrieval.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, March 7, 2012 3:50 PM
  • Hi NeoZero and Vadims

    My thanks to you both for your help. As I wasn't really getting anywhere with the subordinate CA I did the following.

    I uninstalled Certificate Services and removed all the server certs from PKIVIEW (Manage AD Containers). The Root CA is still online. I have re-deployed a new server (with a new name) as the subordinate CA; this time I have updated one of the CDP locations to our web server. This is showing as OK in PKIVIEW. I created a new CSR request on the standalone root CA as normal. I attempted to import this as normal; however, Certificate Services is still failing to start.

    I'm getting an error "The Revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)".

    I have removed the file protocol as suggested. If I change root CA settings, do I need to issue the certificate from the root or the subordinate? What is the process for this?

    I have been trying to follow the document below. Unfortunately my boss is driving me crazy to get this fixed asap.

    http://itbloggen.se/cs/blogs/kristoferohman/archive/2009/04/24/setting-up-a-tier-2-pki-structure.aspx

    It's kind of difficult when I'm just learning. Any other suggestions would be much appreciated.

    Thanks Nick

    Wednesday, March 7, 2012 5:01 PM
  • I would advise checking the AskDS weblog (instead of the one mentioned) for AD CS deployment guidance: http://blogs.technet.com/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

    I don't know what you are doing incorrectly, but I'll list some things:

    1) if your root CA is offline (will issue certificates to subordinate CAs only), you may consider using a long-lived CRL, about 6-12 months.

    2) configure only a local path (for file publishing) and one or two HTTP URLs for CRL retrieval. Note that you will have to manually move CRLs to the CRL distribution points. Make sure your selected HTTP URLs are accessible from inside and outside of your network (as a CRL distribution point you can use a corporate web server). Do the same for the AIA extension.

    3) publish the root CA's certificate to Active Directory: certutil -dspublish -f rootcacert.crt RootCA (it may take some time until all domain clients download and install it to their local stores). Distribute CRT and CRL files to all designated locations.

    4) install subordinate CA (Enterprise CA type). During installation select an option to save request to a file. (by default, request file is saved to system drive root).

    5) submit request file to your root CA. Move issued certificate from root CA server to subordinate CA server.

    6) install certificate by using the command: certutil -installcert subcacert.cer

    7) perform subordinate CA configuration.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, March 7, 2012 5:46 PM
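The root CA side of steps 1), 2), 3) and 5) above, written out as certutil commands. This is an added example, not Vadims' own script: it is run on the standalone root CA as a local administrator, and it also shows the re-issue of the pending subordinate request that his earlier reply says is needed, because the root certificate itself carries no CDP/AIA. Placeholders to replace: the HTTP location http://pki.example.com/pki, the CA name RootCA on host ROOTHOST, and the file paths C:\subca.req and C:\subca.cer.

```powershell
# Added example, not from the thread. Run on the standalone (offline) root CA.
$HttpBase = 'http://pki.example.com/pki'   # placeholder: web server that hosts the CRT/CRL files

# Step 1: offline root, so a long-lived base CRL (6 months) and no delta CRL.
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Step 2: CDP. Numeric prefix 1 = publish the CRL to this path when "certutil -crl" runs,
# prefix 2 = write this URL into the CDP extension of every certificate the root issues.
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL allowed. Only a local path plus one
# HTTP URL: no LDAP (the root is not domain joined) and no file:// (clients do not use it).
# certutil treats the literal "\n" in the value as the separator between entries.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"

# Same for AIA. %1 = server DNS name, %4 = certificate renewal suffix.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

# The registry settings are read at service start; then publish a fresh CRL locally.
Restart-Service certsvc
certutil -crl

# The new URLs only appear in certificates issued from now on, so re-issue the
# subordinate CA certificate. A standalone root leaves submitted requests pending:
# submit, approve by request ID, then retrieve the issued certificate.
$submitOutput = certreq -submit -config "ROOTHOST\RootCA" C:\subca.req
$requestId = [regex]::Match(($submitOutput -join ' '), 'RequestId:\s*(\d+)').Groups[1].Value
certutil -resubmit $requestId
certreq -retrieve -config "ROOTHOST\RootCA" $requestId C:\subca.cer

# Step 3 is done on a domain member with Enterprise Admin rights, after the CRT and CRL
# from the CertEnroll folder have been copied off the root CA to the web server:
#   certutil -dspublish -f "<root CA certificate>.crt" RootCA
#   certutil -dspublish -f "<root CA CRL>.crl"
# Step 5 then finishes on the subordinate CA:
#   certutil -installcert C:\subca.cer
```

Because the root is kept offline, the copy of the CRT and CRL files to the web server and the dspublish step are manual and must be repeated every time a new CRL is published.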
  • Good morning guys

    Thanks again for the information. I have now managed to get the subordinate CA started with a new certificate (I must be learning something slowly); my next challenge is to get "network device enrollment" working in order to use SCEP with our Cisco AnyConnect device. Can you recommend any easy setup guides? The Microsoft information is a bit daunting.

    At present I have the "network device enrollment" role service installed on the subordinate CA. According to the Microsoft docs, the information suggests duplicating the following templates.

    CepEncryption and Exchange Enrollment Agent (Offline) - I have duplicated these templates; however, they don't appear as an option on the subordinate CA "New\Certificate Template to issue". I can see them in A.D and replication should be fine as it's all in a local LAN site.

    Cheers

    Nick

    Thursday, March 8, 2012 12:39 PM