certutil - crl gives error: The object name has bad syntax. 0x8007208f (WIN32: 8335)

    Question

  • Hi, I followed the details here to decommission my old PKI Root and Issuing CAs http://support.microsoft.com/kb/889250 as I had made the wrong choice of crypto provider. This seemed to go without issue and all DCs were cleaned up as per the instructions.

    I then remade a single Online Enterprise Root CA on a brand new machine after reading Windows Server 2008 PKI and Certificate Security, using the following CAPolicy.inf:

    [Version]
    Signature = $Windows NT$

    [Certsrv_Server]
    RenewalKeyLength = 2048
    RenewalValidityPeriodUnits = 10
    RenewalValidityPeriod = years

    CRLPeriod = days
    CRLPeriodUnits = 2
    CRLDeltaPeriodUnits = 12
    ; the [Certsrv_Server] key is CRLDeltaPeriod (not CRLDeltaUnits); an unknown key is silently ignored
    CRLDeltaPeriod = hours


    And as post-install tasks I ran the following:

    ::Post-install script, meant to be run as a .cmd file: in a batch file %% is the escape
    ::for a literal %, and certutil/the CA then expands %1..%11 (%3 = CA name, %8 = CRL name
    ::suffix, %9 = "+" for a delta CRL, %6 = Configuration DN, and so on)

    ::Declare Configuration NC
    certutil -setreg CA\DSConfigDN CN=Configuration,DC=rotarymep,DC=com

    ::Define CRL Publication Intervals
    certutil -setreg CA\CRLPeriodUnits 2
    certutil -setreg CA\CRLPeriod "Days"
    certutil -setreg CA\CRLDeltaPeriodUnits 12
    certutil -setreg CA\CRLDeltaPeriod "Hours"

    ::Apply the required CDP Extension URLs (65 = publish CRL + delta CRL to the file path,
    ::79 = publish to LDAP and include in CDP/freshest-CRL extensions, 6 = include HTTP URL in CDP/freshest-CRL)
    certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n6:http://www.rotarymep.com/certdata/%%3%%8%%9.crl"

    ::Apply the required AIA Extension URLs
    certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.rotarymep.com/certdata/%%1_%%3%%4.crt"

    ::Enable all auditing events on the CA
    certutil -setreg CA\AuditFilter 127

    ::Set Validity Period for Issued Certificates
    certutil -setreg CA\ValidityPeriodUnits 2
    certutil -setreg CA\ValidityPeriod "Years"

    ::Restart Certificate Services, wait for it to come up, then publish a new CRL
    ::(timeout is built into Server 2008; sleep needs the Resource Kit. The switch is an ASCII hyphen: -crl)
    net stop certsvc & net start certsvc
    timeout /t 5
    certutil -crl

    However, running "certutil -crl" gives me the following error:

    C:\Users\administrator.ROTARYMEP>certutil -crl
    CertUtil: -CRL command FAILED: 0x8007208f (WIN32: 8335)
    CertUtil: The object name has bad syntax.

    On checking the event log I see the following errors:

    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          23/09/2008 16:04:05
    Event ID:      74
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      RMEP-ENTROOTCA.rotarymep.com
    Description:
    Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location on server RMEP-HQ-SVR001.rotarymep.com:
    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10.  The object name has bad syntax. 0x8007208f (WIN32: 8335).
    ldap: 0x22: 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:
     'CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10']


    Log Name:      Application
    Source:        Microsoft-Windows-CertificationAuthority
    Date:          23/09/2008 16:04:05
    Event ID:      66
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      RMEP-ENTROOTCA.rotarymep.com
    Description:
    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location:
    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10.  Operation aborted 0x80004004 (-2147467260).

    On checking pkiview.msc there are big red crosses for the CRL locations (expected for the website, as nothing is published there yet), but for LDAP it says "Unable to download".

    Locations for AIA #1 are:

    ldap:///CN=%7,CN=AIA,CN=Public%20Key%20Services,CN=Services,%6%11

    And for CDP #1 are:

    ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public%20Key%20Services,CN=Services,%6%10

    On checking the filesystem I can see the following files:

    C:\Users\administrator.ROTARYMEP>dir C:\Windows\System32\certsrv\CertEnroll
     Volume in drive C has no label.
     Volume Serial Number is D046-E2F6

     Directory of C:\Windows\System32\certsrv\CertEnroll

    23/09/2008  16:18    <DIR>          .
    23/09/2008  16:18    <DIR>          ..
    23/09/2008  16:18               644 %3%8%9.crl
    23/09/2008  15:35               360 nsrev_Rotary International Enterprise Root CA.asp
    23/09/2008  15:35               931 RMEP-ENTROOTCA.rotarymep.com_Rotary International Enterprise Root CA.crt
    23/09/2008  15:35               797 Rotary International Enterprise Root CA+.crl
    23/09/2008  15:35             1,138 Rotary International Enterprise Root CA.crl
                   5 File(s)          3,870 bytes
                   2 Dir(s)  20,894,150,656 bytes free


    The file above named %3%8%9.crl doesn't look right to me, but I'm really stumped. The CA can ping both DCs without any problem. Any ideas as to what I have done wrong?

    Many thanks in advance,

    Chris

    • Edited by g18c Tuesday, September 23, 2008 12:32 PM
    Tuesday, September 23, 2008 12:27 PM

Answers

  • Hi Chris,

    Maybe not a full explanation yet... but none of the variables get replaced by their corresponding values.

    Therefore the CRL file has such a weird name and the LDAP location is not found - the CA is searching for an LDAP container literally named %2, for example. As a consequence you see an error in pkiview, because you try to access an object / attribute that has not been created / populated with the CRL yet.

    The dir view shows that with the previous version of the CDP paths the replacement did work (files dated 15:35).

    I assume that in the Published CRL Location extension of the CRL you will also see the %... variables instead of the real names of objects? If you run certutil -crl the LDAP URL is read from the CRL.

    I am still trying to figure out why the variables would not get replaced - in theory the scripts should work if you mask all these variables with a % sign in a batch file. If executed directly on the command line the masking % needs to be removed. Wild guess: some specific setting for the command shell?

    Do you have a dump of the output of your script?

    Does it change anything if you execute the command for the CDPs on the command line? I would create the text in Notepad by copying it from the script and removing one % for each variable, then pasting it into a cmd window.

    Thus finally you should run the following from the command line:

    certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://www.rotarymep.com/certdata/%3%8%9.crl"

    Other explanation: did you copy the script directly from an HTML page? I once had issues with copying these scripts between DOC and TXT, because the dash seemed to have been formatted in a different way (though invisibly). Retyping the dash solved the issue. I am not sure if the same thing might happen to % signs....

    BR,
    Elke

    • Marked as answer by g18c Wednesday, September 24, 2008 5:25 PM
    Tuesday, September 23, 2008 8:21 PM

All replies

  • Hi Elke, this was indeed a copy and paste error - I had copied the lines from the script with the %% elements in and pasted them into a command window directly; this indeed caused the error! Silly mistake. Thanks for solving this.

    Regards

    Chris
    • Proposed as answer by Jimbo Wang Thursday, December 17, 2009 3:03 PM
    Wednesday, September 24, 2008 5:25 PM
  • That's right. Some people, just like me, did that: when I copied the script from the book I hadn't even read the description, so I did the same thing and added an extra % at the cmd prompt (but if you are using a batch file, in that case you do need to add the extra % before the % elements).

    Thursday, December 17, 2009 3:05 PM
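The two rewriting layers Elke describes and Chris confirms (cmd.exe, which treats %% differently in a batch file and at an interactive prompt, and the CA, which then expands %1..%11 and turns a surviving %% into a literal %) can be traced end to end. The Python below is an added example, not code from the thread or from Microsoft: it runs the thread's own CRLPublicationURLs line through both paths and reports what the CA would publish, plus any %N tokens left unexpanded (the check to run against `certutil -getreg CA\CRLPublicationURLs` output before trusting it). The token numbering (%1 ServerDNSName through %11 CAObjectClass) and the flag bits are certutil's documented ones; the CA property values, the %windir% value and the wording of the flag descriptions are assumptions.

```python
"""Trace a certutil -setreg CA\\CRLPublicationURLs template through cmd.exe
and the CA's own %-expansion (added example, not code from the thread).

  1. cmd.exe: in a batch file '%%' collapses to '%', '%N' becomes batch
     argument N (empty here) and '%VAR%' is an environment variable.  At an
     interactive prompt only '%VAR%' is expanded; '%%' and '%N' pass through.
  2. The CA: '%1'..'%11' become CA properties and '%%' becomes a literal '%'
     (which is how the thread ended up with '%3%8%9.crl' and 'CN=%7%8,CN=%2').
"""
import re

# Constructed sample values for the thread's CA (assumed, not from the page).
CA_PROPS = {
    "1": "RMEP-ENTROOTCA.rotarymep.com",             # ServerDNSName
    "2": "RMEP-ENTROOTCA",                           # ServerShortName
    "3": "Rotary International Enterprise Root CA",  # CaName
    "4": "",                                         # CertificateName (renewal index)
    "5": "DC=rotarymep,DC=com",                      # DomainDN
    "6": "CN=Configuration,DC=rotarymep,DC=com",     # ConfigDN
    "7": "Rotary International Enterprise Root CA",  # SanitizedCaName
    "8": "",                                         # CRLNameSuffix (key index)
    "9": "",                                         # DeltaCRLAllowed: "" or "+"
    "10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # CDPObjectClass
    "11": "?cACertificate?base?objectClass=certificationAuthority",           # CAObjectClass
}
ENV = {"windir": r"C:\Windows"}  # assumed environment on the CA

# Flag bits prefixed to each CRLPublicationURLs entry (CSURL_* in certsrv.h).
CRL_FLAGS = {
    1: "publish CRLs here",
    2: "include in CDP extension of issued certs",
    4: "include in CRLs (clients find delta CRLs here)",
    8: "include in all CRLs / publish here on manual publish",
    64: "publish delta CRLs here",
    128: "include in IDP extension of issued CRLs",
}

_BATCH = re.compile(r"%%|%([1-9])|%([A-Za-z_]\w*)%")
_INTERACTIVE = re.compile(r"%([A-Za-z_]\w*)%")
_CA = re.compile(r"%%|%(1[01]|[1-9])")  # two-digit tokens before one-digit


def cmd_batch(line, env=ENV, args=()):
    """What certutil receives when the line is run from a .cmd file."""
    def sub(m):
        if m.group(0) == "%%":
            return "%"
        if m.group(1):                       # %N -> batch argument N
            n = int(m.group(1))
            return args[n - 1] if n <= len(args) else ""
        return env.get(m.group(2), "")       # %VAR% -> value, or empty if unset
    return _BATCH.sub(sub, line)


def cmd_interactive(line, env=ENV):
    """What certutil receives when the same line is pasted at a cmd prompt."""
    return _INTERACTIVE.sub(lambda m: env.get(m.group(1), m.group(0)), line)


def ca_expand(stored, delta=False, props=CA_PROPS):
    """The location the CA publishes to, given the value stored in the registry."""
    p = dict(props, **{"9": "+" if delta else ""})
    return _CA.sub(lambda m: "%" if m.group(0) == "%%" else p[m.group(1)], stored)


def unexpanded(text):
    """%N tokens still present after CA expansion: a broken template."""
    return re.findall(r"%\d+", text)


def split_entries(value):
    """certutil takes the entries as one string joined by a literal backslash-n."""
    return [(int(f), u) for f, u in (e.split(":", 1) for e in value.split("\\n"))]


def describe_flags(flags):
    return [desc for bit, desc in CRL_FLAGS.items() if flags & bit]


# The CRLPublicationURLs value from the thread's post-install script, verbatim.
SCRIPT_LINE = (r"65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n"
               r"79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n"
               r"6:http://www.rotarymep.com/certdata/%%3%%8%%9.crl")


def trace(line, via_batch):
    """Map each stored URL to (flag descriptions, base CRL path, delta CRL path, leftovers)."""
    stored = cmd_batch(line) if via_batch else cmd_interactive(line)
    result = {}
    for flags, url in split_entries(stored):
        base, delta = ca_expand(url), ca_expand(url, delta=True)
        result[url] = (describe_flags(flags), base, delta, unexpanded(base))
    return result


if __name__ == "__main__":
    for via_batch in (True, False):
        print("run from a batch file:" if via_batch else "pasted at the prompt:")
        for stored, (flags, base, delta, left) in trace(SCRIPT_LINE, via_batch).items():
            print("  stored :", stored)
            print("  flags  :", "; ".join(flags))
            print("  base   :", base)
            print("  delta  :", delta)
            if left:
                print("  BROKEN : unexpanded tokens", left)
```

Run it and the "pasted at the prompt" branch reproduces the thread's symptoms exactly (a %3%8%9.crl file and an LDAP DN containing CN=%7%8,CN=%2), while the batch branch yields the CA-name .crl files and the full CDP distinguished name; the `unexpanded()` list is what to look for in any CDP/AIA URL that pkiview.msc flags as "Unable to download".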