Failing to publish CRL into AD

    Question

  • Hi,

    I'm implementing a brand new PKI.

    I've been following the MS Press "Windows Server 2008 PKI and Certificate Security" book intently and have been implementing everything almost verbatim, as the situation fits mine very well: I'm deploying a 2-tier PKI (an offline root and a pair of Issuing/Policy CAs), and for all intents and purposes I'm on page 133 of this book.

    My offline root is a Standard Edition/Standalone CA; let's use rootca as its hostname. My second tier is my DCs in two locations.

    My friendly name for my CA is NewRootCA.

    These make it easy to obscure the real identities and keep it consistent throughout this troubleshooting thread.

    My issue is that when using the commands:

    certutil -dspublish -f rootca_NewRootCA.crt RootCA
    certutil -dspublish -f NewRootCA.crl

    the second command, trying to publish the CRL, fails with the following error:

    C:\>certutil -dspublish -f NewRootCA.crl
    ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services,
    DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

    ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
            ref 1: 'unavailableconfigdn'

    CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
    CertUtil: A referral was returned from the server.

    If I browse my AD using the sysinternals ADExplorer, I see both

    CN=NewRootCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal
    CN=NewRootCA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal

    Nothing under

    CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal

    In my head at least - I believe it's something to do with the naming where the CRL is trying to insert data into :

    ldap:///CN=NewRootCA,CN=rootca ,CN=CDP,CN=Public Key Services,CN=Services,.........

    rather than

    ldap:///CN=NewRootCA,CN=CDP,CN=Public Key Services,CN=Services,..........

    though I do see the text (in bold)

    ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services,
    DC=UnavailableConfigDN ?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList

    in this part of the error and that doesn't fill me with confidence.

    Could anyone please help me out with my predicament?

    Regards

    Paul.

    Wednesday, July 07, 2010 8:39 AM

Answers

  • Hi Paul --

    Follow these steps:

    http://technet.microsoft.com/en-us/library/cc737740%28WS.10%29.aspx

    After restarting Certificate Services on your CA, manually publish a new CRL, then publish that CRL to Active Directory.

    Hope this helps,

    Jonathan Stephens


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by PBeyer_WRK Wednesday, July 07, 2010 12:49 PM
    Wednesday, July 07, 2010 10:35 AM

All replies

  • Hi Jonathan,

    Thanks for your quick reply.

    The first command in this article seemed to be duplicating data I already had

    certutil -setreg ca\DSConfigDN "CN=Configuration, DNpath "

    The second command was adding data which I DIDN'T have in my RootCA's registry. I've run this command as so:

    certutil -setreg ca\DSDomainDN "DC=domain,DC=internal "

    The command successfully added the extra key into the registry and I'll go through re-issuing the SubCA's cert etc. right now and see if I can get it to accept the changes so that running the command

    certutil -dspublish -f NewRootCA.crl

    on the Issuing CA doesn't cause errors.

    I'll be back to you shortly to update on progress.

    Regards

    Paul.

    Wednesday, July 07, 2010 11:09 AM
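The steps in Jonathan's answer and the two `certutil -setreg` commands Paul ran above, put together as one check-and-fix script. This is an added example, not code from the thread, from the TechNet article or from Microsoft. It is written in two parts because the procedure spans two machines: Part 1 runs on the offline standalone root CA (verify or set `DSConfigDN`/`DSDomainDN`, restart CertSvc, regenerate the CRL, and refuse to hand over a CRL that still carries the `UnavailableConfigDN` placeholder seen in the error), and Part 2 runs on a domain-joined machine such as the issuing CA after the CRL file has been copied over (`-dspublish`, then list what actually exists under `CN=CDP`, which is the container Paul found empty in ADExplorer). The forest DN `DC=domain,DC=internal`, the CA name `NewRootCA` and the default CertEnroll path are the thread's own placeholder values and are assumed here; the function names are mine.

```powershell
# Added example (not from the thread or Microsoft). Assumed/hypothetical values:
# forest DC=domain,DC=internal, CA common name NewRootCA, default CertEnroll path.
$DomainDN = 'DC=domain,DC=internal'
$ConfigDN = "CN=Configuration,$DomainDN"
$CrlFile  = 'C:\Windows\System32\CertSrv\CertEnroll\NewRootCA.crl'

function Get-ActiveCaRegPath {
    # certutil -setreg ca\<name> writes under Configuration\<Active CA name>
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $cfg -Name Active).Active
    return Join-Path $cfg $active
}

function Test-CaDsValue {
    # Returns $true when the registry value matches what the article expects
    param([string]$Name, [string]$Expected)
    $current = (Get-ItemProperty -Path (Get-ActiveCaRegPath) -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Expected) { Write-Host "OK   $Name = $current"; return $true }
    Write-Warning "$Name is '$current', expected '$Expected'"
    return $false
}

# ---- Part 1: run on the offline root CA as a local administrator -------------
$cfgOk = Test-CaDsValue -Name DSConfigDN -Expected $ConfigDN
$domOk = Test-CaDsValue -Name DSDomainDN -Expected $DomainDN
if (-not ($cfgOk -and $domOk)) {
    # The same two values Paul set by hand; the CA only reads them on restart
    & certutil.exe -setreg ca\DSConfigDN "$ConfigDN" | Out-Null
    & certutil.exe -setreg ca\DSDomainDN "$DomainDN" | Out-Null
    Restart-Service -Name CertSvc
}

# Regenerate the CRL so its LDAP URL is built from the corrected DNs
& certutil.exe -crl | Out-Null

# Guard: a CRL whose dump still mentions UnavailableConfigDN was built with the
# old (missing) DSConfigDN and will produce the referral error again
$dump = & certutil.exe -dump "$CrlFile"
if ($dump -match 'UnavailableConfigDN') {
    throw "$CrlFile still carries the UnavailableConfigDN placeholder; do not copy it to the issuing CA."
}

# ---- Part 2: run on the domain-joined issuing CA after copying $CrlFile over --
function Publish-RootCrlToAd {
    param([string]$Path)
    & certutil.exe -dspublish -f "$Path"
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed with exit code $LASTEXITCODE" }
}

function Get-AdCdpObjects {
    # Lists every cRLDistributionPoint object under CN=CDP and whether it holds a
    # CRL blob; an empty result is exactly what Paul saw in ADExplorer
    $root = [ADSI]"LDAP://CN=CDP,CN=Public Key Services,CN=Services,$ConfigDN"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=cRLDistributionPoint)'
    [void]$searcher.PropertiesToLoad.Add('certificateRevocationList')
    foreach ($r in $searcher.FindAll()) {
        $blob = $r.Properties['certificaterevocationlist']
        [pscustomobject]@{
            DN       = $r.Path
            HasCrl   = ($blob.Count -gt 0)
            CrlBytes = if ($blob.Count -gt 0) { $blob[0].Length } else { 0 }
        }
    }
}

Publish-RootCrlToAd -Path $CrlFile
Get-AdCdpObjects | Format-Table -AutoSize
```

Part 2 needs an account that can write to the Configuration partition (Enterprise Admins or a member of Cert Publishers), and the `Get-AdCdpObjects` listing is the quickest way to confirm the publish actually landed: the entry for the CA should appear with `HasCrl` set to `True` and a non-zero byte count.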
  • Hi Jonathan,


    The solution you pointed me to definitely worked. Thank you very much. One registry entry and all that bother!

    Thank you very much for responding so quickly too - I had written that one off as a couple days till I could do something with it!


    Kind Regards

    Paul.

    Wednesday, July 07, 2010 12:49 PM
  • It worked for me!!!!!

    Manually delete the .crl from the "Windows\System32\CertSrv\CertEnroll" folder and then re-generate
    it using the certificates management console on the Root CA (right-click Publish on the "Revoked Certificates" node). Then copy the new .crl file to the subordinate CA and run the command

    e.g.: certutil -dspublish -f "C:\Windows\System32\CertSrv\CertEnroll\filename.crl"

    Cheers

    Jobin

    • Proposed as answer by jcyriac Tuesday, July 31, 2012 12:24 AM
    Sunday, July 15, 2012 8:22 PM