Standalone Root CA
- From: "Dave Lee" <dave.lee@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 25 Nov 2008 14:03:06 -0000
Hi all
Wondering if someone can help me. I'm attempting to set up a PKI which we
can use to automatically give out certs to users and computers. Initially
this is just so that people can use digital signatures, but it will probably be
extended to cover other applications later on. The plan is to have an
offline standalone root CA with an Enterprise subordinate CA in each of our
domains, which will issue the certificates.
I've run into trouble configuring the offline root. I've installed
Certificate Authority on the standalone machine, I've changed the CDP and
AIA to a location within our AD and one on a web server. I then renewed the
certificate and published a new CRL. Exported them both, imported the
certificate into the Trust Roots in the Domain Policy. I've used
certutil -dspublish to import the AIA and CDP information into AD. Used
ADSIedit to check that the information is in fact in AD, which it is.
Then the instructions say to use "certutil -URL certname.cer" to check that
a machine can successfully locate and download the AIA and CDP info from AD
and the web server. It's at this final point that it falls over. The
little app picks up on the correct Certificate Subject, but nothing is filled
in the "Url to Download" section and it won't Retrieve anything. It all
looks okay, but I'm loath to go ahead with configuring the first Enterprise
subordinate CA until I'm certain this is working.
In adsiedit it shows the DN for the CDP as
CN=gb-ca-1,CN=gb-ca-1,CN=CDP,CN=Public Key
Services,CN=Services,CN=Configuration,DC=gms,DC=com
Output of certutil -getreg ca\CRLPublicationURLs is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\GB-CA-1\CRLPublicationURLs:
CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)
1: 14:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key
Services,CN=Services,%6%10
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CSURL_ADDTOCRLCDP -- 8
2: 2:http://www.mywebsite.com/pki/%3%8%9.crl
CSURL_ADDTOCERTCDP -- 2
The ldap entry seems to match up okay. The only thing that is a little
concerning is that the replacement tokens %7%8 are used in the first part
but only %7 seems to be showing as part of the DN as it is in Active
Directory. I'm guessing that %8 (the CRLNameSuffix) is actually blank
though, which is why it appears to be missing.
Does anyone have any idea what I might be missing here, as I'm at a loss
now!
thanks
Dave
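As an added example (not from Dave's post), the script below decodes the CRLPublicationURLs entries quoted above: it splits each entry into its CSURL flag bits and its template, expands the %n replacement tokens the way the CA does, and lists which URLs would actually land in the CDP extension of certificates this CA issues (only entries with the CSURL_ADDTOCERTCDP bit). The token values for %2, %3, %6 and %7 are constructed from the names in the post (gb-ca-1, DC=gms,DC=com); %8 and %9 are assumed empty, as they are for the first CA key and a base CRL.

```python
# Bit flags certutil prints beside each CRLPublicationURLs entry
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",
    2: "CSURL_ADDTOCERTCDP",
    4: "CSURL_ADDTOFRESHESTCRL",
    8: "CSURL_ADDTOCRLCDP",
    16: "CSURL_PUBLISHRETRY",
    32: "CSURL_ADDTOIDP",
    64: "CSURL_SERVERPUBLISHDELTA",
    128: "CSURL_ADDTOCERTOCSP",
}

# Replacement tokens used in CA URL templates; values constructed for the CA
# named in the post (gb-ca-1 in the gms.com forest), not taken from a live CA.
TOKENS = {
    "%2": "gb-ca-1",                          # ServerShortName
    "%3": "gb-ca-1",                          # CaName
    "%6": "CN=Configuration,DC=gms,DC=com",   # ConfigurationContainer
    "%7": "gb-ca-1",                          # CATruncatedName
    "%8": "",                                 # CRLNameSuffix: empty for the first CA key
    "%9": "",                                 # DeltaCRLAllowed: empty for a base CRL
    "%10": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
}

def parse_entry(entry):
    """Split 'flags:template' into (int flags, str template)."""
    flags, template = entry.split(":", 1)
    return int(flags), template

def decode_flags(flags):
    """Names of the CSURL_* bits set in a numeric flag value (e.g. 65 -> 1 + 64)."""
    return [name for bit, name in CSURL_FLAGS.items() if flags & bit]

def expand(template, tokens=TOKENS):
    """Substitute %n tokens; longest first so %10 is not split into %1 + '0'."""
    for tok in sorted(tokens, key=len, reverse=True):
        template = template.replace(tok, tokens[tok])
    return template

def cdp_urls_in_issued_certs(entries):
    """URLs that end up in the CDP extension of certificates this CA issues."""
    return [expand(t) for f, t in map(parse_entry, entries) if f & 2]

# Constructed from the certutil -getreg output quoted in the post
ENTRIES = [
    r"65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl",
    "14:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
    "2:http://www.mywebsite.com/pki/%3%8%9.crl",
]

if __name__ == "__main__":
    for flags, template in map(parse_entry, ENTRIES):
        print(flags, decode_flags(flags), "->", expand(template))
```

The expanded ldap entry reproduces the CN=gb-ca-1,CN=gb-ca-1,CN=CDP,... DN seen in ADSIedit, which is consistent with %8 being blank rather than missing.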