Networking Forums

Standalone Root CA

 
 
Dave Lee
11-25-2008, 01:03 PM
Hi all

Wondering if someone can help me. I'm attempting to set up a PKI which we
can use to automatically give out certs to users and computers. Initially
this is just so that people can use digital signatures but will probably be
extended to cover other applications later on. The plan is to have an
offline standalone root CA with an Enterprise subordinate CA in each of our
domains, which will issue the certificates.

I've run into trouble configuring the offline root. I've installed
Certificate Authority on the standalone machine, I've changed the CDP and
AIA to a location within our AD and one on a web server. I then renewed the
certificate and published a new CRL. Exported them both, imported the
certificate into the Trust Roots in the Domain Policy. I've used
certutil -dspublish to import the AIA and CDP information into AD. Used
ADSIedit to check that the information is in fact in AD, which it is.

Then the instructions say to use "certutil -URL certname.cer" to check that
a machine can successfully locate and download the AIA and CDP info from AD
and the web server. It's at this final point that it falls over. The
little app picks up on the correct Certificate Subject but nothing is filled
in the "Url to Download" section and it won't Retrieve anything. It all
looks okay but I'm loath to go ahead with configuring the first Enterprise
subordinate CA until I'm certain this is working.

In adsiedit it shows the DN for the CDP as
CN=gb-ca-1,CN=gb-ca-1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=gms,DC=com

Output of certutil -getreg ca\CRLPublicationURLs is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\GB-CA-1\CRLPublicationURLs:

CRLPublicationURLs REG_MULTI_SZ =
0: 65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl
CSURL_SERVERPUBLISH -- 1
CSURL_SERVERPUBLISHDELTA -- 40 (64)

1: 14:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
CSURL_ADDTOCERTCDP -- 2
CSURL_ADDTOFRESHESTCRL -- 4
CSURL_ADDTOCRLCDP -- 8

2: 2:http://www.mywebsite.com/pki/%3%8%9.crl
CSURL_ADDTOCERTCDP -- 2

The ldap entry seems to match up okay. The only thing that is a little
concerning is that the replacement tokens %7%8 are used in the first part
but only %7 seems to be showing as part of the DN as it is in Active
Directory. I'm guessing that %8 (the CRLNameSuffix) is actually blank
though, which is why it appears to be missing.

Does anyone have any idea what I might be missing here as I'm at a loss
now!

thanks

Dave
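The token expansion Dave is reasoning about (%7%8 with an empty CRLNameSuffix) can be checked offline. The Python script below is an added example, not part of the original post and not certutil's own code: it parses the three CRLPublicationURLs entries quoted above, decodes the numeric flag prefix into the CSURL_* names certutil prints, and expands the %1..%11 tokens for a constructed set of CA properties. The token numbers and flag bits are the ones Microsoft documents for CRLPublicationURLs; the gms.com host names, the ConfigDN and the "(1)" renewal suffix used to show why %8 exists are assumptions made for the example.

```python
"""Expand certutil CRLPublicationURLs entries the way the CA service does.

Added example, not from the original post. Token numbers and flag bits follow
Microsoft's documentation for CRLPublicationURLs; the CA property values are
constructed to resemble the poster's environment and are assumptions.
"""
import re

# Flag bits carried in the numeric prefix of each entry ("65:", "14:", "2:").
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",        # CA writes the base CRL to this location
    2: "CSURL_ADDTOCERTCDP",         # URL goes into the CDP extension of issued certs
    4: "CSURL_ADDTOFRESHESTCRL",     # URL goes into the Freshest CRL extension
    8: "CSURL_ADDTOCRLCDP",          # URL goes into the CDP extension of the CRL itself
    64: "CSURL_SERVERPUBLISHDELTA",  # CA writes delta CRLs to this location too
}

# Constructed CA properties standing in for the real registry and AD values.
CA_PROPERTIES = {
    "ServerDNSName": "gb-ca-1.gms.com",              # %1  (assumed)
    "ServerShortName": "gb-ca-1",                    # %2
    "CaName": "gb-ca-1",                             # %3
    "CertificateName": "",                           # %4  ("" for the first CA cert)
    "DomainDN": "DC=gms,DC=com",                     # %5
    "ConfigDN": "CN=Configuration,DC=gms,DC=com",    # %6  (assumed forest config NC)
    "CATruncatedName": "gb-ca-1",                    # %7  (sanitized, truncated CA name)
    "CRLNameSuffix": "",                             # %8  (empty until the CA key is renewed)
    "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",  # %10
    "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",             # %11
}

# %9 (DeltaCRLAllowed) is computed per CRL type rather than stored.
TOKEN_ORDER = ["ServerDNSName", "ServerShortName", "CaName", "CertificateName",
               "DomainDN", "ConfigDN", "CATruncatedName", "CRLNameSuffix",
               "DeltaCRLAllowed", "CDPObjectClass", "CAObjectClass"]

# The three entries from the post, re-typed here as constructed sample input.
SAMPLE_ENTRIES = [
    r"65:C:\WINDOWS\system32\CertSrv\CertEnroll\%3%8%9.crl",
    "14:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
    "2:http://www.mywebsite.com/pki/%3%8%9.crl",
]


def decode_flags(value):
    """Return the CSURL_* names whose bits are set in an entry's prefix."""
    return [name for bit, name in sorted(CSURL_FLAGS.items()) if value & bit]


def expand(template, props, delta=False):
    """Substitute %1..%11 in a publication URL template.

    %9 becomes '+' for a delta CRL and '' for a base CRL, which is why
    %3%8%9.crl yields 'gb-ca-1.crl' and 'gb-ca-1+.crl'.  %10 and %11 are
    matched before %1 so that '%10' is not read as '%1' followed by '0'.
    """
    values = dict(props, DeltaCRLAllowed="+" if delta else "")
    return re.sub(r"%(1[01]|[1-9])",
                  lambda m: values[TOKEN_ORDER[int(m.group(1)) - 1]],
                  template)


def parse_entry(line):
    """Split 'flags:template' as printed by certutil -getreg."""
    flags, template = line.split(":", 1)
    return int(flags), template


def resolve(entries, props):
    """Expand every entry into its base and delta URL plus decoded flags."""
    resolved = []
    for line in entries:
        flags, template = parse_entry(line)
        resolved.append({
            "flags": decode_flags(flags),
            "base": expand(template, props),
            "delta": expand(template, props, delta=True),
        })
    return resolved


def ldap_dn(url):
    """Return the DN part of an ldap:/// URL (what ADSIEdit shows)."""
    return url[len("ldap:///"):].split("?", 1)[0]


if __name__ == "__main__":
    for entry in resolve(SAMPLE_ENTRIES, CA_PROPERTIES):
        print(entry["flags"])
        print("  base :", entry["base"])
        print("  delta:", entry["delta"])
    # After a key renewal CRLNameSuffix becomes "(1)", so %8 is no longer blank.
    renewed = dict(CA_PROPERTIES, CRLNameSuffix="(1)")
    print(expand("%3%8%9.crl", renewed))
```

Running it shows that with CRLNameSuffix empty the LDAP entry expands to exactly the DN Dave found in ADSIEdit (CN=gb-ca-1,CN=gb-ca-1,CN=CDP,...), so the missing %8 is expected for a CA whose key has not been renewed; only after a renewal with a new key does the object name pick up a "(1)" suffix.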


 