Log file location to look for messages related to weekly CRL publish

Question

Wednesday, August 30, 2017 4:37 PM

Where will I find messages related to the Revoked Certificates Publish task? I manually clicked on Publish, but I did not see the file change.

Thank you.

Marge

All replies (7)

Wednesday, August 30, 2017 4:53 PM ✅ Answered

I would look in the AD/CS Certification Authority's local application log.

  • 62 - Active Directory Certificate Services had problems loading valid certificate revocation list (CRL) publication values and has reset the CRL publication interval to its default settings.
  • 65 - Active Directory Certificate Services could not publish a base certificate revocation list (CRL) for key %1 to the following location: %2. %3.%5%6
  • 66 - Active Directory Certificate Services could not publish a delta certificate revocation list (CRL) for key %1 to the following location: %2. %3.%5%6
  • 67 - Active Directory Certificate Services made %1 attempts to publish a certificate revocation list (CRL) and will not attempt to publish a CRL until the next CRL is generated.
  • 74 - Active Directory Certificate Services could not publish a base certificate revocation list (CRL) for key %1 to the following location on server %4: %2. %3.%5%6
  • 75 - Active Directory Certificate Services could not publish a delta certificate revocation list (CRL) for key %1 to the following location on server %4: %2. %3.%5%6
  • 130 - Active Directory Certificate Services could not create a certificate revocation list (CRL). %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the CRL manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

More info:

https://technet.microsoft.com/en-us/library/cc774545(v=ws.10).aspx

Question, did the dates on the CRL change? or did the contents of the file not change?

-Wayne
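Added example (not part of the original thread): a PowerShell query for the CRL-publication events listed above, run on the CA itself. It assumes a Windows Server 2008 or later CA, where these events are written to the Application log under the provider name Microsoft-Windows-CertificationAuthority; the 14-day window is an arbitrary default.

```powershell
# Added example, not from the thread: pull the AD CS CRL publication
# warnings/errors (62, 65, 66, 67, 74, 75, 130) out of the CA's Application log.
# Assumption: Windows Server 2008+ provider name 'Microsoft-Windows-CertificationAuthority'.

$CrlEventIds = 62, 65, 66, 67, 74, 75, 130

function Get-CrlPublishFailures {
    param(
        [int]$Days = 14,                          # how far back to look (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME # the CA; remote name works if Event Log RPC is open
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
        Id           = $CrlEventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches,
    # so swallow it and let the pipeline return nothing.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            # the messages are multi-line; keep the first line for a table view
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-CrlPublishFailures | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty result means no recorded failure, not a confirmed publish: these IDs are all warnings or errors, which the CA records at its default LogLevel of 3, but a successful publish is not written to the Application log at all. It shows up only as a Security-log audit event (4872, "Certificate Services published the CRL"), and only once Certification Services auditing is turned on.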


Wednesday, August 30, 2017 5:02 PM

Hi, Wayne.

The date on the CRL file (Date Modified in Windows Explorer) did not change.

Marge


Wednesday, August 30, 2017 5:41 PM

What do your CDP Extensions look like? It might be useful to examine what you are trying to do, versus where you are looking.

Run certutil -getreg CA on your CA.

Look for a section called CRLPublicationURLs.

Something like this...
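Added example (not part of the original thread): a PowerShell script that reads CRLPublicationURLs from the CA's registry and decodes it the way certutil -getreg does, then expands the %-tokens and, for each location the CA writes itself (flag 1), reports whether the file exists and when it was last written. The flag values are the CSURL_* constants from the AD CS SDK and the token meanings are the documented CDP template variables; deriving the NetBIOS name (%2) from the first DNS label and reading CRLNextPublish as a FILETIME are assumptions that hold on a standard installation.

```powershell
# Added example, not from the thread: decode CRLPublicationURLs and check the
# on-disk CRL(s) the CA is configured to publish.
# Run on the CA. Registry key is the standard CertSvc configuration key.

$CsUrlFlags = @{                        # CSURL_* bit values (certsrv.h)
    1   = 'CSURL_SERVERPUBLISH'         # CA writes the CRL to this location
    2   = 'CSURL_ADDTOCERTCDP'          # URL goes into the CDP extension of issued certs
    4   = 'CSURL_ADDTOFRESHESTCRL'      # URL goes into the Freshest CRL extension
    8   = 'CSURL_ADDTOCRLCDP'           # URL goes into the CDP extension of the CRL itself
    64  = 'CSURL_SERVERPUBLISHDELTA'    # CA writes the delta CRL here too
    128 = 'CSURL_ADDTOIDP'              # URL goes into the Issuing Distribution Point extension
}

function Get-CaConfig {
    $root   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $root).Active        # 'Active' = CA common name
    Get-ItemProperty -Path (Join-Path $root $active)
}

function ConvertFrom-CsUrlEntry {
    param([string]$Entry)   # e.g. '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl'
    $flagText, $template = $Entry -split ':', 2
    $flags = [int]$flagText
    [pscustomobject]@{
        Flags    = $flags
        Names    = @($CsUrlFlags.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                     ForEach-Object { $CsUrlFlags[$_] })
        Template = $template
    }
}

function Expand-CsUrlTemplate {
    param([string]$Template, $Config, [int]$KeyIndex = 0, [int]$CertIndex = 0)
    # The CA keeps one CRL per signing key; renewed keys get a '(n)' suffix (%8).
    $crlSuffix  = if ($KeyIndex  -gt 0) { "($KeyIndex)" }  else { '' }
    $certSuffix = if ($CertIndex -gt 0) { "($CertIndex)" } else { '' }
    $map = [ordered]@{
        '%1' = $Config.CAServerName                     # ServerDNSName
        '%2' = ($Config.CAServerName -split '\.')[0]    # ServerShortName (assumed = first DNS label)
        '%3' = $Config.CommonName                       # CaName
        '%4' = $certSuffix                              # CertificateName (renewal index)
        '%6' = $Config.DSConfigDN                       # ConfigDN
        '%8' = $crlSuffix                               # CRLNameSuffix (key index)
    }
    $out = $Template
    foreach ($k in $map.Keys) { $out = $out.Replace($k, [string]$map[$k]) }
    $out
}

function ConvertFrom-RegFileTime {
    param([byte[]]$Bytes)   # CRLNextPublish is a REG_BINARY holding a little-endian FILETIME
    [DateTime]::FromFileTime([BitConverter]::ToInt64($Bytes, 0))
}

$cfg      = Get-CaConfig
$keyIndex = [int]$cfg.RequestKeyIndex     # key the CA currently signs with; 0 if never renewed
"CA: $($cfg.CommonName)   current key index: $keyIndex"
"CRLNextPublish (registry): $(ConvertFrom-RegFileTime $cfg.CRLNextPublish)"

foreach ($entry in $cfg.CRLPublicationURLs) {
    $e    = ConvertFrom-CsUrlEntry $entry
    $path = Expand-CsUrlTemplate -Template $e.Template -Config $cfg -KeyIndex $keyIndex
    $info = [ordered]@{ Flags = ($e.Names -join '|'); Location = $path }
    if (($e.Flags -band 1) -and $path -notmatch '^(https?|ldap)://') {
        # Only locations the CA writes to can be checked on disk.
        $file = Get-Item -LiteralPath ($path -replace '^file://', '') -ErrorAction SilentlyContinue
        $info.Exists        = [bool]$file
        $info.LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
    }
    [pscustomobject]$info
}
```

The point of expanding %8 with the current key index is that a CA whose key has been renewed publishes to a file with a "(1)", "(2)", ... suffix alongside the original; when checking Date Modified in Explorer, make sure the file being watched is the one the CA currently signs with.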


Wednesday, August 30, 2017 10:00 PM

Thank you, Wayne.

Here is the information you requested:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\xxxxxSubCA:

Keys:

  CSP

  EncryptionCSP

  ExitModules

  PolicyModules

Values:

  DSConfigDN               REG_SZ = CN=Configuration,DC=xxxxx,DC=org

  DSDomainDN               REG_SZ = DC=xxxxx,DC=org

  ViewAgeMinutes           REG_DWORD = 10 (16)

  ViewIdleMinutes          REG_DWORD = 8

  CAType                   REG_DWORD = 1

    ENUM_ENTERPRISE_SUBCA -- 1

  UseDS                    REG_DWORD = 1

  ForceTeletex             REG_DWORD = 12 (18)

    ENUM_TELETEX_AUTO -- 2

    ENUM_TELETEX_UTF8 -- 10 (16)

  SignedAttributes         REG_MULTI_SZ =

    0: RequesterName

  EKUOIDsForPublishExpiredCertInCRL REG_MULTI_SZ =

    0: 1.3.6.1.5.5.7.3.3 Code Signing

    1: 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing

  CommonName               REG_SZ = xxxxxSubCA

  Enabled                  REG_DWORD = 1

  PolicyFlags              REG_DWORD = 0

  CertEnrollCompatible     REG_DWORD = 0

  CRLEditFlags             REG_DWORD = 100 (256)

    EDITF_ENABLEAKIKEYID -- 100 (256)

  CRLFlags                 REG_DWORD = 2

    CRLF_DELETE_EXPIRED_CRLS -- 2

  InterfaceFlags           REG_DWORD = 641 (1601)

    IF_LOCKICERTREQUEST -- 1

    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)

    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)

    IF_ENFORCEENCRYPTICERTADMIN -- 400 (1024)

  EnforceX500NameLengths   REG_DWORD = 1

  SubjectTemplate          REG_MULTI_SZ =

    0: EMail

    1: CommonName

    2: OrganizationalUnit

    3: Organization

    4: Locality

    5: State

    6: DomainComponent

    7: Country

  ClockSkewMinutes         REG_DWORD = a (10)

  LogLevel                 REG_DWORD = 3

  HighSerial               REG_DWORD = d (13)

  CAServerName             REG_SZ = CAServer.xxxxx.org

  ValidityPeriod           REG_SZ = Years

  ValidityPeriodUnits      REG_DWORD = 5

  KRACertHash              REG_MULTI_SZ =

  KRACertCount             REG_DWORD = 0

  KRAFlags                 REG_DWORD = 0

  CRLPublicationURLs       REG_MULTI_SZ =

    0: 1:C:\Windows\system32\CertSrv\CertEnroll\3%8.crl

    CSURL_SERVERPUBLISH -- 1

    1: 2:http://caserver.xxxxx.org/pki/%3%8.crl

    CSURL_ADDTOCERTCDP -- 2

  CRLPeriod                REG_SZ = Weeks

  CRLPeriodUnits           REG_DWORD = 1

  CRLOverlapPeriod         REG_SZ = Hours

  CRLOverlapUnits          REG_DWORD = 0

  CRLDeltaPeriod           REG_SZ = Days

  CRLDeltaPeriodUnits      REG_DWORD = 1

  CRLDeltaOverlapPeriod    REG_SZ = Minutes

  CRLDeltaOverlapUnits     REG_DWORD = 0

  CAXchgValidityPeriod     REG_SZ = Weeks

  CAXchgValidityPeriodUnits REG_DWORD = 1

  CAXchgOverlapPeriod      REG_SZ = Days

  CAXchgOverlapPeriodUnits REG_DWORD = 1

  MaxIncomingMessageSize   REG_DWORD = 10000 (65536)

  MaxIncomingAllocSize     REG_DWORD = 10000 (65536)

  CACertPublicationURLs    REG_MULTI_SZ =

    0: 2:http://caserver.xxxxx.org/pki%1_%3%4.crt

    CSURL_ADDTOCERTCDP -- 2

    1: 1:file://\CAServer.xxxxx.org\pki\_%3%4.crt

    CSURL_SERVERPUBLISH -- 1

  RequestFileName          REG_SZ = C:\temp\CAServer.req

  SetupStatus              REG_DWORD = 9

    SETUP_SERVER_FLAG -- 1

    SETUP_REQUEST_FLAG -- 8

  Security                 REG_BINARY =

    Allow CA Administrator      BUILTIN\Administrators

    Allow Certificate Manager   BUILTIN\Administrators

    Allow CA Administrator      xxxxx\Domain Admins

    Allow Certificate Manager   xxxxx\Domain Admins

    Allow CA Administrator      xxxxx\Enterprise Admins

    Allow Certificate Manager   xxxxx\Enterprise Admins

    Allow Enroll        NT AUTHORITY\Authenticated Users

  CACertHash               REG_MULTI_SZ =

    0: 30 78 53 87 b3 82 8a c2 d2 64 ad 17 df e0 33 08 e8 66 a2 67

    1: 8c 73 b5 e6 41 cd 1e 6b 88 4e 0d a9 dd db 5c f8 61 14 64 0b

  CRLDeltaNextPublish      REG_BINARY = 8/31/2017 11:49 AM

  CRLAttemptRepublish      REG_DWORD = 0

  CRLOverlapPeriodUnits    REG_DWORD = c (12)

  CNGHashAlgorithm         REG_SZ = SHA256

  CAXchgCertHash           REG_MULTI_SZ =

    0: c7 c0 b6 93 59 fd 0a 08 4d d6 3a c3 e8 6f 20 72 48 89 60 83

  RequestKeyIndex          REG_DWORD = 1

  RequestKeyContainer      REG_SZ = xxxxxSubCA(1)

  CRLNextPublish           REG_BINARY = 9/1/2017 11:49 AM

  AuditFilter              REG_DWORD = 70 (112)

CertUtil: -getreg command completed successfully.


Thursday, August 31, 2017 9:13 PM

Hi again,

I apologize ahead of time, but our engineer who handles AD and the CA has taken ill and is unavailable for assistance.

I have looked on our CA server for the log files that you mentioned (Active Directory Certificate Services application logs), and do not find them in the Event Viewer UI.  Does something need to be set for it to write those logs?

The initial problem as I understand it, was that we have a GIS application that is sensitive to the check for the CRL file, and then that call found a CRL file that was not updated.  The application check was the day after the "Next Publish Date", but the CRL had not re-published on that date, at least from the perspective of modified date of the CRL file when I looked using Windows Explorer.  I manually used "certutil -GetCRL" to create a new file, and overwrote the CRL file myself.

The Next Publish Date is now set for tomorrow, and I'd like to have a place I can look to see successful or unsuccessful messages.

Thank you in advance for your assist

Marge


Monday, September 11, 2017 1:16 PM

OK, I see a couple of things in your log files:

CRLS:

CRLPublicationURLs       REG_MULTI_SZ =

    0: 1:C:\Windows\system32\CertSrv\CertEnroll\3%8.crl

    CSURL_SERVERPUBLISH -- 1

    1: 2:http://caserver.xxxxx.org/pki/%3%8.crl

    CSURL_ADDTOCERTCDP -- 2

I would make that an 8 or a 10. This places a URL in the CDP extension of a certificate issued by the CA to allow the relying party certificate chaining engine to download the latest CRL version.

certutil -setreg CA\CRLPublicationURLS "1:%WINDIR%\system32\certsrv\CertEnroll\3%8.crl\n10:http://caserver.xxxxx.org/pki/%3%8.crl"

Additionally, you will need to create a process that copies your resulting CRL from the local CA, to the web location.  (assuming they are different servers..)

AIA:

There appears to be a typo in your AIA config. You are missing a "\".

 CACertPublicationURLs    REG_MULTI_SZ =

    0: 2:http://caserver.xxxxx.org/pki%1_%3%4.crt

    CSURL_ADDTOCERTCDP -- 2

    1: 1:file://\CAServer.xxxxx.org\pki\_%3%4.crt

    CSURL_SERVERPUBLISH -- 1

certutil -setreg CA\CACertPublicationURLS "2:http://caserver.xxxxx.org/pki/%3%4.crt"

It should be noted that these changes will only affect new certificates issued going forward, and will not affect those already signed. Good luck.

-Wayne
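Added example (not part of the original thread): the "copy the CRL to the web location" process mentioned above, written as a PowerShell script that copies every CRL the CA wrote to CertEnroll onto the web share and then checks each published file the way a relying party would, by downloading it over the HTTP CDP prefix from the thread and reading ThisUpdate/NextUpdate with certutil -dump. The web share path, the freshness threshold and the use of the thread's http://caserver.xxxxx.org/pki/ prefix are assumptions; the certutil verbs and cmdlets are standard.

```powershell
# Added example, not from the thread: publish CRLs to the web server and verify
# them from the client side. Assumes the web share below is writable by the
# account running this (e.g. a scheduled task on the CA).

function Get-CrlDates {
    param([string]$Path)
    # certutil -dump prints ' ThisUpdate: <date>' and ' NextUpdate: <date>' in the local culture,
    # so parse with the current culture rather than the invariant [datetime] cast.
    $dump = certutil -dump $Path 2>&1 | Out-String
    $this = [regex]::Match($dump, '(?m)^\s*ThisUpdate:\s*(.+?)\s*$').Groups[1].Value
    $next = [regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$').Groups[1].Value
    if (-not $next) { throw "Not a CRL, or certutil could not parse it: $Path" }
    [pscustomobject]@{
        ThisUpdate = [datetime]::Parse($this)
        NextUpdate = [datetime]::Parse($next)
    }
}

function Publish-CrlToWeb {
    param([string]$WebShare = '\\webserver.xxxxx.org\pki$')   # assumed; point at the IIS /pki folder
    $src = Join-Path $env:windir 'system32\CertSrv\CertEnroll'   # where flag 1 (SERVERPUBLISH) writes
    Get-ChildItem -Path $src -Filter *.crl | ForEach-Object {    # base and delta ('+') CRLs alike
        Copy-Item -LiteralPath $_.FullName -Destination $WebShare -Force
        $_.Name
    }
}

function Test-CdpUrl {
    param([string]$Url, [int]$MinHoursLeft = 24)   # threshold is an assumption; tune to your CRLPeriod
    $tmp = [IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
        $d = Get-CrlDates -Path $tmp
        [pscustomobject]@{
            Url        = $Url
            ThisUpdate = $d.ThisUpdate
            NextUpdate = $d.NextUpdate
            Fresh      = ($d.NextUpdate - (Get-Date)).TotalHours -gt $MinHoursLeft
        }
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

$cdpBase = 'http://caserver.xxxxx.org/pki/'    # HTTP CDP prefix from the CRLPublicationURLs in the thread
Publish-CrlToWeb | ForEach-Object { Test-CdpUrl -Url ($cdpBase + $_) } | Format-Table -AutoSize
```

Checking NextUpdate on what the web server actually serves, rather than the file's Date Modified, is what tells you whether the GIS application's revocation check will succeed; a CRL can be freshly copied and still be expired if the CA never regenerated it. Run this after every scheduled publish (or after a manual certutil -CRL) and alert on Fresh = False.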


Monday, September 11, 2017 1:30 PM

With respect to the CA logs, you will need to enable them.

Go to Tools -> Local Security Policy.
Navigate to Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access 
In the Right panel,  double click Audit Certification Services
Select Configure the following audit events:
Then select Success and Failure 
Select OK

Good Luck, 

-Wayne
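Added example (not part of the original thread): the same audit setting configured from an elevated PowerShell prompt instead of the Local Security Policy UI, together with the second switch a practitioner needs to know about, the CA's own AuditFilter bitmask, and a query for the resulting Security-log events. The auditpol subcategory name, the AuditFilter bit values and the event IDs (4871 request to publish CRL, 4872 CRL published) are standard; the sleep and the 10-minute window are arbitrary.

```powershell
# Added example, not from the thread: enable Certification Services auditing
# and confirm that a CRL publish is now recorded. Run elevated on the CA.

# 1. Object Access -> Audit Certification Services, Success and Failure.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. Auditing is also filtered by the CA itself: it emits audit events only for the
#    categories set in AuditFilter. 0x40 = 'Revoke certificates and publish CRLs'.
#    (The dump in this thread shows AuditFilter = 0x70, which already includes 0x40.)
$caKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active = (Get-ItemProperty -Path $caKey).Active
$filter = [int](Get-ItemProperty -Path (Join-Path $caKey $active)).AuditFilter
if (-not ($filter -band 0x40)) {
    certutil -setreg CA\AuditFilter 127      # 127 = all seven audit categories
    Restart-Service -Name CertSvc             # AuditFilter is read at service start
}

# 3. Force a publish and read the audit trail it leaves in the Security log.
certutil -CRL
Start-Sleep -Seconds 5
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4871, 4872
    StartTime = (Get-Date).AddMinutes(-10)
} | Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the policy is enabled but the CA's AuditFilter does not include 0x40, no 4872 is ever written, which is the usual reason an administrator concludes that auditing "isn't working". On a domain-joined CA, check that a GPO is not overriding the local audit setting (auditpol /get /subcategory:"Certification Services" shows the effective value).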