

CRL and AIA - unable to download from LDAP locations - Enterprise Sub CA

Question

Friday, October 8, 2010 11:20 AM

I installed an offline root CA and an enterprise subordinate CA.

On the Root CA I changed the CDP and AIA locations and left only local and http:\SubordinateCA\.. locations.

On the enterprise subordinate CA I also have only local and http locations for CDP and AIA, because when I put ldap locations for CDP and AIA on the Subordinate Enterprise CA, the Enterprise PKI tool says "unable to download".

Paths which I put:

CRL

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

AIA

ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>

When I check on the DC in "AD Sites and Services" I have these locations...

Why am I not able to access these locations? Please, any information or help ...

thank you for your time,

Keli

keli

All replies (8)

Friday, October 8, 2010 4:02 PM ✅Answered

try to manually publish these files:

certutil -dspublish -f CRLFileName.CRL CAName

Replace 'CAName' with the actual CA name. And:

certutil -dspublish -f CACertFileName.crt SubCA

http://en-us.sysadmins.lv
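A check that walks the CDP and AIA URLs embedded in a CA certificate and tests each one the way the Enterprise PKI tool does, so an "unable to download" can be traced to the HTTP site, to the AD object, or to the logon session. This is an added example, not code from the thread or from Microsoft; the certificate file path is an assumption.

```powershell
# Added example: diagnose CDP/AIA reachability for one CA certificate.
# Assumes the certificate file path below (adjust to your CertEnroll folder).
param([string]$CertPath = 'C:\Windows\system32\CertSrv\CertEnroll\SubCA.crt')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# ldap:/// URLs carry no host name; resolving them needs a domain logon
# (serverless binding). A local account, the root cause in this thread, cannot.
if (-not $env:USERDNSDOMAIN) {
    Write-Warning "Logged on as non-domain user '$env:USERNAME'; ldap:/// locations will fail."
}

# 2.5.29.31 = CRL Distribution Points (CDP), 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA)
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if (-not $ext) { Write-Output "${oid}: extension not present"; continue }
    Write-Output "${oid}:"
    # Format() renders each location as a 'URL=<uri>' line, in the order clients see them.
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $ok = $false
        try {
            if ($url -match '^https?://') {
                $r  = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                $ok = ($r.StatusCode -eq 200 -and $r.Content.Length -gt 0)
            } elseif ($url -match '^ldap:///') {
                # Keep only the DN: drop the '?attribute?scope?filter' suffix and undo %20 escaping.
                $dn   = [uri]::UnescapeDataString((($url -replace '^ldap:///', '') -split '\?')[0])
                $attr = if ($oid -eq '2.5.29.31') { 'certificateRevocationList' } else { 'cACertificate' }
                $entry = [ADSI]"LDAP://$dn"
                $entry.psbase.RefreshCache()          # throws if the AD object does not exist
                $ok = $entry.psbase.Properties[$attr].Count -gt 0
            } else {
                Write-Output "  SKIP  $url  (file: paths are reachable only on the CA itself)"
                continue
            }
        } catch { $ok = $false }
        Write-Output ("  {0,-5} {1}" -f $(if ($ok) { 'OK' } else { 'FAIL' }), $url)
    }
}
```

Run it once as a domain account and once as a local account on the sub CA: the HTTP rows stay the same while the ldap:/// rows flip to FAIL for the local logon, which is exactly the symptom described in this thread.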


Sunday, October 10, 2010 12:05 AM

Vadims, thank you very much for reply.

do I have to do this publish on the Domain Controller, or only on the Sub Ent CA?

I hope that will resolve my problem. Because at one moment I did revoke the Sub Ent CA certificate...

(when I changed the CRL and AIA lists on the Offline Root CA, I didn't renew, my mistake)

after that I published the crt and crl of the Offline Root CA on the Domain Controller, but I didn't publish the new certificate and crl list of the Sub Ent CA.

Also in the Application log of the Sub Ent CA, while restarting the Sub Ent CA, there is an Information event:

..certificate is revoked...

and after that the Sub Ent CA is started. And what really confuses me is that I revoked the Sub Ent CA certificates two times (don't ask me why; offline CA and changing CDP and AIA, and my mistakes ...). And when I look at the properties of the Sub Ent CA, only the first certificate is revoked, the other is not (on the first tab of properties ...)?

and please, if you can explain to me:

As I understood the hierarchy of CA:

  1. on the offline root CA - only local and http locations for CDP and AIA
  2. on the online, domain enterprise sub CA - local, http and LDAP.

Is this correct? Can I have only local and http locations for CDP and AIA on the Enterprise Sub CA?

If I don't have it, would I have some problems in the use of User, Computer certificates, etc. ...

thank you for your time,

Keli

keli


Sunday, October 10, 2010 7:00 AM

As a best practice, you should use only the HTTP locations in all certs. The HTTP path should use a public FQDN, so that you are able to make it accessible from outside your network.

If you like, you can also include the LDAP location as well. It is always best to have the HTTP path appear first in the certificates, so that when the clients are not able to connect to LDAP, they do not try it at all.

Also, do not include more than one location of any kind: one HTTP, one LDAP, ... Some clients try only the first location of any kind.

Putting local/file locations into issued certs is nonsense, because you need to understand that the path must be accessible from the clients' perspective, so it is not accessible on the CA's local file system. The local file system path is used only to publish the certs there.

In case you have the root CA, yes, the LDAP is not available, because you are probably running the root on a standalone workgroup computer without LDAP access. Although you can always publish the certs into AD yourself manually.

ondrej.
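The configuration Ondrej describes, written out for the enterprise sub CA: a file: path used only for publishing, the public HTTP URL first in issued certificates, and a single LDAP location after it. This is an added example, not code from the thread or from Microsoft; pki.example.com is an assumed public FQDN and the script assumes it is run elevated on the sub CA itself.

```powershell
# Added example (not from the thread): set CDP/AIA on the enterprise sub CA
# per Ondrej's advice. Run elevated on the CA. pki.example.com is assumed.
# certutil URL flags: 1 = publish here, 2 = put in issued certs' CDP/AIA extension,
# 4 = put in CRLs (freshest-CRL), 8 = put in CRL IDP, 64 = publish delta CRLs.
# Tokens: %1 server DNS name, %2 server short name, %3 CA name, %4 renewal suffix,
# %6 configuration naming context, %7 truncated CA name, %8 CRL suffix,
# %9 delta CRL suffix, %10 CDP object class, %11 CA object class.
$http = 'http://pki.example.com/CertEnroll'

$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'     # 1+64: publish base+delta, never in certs
    "6:$http/%3%8%9.crl"                                      # 2+4: first CDP entry in certs and CRLs
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'   # 1+2+4+8+64: one LDAP entry, after HTTP
) -join '\n'   # certutil splits REG_MULTI_SZ values on the literal \n

$aia = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt'     # 1: publish only
    "2:$http/%1_%3%4.crt"                                     # 2: first AIA entry in certs
    '3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'   # 1+2: one LDAP entry, after HTTP
) -join '\n'

certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service certsvc     # new URLs apply to certificates issued from now on
certutil -crl               # publish a fresh base and delta CRL to the file and LDAP locations
```

Certificates already issued keep their old extensions; only the CA's own certificate and the CRLs change after `certutil -crl`, so the sub CA certificate has to be renewed at the root for its own CDP/AIA to change.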


Sunday, October 10, 2010 8:16 AM

> do I have to do this publish on Domain Controller, or only on Sub Ent CA ?

You may run these commands on any domain computer. You just need to have Enterprise Admins permissions.

http://en-us.sysadmins.lv


Sunday, October 10, 2010 6:42 PM

Ok, thank you all for the replies.

Ondrej, thanks for the explanation. I use local locations to publish crl and crt, but include only http locations in certificates.

Tomorrow I will try to publish certificates to check the LDAP locations. I need to check that everything is ok.

thank you for your time,

Keli

keli


Monday, October 11, 2010 8:15 AM

I did publish the crl and crt files in AD, for the Root CA and Sub CA, but the LDAP entry still doesn't work: "Unable to download"

I published the last certificates and crl list (crl and delta).

As I wrote, I issued new certificates once for the Root CA, and three times for the Sub CA.

Probably I made some mistake here. And one more error:

In the PKI tool on the Sub CA, when I click on "Certificate Templates (domaincontroller.domainname.local)" I get the information:

"Windows could not create the object identifier list. The computer is not joined to a domain. Certificate templates are not available."

And after "refresh" it shows the templates.

Templates for which "Minimum supported CAs" is Windows Server 2003 Ent I can change; the rest of the templates I can't.

I really don't know what is going on. The Sub CA is in the domain. Forest and domain functional level is 2003. I have two DCs, one DC 2008 R2 Std Edt and one DC 2003 R2 Std Edt.

If you have any idea please let me know, I am really confused ...

thank you for your time,

Keli

keli


Monday, October 11, 2010 11:08 AM

I can't believe it, but I tried to set up LDAP and access the domain templates while I was logged in as local administrator ...

(I didn't check it, and didn't look at the remote desktop properties ... )

When I log on to the Sub CA as an enterprise domain administrator on the domain, LDAP works and I can access the templates without a warning!

Great! (two days I spent on it, I can't believe it, stupid, but great knowledge :) )

Thank you Vadims and Ondrej for the support, and the link with the same problem: http://www.techsupportforum.com/networking-forum/networking-support/298207-solved-certificate-templates.html

best regards,

Keli

keli


Friday, October 23, 2015 10:33 PM

Keli, I was logged in as Local Admin too.... Thanks for the tip... I can't believe I wasted half a day on this...