PKIView shows old AIA and CDP location on Root

Jean-Valentin 6 Reputation points
2023-04-26T13:38:23.4033333+00:00

Hello all,

I need some help here!

I'm now in charge of the PKI in my company and it has been in a mess for years. I successfully changed the OCSP server, and have now created a Windows 2022 CRL server to replace the old 2012 one. I also have 3 other servers: 1 ROOTCA and 2 subordinate CAs.

I followed this Microsoft link to configure CDP and AIA on my 3 CAs: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1 (so only with http:// and file:// values).

Then on each CA I republished the CRL and copied the files to the new CRL server:

certutil -crl

copy C:\Windows\system32\certsrv\certenroll\*.crt \\mycrlserver.fr\crlpki

copy C:\Windows\system32\certsrv\certenroll\*.crl \\mycrlserver.fr\crlpki

I also restarted certsvc. I requested a new cert, revoked it, republished, recopied, verified its CRL access and downloaded it; everything is working fine with the new server.

By the way, here is my CRL timing configuration on the 3 CAs:

certutil -setreg CA\CRLPeriod "Days"

certutil -setreg CA\CRLPeriodUnits 1

certutil -setreg CA\CRLDeltaPeriod "Hours"

certutil -setreg CA\CRLDeltaPeriodUnits 1

My only problem is in PKIView.msc: on ROOT I still see the old AIA and CDP locations next to the new ones (in yellow, what should be removed).

User's image

If I expand Root and check the subordinate CAs, they only show the new values.

User's image

I re-verified the Extensions tab of the CA properties on each of my 3 CA servers and there are only the new values in the CRL and AIA configuration.

I spent a lot of time on the internet trying to find a way to clean these old values from Root in PKIView, without success.

Here is what I have already tried:

Revoked the CA Exchange certificate on the 3 CAs and verified there are only the right locations inside (before I did this step they had the wrong values).

Republished my CRLs (and copied them to the CRL server), then restarted certsvc. I verified on each CA with certutil -getreg ca\crlpublicationurls and it shows the right information.

I renewed the issuing CA certificate on my 2 subordinate CAs (renewed with the same key). Now I can see only the new values there.

I forced an AD replication.

In Active Directory Sites and Services (Show Services Node, Services, Public Key Services) I verified all the folder permissions (I can't find the link again, but I copied the list for myself):

Enrollment Services container. The CA computer has Read and Write access to its own object.

AIA container. The Cert Publishers group has Full Control access on the AIA container and the CA computer has Full Control access on its own object within the AIA container.

CDP container. The Cert Publishers group has Full Control access on every CA's container under the CDP container, and the CA computer has Full Control access on every certification revocation list (CRL) object in its own container.

Certification Authorities container. The Cert Publishers group has Full Control access on the objects within this container.

Certificate Templates container. The Enterprise Admins and Domain Admins groups (not the CA computer) have Full Control access or Read and Write access to this container and to most objects within it.

KRA container. The CA computer has Full Control access on its own object.

OID container. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access to this container and to the containers and objects within it.

NTAuthCertificates object. The Enterprise Admins and Domain Admins groups, not the CA computer, have Full Control access or Read and Write access.

Domain Computers and Domain Users containers. The Cert Publishers group has Read and Write permissions on the userCertificate property of each user and computer object in the forest in which AD CS is deployed.

All seems fine!

I also tested the secure channel from ROOTCA: nltest /sc_verify:mydomain.fr

Answer: Flags: b0 HAS_IP  HAS_TIMESERV

Trusted DC Name MyDC.mydomain.fr

Trusted DC Connection Status Status = 0 0x0

NERR_Success

Trust Verification Status = 0 0x0

NERR_Success

The command completed successfully

Also, in an elevated cmd:

Export ROOTCA cert :

certutil -ca.cert ROOTCA.cer

certutil -ca.cert ISSUING01.cer

certutil -ca.cert ISSUING02.cer

Publish ROOTCA cert in AD:

certutil -f -dspublish ROOTCA.cer RootCA

certutil -f -dspublish ISSUING01.cer SubCA

certutil -f -dspublish ISSUING02.cer SubCA

Nothing helps!

Please, have you got any idea to help me clean this up?

Regards,


3 answers

Sort by: Most helpful
  1. Deleted

  2. Jean-Valentin 6 Reputation points
    2023-04-27T16:04:46.0933333+00:00

    Hello,

    Thank you for answering.

    On the 3 CA servers, Authenticated Users has the Request Certificates checkbox checked.

    As suggested, I added my admin account and allowed myself Read / Issue and Manage Certificates / Manage CA / Request Certificates on the 3 CAs.

    I revoked the CAExchange certificate on each, then in the Revoked Certificates folder I published a new CRL.

    Then on each I ran certutil -cainfo xchg.

    On each I restarted the certsvc service.

    But I still have the same issue. In PKIVIEW.msc, only on the Root CA, I can see the old AIA and CDP paths.

    This is my last CA Exchange certificate, with the good values:

    User's image

    But I've found something. On each CA, I see the CA Certificate (here on Root it doesn't contain CRL values):

    User's image

    But on each of the issuing CAs I see this same CA Certificate containing the old values.

    I renewed the Subordinate Certification Authority cert on my 2 issuing servers, but I saw it's a SubCA template (containing the good values) when I'm in certlm.msc.

    That means the last SubCA certificate I can see in certlm.msc is not the one I see in pkiview.msc -> one of my Issuing CAs -> CA Certificate.

    How can I refresh that please?


  3. Jean-Valentin 6 Reputation points
    2023-05-31T08:18:45.05+00:00

    Hello All,

    For anyone having the same trouble as me, that topic can help; that was the right way to do it.

    To do on both of my 2 issuing servers:

    Connected directly on the issuing server,

    I used the Certification Authority console: right-click your Issuing CA > All Tasks -> Renew CA Certificate.

    Press Yes to stop Active Directory Certificate Services.

    Press No to "Generate a new public and private key pair".

    Make sure the Computer Name is the FQDN of your Root CA and select your Root CA as your Parent CA.

    Press OK.

    Then, connected to your Root CA, open the Certification Authority MMC.

    Go to Issued Certificates.

    Double-click the certificate you have just issued and go to the Details tab to verify the CRL and AIA are now correct.

    After renewal on each of the issuing CA servers,

    I expired my CA Exchange certificate,

    republished a CRL and copied my Issuing CRT and CRL files to the CRL server.

    I restarted the certsvc service.

    Once done, I verified in pkiview.msc and all were fixed with the correct information.

    User's image

    PS : No need to renew the root CA certificate in my case.

    Regards,

    JV

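The thread turns on one point: the CDP and AIA URLs are written into a certificate when it is issued, so editing a CA's Extensions tab afterwards only affects certificates issued from then on. The old locations lived on in the subordinate CA certificates the root had issued earlier, and re-issuing those certificates from the root (as in the final answer) is what removed them. The script below is an added example written for this thread, not code from the poster or from Microsoft; it reads the CDP and AIA extensions directly out of certificate files exported with certutil -ca.cert, flags any URL still pointing at a retired host, and optionally confirms that the http:// locations answer. This is the check behind both "verify the CRL and AIA are now correct" in the final answer and the earlier comparison of certlm.msc against pkiview.msc. The folder C:\pki and the host name oldcrl.example.fr are assumptions, not values from the thread.

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumptions (constructed): exported CA certificates sit in C:\pki and the
# retired publication host is "oldcrl.example.fr".

function Get-CertPublicationUrls {
    # Return the CDP and AIA URLs embedded in one certificate file.
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $cdp = @(); $aia = @()

    foreach ($ext in $cert.Extensions) {
        # Format($true) renders the extension as multi-line text with one "URL=..." per location.
        $urls = @([regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
        if ($ext.Oid.Value -eq '2.5.29.31')             { $cdp = $urls }   # CRL Distribution Points
        elseif ($ext.Oid.Value -eq '1.3.6.1.5.5.7.1.1') { $aia = $urls }   # Authority Information Access
    }

    [pscustomobject]@{
        File     = Split-Path -Path $Path -Leaf
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        CDP      = $cdp
        AIA      = $aia
    }
}

function Test-CertPublicationUrls {
    # One row per URL: is it stale (points at the retired host), and does it answer over HTTP?
    param(
        [Parameter(Mandatory)][string[]]$CertPath,
        [Parameter(Mandatory)][string]$RetiredHost,
        [switch]$CheckHttp
    )

    foreach ($p in $CertPath) {
        $info = Get-CertPublicationUrls -Path $p
        foreach ($kind in 'CDP', 'AIA') {
            foreach ($url in $info.$kind) {
                $status = 'not checked'
                if ($CheckHttp -and $url -like 'http://*') {
                    try {
                        # HEAD is enough to prove the file is served; a 404 or timeout lands in catch.
                        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
                        $status = "HTTP $($resp.StatusCode)"
                    } catch {
                        $status = "unreachable: $($_.Exception.Message)"
                    }
                }
                [pscustomobject]@{
                    File    = $info.File
                    Subject = $info.Subject
                    Kind    = $kind
                    Url     = $url
                    Stale   = ($url -match [regex]::Escape($RetiredHost))
                    Status  = $status
                }
            }
        }
    }
}

# Usage: run over the exported root and issuing CA certificates. Any row with
# Stale = True is a certificate that still carries the old location and must be
# re-issued; a Status other than HTTP 200 is a location clients cannot fetch.
Test-CertPublicationUrls -CertPath (Get-ChildItem -Path C:\pki -Filter *.cer).FullName `
                         -RetiredHost 'oldcrl.example.fr' -CheckHttp |
    Format-Table -AutoSize
```

Running this against the certificate exported from each issuing CA before and after the renewal makes the thread's observation concrete: the subordinate CA certificates are the objects carrying the old URLs, while the root's own self-signed certificate normally carries none. A file:// location is listed but not probed, since reachability there depends on the share rather than on the web server.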