Windows Active Directory Certification Authority issues post-implementation - CDP and AIA Misconfigured Values

Converge_SAL 20 Reputation points
2023-08-16T19:22:05.9166667+00:00

In a new implementation of Active Directory Certification Authority, the Offline Root CA has bad CDP and AIA extension values. Certificates have been issued from the authorized Subordinate CAs for three weeks as of this writing.

Example of current values on ROOT:

  CDP:  http://www.domain.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

  AIA:  http://www.domain.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt

Example of current values on SUBCA:

  CDP:  http://pki.domain.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

  AIA:  http://pki.domain.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt

PKIView shows red dots everywhere.

Getting 'Revocation Server Offline' errors.

CA services not starting.

Second (newly installed) SUBCA will not allow Certification Authority Services to even Start!

Guessing there has to be a direct correlation of values on the Root CA for the Root certs issued to Subordinate CAs.

Also guessing there are some steps to take beyond making the change at the RootCA.

If the Offline Root CA has these values changed, what has to happen at the Subordinate CA servers?

Thanks in advance for the guidance!


Accepted answer
    Daisy Zhou (Microsoft External Staff)
    2023-08-17T02:38:56.19+00:00

    Hello Converge_SAL,

    Thank you for posting in our Q&A forum.

    1.Is this a newly built environment or an existing one?

    2.Is this a test or production environment?

    If it is a test PKI environment or a newly built environment, I suggest you try to rebuild the PKI.

    Because we don't know exactly where the error occurred, even if we find the wrong settings, it is difficult to change the wrong settings to the correct settings (based on my experience and testing).

    In your case:

    CDP and AIA on the root CA and the Sub CA should be in one location:
    http://pki.domain.com or http://www.domain.com
    Not CDP and AIA on the root CA at http://www.domain.com but CDP and AIA on the Sub CA at http://pki.domain.com.

    I recommend that you create from scratch (in a test environment) based on the following documentation, trying not to make any mistake at every step (e.g., replace the domain name with the correct domain name, and replace the computer name with the correct computer name).

    And log the important note and steps if needed.

    Reference:
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx#:~:text=Install%20a%20new%20forest%20by%20using%20Server%20Manager.,Required%20Features%20and%20then%20click%20Next.%20See%20More.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

Follow-up from Converge_SAL
    2023-08-21T17:04:33.36+00:00

    I need to update the CDP and AIA values on the ROOT CA.

    I was more concerned about the next steps of:

    • updating SUB CAs
    • updating certificates for all the clients that have been enrolled in the certificates.

    Those steps aren't fully clear to me, but I am gathering info from many sources that appear to correlate.

    I see the following as next steps:

    1. Issue a new revocation list and CA certificate.
    2. Get those two files over to the host that is distributing the files (via file copy into the virtual directory used to publish the files).
    3. Also get those two files over to the host that is the SubCA (via file copy into the local folder for certificate services).
    4. Run a CLI that publishes the new Root Cert to AD, and thus to all devices in the domain, into their Trusted Root Certification Authority cert stores.
    5. Then try to refresh the CAs through cert service restarts.
    6. Validate using the PKIVIEW utility that all things are OK.
    7. If I notice a trend of certificate issues all of a sudden, then do the following:
    8. Use the 'Reenroll all Certificate Holders' option on each template to cause all cert holders to enroll again with the new version of the certificates.
       - Important: this causes all current cert holders to get the latest versions of their certs.
       - Impact: this causes all cert holders who have old CRL checking references to suddenly not be able to verify revocation, and possibly causes certs to not be valid at that very moment (aka OUTAGE).

    If I have missed anything, please let me know. This production environment needs to be corrected in the very near term.
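The steps listed in the follow-up above, expressed as PowerShell, as an added example that is not code from the original post or from Microsoft. It uses the ADCSAdministration cmdlets that ship with the AD CS role and plain certutil; the `<CaName>`-style tokens are the same certutil placeholders the question shows, expanded by the CA at publication time. The publication URL http://pki.domain.com/pki, the root CA name Contoso-RootCA, the share \\web01\pki$ behind that URL and the host subca01 are placeholders chosen for the example. Each function states in its comment which machine it runs on; the root is offline, so moving its .crt and .crl to the sub CA is a manual copy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Placeholders (assumptions):
# publication point http://pki.domain.com/pki, root CA "Contoso-RootCA",
# IIS virtual directory reachable as \\web01\pki$, sub CA host subca01.
Import-Module ADCSAdministration   # part of the AD CS role on Windows Server 2012+

$PublishUrl = 'http://pki.domain.com/pki'
$CertEnroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# Run on the OFFLINE ROOT CA. Drops every HTTP CDP/AIA entry that does not point
# at $PublishUrl, keeps the local file entries (needed for 'certutil -crl'),
# adds the corrected URLs, restarts the service (extension config is read at
# start-up) and signs a fresh CRL.
function Set-RootCaPublicationUrls {
    $crlUri = "$PublishUrl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"     # same tokens as the question
    $aiaUri = "$PublishUrl/<ServerDNSName>_<CaName><CertificateName>.crt"

    Get-CACrlDistributionPoint |
        Where-Object { $_.Uri -like 'http://*' -and $_.Uri -notlike "$PublishUrl/*" } |
        ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
    Get-CAAuthorityInformationAccess |
        Where-Object { $_.Uri -like 'http://*' -and $_.Uri -notlike "$PublishUrl/*" } |
        ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

    Add-CACrlDistributionPoint -Uri $crlUri -AddToCertificateCdp -AddToFreshestCrl -Force
    Add-CAAuthorityInformationAccess -Uri $aiaUri -AddToCertificateAia -Force

    Restart-Service certsvc
    certutil -crl | Out-Null                       # new CRL lands in $CertEnroll
    Get-CACrlDistributionPoint      | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl
    Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia
}

# Run on the SUB CA (domain-joined, as an Enterprise Admin) after the root's
# .crt and .crl have been carried over from the offline root.
function Publish-RootCaArtifacts {
    param([string]$RootCrt, [string]$RootCrl)
    Copy-Item $RootCrt, $RootCrl -Destination '\\web01\pki$' -Force   # what $PublishUrl serves
    Copy-Item $RootCrt, $RootCrl -Destination $CertEnroll -Force
    certutil -dspublish -f $RootCrt RootCA     # AD trusted-root and AIA containers
    certutil -dspublish -f $RootCrl            # AD CDP container
    Restart-Service certsvc
}

# Pull the http URLs out of a certificate's CDP and AIA extensions (no network).
function Get-EmbeddedPkiUrls {
    param([string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $cert.Extensions |
        Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |   # CDP, AIA
        ForEach-Object { [regex]::Matches($_.Format($true), 'http://\S+') } |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Run on the SUB CA. Its own certificate still embeds whatever URLs the root
# had configured when it was issued, so flag anything that does not point at
# $PublishUrl, then do a live fetch of every URL in the chain.
function Test-SubCaChain {
    param([string]$SubCaCert = (Get-ChildItem "$CertEnroll\*.crt" | Select-Object -First 1).FullName)
    $stale = Get-EmbeddedPkiUrls $SubCaCert | Where-Object { $_ -notlike "$PublishUrl/*" }
    if ($stale) {
        Write-Warning ("Stale URLs embedded in {0}: {1}" -f $SubCaCert, ($stale -join ', '))
    }
    certutil -verify -urlfetch $SubCaCert      # each CDP/AIA line should end in 'Verified'
}

# Usage, in order and on the machine each comment names:
#   Set-RootCaPublicationUrls
#   Publish-RootCaArtifacts -RootCrt "$CertEnroll\Contoso-RootCA.crt" -RootCrl "$CertEnroll\Contoso-RootCA.crl"
#   Test-SubCaChain
```

Two points the script is built around. Changing the root's CDP/AIA configuration only affects certificates the root issues from now on; the sub CA certificates it already issued keep the URLs they were born with, which is what `Test-SubCaChain` reports as stale. Until each sub CA certificate is renewed (a new request from the sub CA signed by the root, or the `Renew CA Certificate` action), the old URL must keep answering, otherwise chain building on every client ends in exactly the "revocation server offline" error the question describes. The `certutil -verify -urlfetch` call at the end is the same check PKIView performs, line by line, and is the quickest way to confirm a red dot has turned green before restarting anything else.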

