Cert and CRL download from AIA and CDP paths fails.

Attila 21 Reputation points
2020-11-01T16:19:04.933+00:00

Hello everyone!

Preface:

I’m in the process of setting up a test/demo environment for our development team. Among other servers and services, this test network must include and utilize a working 3-tier PKI topology. For this purpose I’m using the “Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure” white paper. I’m using Windows Server 2019 Datacenter edition as the operating system for all servers.

The process done so far:

I’m following the white paper, and I’m done with the “Example Scenario for Contoso” chapter to install and configure the Stand-alone Offline Root CA.

I have also finished the “Stand-alone Offline Intermediate CA (IntermediateCA1)” chapter. At this point everything seems fine.

I’m skipping the “CorporateSub2CA” installation, because it will not be needed for our testing purposes.

Currently I’m at the “Import ParentCA Certificates and CRLs into Active Directory” section of the Online Enterprise Issuing CAs (CorporateEnt1CA) chapter.

The problem:

I got the following result:

Figure 1. My result: failed download from CDP

Figure 2. My result: failed download from AIA

Although I should get the following result if I complete the steps in this chapter:

Figure 3. “Figure 8: URL Retrieval Tool”, from the white paper

I created a copy of the Default Domain Policy and added the RootCA’s certificate to Trusted Root Certification Authorities and the IntermediateCA’s certificate to Intermediate Certification Authorities.

Figure 4. GPO setting for the RootCA’s cert distribution

Figure 5. GPO setting for the intermediate CA’s cert distribution

I ran the following commands:

PS C:\Users\Rendszergazda\Documents> certutil -f -dspublish '.\CONTOSOROOTCA_Contoso Arany !0028Class Gold!0029 F!0151tan!00fas!00edtv!00e1ny.crt'  
ldap:///CN=Contoso Arany !0028Class Gold!0029 F!0151tan!00fas-49548,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=hu?cACertificate  
  
Certificate already in DS store.  
  
ldap:///CN=Contoso Arany !0028Class Gold!0029 F!0151tan!00fas-49548,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=hu?cACertificate  
  
Certificate already in DS store.  
  
CertUtil: -dsPublish command completed successfully.  
PS C:\Users\Rendszergazda\Documents> certutil -f -dspublish '.\CONTOSOINTCA1_Contoso Ez!00fcst !0028Class Silver!0029 K!00f6zbens!0151 Tan!00fas!00edtv!00e1ny.crt'  
ldap:///CN=Contoso Ez!00fcst !0028Class Silver!0029 K!00f6zben-35707,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=hu?cACertificate  
  
Certificate already in DS store.  
  
CertUtil: -dsPublish command completed successfully.  
PS C:\Users\Rendszergazda\Documents> certutil -f -dspublish '.\Contoso Arany !0028Class Gold!0029 F!0151tan!00fas!00edtv!00e1ny.crl' contosorootca  
ldap:///CN=Contoso Arany !0028Class Gold!0029 F!0151tan!00fas-49548,CN=contosorootca,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=hu?certificateRevocationList  
  
Base CRL already in DS store.  
  
CertUtil: -dsPublish command completed successfully.  
PS C:\Users\Rendszergazda\Documents> certutil -f -dspublish '.\Contoso Ez!00fcst !0028Class Silver!0029 K!00f6zbens!0151 Tan!00fas!00edtv!00e1ny.crl' contosointca1  
ldap:///CN=Contoso Ez!00fcst !0028Class Silver!0029 K!00f6zben-35707,CN=contosointca1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=hu?certificateRevocationList  
  
Base CRL added to DS store.  
  
CertUtil: -dsPublish command completed successfully.  
  

After these commands, I checked the AD DS console for the AIA and CDP nodes:

Figure 6. The AIA node contains the two Certification Authorities

Figure 7. The Root CA’s CRL Distribution Point

Figure 8. The Intermediate CA’s CRL Distribution Point

Here is the intermediate CA’s certutil.exe -urlfetch -verify output:

PS C:\Users\Rendszergazda\Documents> certutil.exe -urlfetch -verify '.\CONTOSOINTCA1_Contoso Ez!00fcst !0028Class Silver!0029 K!00f6zbens!0151 Tan!00fas!00edtv!00e1ny.crt'  
  
  
Issuer:  
    CN=Contoso Arany (Class Gold) Főtanúsítvány  
    DC=contosorootca  
    DC=contoso  
    DC=hu  
    OU=Tanúsítványkiadók (Certification Services)  
    O=Contoso Kft.  
    L=Budapest  
    C=HU  
  Name Hash(sha1): 81902e03b1bda55156c42f55123d5067552fd41e  
  Name Hash(md5): 0477e38ad67ae0ec046950a5acb7f985  
Subject:  
    CN=Contoso Ezüst (Class Silver) Közbenső Tanúsítvány  
    OU=Tanúsítványkiadók (Certification Services)  
    O=Contoso Kft.  
    L=Budapest  
    DC=contosointca1  
    DC=contoso  
    DC=hu  
    C=HU  
  Name Hash(sha1): 7086737ac01a7fb916796b4c29399e1c2620d2c0  
  Name Hash(md5): 6031e780d142a025573bfd052a54dff6  
Cert Serial Number: 280000000216e88751d5893e67000000000002  
  
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)  
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)  
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)  
HCCE_LOCAL_MACHINE  
CERT_CHAIN_POLICY_BASE  
-------- CERT_CHAIN_CONTEXT --------  
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
ChainContext.dwRevocationFreshnessTime: 61 Days, 25 Minutes, 53 Seconds  
  
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
SimpleChain.dwRevocationFreshnessTime: 61 Days, 25 Minutes, 53 Seconds  
  
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0  
  Issuer: CN=Contoso Arany (Class Gold) Főtanúsítvány, DC=contosorootca, DC=contoso, DC=hu, OU=Tanúsítványkiadók (Certification Services), O=Contoso Kft., L=Budapest, C=HU  
  NotBefore: 2019. 12. 09. 17:15  
  NotAfter: 2029. 12. 09. 17:25  
  Subject: CN=Contoso Ezüst (Class Silver) Közbenső Tanúsítvány, OU=Tanúsítványkiadók (Certification Services), O=Contoso Kft., L=Budapest, DC=contosointca1, DC=contoso, DC=hu, C=HU  
  Serial: 280000000216e88751d5893e67000000000002  
  Template: SubCA  
  Cert: 64084ec5ddcaea610182ca37f3344d13be037fd2  
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  Verified "Certificate (0)" Time: 0 b7263457736504319e1da84b24bea1aff84b98da  
    [0.0] http://***.******.***/pki/CONTOSOROOTCA_Contoso%20Arany%20!0028Class%20Gold!0029%20F!0151tan!00fas!00edtv!00e1ny.crt  
  
  Failed "AIA" Time: 0 (null)  
    Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)  
    ldap:///CN=Contoso%20Arany%20!0028Class%20Gold!0029%20F!0151tan!00fas-49548,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contosorootca,DC=contoso,DC=hu?cACertificate?base?objectClass=certificationAuthority  
  
  ----------------  Certificate CDP  ----------------  
  Verified "Base CRL (06)" Time: 0 dd934cbbb2449f22b40baa68960db8d1e9e22033  
    [0.0] http://***.******.***/pki/Contoso%20Arany%20!0028Class%20Gold!0029%20F!0151tan!00fas!00edtv!00e1ny.crl  
  
  Failed "CDP" Time: 0 (null)  
    Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)  
    ldap:///CN=Contoso%20Arany%20!0028Class%20Gold!0029%20F!0151tan!00fas-49548,CN=CONTOSOROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contosorootca,DC=contoso,DC=hu?certificateRevocationList?base?objectClass=cRLDistributionPoint  
  
  ----------------  Base CRL CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
    CRL 06:  
    Issuer: CN=Contoso Arany (Class Gold) Főtanúsítvány, DC=contosorootca, DC=contoso, DC=hu, OU=Tanúsítványkiadók (Certification Services), O=Contoso Kft., L=Budapest, C=HU  
    ThisUpdate: 2020. 09. 01. 14:42  
    NextUpdate: 2021. 09. 02. 3:02  
    CRL: dd934cbbb2449f22b40baa68960db8d1e9e22033  
  
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0  
  Issuer: CN=Contoso Arany (Class Gold) Főtanúsítvány, DC=contosorootca, DC=contoso, DC=hu, OU=Tanúsítványkiadók (Certification Services), O=Contoso Kft., L=Budapest, C=HU  
  NotBefore: 2019. 12. 08. 22:38  
  NotAfter: 2039. 12. 08. 22:48  
  Subject: CN=Contoso Arany (Class Gold) Főtanúsítvány, DC=contosorootca, DC=contoso, DC=hu, OU=Tanúsítványkiadók (Certification Services), O=Contoso Kft., L=Budapest, C=HU  
  Serial: 258d42a413a714884737f0cb909f9207  
  Cert: b7263457736504319e1da84b24bea1aff84b98da  
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)  
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)  
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)  
  ----------------  Certificate AIA  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate CDP  ----------------  
  No URLs "None" Time: 0 (null)  
  ----------------  Certificate OCSP  ----------------  
  No URLs "None" Time: 0 (null)  
  --------------------------------  
  
Exclude leaf cert:  
  Chain: b048fa5fe1a3e410f77f5881e714aaa9eb403216  
Full chain:  
  Chain: f002a6b69975f9ca3411ac1fd74839f6c38f6b8e  
------------------------------------  
Verified Issuance Policies: All  
Verified Application Policies: All  
Cert is a CA certificate  
Leaf certificate revocation check passed  
CertUtil: -verify command completed successfully.  

So, this is the story so far.

Can anyone give me any idea how to solve this problem? I have no clue.
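The -urlfetch output above shows the ldap:/// URLs failing while the http:// ones succeed. The following script is an added example, not part of the original post: it reads the AIA and CDP extensions of a CA certificate, extracts every ldap:/// URL, and checks that the DN each one points at actually lies under the forest's configuration naming context (read from RootDSE, or passed in). The certificate file name, the parameter names and the trimmed sample URL at the end are assumptions; the rest uses only the .NET X509 classes and ADSI that ship with Windows PowerShell.

```powershell
# Added example, not from the original post: flag AIA/CDP ldap:/// URLs in a
# certificate whose DN does not end with the forest's configuration NC.
# A mismatch is exactly what produces 0x80070002 in certutil -urlfetch, because
# the LDAP path was built for a naming context that does not exist.
# Assumptions: the certificate path and the expected DN are placeholders.

param(
    # Certificate to inspect (hypothetical file name).
    [string]$CertPath = '.\CONTOSOINTCA1.crt',

    # Configuration naming context the URLs must end with. If not given, it is
    # read from RootDSE, which works on any domain-joined host without the AD module.
    [string]$ExpectedConfigDN
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function ConvertTo-NormalizedDn {
    # Compare case-insensitively and tolerate "DC=a, DC=b" spacing.
    param([string]$Dn)
    return ($Dn -replace ',\s+', ',').ToLowerInvariant()
}

function Get-DnFromLdapUrl {
    # RFC 4516: ldap:///<dn>?<attrs>?<scope>?<filter>; the DN is percent-encoded.
    param([string]$Url)
    $dnPart = [regex]::Match($Url, '^ldap:///([^?]*)').Groups[1].Value
    return [uri]::UnescapeDataString($dnPart)
}

function Test-LdapUrlSuffix {
    # $true when the URL's DN lies under the expected naming context.
    param([string]$Url, [string]$ExpectedSuffix)
    $dn = ConvertTo-NormalizedDn (Get-DnFromLdapUrl $Url)
    return $dn.EndsWith((ConvertTo-NormalizedDn $ExpectedSuffix))
}

function Get-LdapUrlsFromCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 1.3.6.1.5.5.7.1.1 = Authority Information Access, 2.5.29.31 = CRL Distribution Points.
    foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {
        foreach ($ext in ($Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid })) {
            # Format($true) renders the extension one "URL=..." per line, as certutil -dump does.
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(ldap:///\S+)')) {
                [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $m.Groups[1].Value }
            }
        }
    }
}

if (-not $ExpectedConfigDN) {
    $ExpectedConfigDN = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
foreach ($u in Get-LdapUrlsFromCert -Cert $cert) {
    [pscustomobject]@{
        Extension = $u.Extension
        DN        = Get-DnFromLdapUrl $u.Url
        UnderAD   = Test-LdapUrlSuffix -Url $u.Url -ExpectedSuffix $ExpectedConfigDN
    }
}

# Constructed sample: a shortened copy of the AIA URL from the thread. Its DN ends in
# DC=contosorootca,DC=contoso,DC=hu, so against the real forest this returns $false.
$sample = 'ldap:///CN=Contoso%20Arany-49548,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contosorootca,DC=contoso,DC=hu?cACertificate?base?objectClass=certificationAuthority'
Test-LdapUrlSuffix -Url $sample -ExpectedSuffix 'CN=Configuration,DC=contoso,DC=hu'
```

Run it on the domain-joined issuing CA against the intermediate CA's .crt. Every row with UnderAD = $false is an LDAP location that certutil -dspublish can never populate, because -dspublish writes into the real configuration partition, while the certificate tells clients to look in a partition that does not exist.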


Accepted answer
Vadims Podāns 9,121 Reputation points MVP
2020-11-01T17:56:57.747+00:00

The problem is with your Root CA configuration. Your domain is contoso.hu (DC=contoso,DC=hu), but the root CA has the following configuration in DSDomainDN: DC=contosorootca,DC=contoso,DC=hu. There is no such domain in your environment. Reconfigure your root CA to have the following values:

    DSConfigDN = CN=Configuration,DC=contoso,DC=hu
    DSDomainDN = DC=contoso,DC=hu

and renew all intermediate CA certificates with a new key pair.
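The commands below are an added example, not part of the accepted answer, showing the remediation it describes as it would be typed: fix the two DS variables on the offline root, confirm them, then renew the intermediate with a new key and re-check. The DN values are the ones from this thread; the request and certificate file names, the request ID placeholder and the choice of certutil -renewCert (the command-line equivalent of "Renew CA Certificate" in certsrv.msc) are assumptions.

```powershell
# Added example, not from the original answer. Run in an elevated prompt.
# File names and <RequestId> are placeholders.

# --- On the offline root CA -------------------------------------------------

# 1. Point both DS variables at the real forest. %6 in the CDP/AIA URL templates
#    expands to DSConfigDN, so this is what gets written into every certificate
#    the root issues from now on.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=contoso,DC=hu"
certutil -setreg CA\DSDomainDN "DC=contoso,DC=hu"

# 2. The values are read at service start.
net stop certsvc
net start certsvc

# 3. Confirm, and review the templates that consume them.
certutil -getreg CA\DSConfigDN
certutil -getreg CA\DSDomainDN
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 4. Issue a new CRL to confirm the service publishes cleanly with the new values.
certutil -CRL

# --- On the intermediate CA -------------------------------------------------

# 5. Renew the CA certificate with a NEW key pair (no ReuseKeys). With an offline
#    parent this produces a request file rather than submitting it directly.
certutil -renewCert

# 6. Carry the .req to the root CA and issue it there (file names assumed).
#    On the root CA:
certreq -submit "CONTOSOINTCA1.req" "CONTOSOINTCA1.crt"
#    A stand-alone root usually holds the request pending; issue and retrieve it:
#    certutil -resubmit <RequestId>
#    certreq -retrieve <RequestId> "CONTOSOINTCA1.crt"

# 7. Back on the intermediate CA, install the renewed certificate and restart.
certutil -installCert "CONTOSOINTCA1.crt"
net stop certsvc
net start certsvc

# 8. Publish the renewed intermediate certificate and the root's current CRL to AD
#    (same form as the commands in the question), then repeat the check: the
#    ldap:/// entries should now report "Verified" instead of 0x80070002.
certutil -f -dspublish "CONTOSOINTCA1.crt" SubCA
certutil -f -dspublish "CONTOSOROOTCA.crl" contosorootca
certutil -urlfetch -verify "CONTOSOINTCA1.crt"
```

The renewal is the part that is easy to skip: the bad DN is baked into the AIA and CDP extensions of the intermediate's existing certificate, so changing the registry on the root alone fixes only certificates issued afterwards. Certificates already issued by the intermediate to end entities are unaffected by the root's settings, since their URLs come from the intermediate's own CRLPublicationURLs and CACertPublicationURLs.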

