Installing a Two Tier PKI Hierarchy in Windows Server 2012: Part IV, Publishing the Root CA Certificate and CRL to Active Directory

In parts I-III of this series I covered installing a Root Certification Authority as well as some post configuration steps for the Root CA.  In this blog posting I am going to cover Root CA Certificate and Certificate Revocation List (CRL) Publishing to Active Directory.

In Part III of this series I ran a Post-Configuration script to configure the Root CA.  Here is the entire script:

certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=fourthcoffee,DC=com"

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2: https://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2: https://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPeriodUnits 6

certutil -setreg CA\CRLPeriod "Months"

certutil -setreg CA\CRLDeltaPeriodUnits 0

certutil -setreg ca\ValidityPeriodUnits 10

certutil -setreg ca\ValidityPeriod "Years"

certutil -setreg CA\AuditFilter 127

net stop certsvc & net start certsvc

certutil –CRL

The first line of the script relevant to today’s discussion is:

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2: https://pki.fourthcoffee.com/certenroll/%%1\_%%3%%4.crt\\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

With this command I configured:

The Root CA to publish the CA Certificate locally to the C:\Windows\System32\CertSrv\CertEnroll directory

“Stamp” an HTTP location in the Authoritative Information Access (AIA) extension of issued certificates (repository where clients can download the Root CA Certificate)

“Stamp” an LDAP location in the Authoritative Information Access (AIA) extension of issued certificates (repository where clients can download the Root CA Certificate)

The second line of the script relevant to today’s discussion is:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2: https://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

With this command I configured:

  • The Root CA to publish a CRL locally to the C:\Windows\System32\CertSrv\CertEnroll directory
  • “Stamp” an HTTP location in the CRL Distribution Points (CDP) extension of issued certificates (repository where clients can download CRLs)
  • “Stamp” an LDAP location in the CDP extension of issued certificates (repository where clients can download CRLs)

So, later on when I install my Issuing CA, it’s certificate will point to the HTTP and LDAP locations that I specified.  So, the next step is to Publish my Root CA Certificate and CRL to these locations, so they are accessible.

AD Publishing

CA Certificate Publishing

The first step I want to take is to publish my Root CA Certificate to AD.  AD is my LDAP repository, so I need to publish the Root CA certificate there.  Also, I need to publish my Root CA Certificate to Active Directory so that it can be trusted by Windows clients.

In order to Publish my Root CA Certificate to Active Directory, I need to be logged into a Domain joined machine as an Enterprise Admin. Once logged in I need to have a copy of the Root CA Certificate which can be copied from the C:\Windows\System32\Certsrv\CertEnroll directory on the Root CA. Once logged in, I run the following command to publish the CA Certificate to Active Directory:

certutil –f –dspublish <CACertFileName> RootCA

This is illustrated in the screenshot below:

image

And as you can see from the following screenshots (of ADSIEDIT.msc), the CA certificate is now published to the AIA Container

image

and the Certification Authorities container.

image

CRL Publishing

Since my CRL will also be accessible via LDAP, I need to publish my Root CA’s CRL to AD as well.  The Root CA’s CRL first needs to be copied from the C:\Windows\System32\Certsrv\CertEnroll directory on the Root CA to the machine where I am performing the publishing.  I then run the following command to publish the CRL to Active Directory:

certutil –f –dspublish <CRLFileName>

This is illustrated in the Screenshot below:

image

And as you can see from the following screenshot (of ADSIEDIT.msc), the CRL is now published to the CDP Container.

image

Wrap-up

So, now I have my Root CA Certificate and CRL published to Active Directory.  I will have to manually update the CA Certificate every time it is renewed.  I will also need to update the CRL before it expires.

I still have not published the Root CA Certificate and CRL to the HTTP repository.  I will be performing this later on, as I am hosting my HTTP repositories on my Issuing CA (not best practice).

Troubleshooting

When publishing the CRL you may receive the following error:  A referral was returned from the server

This is illustrated in the screenshot below:

image

Typically this is due to:

  • Mis-configured DSConfigDN registry key on the Root CA
  • The service was not restarted after configuring the DSConfigDN registry key
  • The CRL was published right after the service was restarted and a timing issue cause the updated DSConfigDN to be updated in the CRL (timing issue)

 

-Chris