Certificate Authority 2008 - Renewed RootCA Certificate crl

hey
I had renewed my root CA certificate and I noticed that this certificate has the "CDP" attribute in it.
I cannot understand why, because I know that a root CA's certificate does not need this attribute.
thanks
dor

I am not sure what you mean by the CDP attribute in the certificate. When you renew, a version number is included in the renewed certificate.
Original Certificate: RootCA_CorporateRootCA.crt
Renewal 1: RootCA_CorporateRootCA(1).crt
Renewal 2: RootCA_CorporateRootCA(2).crt
Renewal 3: RootCA_CorporateRootCA(3).crt
and so on.... 
If the root CA was renewed with a new key pair, then a new CRL is produced (with the matching version number). If the root CA was renewed with the same key pair, then the previous CRL is used for both the current and previous CA certificate.
HTH,
Brian

Similar Messages

  • Certificate Authority - How to issue Certificates without extensions?

    We are operating a Windows 2012 Server PKI with an Enterprise Subordinate Certificate Authority that is issuing Certificates through an AD Certificate Template, however  there are certain certificate extensions that need
    to be excluded.
    We are following the procedure defined in ;
    http://blogs.technet.com/b/pki/archive/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued.aspx
    certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
    certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
    net stop certsvc
    net start certsvc
    This does not have any effect as issued certificates continue to have the extensions in them after the change.

    Can you confirm that this command contains EDITF_DISABLEEXTENSIONLIST flag enabled:
    certutil -getreg policy\editflags
    if not, then you should enable it:
    certutil -setreg policy\editflags +EDITF_DISABLEEXTENSIONLIST
    and restart CA service.

  • Untrusted server cert chain & does not recognize the certificate authority

    I have java code that makes an ssl connection to an HTTPS server.
    The code works fine when I connect to a server that has a
    certificate that was issued by a recognizable authority.
    But when I try to connect to our test HTTPS server which has a
    certificate that was created by ourselves for debug, I get this
    java exception: "untrusted server cert chain".
    When I connect to our test HTTPS server with a browser, I get
    this message from the browser in a popup window:
    "www.xyz.com is a web site that uses a security certificate to
    identify itself. However netscape 6 does not recognize the
    certificate authority that issued this certificate."
    At this point I am able to accept the certificate in the popup
    window and continue.
    Question: In my java code how can I accept a certificate
    that was signed by an unrecognizable authority just like the
    browser can. Or during debug, how can I set an override
    to accept ALL certs no matter what.
    Thanks.....Paul

    You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
    keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
    The keystore password is 'changeit' by default, keytool comes with the JDK.
    The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
    Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
    Ronny.

  • Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

    Hello,
        I'm currently dealing with the following scenario:
    1. I've inherited the current infrastructure setup and the plan is to clean things up and setup a new certificate infrastructure using Windows 2012 R2.
    2. The current setup:
        a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority.  It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time.  It also has an expired certificate for
    itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate enrollment for Domain Controller.  We'll call the server, DC1.
        b. Certificate Authority Server, we'll call it CERT1.  When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
    EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
    EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013
    (-2146885613).
    EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because
    the revocation server was offline. 0x80092013 (-2146885613).
    Note:  The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point A.  Attempts to renew it fail.
    (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0  however an upgrade wasn't done and it's not old versions of Windows.)
    c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shutdown.  I've powered it up and the machine is not part of the domain.
    Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
    Thanks!

    Hi Vadims,
        Basically using certificates in the following manner:
    1. User / Computer enrollment in the AD domain.
    2. Any hardware / web services (internal) that need a certificates.  This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that
    sort of thing.
        A number of machines currently show certificate errors (i.e. certificate has expired), however that hasn't stopped things from working, just functioning differently.  I'm going already on the assumption that if I remove the entire CA
    infrastructure and re-install a new one and have everything point to that new CA server that I should be ok but I'm not 100% certain hence why I asked on this forum.
    Also, you're correct that there is one more CA.  That CA was the server that was turned off/offline that I powered on.  It is not part of the AD domain that the domain controller and the other CA belong to.  (It is standalone.)  I'm
    currently patching the standalone CA since it's been off for what looks like almost 1.5 years. 

  • Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

    Hello,
    I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
    Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
    Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
    * Note. No back ups to work with aside from whats mentioned below.
    DC had a virus infection causing a lot of issues on the shared network drives 2 days ago, locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares, which luckily had a backup.
    The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
    "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
    Powershell on a computer that only has the Management Tools role installed."
    Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc per instructions only to discover I couldn't relaunch it because there was
    no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
    Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer > Properties > Change Settings > Change is greyed out because
    it is using the Certificate Authority Service.
    I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
    "The Trust Relationship between this workstation and primary domain failed."
    I tried running the PowerShell tools on Exchange Server 2 to rejoin and to reset passwords for domain accounts as noted in some other blogs but no luck, as Server 2 could not make the connection with Server 1 or other errors it kept spitting out.
    I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
    I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
    https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
    and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
    Marty

    I recommend that you open a ticket with Microsoft Support before you break things more.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Error Starting Certificate Authority after upgrading in place from Server 2003 Enterprise (32 bit) to Server 2008 Enterprise (32 bit).

    Hope this is the place to seek help with Active Directory Certificate Services.  We recently upgraded in place an issuing CA in our lab from 2003 to 2008 and the upgrade of the OS was successful but the CA service now will not start. 
    The error is:
    Error 0xc8000222 (ESE: -546)
    More info.  We did stop the CA service prior to doing the upgrade.

    Answering my own question with the hopes to help someone else. 
    The problem has something to do with the logs for the certificate database.  There is some sort of a format conflict after upgrading to 2008.
    To get around this error, and get the Certificate Authority service to start, remove all the logs from the C:\Windows\system32\CertLog directory that should be where your .edb database file lives, leave the database file there
    This worked for us on three of four of our CA servers, the other one had a database that went down in a dirty state, so we had to use ESEUTIL utility to fix the database.
    NOTE: there is no ESEUTIL utility on the CA servers, so we had to copy our database to an Exchange server in our test lab, then run ESEUTIL /MH to see what the Status is, it may say Dirty or Clean, then we ran ESEUTIL /P (P for Repair, go figure I know
    right) anyway that fixed the database, so we copied it back over to the CA and started the service
    hope this helps some of you out, we have a case opened with Microsoft Technical Support on this issue and will update this thread with their feedback as well once they get back to us (it has been a week already)

  • CA Certificate Authority CRL Distribution Points hel

    Hello,
    I am far from an SSL certificate expert but I generally understand how everything works since we have to manually re-key the servers yearly....

    Hi Jozef,
    Thank you for your reply.
    The file CAPolicy.inf should be located in %windir% folder.
    Based on my research, the properties of the new CA certificate are generated by the information in the old CA certificate, if CAPolicy.inf does not exist. Therefore, the CDP extension of the new CA certificate still has the old URL.
    To correct the CDP extension of the root CA certificate, you need to create a CAPolicy.inf file, edit the CAPolicy.inf file to contain the required URL in the CRLDistributionPoint section, such as:
    [CRLDistributionPoint]
    URL="ldap:///CN=Ad!002fArt%20Slovakia%20CA,CN=EDGE,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADART,DC=LOCAL?certificateRevocationList?base?objectClass=cRLDistributionPoint"
    URL="http://edge.adart.local/CertEnroll/Ad!002fArt%20Slovakia%20CA.crl"
    And then, save the file in the %systemroot% folder, and renew CA certificate. After that, you should see the correct URLs in the CDP extension of the new CA certificate.
    For more information about CAPolicy.inf, please refer to the following articles:
    How CA Certificates Work
    http://technet.microsoft.com/en-us/library/cc737264(WS.10).aspx
    CAPolicy.inf Syntax
    http://technet.microsoft.com/en-us/library/cc728279(WS.10).aspx
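As an added example (not code from either thread), the PowerShell below decodes the CDP extension of every CA certificate version the CA has written to CertEnroll, flags a self-signed root that carries one (the first question on this page) and compares the URLs with the ones you intend to put in the CAPolicy.inf [CRLDistributionPoint] section (this thread). The expected URLs and the CertEnroll path are placeholders, not values from the posts.

```powershell
# Added example, not code from the thread. Decodes the CRL Distribution Points
# extension (OID 2.5.29.31) of CA certificates and compares it with the URLs
# you plan to put in the [CRLDistributionPoint] section of CAPolicy.inf.
# $expected and the CertEnroll path below are assumptions for illustration.

function Get-CdpUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the decoded extension one field per line; each
    # distribution point appears as a "URL=<uri>" line.
    $text = $ext.Format($true)
    [regex]::Matches($text, '(?m)URL=(.+?)\s*$') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CaCertCdp {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [string[]]$ExpectedUrls = @()
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $urls = @(Get-CdpUrls -Certificate $cert)
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $findings = @()

    if ($selfSigned -and $urls.Count -gt 0) {
        # A root is trusted because it sits in the Trusted Root store, so nothing
        # chains through its CDP; the extension is usually inherited from the
        # previous CA certificate when CAPolicy.inf was absent at renewal.
        $findings += 'self-signed CA certificate carries a CDP extension'
    }
    if (-not $selfSigned -and $urls.Count -eq 0) {
        $findings += 'subordinate CA certificate has no CDP, so its revocation status cannot be checked'
    }
    if ($ExpectedUrls.Count -gt 0 -and $urls.Count -gt 0) {
        $missing = @($ExpectedUrls | Where-Object { $urls -notcontains $_ })
        $stale   = @($urls | Where-Object { $ExpectedUrls -notcontains $_ })
        if ($missing) { $findings += "missing: $($missing -join ' | ')" }
        if ($stale)   { $findings += "stale: $($stale -join ' | ')" }
    }
    $summary = if ($findings) { $findings -join '; ' } else { 'ok' }

    [pscustomobject]@{
        File       = Split-Path $CertPath -Leaf   # e.g. RootCA_CorporateRootCA(1).crt for renewal 1
        Subject    = $cert.Subject
        SelfSigned = $selfSigned
        NotAfter   = $cert.NotAfter
        CdpUrls    = $urls
        Findings   = $summary
    }
}

# Constructed expected values; replace them with the URLs from your CAPolicy.inf.
$expected = @(
    'ldap:///CN=Corporate%20Root%20CA,CN=ROOTCA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint',
    'http://pki.example.local/CertEnroll/Corporate%20Root%20CA.crl'
)

# Every CA certificate version the CA has written to CertEnroll.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" |
    ForEach-Object { Test-CaCertCdp -CertPath $_.FullName -ExpectedUrls $expected } |
    Format-List File, SelfSigned, NotAfter, CdpUrls, Findings
```

Run it on the CA after each renewal: a version whose URLs show as "stale" is the one that was renewed without CAPolicy.inf in place.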

  • Windows Server 2008 R2 Certificate Authority does write certificates to configured AIA locations

    I have a stand-alone root and enterprise issuing CA hierarchy. Both are configured with an AIA location to write a copy of the CA certificate to C:\Windows\system32\CertSrv\CertEnroll\<CaName><CertificateName>.crt
    REG value below:
    1:C:\Windows\system32\CertSrv\CertEnroll\%3%4.crt
    When the certificate services is restarted, the certificate file written to the location is as if the default configuration was still in place, e.g. C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
    Can this be fixed or do I need to manually create the file?

    Hi,
    Any update?
    Please let us know if you would like further assistance.
    Regards, Yan Li

  • Certificate Authority cannot find domain controller

    I recently started working for a company that has an offline CAROOT server and an online CASUB server. Prior to my arrival, the old 2008 DCs were replaced with new 2012 DCs, in a proper upgrade. After the new DCs worked, the old ones were demoted, shut down
    and eventually deleted.
    Unfortunately, it looks like one of the things that was missed was the re-jigging of the certificate authority to the new domain controller(s), such that after a few months, the CDP Locations have expired (they point at the correct location, the CASUB server).
    When I check the Manage AD Containers entry, I can see that the RootCA is now showing as "Untrusted Root" and all the entries in the CDP Container show as Expired.
    Is there an easy way to repair this (the old DCs can not be spun up again, they are gone), or will I need to set up an all new certificate infrastructure?
    We use certificates to determine what workstations are allowed on the network infrastructure (the Cisco switch ports exa, while workstations currently have unexpired certificates, they can still access the network, but when they start to expire, we will
    have workstations unable to connect to the network.
    I am fairly new to managing certificates and authorities.

    Hi Michael,
    the CDP Locations have expired (they point at the correct location, the CASUB server).
    You can publish a new CRL by right click on Revoked Certificates container.
    More information for you:
    How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
    http://social.technet.microsoft.com/wiki/contents/articles/19160.how-to-publish-new-certificate-revocation-list-crl-from-offline-root-ca-to-active-directory-and-inetpub.aspx
    Specify CRL Distribution Points
    https://technet.microsoft.com/en-us/library/cc753296.aspx
    Best Regards,
    Amy

  • Certificate Authority is not being seen by windows server 2003 machines

    Good Afternoon,
    We recently installed a certificate authority using Windows Server 2008 R2. There was an old certificate authority that had gone bad and the role could not be uninstalled on the bad server. The new certificate authority works with Windows 2008 machines but
    does not work with server 2003 machines. Mainly trying to get the domain controller certificate. At first it was stating that the rpc was unavailable for the CA. I tried to delete the remnants under the sites and services role of the old server. The error
    now it states that it cannot find a certificate authority. As stated above the newer machines (Server 2008) can see the certificate authority and request certificates but older machines can't. Any assistance on what to do next will be greatly appreciated.
    Attached is the error I receive when trying to request a certificate through the CA mmc.
    dmg

    It is possible to change the hash algorithm a CA uses  to support XP and 2003 "out of the box" without the hotfix.
    But it would be better to have two CAs in parallel - one using a more modern algorithm and a CA supporting a "legacy" algorithm - and the latter should only be used as long as there are clients that aren't able to validate the other algorithms.
    On the CA, start regedit and locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA>\CSP
    I am assuming that the Software CNG provider is used with SHA256 or higher (not with SHA1).
    Change CNGHashAlgorithm to SHA1 and restart the CA service.
    The setting can be reverted by changing the value back. All certificates and all CRLs signed by this CA will use the new hash algorithm after the restart.

  • Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

    We have a Certificate Authority (Version: 5.2.3790.3959) configured on a Windows 2003 R2 server in our environment. How do I generate an SSL cert with a stronger signature algorithm such as SHA1 or SHA2?
    Currently I am only able to generate SSL certs with md5RSA.

    Hi,
    Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
    Therefore, you need to build a new CA to use a new algorithm.
    More information for you:
    Is it possible to change the hash algorithm when I renew the Root CA
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
    Changing public key algorithm of a CA certificate
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
    modify CA configuration after Migration
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
    Best Regards,
    Amy Wang
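As an added example (not code from either of the two hash-algorithm threads above), the PowerShell below reads the CA's CSP hash setting from the registry path named in the first reply and inventories which certificates in a store were signed with MD5 or SHA-1, so you know what still depends on a legacy algorithm before changing the CA or building a new one. The CA name is a placeholder.

```powershell
# Added example, not code from the threads. Two defender-side checks for the
# hash algorithm question: read the CA's configured hash setting and inventory
# certificates signed with MD5 or SHA-1. $CaName is an assumed placeholder; the
# registry path is the one quoted in the reply above.

function Get-CaHashAlgorithmSetting {
    param([Parameter(Mandatory)][string]$CaName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName\CSP"
    $csp = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        CA               = $CaName
        Provider         = $csp.Provider
        # CNGHashAlgorithm applies to a CNG (Key Storage Provider) CA; a legacy
        # CryptoAPI CSP uses the numeric HashAlgorithm value instead.
        CNGHashAlgorithm = $csp.CNGHashAlgorithm
        HashAlgorithm    = $csp.HashAlgorithm
    }
}

function Get-SignatureAlgorithmInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $broken     = @('md2RSA', 'md4RSA', 'md5RSA')
    $deprecated = @('sha1RSA', 'sha1DSA', 'sha1ECDSA')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $alg = $_.SignatureAlgorithm.FriendlyName
        if ($broken -contains $alg) { $risk = 'broken' }
        elseif ($deprecated -contains $alg) { $risk = 'deprecated' }
        else { $risk = 'ok' }
        [pscustomobject]@{
            Subject   = $_.Subject
            Issuer    = $_.Issuer
            NotAfter  = $_.NotAfter
            Algorithm = $alg
            Risk      = $risk
        }
    } | Sort-Object Risk, NotAfter
}

# Usage (assumed CA name). Run the inventory against the stores that matter to
# you, e.g. LocalMachine\My on servers and LocalMachine\CA for intermediates.
Get-CaHashAlgorithmSetting -CaName 'Corporate-Issuing-CA' | Format-List
Get-SignatureAlgorithmInventory -StorePath 'Cert:\LocalMachine\My' |
    Where-Object { $_.Risk -ne 'ok' } | Format-Table -AutoSize
```

Certificates the inventory marks "broken" or "deprecated" are the ones that will have to be reissued before the legacy CA can be retired.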

  • Request Smartcard Logon certificates for more than 2 years from Certificate Authority

    Dear all,
    I have setup a Certificate Services in a Windows Server 2008 R2 domain and I request certificates via the CA webpage
    http://ipofdomainserver/certsrv using the SmartCard logon custom template.
    The problem is that my certificates are only valid for 2 years even though when I created my custom Smartcard logon I selected for validity period 5 years. 
    I read in documentation that issued certificates cannot have a greater validity than the root that signed them.
    What and where I should modify to be able to request certificates from the template for more years than standard 2 ?
    Ps: WINSC-CA is valid for 5 years. Should I generate a new WINSC-CA ? How ?

    I was successfully able to create a root CA for 20 years, issued a certificate and login using smartcard using the following procedure:
    1. I increased the CA lifetime to 20 years by using this link http://www.expta.com/2010/08/how-to-create-certificates-with-longer.html
    Created the file CAPolicy.inf in %SYSTEMROOT% with following content
    [Version]
    Signature="$Windows NT$"
    [certsrv_server]
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    2. Renew CA root using this guide  https://technet.microsoft.com/en-us/library/cc780374(v=ws.10).aspx
    Console Root -> Certification Authority -> select domain -> Right click -> All Tasks ->
    Renew CA certificate
    3. Delete from Console Root -> Certificates (local computer) -> Trusted Root Certification
    Authority -> Certificates the *WINSC-CA that has the previous lower validity, and from 
    Certificates (local computer) -> Personal, the *WINSC-CA that was lower validity
    4. I performed a reboot here
    5. Change in Console Root -> Certificate Templates -> Smartcard Logon Custom Template (my custom duplicate template) -> Properties -> Validity 10 years
    6. Change in registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\ValidityPeriod
    to value 10 for 10 years.
    7. Request a new certificate from CA webpage http://ipofdomain/certsrv and let the webpage write it to
    smartcard (I was making sure there is no other certificate on the smartcard)
    8. Try to log in. At this point it should throw an error that smartcard logon is not supported for this
    account type. This is because we need to enroll it again for domain authentication
    9. Console Root -> Certificates (local Computer) -> Personal -> Right click -> All Tasks ->
    Request new Certificate -> Next -> Active Directory Enrollment -> Next -> Select Domain Controller Authentication -> Enroll -> Finish.
    Now you should be able to login using your smartcard and 10 years generated certificate.
    Though I have a problem at step 3, after CA server reboots the *WINSC-CA certificate with lower
    validity is restored automatically, but the certificates are generated for 10 years.
    What am I doing wrong ? How can I delete the lower validity root CA ?
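As an added example (not code from the thread), the PowerShell below computes the longest lifetime a certificate requested now can actually receive from a Windows CA: the template validity, the CA's ValidityPeriod registry setting from step 6 and the CA certificate's own expiry each cap it, and the shortest one wins, which is why the 5-year template in the question produced 2-year certificates. The CA name and the template validity are assumptions.

```powershell
# Added example, not code from the thread. Reports which of the three limits
# (template validity, the CA's ValidityPeriod registry setting, the CA
# certificate's own NotAfter) caps the lifetime of a certificate issued now.
# $CaName is an assumed placeholder; the registry path is the one from step 6.

function Get-EffectiveValidity {
    param(
        [Parameter(Mandatory)][string]$CaName,
        [Parameter(Mandatory)][int]$TemplateValidityYears,
        [datetime]$RequestTime = (Get-Date)
    )
    $cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $cfg = Get-ItemProperty -Path $cfgKey -ErrorAction Stop
    $units = [int]$cfg.ValidityPeriodUnits
    $registryEnd = switch ($cfg.ValidityPeriod) {
        'Years'  { $RequestTime.AddYears($units) }
        'Months' { $RequestTime.AddMonths($units) }
        'Weeks'  { $RequestTime.AddDays(7 * $units) }
        'Days'   { $RequestTime.AddDays($units) }
        'Hours'  { $RequestTime.AddHours($units) }
        default  { throw "Unexpected ValidityPeriod value '$($cfg.ValidityPeriod)'" }
    }

    # The CA signs with the newest CA certificate whose private key it holds
    # (assumption: its subject starts with the CA name, as in a default install).
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$CaName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $caCert) { throw "No CA certificate with a private key found for '$CaName'" }

    $limits = [ordered]@{
        Template      = $RequestTime.AddYears($TemplateValidityYears)
        Registry      = $registryEnd
        CaCertificate = $caCert.NotAfter
    }
    # The earliest end date is the one that actually limits issued certificates.
    $binding = $limits.GetEnumerator() | Sort-Object Value | Select-Object -First 1
    [pscustomobject]@{
        CA                = $CaName
        EffectiveNotAfter = $binding.Value
        LimitedBy         = $binding.Key
        TemplateLimit     = $limits['Template']
        RegistryLimit     = $limits['Registry']
        CaCertLimit       = $limits['CaCertificate']
    }
}

# Usage (assumed CA name): a 5-year smart card logon template on a CA whose
# registry still says ValidityPeriod=Years, ValidityPeriodUnits=2 reports
# LimitedBy = Registry; once that is raised, the CA certificate's own
# remaining lifetime becomes the next cap.
Get-EffectiveValidity -CaName 'WINSC-CA' -TemplateValidityYears 5 | Format-List
```

Rerun it after each change in the procedure above to confirm which limit is now binding rather than guessing from the validity of a freshly issued certificate.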

  • Rename Certificate Authority

    I would like to rename my CA server. I know that if you back and restore the CA it has to be the same name (or you have tons of problems), but can you change the name of the server after it is restored? Is there something that will bite me if I do? My current
    CA is on Windows 2008 and I will upgrade to R2 soon, but I wanted to rename before I do, assuming that there is no big deal doing that.
    SnoBoy

    Can somebody help me, I renamed my domain controller without realizing it was a certificate authority. Can I just rename it back??? Now I am getting these errors in the event log:
    Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location on server mydomain.local:
    ldap:///CN=mydomain-DOMAINCONTROLLE-CA,CN=mydomain,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local.  Directory object not found. 0x8007208d (WIN32: 8333).
    ldap: 0x20: 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
         'CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=local'
    The reason we renamed it in the first place was because the original
    host name had more than 15 characters and was breaking Hyper-V integration.
    Note: i am in no way an experienced Windows admin so please be nice:)

  • Change domain membership of enterprise certificate authority server

    Hello,
    I'm just wondering if a certificate authority can be a member of a domain controller in another forest. A colleague decided to deploy a new AD forest from scratch and joined all the workstations to a new domain controller, however, he didn't realize they had an
    enterprise certificate authority still running on the old domain controller.
    They are running Windows Server 2008 R2.
    Regards,
    Alberto Reis

    If the question is "Can the clients still enroll for certificates from the CA in the other forest?":
    On principle yes, but you would need to deploy one of these solutions for cross-forest enrollment:
    Certificate Enrollment Web Services in Windows Server 2008 R2
    (AD CS roles, HTTPs based enrollment)
    AD CS: Deploying Cross-forest Certificate Enrollment
    (Powershell scripts syncing objects cross-forest)
    If the question is "Can the CA be migrated to the new forest?"
    It depends on AIA and CDP URLs that had been used in the other forest. The CA still needs to publish current CRLs to the "old" locations that are embedded in already issued certificates. If the default URLs had been used these point to LDAP locations
    in the old forest.
    On principle it can be done if there is still one old DC and clients can access the other forest... and you setup some manual publication to the other forest... but this gets kind of messy.
    It would be easier to install a new CA from scratch in the new forest with new URLs and make sure that all clients enroll for new certificates. But if you aren't 100% you "caught" all applications using the old certificates you would need to keep
    at least the old CDP URLs active.
    The CA should also not run on a domain controller - this makes it even more complicated. I am not sure if this is supported.
    Elke

  • The effects of removing a certificate template from a Certificate Authority

    I have inherited what I am beginning to believe is a poorly designed PKI Infrastructure. I have 1 root CA and 2 Issuing CAs all 2008 R2. My root certificate authority is expiring in about 2 months so I am planning to renew it and the Subordinate CAs soon.
    I see that the root CA has issued a lot of certificates and that many templates are available. The root is not offline. (I know not best practice).
    I would like to remove these templates from the Root CA and allow the subordinates to do all the issuing. If I do this before I renew the Root CA then all the certs currently issued will expire in 2 months and not be renewed on the Root CA.
    My questions are:
    In the scenario above will the certificates originally issued by the Root CA be renewed on the Subordinate CAs?
    Most of these certs seem to be auto enrolled. Will Auto Enrollment know to go to the Subordinate CA from now on?
    Are there any other concerns with taking this action that I should be aware of?
    Most of the certificate templates on the Root CA are default templates and I believe are Auto Enrolled. (I haven’t manually issued certs for these templates)
    Basic EFS
    Computer (I know this one is auto enroll)
    Domain Controller

    First, you have to renew all CA certificates starting with root (down to hierarchy) before you proceed.
    > In the scenario above will the certificates originally issued by the Root CA be renewed on the Subordinate CAs?
    yes. Clients will use any enterprise CA that supports specified template.
    > Most of these certs seem to be auto enrolled. Will Auto Enrollment know to go to the Subordinate CA from now on?
    again, yes, see above.
