bwatson
Posts: 28
05/09/2007 5:07 AM
I recently upgraded our company’s domain/forest from Windows 2000 to Windows 2003 R2. Afterwards, I then upgraded our single CA server (root enterprise CA) from Windows 2000 to Windows 2003 R2 Enterprise Edition.

The deployment of our limited PKI infrastructure was not my doing and was put in place years ago before I took this position, and as a result I took this opportunity to examine the health of the Certificate Authority as best as I could. And I’ll admit, I’m far from a Microsoft PKI expert, in fact quite the opposite.

Our PKI infrastructure is used for limited purposes such as EFS and LDAPS.

When viewing the basic health of our Enterprise PKI through the PKIVIEW.MSC utility, I find a couple of errors. Here is the status when I am viewing it.

Name
CA Certificate – Status: OK
AIA Location #1 – Status: OK
AIA Location #2 – Status: OK
CDP Location #1 – Status: Expired
CDP Location #2 – Status: OK
DeltaCRL Location #1 – Status: Unable to Download
DeltaCRL Location #2 – Status: OK

The lines with “Expired” and “Unable to Download” trouble me, and I’ve spent the last couple of hours trying to use my best Google skills to come up with some answers on where to go on fixing this, and I find little to nothing on this particular issue. I was hoping someone out there would be able to provide some advice on where to look to resolve this issue.

There don’t appear to be any related warnings or errors in the event log of the CA to provide any insight.

Thanks,
Ben
deji
Posts: 140
05/09/2007 5:24 AM

Are you sure that you were actually publishing any CRL before the upgrade?

Try http://technet2.microsoft.com/windowsserver/en/library/56b47110-2ad2-4f66-a2fe-a89373b964251033.mspx?pf=true and (if you are feeling lucky) http://technet2.microsoft.com/windowsserver/en/library/a4331df0-273b-41a3-95f5-8425d39543c71033.mspx?pf=true
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
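What pkiview.msc is reporting in Ben's list is mechanical: for each CDP/DeltaCRL location it fetches the CRL and labels it "Expired" when the CRL's nextUpdate is already in the past (the CA could not write a fresh one to that location) and "Unable to Download" when the fetch itself fails (nothing was ever published there). The script below is an added example for this thread, not code from the list, from Microsoft, or from the linked TechNet pages. It uses only the Python standard library: a small DER walker that extracts thisUpdate, nextUpdate and the Delta CRL Indicator extension (OID 2.5.29.27) from a CertificateList, and a checker that applies the same three labels to an http(s):// or file:// CDP URL. The sample CRLs are constructed inline with a placeholder signature, the "Example Root CA" name and the nonexistent file:// URL are assumptions for the demo, and ldap:/// locations are deliberately not handled.

```python
"""Classify a CRL the way pkiview.msc labels a CDP location: OK, Expired, or
Unable to Download.  Added example for this thread, stdlib only.  The DER
walker handles definite-length encodings, which is all a real CRL uses."""
from datetime import datetime, timedelta, timezone
import urllib.request

DELTA_CRL_INDICATOR_OID = b"\x55\x1d\x1b"   # id-ce-deltaCRLIndicator, 2.5.29.27


def _read_tlv(buf, pos):
    """Return (tag, value, position after this element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                              # UTCTime YYMMDDHHMMSSZ
        return datetime.strptime(text, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:                              # GeneralizedTime YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unexpected Time tag {tag:#x}")


def parse_crl(der):
    """Pull thisUpdate, nextUpdate and the delta-CRL flag out of a CertificateList."""
    _, cert_list, _ = _read_tlv(der, 0)          # CertificateList ::= SEQUENCE
    tbs = _children(cert_list)[0][1]             # tbsCertList ::= SEQUENCE
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0         # optional version INTEGER
    i += 2                                       # signature AlgorithmIdentifier, issuer Name
    this_update = _parse_time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i])
        i += 1
    is_delta = False
    for tag, v in fields[i:]:                    # revokedCertificates, then [0] crlExtensions
        if tag == 0xA0:
            for _, ext in _children(_children(v)[0][1]):
                if _children(ext)[0][1] == DELTA_CRL_INDICATOR_OID:
                    is_delta = True
    return {"this_update": this_update, "next_update": next_update, "is_delta": is_delta}


def crl_status(der, now=None):
    """'Expired' when nextUpdate has passed, else 'OK' (the pkiview.msc rule)."""
    now = now or datetime.now(timezone.utc)
    nxt = parse_crl(der)["next_update"]
    return "Expired" if nxt is not None and nxt < now else "OK"


def check_cdp(url, now=None):
    """Fetch a CRL from an http(s):// or file:// CDP URL and classify it.
    ldap:/// locations are not handled here (assumption: check those with certutil)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            der = resp.read()
    except Exception:                            # any fetch failure is what pkiview reports
        return "Unable to Download"
    return crl_status(der, now)


# --- constructed sample data below; not real CA output -----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_crl(this_update, next_update, delta=False):
    """Build a minimal CRL with placeholder signature bits (demo only, not verifiable)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Example Root CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update)
    if delta:                                    # critical deltaCRLIndicator, BaseCRLNumber 5
        ext = _der(0x30, _der(0x06, DELTA_CRL_INDICATOR_OID) + _der(0x01, b"\xff")
                   + _der(0x04, _der(0x02, b"\x05")))
        tbs += _der(0xA0, _der(0x30, ext))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 17))


def demo():
    """Mirror the thread: a base CRL whose nextUpdate passed, a fresh delta CRL,
    and a CDP URL that cannot be fetched (file URL assumed not to exist)."""
    now = datetime(2007, 5, 9, 12, 0, tzinfo=timezone.utc)
    stale_base = build_sample_crl(now - timedelta(days=14), now - timedelta(days=7))
    fresh_delta = build_sample_crl(now - timedelta(days=1), now + timedelta(days=1), delta=True)
    return {
        "base": crl_status(stale_base, now),
        "base_is_delta": parse_crl(stale_base)["is_delta"],
        "delta": crl_status(fresh_delta, now),
        "delta_is_delta": parse_crl(fresh_delta)["is_delta"],
        "missing": check_cdp("file:///nonexistent/CertEnroll/never.crl", now),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

To use it against a live CA, pass `check_cdp` the http location that `certutil -getreg CA\CRLPublicationURLs` lists on the CA (for example a hypothetical `http://ca.example.com/CertEnroll/Example%20Root%20CA.crl`); an "Expired" base CRL with a current one on the other location is the signature of a publish failure to that one path, which is what Ben found. Once the CA's write access to the location is repaired, `certutil -CRL` on the CA forces a fresh base and delta CRL out, and pkiview.msc should go green on the next refresh.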
bwatson
Posts: 28
05/09/2007 5:45 AM
Your first link resolved my issue perfectly, Deji. The CA was certainly trying to publish the CRL, but was running into some rights issues. I resolved that and now life is good.

Thanks Deji!

~Ben