AlRose (Posts: 24) | 05/28/2010 1:05 PM
Hi all,
I am taking over my company's PKI management and I have a problem figuring out how things work. We have an online CA server that is used to issue certificates (only for wireless authentication, I believe) and 2 offline CAs. The 2 offline CAs had to be powered on last week because we noticed that the WiFi clients that use certificates were not able to log in. I re-signed the certificates on the offline servers using certutil -resign and republished them using certutil -DSPublish. WiFi is working again, but when clicking PKIview.msc our PKI shows red crosses. One thing that surprises me is that a certificate is located at http://webmail.acme.com/CertData. I don't see why certificates are stored on an IIS location? Is that best practice? Please see screenshot attached; I have tried to re-sign the certificate located on the IIS server, but when I try to publish it, it cannot find any certificates...
    certutil -sign "Policy CA.crl" "Policy CA_resigned.crl"
    ThisUpdate: 2009-05-25 12:06
    NextUpdate: 2011-05-28 02:10
    CRL Entries: 3
Then a window pops up to select a certificate, but no certificates show up.
Any help greatly appreciated, thanks.
ken (Posts: 140) | 05/28/2010 1:31 PM
Hi,
Just quickly, as on the run:
Strongly recommend picking up Brian Komar's PKI book, as that will explain a lot of the basics here.
CDP - CRL Distribution Point. It's not a place where you publish certs - it's where you publish your CRL (certificate revocation list), so that people/devices can check what certificates you've revoked.
If you are being prompted for a certificate in IE when connecting to a website, then it means that IIS has been configured to require client authentication certs. If you don't see one available in the pop-up, it means that your user profile on the machine you are using doesn't have a user authN cert from a CA that IIS trusts. If this is your IIS server, you could issue yourself an appropriate client-authN cert to allow you to connect.
Cheers,
Ken
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Al Rose
Sent: Friday, 28 May 2010 10:04 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [OT] PKI infrastructure and webmail
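The failure described in this thread (an expired CRL sitting at an HTTP CDP, so clients reject otherwise valid certificates and PKIView shows red crosses) is something you can check from any domain-joined box before it bites. The script below is an added example, not code from the thread or from the list members: it reads the CDP URLs out of a CA certificate file, fetches each HTTP CRL the way a client would, and reports which ones are expired or about to expire. It assumes certutil.exe (the AD CS tools) is installed and that the CDP URLs are reachable from where you run it; the date parsing relies on certutil printing dates in the local format.

```powershell
# Added example (not from the thread): walk the HTTP CDP URLs in one or more CA certificates,
# download each CRL, and flag any that is expired or within $WarnDays of its NextUpdate.
# Assumes certutil.exe is present and the CDPs are reachable from this machine.
param(
    [Parameter(Mandatory)][string[]]$CaCertPath,   # .cer/.crt files of the CAs to check
    [int]$WarnDays = 7
)

function Get-CdpUrl {
    param([string]$CertFile)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." line per distribution point
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlAtUrl {
    param([string]$Url, [int]$WarnDays)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints the same ThisUpdate/NextUpdate lines shown in the original post
        $dump = (& certutil.exe -dump $tmp 2>&1) -join "`n"
        $next = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        if (-not $next) { throw 'certutil reported no NextUpdate; the file is probably not a CRL' }
        $nextUpdate = [datetime]::Parse($next)        # certutil uses the local date format
        $left = $nextUpdate - (Get-Date)
        $state = if ($left.TotalSeconds -le 0) { 'EXPIRED' }
                 elseif ($left.TotalDays -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        [pscustomobject]@{ Url = $Url; NextUpdate = $nextUpdate
                           DaysLeft = [math]::Round($left.TotalDays, 1); State = $state }
    } catch {
        # An unreachable CDP is as bad as an expired CRL for clients that hard-fail on revocation
        [pscustomobject]@{ Url = $Url; NextUpdate = $null; DaysLeft = $null
                           State = "UNREACHABLE: $($_.Exception.Message)" }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$CaCertPath |
    ForEach-Object { Get-CdpUrl $_ } |
    Where-Object { $_ -like 'http://*' } |        # LDAP CDPs need a domain client; check HTTP here
    ForEach-Object { Test-CrlAtUrl $_ $WarnDays } |
    Format-Table -AutoSize
```

Run it against the exported certificates of the root, policy and issuing CAs; any row that is EXPIRED or UNREACHABLE is what PKIView is flagging, and the fix is to publish a fresh CRL from the CA that owns it (the offline CA, for the offline CAs' CRLs) to that URL.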
AlRose (Posts: 24) | 05/28/2010 2:55 PM
Hi Ken,
Actually, I don't get the pop-up window trying to access a website; I get the pop-up window trying to sign the CRL. I am trying to re-sign a CRL on a server; the CDP is http://..., so the CRL is located on an IIS box that has a web folder where the CRL files are. I picked the expired one and tried to run certutil -sign, but I don't understand why it can't re-sign it (why this box is empty).
Thanks for the book mention, I will try to get it.
On Fri, May 28, 2010 at 2:28 PM, Ken Schaefer <Ken@adopenstatic.com> wrote: