PKI View Healthcheck - Root CA - Unable to download CDP Location #1


Within PKIView.msc I'm seeing an error for the Root CA -- CDP Location #1, set to LDAP.

Everything else is reporting as healthy except for this. Is there a way to re-publish this, or what would be the best way to start determining where I went wrong with the setup?


Hi, are you seeing this after completing my 8-part lab? I've booted mine up and verified on the IssuingCA as EntAdmin with pkiview that everything looks good, and it still does after leaving it running for a day. I'd suggest you start at the beginning again and work your way through it; it's a good exercise anyway.

Take snapshots after completing each Part, so that you can always revert if there's an issue later.


Just want to throw it out there. The exact same behavior happened on my setup. Literally everything was healthy except for the Root CA LDAP CDP location #1.


Odd, I've just checked my current PKI lab and although my certs were expired (it's a lab and was shut down since March), using

certutil -crl

on the IssuingCA republished my certs and all is ok now. I've tested the PKI lab guides 3 separate times (I built 3 completely unique labs based on my own guides, e.g. Lab #9, Lab #10, Lab #11) and all succeeded 100%, as you can see below in my #11 lab...

[image: image.png]

I would suggest you guys try again and verify each and every step as you go. Also, take checkpoints (snapshots) between each part so that you can always go back if you make a mistake. Lastly, the pki.windows-noob.com webserver URL will of course be your 'own' URL, and it must be reachable by the issuing CA and others or pkiview.msc will list a bunch of errors/failures.

Troubleshooting Tip: in PKIview.msc, highlight an entry and click on the Refresh button in the ribbon, it should re-verify the highlighted item.


Also, can you guys post screenshots of your issue(s) so we can try and figure out what the issue really is?


Hi,

I encountered the same issue: my Root CA CDP location was in error 'Unable To Download' for the offline root.

I found this was related to one specific command:

certutil -f -dspublish "E:\windows noob Root CA.crl" RootCA

The "RootCA" value in the command above should be adapted to the hostname of your Root CA server.

By adapting this to my server hostname, it has solved this issue.


good point, thanks for sharing


Great guide! I initially had the 'CDP Location' and 'unable to download' issue. For me, it was the http entry CDP #2. One thing I did notice is that the path shown using pkiview ended with '.crl%EE%BE%FF' rather than just the '.crl' (I can't remember the exact hex numbers). I could get to the crt via http if I removed the percentage part.

I looked in the registry on RootCA and the CDP #2 path was the last entry in the value. I know that each line must end with a return (in the registry), but for this particular line, there was an extra invisible character included before the return. I removed it (but kept the return), then republished from root > issuingca and it started working.

Maybe this is due to cut-and-paste from the website? If anyone has a similar issue, check the registry of potentially affected machines for invisible characters. I was scratching my head and looking at other stuff, so I can't be sure that this was the cause, but the %EE%EF%FF didn't seem right.

PS - this was on Server 2019

Edited by tenacious

Quote: Great guide!

Thank you! I put a ton of effort into creating it.

Quote: I initially had the 'CDP Location' and 'unable to download' issue. For me, it was the http entry CDP #2. One thing I did notice is that the path shown using pkiview ended with '.crl%EE%BE%FF' rather than just the '.crl' (I can't remember the exact hex numbers). I could get to the crt via http if I removed the percentage part.

I looked in the registry on RootCA and the CDP #2 path was the last entry in the value. I know that each line must end with a return (in the registry), but for this particular line, there was an extra invisible character included before the return. I removed it (but kept the return), then republished from root > issuingca and it started working.

I've seen this before too, and I thought I fixed all code in the 8-part series. If you could point me to the commands that you copied the code from, I'll verify them again (with Notepad++).


It was in Part 4. There are two sections:

Step 3. Configure the AIA

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

Step 4. Configure the CDP

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl"

I triple-clicked to select the text, then copy-pasted into Notepad so I could change the name of the .crt and .crl.

I've just copy-pasted into Notepad again, and now that I'm looking for it, I can recognise that the invisible characters are there.

I'm using Firefox 68.0.1.

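The two certutil -setreg commands quoted above, together with the hidden-character symptom tenacious described, are a case where reading the CA's registry values directly is quicker than guessing from pkiview. The PowerShell below is an added example, not code from this thread or from the windows-noob guide. It decodes the numeric prefixes (1, 2, 10) that certutil stores in CA\CRLPublicationURLs and CA\CACertPublicationURLs into the documented flag meanings, and reports any character outside printable ASCII in each URL, which is what turns up as a '%XX%XX%XX' tail in pkiview. The two URL strings are copied from the commands quoted above; the byte-order mark appended to the last CDP entry is constructed to reproduce the symptom, and the registry location HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration with its Active value is assumed to be the standard AD CS location.

```powershell
# Added example, not part of the thread or of the windows-noob guide.
# (1) decode the flag prefixes certutil -setreg writes to CA\CRLPublicationURLs
#     and CA\CACertPublicationURLs, and
# (2) flag any character outside printable ASCII, which is how a pasted
#     zero-width character or byte-order mark becomes a '%XX%XX%XX' tail on a URL.

# Documented meaning of the flag bits; the prefix is the sum of the bits,
# so the guide's '10:' ldap entry is 8 + 2.
$CdpFlagMeanings = @{
    1   = 'publish CRLs to this location'
    2   = 'include in the CDP extension of issued certificates'
    4   = 'include in CRLs (clients use it to find delta CRL locations)'
    8   = 'include in all CRLs; also where manual AD publishing (dspublish) goes'
    64  = 'publish delta CRLs to this location'
    128 = 'include in the IDP extension of issued CRLs'
}
$AiaFlagMeanings = @{
    1  = 'publish CA certificates to this location'
    2  = 'include in the AIA extension of issued certificates'
    32 = 'include in the OCSP extension of issued certificates'
}

function Test-PublicationUrlList {
    # Takes REG_MULTI_SZ entries of the form '<flags>:<url>' and returns one
    # object per entry with the decoded flags and any hidden characters found.
    param(
        [Parameter(Mandatory)] [string[]] $Entries,
        [Parameter(Mandatory)] [hashtable] $FlagMeanings
    )
    foreach ($entry in $Entries) {
        # Split only on the first ':' so a 'C:\...' file path stays whole.
        $prefix, $url = $entry -split ':', 2
        $flagValue = [int]$prefix
        $decoded = foreach ($bit in ($FlagMeanings.Keys | Sort-Object)) {
            if ($flagValue -band $bit) { '{0} = {1}' -f $bit, $FlagMeanings[$bit] }
        }
        # Anything outside 0x20-0x7E has no business in a CDP/AIA URL.
        $hidden = for ($i = 0; $i -lt $url.Length; $i++) {
            $code = [int][char]$url[$i]
            if ($code -lt 0x20 -or $code -gt 0x7E) {
                'offset {0}: U+{1:X4}, shown in a URL as {2}' -f $i, $code, [System.Uri]::EscapeDataString([string]$url[$i])
            }
        }
        [pscustomobject]@{
            Flags            = $flagValue
            FlagMeanings     = $decoded
            Url              = $url
            HiddenCharacters = $hidden
            Healthy          = -not $hidden
        }
    }
}

# The two URL lists exactly as quoted in this thread from Part 4 of the guide.
# certutil turns the literal '\n' into separate REG_MULTI_SZ lines, so split on it here too.
$aiaFromGuide = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt'
$cdpFromGuide = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl'

$cdpEntries = $cdpFromGuide -split '\\n'
# Constructed: a byte-order mark appended to the last (HTTP) entry reproduces the
# '.crl%XX%XX%XX' tail described in the thread (the poster could not recall the
# exact bytes; U+FEFF would show as %EF%BB%BF).
$cdpEntries[-1] += [char]0xFEFF

Test-PublicationUrlList -Entries ($aiaFromGuide -split '\\n') -FlagMeanings $AiaFlagMeanings | Format-List
Test-PublicationUrlList -Entries $cdpEntries -FlagMeanings $CdpFlagMeanings | Format-List

# On a CA, check the live values certutil -setreg actually wrote (assumed
# standard AD CS location; 'Active' holds the name of the running CA).
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfg) {
    $caName = (Get-ItemProperty -Path $cfg).Active
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
    Test-PublicationUrlList -Entries $ca.CRLPublicationURLs    -FlagMeanings $CdpFlagMeanings | Where-Object { -not $_.Healthy }
    Test-PublicationUrlList -Entries $ca.CACertPublicationURLs -FlagMeanings $AiaFlagMeanings | Where-Object { -not $_.Healthy }
}
```

Run it on the CA after pasting the commands from the guide: an entry reported as unhealthy names the offset and code point of the stray character, so it can be removed with certutil -setreg (or regedit) and the CRL republished with certutil -crl, after which pkiview's Refresh should clear the CDP error.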

Ok thanks, I'll fix it today. I can see the characters when switching to ANSI in Notepad++, so are these the characters you are referring to?

I've no idea how they ended up there, maybe it's the forum software...

[image: ansi.png]


Ok this is weird, I've looked at the first command in Part 3 of Step 4, I copied the text and pasted it into Notepad++, and even in ANSI it shows correctly! But your paste has the hidden characters...

So what's going on? It looks fine to me now without me making any change. What browser are you using and how are you copying/pasting the text?

Here I copy the original command line:

[image: copy.png]

and paste it into Notepad++, and there are no hidden characters!

[image: no error.png]


Ok, I've figured it out: the lines with invisible characters have the code set to 'html' where they should be set to 'no syntax highlighting'.

[image: image.png]


I just checked again by copy/paste into notepad. The invisible characters are no longer there, so it looks like whatever you changed worked.


Great, if you see any more code that needs fixing let me know. Thanks for your help.
