PKI View Healthcheck - Root CA - Unable to download CDP Location #1

Question

Within PKIView.msc I'm seeing an error for the Root CA -- CDP Location #1, set to LDAP.

Everything else is reporting as healthy except for this. Is there a way to re-publish this, or what would be the best way to start determining where I went wrong with the setup?


Recommended Posts


Hi, are you seeing this after completing my 8-part lab? I've booted mine up and verified on the IssuingCA as EntAdmin with pkiview that everything looks good, and it still does after leaving it running for a day. I'd suggest you start at the beginning again and work your way through it; it's a good exercise anyway.

Take snapshots after completing each part, so that you can always revert if there's an issue later.


Odd, I've just checked my current PKI lab and although my certs were expired (it's a lab and had been shut down since March), using

certutil -crl

on the IssuingCA republished my certs and all is OK now. I've tested the PKI lab guides 3 separate times (I built 3 completely unique labs based on my own guides, e.g. Lab #9, Lab #10, Lab #11) and all succeeded 100%, as you can see below in my #11 lab...

I would suggest you guys try again and verify each and every step as you go. Also, take checkpoints (snapshots) between each part so that you can always go back if you make a mistake. Lastly, the pki.windows-noob.com webserver URL will of course be your 'own' URL, and it must be reachable by the issuing CA and others, or pkiview.msc will list a bunch of errors/failures.

Troubleshooting Tip: in PKIview.msc, highlight an entry and click on the Refresh button in the ribbon; it should re-verify the highlighted item.


Also, can you guys post screenshots of your issue(s) so we can try and figure out what the issue really is?


Hi,

I encountered the same issue: my Root CA CDP location was in error 'Unable To Download' for the offline root.

I found this was related to one specific command:

Quote

certutil -f -dspublish "E:\windows noob Root CA.crl" RootCA 

The "RootCA" value in the command above should be adapted to the hostname of your Root CA server.

Adapting this to my server hostname solved the issue.


Great guide! I initially had the 'CDP Location' and 'unable to download' issue. For me, it was the http entry CDP #2. One thing I did notice is that the path shown using pkiview ended with '.crl%EE%BE%FF' rather than just '.crl' (I can't remember the exact hex numbers). I could get to the crt via http if I removed the percentage part.

I looked in the registry on RootCA and the CDP #2 path was the last entry in the value. I know that each line must end with a return (in the registry), but for this particular line there was an extra invisible character included before the return. I removed it (but kept the return), then republished from root > issuingca and it started working.

Maybe this is due to cut-and-paste from the website? If anyone has a similar issue, check the registry of potentially affected machines for invisible characters. I was scratching my head and looking at other stuff, so I can't be sure that this was the cause, but the %EE%EF%FF didn't seem right.

PS: this was on Server 2019.

Edited by tenacious

Quote

Great guide!

Thank you! I put a ton of effort into creating it.

Quote


I initially had the 'CDP Location' and 'unable to download' issue. For me, it was the http entry CDP #2. One thing I did notice is that the path shown using pkiview ended with '.crl%EE%BE%FF' rather than just '.crl' (I can't remember the exact hex numbers). I could get to the crt via http if I removed the percentage part.

I looked in the registry on RootCA and the CDP #2 path was the last entry in the value. I know that each line must end with a return (in the registry), but for this particular line there was an extra invisible character included before the return. I removed it (but kept the return), then republished from root > issuingca and it started working.

I've seen this before too, and I thought I had fixed all the code in the 8-part series. If you could point me to the commands that you copied the code from, I'll verify them again (with Notepad++).


It was in Part 4. There are two sections:

Step 3. Configure the AIA

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.windows-noob.com/CertEnroll/%1_%3%4.crt"

Step 4. Configure the CDP

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl"

I triple-clicked to select the text, then copy-pasted into Notepad so I could change the name of the .crt and .crl.

I've just copy-pasted into Notepad again, and now that I'm looking for it, I can see that the invisible characters are there.

I'm using Firefox 68.0.1

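An added check, not from this thread or the lab guide: a small Python helper that splits a certutil -setreg CA\CRLPublicationURLs string (the \n-separated entries from Part 4) into its flag/URL entries and reports any character outside printable ASCII, together with the percent-encoded form it would take in the published CDP URL. The sample string is constructed for this example, with a U+200B zero-width space pasted onto the end of the http entry; the entry names and the cleaned-string helper are this example's own.

```python
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Constructed sample: the CDP publication string from Part 4, with an invisible
# U+200B (zero width space) pasted onto the end of the http entry.
SAMPLE_CRL_URLS = (
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl" "\\n"
    r"10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10" "\\n"
    r"2:http://pki.windows-noob.com/CertEnroll/%3%8%9.crl" "\u200b"
)

# certutil -setreg takes the literal two characters \n as the separator between
# publication entries; each entry is "<flags>:<path or URL>".
ENTRY_RE = re.compile(r"^(\d+):(.*)$", re.DOTALL)


def split_entries(value: str) -> List[str]:
    return value.split("\\n")


def find_hidden_chars(text: str) -> List[Tuple[int, str, str]]:
    """Return (index, code point, percent-encoded form) for each character outside
    printable ASCII, i.e. what would surface as %EE... in the published URL."""
    return [
        (i, "U+%04X" % ord(ch), urllib.parse.quote(ch, safe=""))
        for i, ch in enumerate(text)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


def check_publication_urls(value: str) -> List[Dict]:
    """Parse every entry and attach its flags and any hidden characters."""
    findings = []
    for n, entry in enumerate(split_entries(value), start=1):
        m = ENTRY_RE.match(entry)
        flags: Optional[int] = int(m.group(1)) if m else None
        url = m.group(2) if m else entry
        findings.append({"entry": n, "flags": flags, "url": url,
                         "hidden": find_hidden_chars(url)})
    return findings


def clean_publication_urls(value: str) -> str:
    """Drop everything outside printable ASCII so the string can be pasted into
    certutil again; the \\n separators are plain ASCII and survive."""
    return "".join(ch for ch in value if 0x20 <= ord(ch) <= 0x7E)


if __name__ == "__main__":
    for f in check_publication_urls(SAMPLE_CRL_URLS):
        status = "OK" if not f["hidden"] else "HIDDEN %s" % f["hidden"]
        print("entry %d flags=%s %s" % (f["entry"], f["flags"], status))
```

Run it against the command text as pasted from the browser; an entry reported as HIDDEN is one that pkiview.msc would show with a trailing percent-encoded sequence after .crl.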

OK thanks, I'll fix it today. I can see the characters when switching to ANSI in Notepad++, so are these the characters you are referring to?

I've no idea how they ended up there, maybe it's the forum software...
