CRL Issues with Win2k3 Cert Svcs

Giganews Newsgroups
Subject: CRL Issues with Win2k3 Cert Svcs
Posted by:  techadmin (BT.Techadm…@gmail.com)
Date: Tue, 8 Jan 2008

We use 802.1x authentication for all of our wireless clients. Recently
wireless authentication in our child domain only (not sure if that has
anything to do with the issue) stopped working.

The error message in the Event log on the (IAS) RADIUS server is
Reason-Code = 259
Reason = The revocation function was unable to check revocation
because the revocation server was offline.

The CA can be reached by short-name as well as FQDN even when the
above is logged.

I have inspected the CA which has two root certificates installed.

When I look at the CDPs (CRL Distribution Points) I see the standard
entries:
C:\windows\system32\certenroll\<CaName><CRLNameSuffix><DeltaAllowed>.crl
Publish CRLs to this location is set.
Publish Delta CRLs to this location is set.

ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
All Options Set

http://<ServerDNSName>/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
Include in CRLs. Clients use this to find Delta CRL locations is set.
Include in the CDP extension of issued certificates is set.

File://\\<ServerDNSName>/Certenroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
No options are set.

I have manually copied and installed (letting Windows choose the right
store) the CRL downloaded from the CA to the server running IAS. This
did not address the issue.

Users requesting certificates from the CA get the message:
"The certificate request failed because of one of the following
conditions:
- The certificate request was submitted to a Certificate Authority
(CA) that is not started" (CA was verified running)
"- You do not have permissions to request certificates from the
available CAs." (This was never an issue before - where can I verify
that permissions are correct here?)

I've also run certutil and a "-cainfo" returns:
H:\>certutil -cainfo
Exit module count: 1
CA name: BoldTechCA1
Sanitized CA short name (DS name): BoldTechCA1
CA type: 0 -- Enterprise Root CA
    ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 2
KRA cert count: 0
KRA cert used count: 0
CA cert[0]: 3 -- Valid
CA cert[1]: 3 -- Valid
CA cert version[0]: 0 -- V0.0
CA cert version[1]: 1 -- V1.0
CA cert verify status[0]: 0
CA cert verify status[1]: 0
CRL[0]: 3 -- Valid
CRL[1]: 1 -- Error: No CRL for this Cert -- Is this an issue?  How can
I create a CRL for the second root certificate?
CRL Publish Status[0]: 0x45 (69)
    CPF_BASE -- 1
    CPF_COMPLETE -- 4
    CPF_MANUAL -- 40 (64)
Delta CRL Publish Status[0]: 0x46 (70)
    CPF_DELTA -- 2
    CPF_COMPLETE -- 4
    CPF_MANUAL -- 40 (64)
DNS Name: FS1.boldtech.internal
Advanced Server: 0
CertUtil: -CAInfo command completed successfully.

Thanks for your time you all!
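An added diagnostic for the symptom described in the post (example code written for this page, not from the original poster or from Microsoft). In practice, Windows reports "the revocation server was offline" whenever it cannot obtain a CRL that is still inside its validity window, so a CRL whose Next Update time has passed produces the same Reason-Code as an unreachable CDP. The script below reads the thisUpdate and nextUpdate fields straight out of a DER-encoded CRL (the TBSCertList structure that Certificate Services writes to the certenroll share) and reports whether the CRL was valid at a given moment. To keep it self-contained it also builds a small constructed sample CRL with a placeholder signature (the signature is not verified); the issuer name BoldTechCA1 is taken from the post, the timestamps are made up for the demonstration.

```python
import datetime as dt

UTC = dt.timezone.utc

# ---- minimal DER encoder, used only to construct the sample CRLs -------------
def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """Encode a dotted OID (first two arcs combined, base-128 for the rest)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der(0x06, bytes(out))

def der_time(t):
    # UTCTime (tag 0x17), YYMMDDHHMMSSZ, the form CRLs use for dates before 2050
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

SHA1_RSA = der(0x30, der_oid("1.2.840.113549.1.1.5") + der(0x05, b""))

def issuer_name(cn):
    rdn = der(0x30, der_oid("2.5.4.3") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, rdn))

def build_sample_crl(this_update, next_update, issuer_cn="BoldTechCA1"):
    """Constructed CRL with an empty revokedCertificates list and a dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01") + SHA1_RSA + issuer_name(issuer_cn)
              + der_time(this_update) + der_time(next_update) + der(0x30, b""))
    sig = der(0x03, b"\x00" + b"\x00" * 16)  # placeholder BIT STRING, not a real signature
    return der(0x30, tbs + SHA1_RSA + sig)

# ---- DER reader: works on any DER .crl file, not only the sample above -------
def read_tlv(buf, off):
    """Return (tag, content, offset-after-element) for the element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def iter_children(content):
    off = 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        yield tag, body

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:    # UTCTime
        t = dt.datetime.strptime(s, "%y%m%d%H%M%SZ")
    elif tag == 0x18:  # GeneralizedTime
        t = dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return t.replace(tzinfo=UTC)

def crl_validity(crl_der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList."""
    _, outer, _ = read_tlv(crl_der, 0)          # CertificateList SEQUENCE
    _, tbs, _ = read_tlv(outer, 0)              # tbsCertList SEQUENCE
    fields = list(iter_children(tbs))
    if fields[0][0] == 0x02:                    # optional version INTEGER
        fields = fields[1:]
    # fields[0] = signature AlgorithmIdentifier, fields[1] = issuer Name
    this_update = parse_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):
        next_update = parse_time(*fields[3])
    return this_update, next_update

def crl_status(crl_der, now=None):
    """'valid', 'expired' or 'not yet valid' relative to `now` (UTC)."""
    now = now or dt.datetime.now(UTC)
    this_update, next_update = crl_validity(crl_der)
    if now < this_update:
        return "not yet valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "valid"

# Constructed sample data: the moment of the post and two CRLs, one fresh and one stale.
NOW = dt.datetime(2008, 1, 8, 12, 0, 0, tzinfo=UTC)
FRESH_CRL = build_sample_crl(dt.datetime(2008, 1, 7), dt.datetime(2008, 1, 14))
STALE_CRL = build_sample_crl(dt.datetime(2007, 12, 20), dt.datetime(2007, 12, 27))

if __name__ == "__main__":
    for label, crl in (("fresh", FRESH_CRL), ("stale", STALE_CRL)):
        print(label, crl_validity(crl), crl_status(crl, NOW))
```

To check a CRL pulled from the CA, call `crl_status(open("BoldTechCA1.crl", "rb").read())`; the files Certificate Services publishes to certenroll are DER, which is what the reader expects (a Base64 copy would need decoding first). If the file is already past its nextUpdate, the fix lies on the CA side (a new CRL must be published) and copying the old CRL to the IAS server, as the post describes, cannot help.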
