Mawik
Hi
I have a problem with CDP in Active Directory.
Situation:
Root CA - server PKI1,Windows 2003, Standalone, offline
Enterprise CA - server PKI2,Windows 2003, enterprise subordinate, online
Domain Controllers - domain name: domain.com (not true of course),
Windows 2000 SP4, schema updated to Windows 2003.
CDP configuration for the Enterprise CA:
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://pki.domain.com/pki/%%3%%8%%9.crl\n79:ldap://dc001/CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"
AIA configuration for the Enterprise CA:
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.domain.com/pki/%%1_%%3%%4.crt\n2:ldap://dc001/CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
I have tried to verify the CDP and AIA points.
certutil -url administrator.cer
Status
AIA - LDAP and HTTP points - verified
CDP - HTTP - verified
- LDAP - failed (The system cannot find file specified. 0x80070002)
I captured the network traffic using Network Monitor.
Request to the DC from certutil:
LDAP: ProtocolOp: SearchRequest (3)
LDAP: MessageID = 10 (0xA)
LDAP: ProtocolOp = SearchRequest
LDAP: Base Object =CN=Enterprise CA,CN=PKI2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
LDAP: Scope = Base Object
LDAP: Deref Aliases = Never Deref Aliases
LDAP: Size Limit = No Limit
LDAP: Time Limit = 0x0000000F
LDAP: Attrs Only = 0 (0x0)
LDAP: Filter
LDAP: Filter Type = Present
LDAP: Attribute Type =objectClass
Answer from the DC:
LDAP: ProtocolOp: SearchResponse (simple) (5)
LDAP: MessageID = 10 (0xA)
LDAP: ProtocolOp = SearchResponse (simple)
LDAP: Result Code = No Such Object
LDAP: Matched DN =DC=domain,DC=com
LDAP: Error Message =0000208D: NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match of:..'dc=domain,dc=com'
I have tried to use certutil (Windows 2003) to publish the CRL to the DC (Windows 2000).
ldap:///CN=Enterprise CA,CN=PKI2,CN=CDP,CN=Public Key Services,CN=Services,dc=domain,dc=com?certificateRevocationList
ldap: 0x20: 0000208D: NameErr: DSID-031001B8, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=domain,DC=com'
CertUtil: -dsPublish command FAILED: 0x8007208d (WIN32: 8333)
CertUtil: Directory object not found.
Does anybody have an idea what is wrong?
Regards
Mawik
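The two -setreg strings above pack a flag bitmask and a %n-token template per entry, and mistakes in either are hard to see by eye. The following Python is an added example, not code from the post or from Microsoft: it splits the strings on the literal \n separators, names each flag bit as certutil -getreg prints them (CSURL_SERVERPUBLISH and friends), expands the %%n tokens with CA property values constructed from the names in the post (server PKI2, CA "Enterprise CA", forest domain.com), and checks every LDAP URL for one property a publication target must have: its DN must end in the Configuration naming context, because CN=Public Key Services lives there and not in the domain NC. With the post's values, the expanded CDP template yields exactly the base object seen in the Network Monitor capture, while the URL handed to -dsPublish (rooted at dc=domain,dc=com, with no CN=Configuration component) is the one the check flags. The property values and the dc001 host are assumptions taken from the post, not queried from a real CA.

```python
"""Decode and sanity-check certutil CRLPublicationURLs / CACertPublicationURLs
values. Added example; the CA property values below are constructed from the post."""
import re
from typing import Dict, List, Optional, Tuple

# Bit names as certutil -getreg prints them for CRLPublicationURLs (CDP).
CDP_FLAGS = {1: "CSURL_SERVERPUBLISH (publish CRLs here)",
             2: "CSURL_ADDTOCERTCDP (CDP extension of issued certs)",
             4: "CSURL_ADDTOFRESHESTCRL (delta-CRL pointer in CRLs)",
             8: "CSURL_ADDTOCRLCDP (all CRLs; AD publication object)",
             64: "CSURL_SERVERPUBLISHDELTA (publish delta CRLs here)",
             128: "CSURL_ADDTOIDP (IDP extension of issued CRLs)"}
# The same bit positions carry AIA meanings in CACertPublicationURLs.
AIA_FLAGS = {1: "CSURL_SERVERPUBLISH (publish CA certs here)",
             2: "CSURL_ADDTOCERTCDP (AIA extension of issued certs)",
             32: "CSURL_ADDTOCERTOCSP (OCSP pointer in issued certs)"}
# %n tokens certutil expands in both templates.
TOKENS = {1: "ServerDNSName", 2: "ServerShortName", 3: "CaName", 4: "CertificateName",
          5: "DomainDN", 6: "ConfigDN", 7: "CATruncatedName", 8: "CRLNameSuffix",
          9: "DeltaCRLAllowed", 10: "CDPObjectClass", 11: "CAObjectClass"}
# Constructed CA properties using the names from the post (server PKI2, CA "Enterprise CA").
SAMPLE_CA = {
    "ServerDNSName": "pki2.domain.com", "ServerShortName": "PKI2",
    "CaName": "Enterprise CA", "CATruncatedName": "Enterprise CA",
    "CertificateName": "",                      # empty until the CA cert is renewed
    "CRLNameSuffix": "", "DeltaCRLAllowed": "",  # base CRL; a delta CRL expands %9 to "+"
    "DomainDN": "DC=domain,DC=com", "ConfigDN": "CN=Configuration,DC=domain,DC=com",
    "CDPObjectClass": "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "CAObjectClass": "?cACertificate?base?objectClass=certificationAuthority",
}
# The two -setreg values from the post, with the literal \n separators certutil expects.
CDP_VALUE = (r"65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n"
             r"6:http://pki.domain.com/pki/%%3%%8%%9.crl\n"
             r"79:ldap://dc001/CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10")
AIA_VALUE = (r"1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n"
             r"2:http://pki.domain.com/pki/%%1_%%3%%4.crt\n"
             r"2:ldap://dc001/CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11")
# The URL the post passed to certutil -dsPublish: it is rooted at dc=domain,dc=com.
MANUAL_PUBLISH_URL = ("ldap:///CN=Enterprise CA,CN=PKI2,CN=CDP,CN=Public Key Services,"
                      "CN=Services,dc=domain,dc=com?certificateRevocationList")


def parse_publication_urls(value: str) -> List[Tuple[int, str]]:
    """Split a -setreg value into (flags, template) pairs; entries are separated
    by a literal backslash-n (a real newline is accepted too)."""
    entries = []
    for item in re.split(r"\\n|\n", value.strip().strip('"')):
        if item.strip():
            m = re.match(r"\s*(\d+):(.+?)\s*$", item)
            if not m:
                raise ValueError(f"malformed entry: {item!r}")
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def decode_flags(flags: int, table: Dict[int, str]) -> List[str]:
    """Name each set bit and report any bit the table does not know."""
    names = [name for bit, name in table.items() if flags & bit]
    unknown = flags & ~sum(table)
    return names + ([f"unknown bits 0x{unknown:x}"] if unknown else [])


def expand_template(template: str, ca: Dict[str, str]) -> str:
    """Replace %n / %%n tokens with CA values; %WINDIR% has no digits and is untouched."""
    return re.sub(r"%%?(\d+)", lambda m: ca[TOKENS[int(m.group(1))]], template)


def ldap_dn(url: str) -> Optional[str]:
    """DN part of ldap://host/DN?... or ldap:///DN?...; None for non-LDAP URLs."""
    m = re.match(r"ldap://[^/]*/([^?]*)", url, re.IGNORECASE)
    return m.group(1) if m else None


def check_ldap_target(url: str, config_dn: str) -> str:
    """AD PKI objects live under CN=Public Key Services in the Configuration naming
    context, so a CDP/AIA DN that ends in the domain NC names an object that cannot exist."""
    dn = ldap_dn(url)
    if dn is None:
        return "n/a"
    return "ok" if dn.lower().endswith(config_dn.lower()) else "DN not in Configuration NC"


def audit(value: str, table: Dict[int, str], ca: Dict[str, str]) -> List[dict]:
    """Expand every entry and attach decoded flags plus the LDAP DN check."""
    report = []
    for flags, template in parse_publication_urls(value):
        url = expand_template(template, ca)
        report.append({"flags": flags, "flag_names": decode_flags(flags, table),
                       "url": url, "ldap_check": check_ldap_target(url, ca["ConfigDN"])})
    return report


if __name__ == "__main__":
    for label, value, table in (("CDP", CDP_VALUE, CDP_FLAGS), ("AIA", AIA_VALUE, AIA_FLAGS)):
        for e in audit(value, table, SAMPLE_CA):
            print(f"{label} {e['flags']:>3}: {e['url']}  [{e['ldap_check']}]")
            print("        " + "; ".join(e["flag_names"]))
    print("manual -dsPublish URL:", check_ldap_target(MANUAL_PUBLISH_URL, SAMPLE_CA["ConfigDN"]))
```

Running it prints each expanded URL with its decoded flags; the CDP LDAP entry (79) carries the publish bit, so the CA itself writes the CRL to that DN, whereas the AIA LDAP entry (2) is only referenced in issued certificates and never published by this value. Flags and tokens can be confirmed on a real CA with certutil -getreg CA\CRLPublicationURLs, which prints the same CSURL names.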