E
ersin
We have been using Windows smartcard logon functionality using a
third-party CA's certificates. Our DC servers were using Windows 2000
Advanced Server SP4 and our clients were using Windows 2000
Professional SP4. Recently we upgraded our DC servers to Windows 2003
SP1 but client OS didn't change. After this upgrade we are not able to
use smartcard logon.
In our configuration we have a root CA and a sub CA, this sub CA issues
users' certificates.
For troubleshooting I run the following commands
dsstore -checksc
Certutil.exe -scinfo
Both commands showed no errors. Then I tried
Certutil.exe -scinfo -v -urlfetch
In the output of this command I saw the following error:
---------------- Certificate CDP ----------------
419.2349.0: 0x80070002 (WIN32: 2)
419.2349.0: 0x80070002 (WIN32: 2)
Bad Authority Key Id "Base CRL" Time: 0
[0.0]
ldap:///CN=OurCA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Bad Authority Key Id "Base CRL" Time: 0
[1.0] http://web1.test.net/TESTCA.crl
------------------
After this message I checked the CRL. It has a Authority Key ID but the
sub CA that issues this CRL doesn't have a Subject KeyID in its own
certificate.
What may be the cause of this? Does Windows 2003 have different
certificate handling mechanisms?
third-party CA's certificates. Our DC servers were using Windows 2000
Advanced Server SP4 and our clients were using Windows 2000
Professional SP4. Recently we upgraded our DC servers to Windows 2003
SP1 but client OS didn't change. After this upgrade we are not able to
use smartcard logon.
In our configuration we have a root CA and a sub CA, this sub CA issues
users' certificates.
For troubleshooting I run the following commands
dsstore -checksc
Certutil.exe -scinfo
Both commands showed no errors. Then I tried
Certutil.exe -scinfo -v -urlfetch
In the output of this command I saw the following error:
---------------- Certificate CDP ----------------
419.2349.0: 0x80070002 (WIN32: 2)
419.2349.0: 0x80070002 (WIN32: 2)
Bad Authority Key Id "Base CRL" Time: 0
[0.0]
ldap:///CN=OurCA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=test,DC=net?certificateRevocationList?base?objectclass=cRLDistributionPoint
Bad Authority Key Id "Base CRL" Time: 0
[1.0] http://web1.test.net/TESTCA.crl
------------------
After this message I checked the CRL. It has a Authority Key ID but the
sub CA that issues this CRL doesn't have a Subject KeyID in its own
certificate.
What may be the cause of this? Does Windows 2003 have different
certificate handling mechanisms?