Certutil error


Jan Bache

I had this same error and it turned out to be the UAC in Windows Server 2008.



After I ran cmd as an administrator it published the CRL and CRT file in the AD without error.










Previous Posts In This Thread:



On Friday, January 09, 2009 5:05 PM

Orbita wrote:



PKI - Issue Publishing to AD DS

Hi All!!!



I'm currently implementing 2008 PKI using Brian Komar's excellent book, but I've run into a few issues. These surfaced when trying to publish my root and policy CA certs into my AD. On page 133, I'm running an amended piece of code, with an excerpt below...

*********************

C:\PKI\USB>certutil -dspublish -f "Test Corporate Policy CA.crl"

ldap:///CN=Test Corporate Policy CA,CN=tb2008pki02,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList



ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points

ref 1: 'unavailableconfigdn'



CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)

CertUtil: A referral was returned from the server.

*********************

Now, I see the problem here: 'CN=Services,DC=UnavailableConfigDN?certificateRevocationList'. The question is, how do I fix it? I've had a scout around and found the following:

http://www.derkeiler.com/Newsgroups/microsoft.public.windows.server.security/2008-08/msg00047.html

In this article, Brian speaks of an incorrect %%6 value in [presumably] the root CA post install script. But I don't see how I would change this in this file? And to what value?



Brian's fix, is to run the following command:



certutil -setreg ca\DSConfigDN CN=Configuration,DC=root,DC=example,DC=com



This is understood, [is the DC=root as it is above a fixed value, or is this just an example of a possible domain name?] but would I then have to revoke the currently issued cert, and then go through my setup on my policy box again with the correct new ones?



I'm COMPLETELY new to PKI, so any help is greatly appreciated :)



Many thanks in advance,

Orb.



On Friday, January 09, 2009 11:25 PM

Brian Komar (MVP) wrote:



You need to replace DC=root,DC=example,DC=com with the LDAP distinguished name of your forest.

Then it should start working.

Brian



On Monday, January 12, 2009 3:51 PM

Orbita wrote:



Hi Brian,

Thanks for your response.



When I look in the 'Published CRL Locations' entry of my root CRL, even on my rootCA, I see this 'UnavailableConfigDN?' entry:

URL=ldap:///CN=TB2008PKI01-CA,CN=tb2008pki01,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint

I'm assuming this is incorrect? But short of amending something on my rootCA and then reissuing my original cert, I don't see what else I can do? I thought I'd followed each page in the book to the letter, but it seems I may have missed something here in my rootCA configuration. My RootCAPostConfiguration.cmd is below if anyone can find anything wrong? I'm really stuck here, and may have to rip everything to bits and start all over again if I cannot get this to work.





Many thanks in advance,

Orb.



************************
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com

certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2

certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10\n2:http://www.test.com/Certdata/%%3%%8%%9.crl"

certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11\n2:http://www.test.com/CertData/%%1_%%3%%4.crt"

certutil -setreg CA\AuditFilter 127

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

Certutil -setreg CA\csp\DiscreteSignatureAlgorithm 1

::Restart Certificate Services
net stop certsvc & net start certsvc
sleep 5
certutil -crl

Echo Copying Root CA certificate and CRL's to the local C:\USB folder
sleep 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? C:\USB

pause
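The two -setreg lines for CRLPublicationURLs and CACertPublicationURLs in the script above are templates, not literal URLs: the CA service expands the %N tokens itself when it signs a CRL or a certificate (the doubled %% is only batch-file escaping), and the number in front of each entry is a bit mask that decides what the entry is used for. The PowerShell below is an added example, not code from this thread or from Brian Komar's book: it performs that expansion with the token assignments from certutil's documented variable list and decodes the flag bits. The one behaviour taken from this thread rather than from documentation is the placeholder the CA writes for %6 when DSConfigDN is empty (DC=UnavailableConfigDN, visible in Orb's output). The host name and CA name are Orb's; the DNS suffix and every other value in $ca are constructed sample data.

```powershell
# Added example, not from the thread or Brian Komar's book: expands a
# CRLPublicationURLs / CACertPublicationURLs entry the way the CA service does.
# Token meanings follow certutil's documented variable list (%1..%11). The
# placeholder the CA writes for %6 when DSConfigDN is empty is taken from the
# output quoted in this thread. All values in $ca are constructed sample data.

# Meaning of the bits in the numeric prefix of each URL entry.
$UrlFlagTable = @(
    @{ Bit = 1;   Name = 'publish CRLs to this location' }
    @{ Bit = 2;   Name = 'include in the CDP extension of issued certificates' }
    @{ Bit = 4;   Name = 'include in CRLs (clients use this to find delta CRLs)' }
    @{ Bit = 8;   Name = 'include in all CRLs (the location certutil -dspublish reads from the CRL)' }
    @{ Bit = 64;  Name = 'publish delta CRLs to this location' }
    @{ Bit = 128; Name = 'include in the IDP extension of issued CRLs' }
)

function Get-CaUrlFlags {
    param([int]$Flags)
    foreach ($f in $UrlFlagTable) { if ($Flags -band $f.Bit) { $f.Name } }
}

function Expand-CaPublicationUrl {
    param(
        [Parameter(Mandatory = $true)][string]$Entry,  # one entry, e.g. '10:ldap:///CN=%7%8,...'
        [Parameter(Mandatory = $true)][hashtable]$Ca   # token values, see $ca below
    )
    $flags, $template = $Entry -split ':', 2
    $values = @{
        '1'  = $Ca.ServerDNSName
        '2'  = $Ca.ServerShortName
        '3'  = $Ca.CaName
        '4'  = $Ca.CertificateName    # '' for the first CA certificate, '(1)', '(2)' after renewals
        '5'  = $Ca.DomainDN
        '6'  = $Ca.ConfigDN           # the CA\DSConfigDN registry value
        '7'  = $Ca.CATruncatedName    # sanitized CA name
        '8'  = $Ca.CRLNameSuffix      # '' for key index 0, otherwise '(n)'
        '9'  = $Ca.DeltaCRLAllowed    # '+' when delta CRLs are enabled, else ''
        '10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
        '11' = '?cACertificate?base?objectClass=certificationAuthority'
    }
    # Unset DSConfigDN: the CA substitutes this placeholder (as seen in Orb's output).
    if ([string]::IsNullOrEmpty($values['6'])) { $values['6'] = 'DC=UnavailableConfigDN' }

    # %10 and %11 must be matched before %1; %windir% is not a CA token and is
    # left to normal environment-variable expansion.
    $url = [regex]::Replace($template, '%(1[01]|[1-9])',
        { param($m) $values[$m.Groups[1].Value] }.GetNewClosure())

    [pscustomobject]@{
        Flags = [int]$flags
        Means = (Get-CaUrlFlags -Flags ([int]$flags)) -join '; '
        Url   = $url
    }
}

# Constructed sample: Orb's host and CA name, a made-up DNS suffix, DSConfigDN unset.
$ca = @{
    ServerDNSName = 'tb2008pki01.example.test'; ServerShortName = 'tb2008pki01'
    CaName = 'TB2008PKI01-CA'; CATruncatedName = 'TB2008PKI01-CA'
    CertificateName = ''; CRLNameSuffix = ''; DeltaCRLAllowed = ''
    DomainDN = ''; ConfigDN = ''
}
$crlEntries = @(
    '1:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl'
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    '2:http://www.test.com/Certdata/%3%8%9.crl'
)

'== DSConfigDN unset (what the offline root CA in this thread produced) =='
$crlEntries | ForEach-Object { Expand-CaPublicationUrl -Entry $_ -Ca $ca } | Format-List

$ca.ConfigDN = 'CN=Configuration,DC=testad4,DC=test,DC=com'
'== DSConfigDN set, as after certutil -setreg CA\DSConfigDN and a fresh CRL =='
$crlEntries | ForEach-Object { Expand-CaPublicationUrl -Entry $_ -Ca $ca } | Format-List
```

With ConfigDN empty the second entry expands to the same ldap:///...,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint URL that Orb sees in his root CRL. The 8 bit on that entry is what copies the expanded URL into the CRL's Published CRL Locations extension, and that extension is where certutil -dspublish takes its target from when no container argument is given, which is why a broken DSConfigDN surfaces as an LDAP referral to 'unavailableconfigdn'. The registry value is only consulted when the CRL or certificate is generated, so fixing it and republishing the old CRL changes nothing; a new CRL has to be issued, as Brian says further down.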










On Monday, January 12, 2009 5:01 PM

Orbita wrote:



I have also just checked the DSConfigDN entry on my offline policy and root CAs and this entry is correct: CN=Configuration,DC=testad4,DC=test,DC=com






On Monday, January 12, 2009 5:43 PM

Orbita wrote:



Sorry to bombard this thread with messages but, running through the cert publishing to my AD DC via CMD again, I see

Possible Root Certificate: Subject matches Issuer, but Signature check fails: 80090008



I'm thinking this doesn't help...



On Tuesday, January 13, 2009 8:24 PM

Brian Komar (MVP) wrote:



Hi,

This is definitely an incorrect configuration.

You need to check two separate objects issued by the root CA.

1) The CRL. If the CRL does not have the correct location, you need to ensure that the post-configuration script on the root CA correctly ran the

certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com

command. One common mistake (seeing that you have copied the text directly from my book) is that you copied direct from the PDF and the (-) character is translated to an em dash. If you do a certutil -getreg ca\DSConfigDN at the root CA, what value is shown? Ensure that it matches the defined DN, and then publish a new CRL. You must publish a new CRL before it will read the new DN value and replace the %%6 value in the CRLPublicationURLs registry entry.

2) The subordinate CA certificates. Since you include the LDAP URL in your subordinate CA certificate issued by the root CA, look at the AIA extension of the subordinate CA certificate. Does the URL show up as the correct DN or as UnavailableConfigDN? If it is UnavailableConfigDN, then you will have to re-issue the subordinate CA certificate (and all other lower certificates).



Brian






On Tuesday, January 13, 2009 9:50 PM

Orbita wrote:



Hi Brian,

Thanks for replying.

I'm positive I've completed everything correctly. It's not even a copy/paste character problem as I used the examples from the 'Resources' folder on the CD.



I've actually logged a call with your friends at Microsoft regarding this, who are equally baffled. We've modified [and even removed] LDAP entries, reissued, revoked and all sorts, to no effect. My case is being worked on and I'll wait to hear.



Thanks for your input Brian.





Orb.



On Wednesday, March 11, 2009 9:21 AM

Ben wrote:



Hi Orb,

Did you get this fixed, because I just had the same issue this morning.

The scripts etc. were correct but I had to manually delete the .crl from the Windows\System32\CertSrv\CertEnroll folder and then re-generate it using the certificates management console (right click publish on the "revoked" node).



Ben.



On Wednesday, December 23, 2009 11:24 AM

Amag M wrote:



ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001

Hi. I have the same problem.



I install Root and Policy CAs. Then I add the CRT and CRL to the AD store and receive an error.



command:

certutil -dspublish -f "ThirdCAroot.crl"



output:

ldap:///CN=ThirdCAroot,CN=thirdcaroot,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mydomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList



ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=mydomain,DC=com'



There are two domains in one forest in two trees.

The root domain (in the first tree) is named ROOTdomain.com, for example.

I am installing the issuing CA in the second domain, named mydomain (where I get this error), not in the root of the forest (the first domain of the forest).

It is very strange that when I added the CRT before, there were no errors, but in the output the ldap URL lists ROOTdomain, not mydomain!



command:

certutil -dspublish -f "thirdcaroot_ThirdCAroot.crt" RootCA



output:

ldap:///CN=ThirdCAroot,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=ROOTdomain,DC=com?cACertificate

Certificate added to DS store.



I log on in mydomain.com and the CA server is joined to mydomain.com.

What can I do about this error:

ldap: 0x20: 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)



Big Thanks!
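Brian's two checks (the published CRL location inside the CRL, and the AIA URL inside the subordinate CA certificate) and Amag M's cross-domain failure come down to one question: does the configuration DN baked into the artifact match the forest's Configuration partition? That partition is forest-wide and its DN is CN=Configuration under the forest root domain, so a CA joined to mydomain.com in a second tree still has to use CN=Configuration,DC=ROOTdomain,DC=com; that is what Brian means by "the LDAP distinguished name of your forest", and a URL ending in CN=Configuration,DC=mydomain,DC=com fails with NO_OBJECT (best match DC=mydomain,DC=com) because no such container exists there. The certificate publish in Amag's output succeeded because the RootCA keyword makes certutil build the target from the local forest itself rather than from a URL in the file. The PowerShell below is an added example, not from the thread or from the book: run it on the domain-joined machine you publish from, with the .crl and .crt files copied off the offline CAs in $Path (C:\PKI\USB is Orb's folder, reused as the default). It checks elevation (Jan Bache's finding at the top of this page), reads the forest's configuration naming context from RootDSE, scans the certutil -dump output of every file for UnavailableConfigDN or a foreign configuration DN, and only runs certutil -dspublish when -Publish is given and everything is consistent. It assumes certutil.exe is on the path, that every .crt in the folder is a CA certificate, and that a certificate whose subject equals its issuer is the root (a heuristic, flagged in the code).

```powershell
# Added example, not from the thread or Brian Komar's book. Run on the
# domain-joined machine used for publishing; needs certutil.exe and AD access.
param(
    [string]$Path = 'C:\PKI\USB',   # folder with the .crl/.crt files copied from the offline CAs
    [switch]$Publish                # run certutil -dspublish only when every check passed
)

# 1. Elevation: without it the AD writes failed for Jan Bache (UAC on Server 2008).
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warning 'Not elevated: start this from a prompt opened with "Run as administrator".'
}

# 2. The forest's Configuration partition. It is rooted at the forest root
#    domain even when the CA is joined to a child domain or a second tree.
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
"Forest configuration DN: $configNC"

# 3. Inspect every artifact. certutil -dump prints the CDP, AIA and
#    'Published CRL Locations' URLs; every LDAP URL must sit under $configNC.
$problems = @()
foreach ($file in Get-ChildItem -Path $Path | Where-Object { $_.Extension -match '^\.cr[lt]$' }) {
    $dump = (certutil -dump $file.FullName | Out-String)
    foreach ($m in [regex]::Matches($dump, 'ldap:///\S+')) {
        $url = $m.Value
        if ($url -match 'UnavailableConfigDN') {
            $problems += "$($file.Name): DSConfigDN was unset when this was generated: $url"
        } elseif ($url -notmatch [regex]::Escape($configNC)) {
            $problems += "$($file.Name): points at a different configuration partition: $url"
        }
    }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'On the offline CA run: certutil -setreg CA\DSConfigDN <forest configuration DN>, then certutil -crl for a new CRL; a bad AIA means the subordinate CA certificate must be re-issued.'
    exit 1
}

# 4. Publish. CA certificates need a store keyword (RootCA for the self-signed
#    root, SubCA for policy/issuing CAs; add NTAuthCA for CAs that issue logon
#    certificates). CRLs take no keyword: certutil finds the CDP object from the
#    URL inside the CRL, which step 3 has just validated.
if ($Publish) {
    foreach ($crt in Get-ChildItem -Path $Path -Filter *.crt) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $crt.FullName
        # Heuristic: self-issued name means root CA. Adjust if your naming differs.
        $store = if ($cert.Subject -eq $cert.Issuer) { 'RootCA' } else { 'SubCA' }
        "Publishing $($crt.Name) as $store"
        certutil -dspublish -f $crt.FullName $store
    }
    foreach ($crl in Get-ChildItem -Path $Path -Filter *.crl) {
        "Publishing $($crl.Name)"
        certutil -dspublish -f $crl.FullName
    }
}
```

Run it once without -Publish to see the verdict, then again with -Publish from an elevated prompt. If step 3 reports a problem, publishing anyway would only reproduce the referral or NO_OBJECT errors in this thread, because the target DN is read from the file, not from the machine you run on.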



On Wednesday, March 24, 2010 1:34 PM

Dirk wrote:



Error

Brian,



I have your WS 2008 PKI and Certificate Security book. It's a great book and is helping this noob with PKI. :)



I am getting the same error. I did try one thing that seemed to fix it, but not sure if what I did messed something else up.



In your book you give a script to publish the CA certs and CRLs into AD. The ones for the CRLs don't have the "RootCA" or "SubCA" at the end of the lines to give a store for the CRLs to go into.... Don't those have to be there? I added those on my script and didn't get the error. Like I said, did this cause unwanted problems?



Thanks!



Dirk
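On Dirk's question: the keywords RootCA, SubCA, NTAuthCA and so on belong only to the certificate form of the command. The CRL form is certutil -dsPublish CRLFile [DSCDPContainer [DSCDPCN]], so a trailing RootCA on a CRL line is read as the DSCDPContainer argument: certutil builds the target from the local forest's configuration DN plus a container called RootCA, and -f creates it. The error goes away because certutil no longer needs the broken URL stored inside the CRL to find its target, but the CRL ends up at CN=<CA name>,CN=RootCA,CN=CDP,... while every certificate the CA issued points at CN=<CA name>,CN=<CA host>,CN=CDP,..., so clients doing revocation checking will not find it. The PowerShell below is an added example, not from the thread or from the book: run on a domain-joined machine after publishing, it confirms that the CDP, AIA and Certification Authorities objects exist in the forest's Configuration partition with their attributes populated, and warns if a stray RootCA or SubCA container exists under CN=CDP. The default CA name and host name are the ones from Orb's output and are placeholders; the object CN is assumed to equal the CA name, which holds for CA names without characters certutil has to sanitize.

```powershell
# Added example, not from the thread or Brian Komar's book: verify where
# certutil -dspublish put the CA objects. Run on a domain-joined machine.
# Correct invocations for reference:
#   certutil -dspublish -f RootCA.crt RootCA     root CA certificate (Certification Authorities and AIA)
#   certutil -dspublish -f PolicyCA.crt SubCA    subordinate CA certificate (AIA)
#   certutil -dspublish -f RootCA.crl            CRL: no keyword; target comes from the CRL itself
param(
    [string]$CaName = 'TB2008PKI01-CA',   # CA name = CN of the CDP/AIA objects (placeholder)
    [string]$CaHost = 'tb2008pki01',      # CA host short name = CDP container CN (%2 in the template)
    [switch]$SubordinateCa                # skip the Certification Authorities check for a sub CA
)

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNC"

function Test-PkiDsObject {
    # Reports whether the object exists and whether the named attribute holds a value.
    param([string]$Dn, [string]$Attr)
    $exists = [ADSI]::Exists("LDAP://$Dn")
    $count = 0
    if ($exists) {
        $entry = [ADSI]"LDAP://$Dn"
        $count = $entry.Properties[$Attr].Count
    }
    [pscustomobject]@{ Object = $Dn; Exists = $exists; Attribute = $Attr; Values = $count }
}

# Object DN -> attribute that must be populated once publishing succeeded.
$checks = @(
    @{ Dn = "CN=$CaName,CN=$CaHost,CN=CDP,$pks"; Attr = 'certificateRevocationList' }
    @{ Dn = "CN=$CaName,CN=AIA,$pks";            Attr = 'cACertificate' }
)
if (-not $SubordinateCa) {
    $checks += , @{ Dn = "CN=$CaName,CN=Certification Authorities,$pks"; Attr = 'cACertificate' }
}
$results = foreach ($c in $checks) { Test-PkiDsObject -Dn $c.Dn -Attr $c.Attr }
$results | Format-Table -AutoSize

# A CRL published with a trailing RootCA/SubCA argument is created under a
# container of that name; issued certificates never point there.
foreach ($stray in 'RootCA', 'SubCA') {
    if ([ADSI]::Exists("LDAP://CN=$stray,CN=CDP,$pks")) {
        Write-Warning "CN=$stray,CN=CDP exists: a CRL was published with '$stray' as the CDP container name. Clients look under CN=$CaHost,CN=CDP; republish the CRL without the keyword and remove the stray object."
    }
}

if ($results | Where-Object { -not $_.Exists -or $_.Values -eq 0 }) { exit 1 }
```

A missing CDP object with a populated AIA object is the signature of Dirk's situation (certificates published correctly, CRL published somewhere else); an object that exists but shows zero values means -f created it and the write of the attribute itself failed, which is where an unelevated prompt or a missing Enterprise Admins membership shows up.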





 

Peter Foldes

Jan



Post this to the microsoft.public.windows.server.security newsgroup



--

Peter



Please Reply to Newsgroup for the benefit of others

Requests for assistance by email can not and will not be acknowledged.


