
Unable to Download CDP Location #1

Hello, I've just set up a two-tiered CA environment. After running certutil -verify -urlfetch C:\test1.cer from my Windows 7 client PC "Test1" I receive the following error:


---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (01)" Time: 0
[0.0] ldap:///CN=CAROOT,CN=CAROOT,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=John,DC=JohnDoe,DC=net?certificateRevocat
ionList?base?objectClass=cRLDistributionPoint

Wrong Issuer "Delta CRL (01)" Time: 0
[0.0.0] ldap:///CN=CAROOT,CN=CAROOT,CN=CDP,CN=Public%20Key%20Service
s,CN=Services,CN=Configuration,DC=John,DC=JohnDoe,DC=NET?deltaRevocationL
ist?base?objectClass=cRLDistributionPoint

Verified "Base CRL (02)" Time: 4
[1.0] http://pki.test.JohnDoe.net/CertEnroll/CAROOT.crl
------------------------------------------------------------------------
OK so now I look at the PKI snap-in on the SUB CA issuing server and sure enough I see the "Unable to download" error for CDP Location #1 (and DeltaCRL Loc. #1) for the LDAP location. CDP Location #2 is "OK" as it points to a valid http address.

OK so now I do some research and notice I ran the following command with an incorrect CN when I first published the CRL on the root CA.

certutil -f -dspublish "A:\CARoot.crl" CA01

I pulled the above from the web doc and forgot to change the "CA01" to "CAROOT".

OK so next I rerun the command with the CORRECT CN:

certutil -f -dspublish "A:\CARoot.crl" CAROOT

The results:
ldap:///CN=CAROOT,CN=CAROOT,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=John,DC=JohnDoe,DC=NET?certificateRevocationList

The info above looks correct as it matches the LDAP search location as displayed in PKI and in the "Extensions" tab for the Root CA.

I stopped and restarted the certificate services on both the root AND the sub issuing CA. But I'm still getting the "unable to download" error message. What am I missing? Oh yeah, just want to mention that my root CA is not joined to a domain but it is on the network. I will shut it off after I fix this issue.
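
An added example, not part of the original post: a small Python parser for the "Certificate CDP" section of the certutil -verify -urlfetch output quoted above. It rejoins the URLs the console wrapped across lines and lists every CRL location whose status is not "Verified". The function names are hypothetical, and the generic status pattern is an assumption based only on the two statuses visible in the post.

```python
import re

# Sample input: the CDP section exactly as quoted in the post,
# including the console's line wrapping inside the LDAP URLs.
SAMPLE = '''\
---------------- Certificate CDP ----------------
Wrong Issuer "Base CRL (01)" Time: 0
[0.0] ldap:///CN=CAROOT,CN=CAROOT,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=John,DC=JohnDoe,DC=net?certificateRevocat
ionList?base?objectClass=cRLDistributionPoint

Wrong Issuer "Delta CRL (01)" Time: 0
[0.0.0] ldap:///CN=CAROOT,CN=CAROOT,CN=CDP,CN=Public%20Key%20Service
s,CN=Services,CN=Configuration,DC=John,DC=JohnDoe,DC=NET?deltaRevocationL
ist?base?objectClass=cRLDistributionPoint

Verified "Base CRL (02)" Time: 4
[1.0] http://pki.test.JohnDoe.net/CertEnroll/CAROOT.crl
------------------------------------------------------------------------
'''

# Status line: <status text> "<object name>" Time: <n>  (assumed general shape)
STATUS = re.compile(r'^\s*(?P<status>[^"\[]+?)\s+"(?P<object>[^"]+)"\s+Time:\s*(?P<time>\d+)\s*$')
# Location line: [<index>] <url or first part of a wrapped url>
URL = re.compile(r'^\s*\[(?P<index>[\d.]+)\]\s+(?P<url>\S+)\s*$')

def parse_cdp(text):
    """Return one dict per CRL location: status, object, time, index, url."""
    entries, current, in_url = [], None, False
    for line in text.splitlines():
        m = STATUS.match(line)
        if m:
            current = dict(m.groupdict(), time=int(m['time']), index=None, url='')
            entries.append(current)
            in_url = False
            continue
        m = URL.match(line)
        if m and current is not None:
            current['index'], current['url'] = m['index'], m['url']
            in_url = True
        elif in_url and line.strip() and not line.startswith('-'):
            current['url'] += line.strip()  # rejoin a wrapped URL fragment
        else:
            in_url = False  # blank line or separator ends the URL
    return entries

def failing(entries):
    """CRL locations that certutil did not report as Verified."""
    return [e for e in entries if e['status'] != 'Verified']
```

Running failing(parse_cdp(SAMPLE)) on the quoted output returns the two LDAP locations, both reported as "Wrong Issuer", while the HTTP location is "Verified".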
