Tuesday, December 9, 2014

Notes when working with Microsoft CA (Certificate Authority) services

I recently had to work with a Microsoft support engineer to troubleshoot an Active Directory Certificate Services issue and managed to write down a few commands he used during the troubleshooting process and thought I’d write a blog post so I can refer to them in the future since I’m bound to forget.

Commands to collect CA information:

Before starting the troubleshooting, the engineer ran the following commands to collect base information.

The following certutil command lists the Enterprise Root or Subordinate CAs found in Active Directory:

C:\>certutil
Entry 0:
Name: `test'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `conspschsrv.contoso\test'
Exchange Certificate: `'
Signature Certificate: `'
Description: `'
Server: `conspschsrv.contoso'
Authority: `test'
Sanitized Name: `test'
Short Name: `test'
Sanitized Short Name: `test'
Flags: `1'
Web Enrollment Servers: `'
Entry 1:
Name: `CONTOSO ROOT CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `conCERTSRV.contoso\Contoso ROOT CA'
Exchange Certificate: `'
Signature Certificate: `'
Description: `'
Server: `conCERTSRV.contoso'
Authority: `CONTOSO ROOT CA'
Sanitized Name: `CONTOSO ROOT CA'
Short Name: `CONTOSO ROOT CA'
Sanitized Short Name: `CONTOSO ROOT CA'
Flags: `1'
Web Enrollment Servers: `'
Entry 2: (Local)
Name: `CONTOSO-Sub-CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `conSCASRV01.contoso\CONTOSO-Sub-CA'
Exchange Certificate: `'
Signature Certificate: `conSCASRV01.contoso_CONTOSO-Sub-CA.crt'
Description: `'
Server: `conSCASRV01.contoso'
Authority: `CONTOSO-Sub-CA'
Sanitized Name: `CONTOSO-Sub-CA'
Short Name: `CONTOSO-Sub-CA'
Sanitized Short Name: `CONTOSO-Sub-CA'
Flags: `13'
Web Enrollment Servers: `'
CertUtil: -dump command completed successfully.

Note that the above output shows that there are currently 3 Enterprise CAs found in Active Directory.

-------------------------------------------------------------------------------------------------------------------------------------------------------

The net config rdr command shows how the redirector or workstation is currently configured on your computer. The following output is from a command prompt on the Enterprise Subordinate CA:

C:\>net config rdr
Computer name \\conSCASRV01
Full Computer name conSCASRV01.contoso
User name TLuk
Workstation active on
NetBT_Tcpip_{4C336E8C-128B-4B8F-99EC-BFD21F1B9E6D} (005056A10F07)
Software version Windows Server 2012 Standard
Workstation domain con-CONTOSO
Workstation Domain DNS Name contoso
Logon domain con-CONTOSO
COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
The command completed successfully.

-------------------------------------------------------------------------------------------------------------------------------------------------------

The following nltest /dclist:contoso command lists the domain controllers found in Active Directory:

C:\>nltest /dclist:contoso
Get list of DCs in domain 'contoso' from '\\DC2.contoso'.
DC2.contoso [DS] Site: Default-First-Site-Name
DC3.contoso [DS] Site: Default-First-Site-Name
DC1.contoso [PDC] [DS] Site: Default-First-Site-Name
The command completed successfully
C:\>

-------------------------------------------------------------------------------------------------------------------------------------------------------

Command to dump CRL information:

The support engineer suspected that there was something wrong with the published CRL, so the following command was executed to check the start and end validity dates of the file (I’ve highlighted this information in red):

C:\>certutil -dump Contoso-Root-CA.crl
X509 Certificate Revocation List:
Version: 2
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Issuer:
    CN=Contoso-Root-CA
  Name Hash(sha1): b8e12ef9872c9e93d65fbd132a2402fa4b0d0dde
  Name Hash(md5): 9fe720a14c52866f8ffb9819659eb114

ThisUpdate: 11/30/2013 3:12 PM
NextUpdate: 11/30/2014 3:32 AM
CRL Entries: 0
CRL Extensions: 5
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=b2 be 9e 66 df 55 a8 33 b7 72 00 77 a5 2a e5 19 68 6a d9 90

    1.3.6.1.4.1.311.21.1: Flags = 0, Length = 3
    CA Version
        V0.0

    2.5.29.20: Flags = 0, Length = 3
    CRL Number
        CRL Number=02

    1.3.6.1.4.1.311.21.4: Flags = 0, Length = f
    Next CRL Publish
        Saturday, November 29, 2014 3:22:16 PM

    1.3.6.1.4.1.311.21.14: Flags = 0, Length = cb
    Published CRL Locations
        [1]Locations
             Distribution Point Name:
                  Full Name:
                       URL=ldap:///CN=Contoso-Root-CA,CN=BHLRCASRV01,CN=CDP,CN=Pub
lic Key Services,CN=Services,CN=Configuration,DC=contoso,DC=domain,DC=bm?certificateR
evocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=Contoso-Root-CA,CN
=BHLRCASRV01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso
,DC=domain,DC=bm?certificateRevocationList?base?objectClass=cRLDistributionPoin
t)

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.10 RSASSA-PSS
    Algorithm Parameters:
    30 00
Signature: UnusedBits=0
    0000  cb e3 84 68 86 fc af 5c  83 6a 1d 5a ef f8 74 11
    0010  ae d8 33 c3 0f cf 99 f9  24 d7 47 d6 90 09 24 a9
    0020  c9 06 c0 4b 3e 91 bc 96  5b cc ba 87 d5 72 68 1c
    0030  60 a7 fc a3 a1 6c 00 b5  5a 76 23 a4 29 89 fe bf
    0040  0d 9c 0f 74 57 15 9a 05  39 0f a3 05 39 a5 08 33
    0050  c5 b2 31 3d 16 b2 69 dd  16 62 09 db d3 d0 37 db
    0060  65 77 bc 4e 06 84 40 0d  e9 35 7c 03 c3 a0 36 4a
    0070  57 6c c8 3f 9b 07 b2 16  f1 16 43 46 de 27 96 7e
    0080  5b 32 e9 6d 24 eb 58 8d  1f 0f e5 ea 41 e4 64 e7
    0090  66 8d 46 f0 0c 4c 3c ab  13 12 da 3a f3 ac 2f cb
    00a0  37 80 9f a5 1d 6d bf db  cc 2e 48 ae 00 b1 56 83
    00b0  e3 0e 02 9a 29 e4 55 58  22 4b a1 ba 0f 1f bd 14
    00c0  3e 0b 37 dc af b3 35 33  48 ba 1c bc b5 6f 22 47
    00d0  49 99 d5 ac e5 68 fd 4f  30 7e ba 63 25 d9 6f 3e
    00e0  0c 3e 26 84 0b 29 6c d4  76 7c 44 8f 2b 71 a0 e9
    00f0  80 71 e0 2f 11 ec e7 02  62 3e 60 05 3a 27 bb 3d
CRL Hash(md5): 40 65 78 62 9a 86 fa 9f fb 77 57 43 e1 bc 23 66
CRL Hash(sha1): 26 92 02 b6 8e ab 26 41 b3 17 18 76 3f c5 41 45 a6 75 54 5e
CRL Hash(sha256): 6da08e776a532e6b92d1ebe7ffd477606f37b7d3659361661c50b8be9919cc
c3
Signature Hash: 438535ec7850261962dff88f6b73c487ae45633c
CertUtil: -dump command completed successfully.

The CRL file this command references can be found in the following directory:

C:\Windows\System32\certsrv\CertEnroll
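The check the engineer did by eye (ThisUpdate, NextUpdate and Next CRL Publish) can be scripted over every CRL in the CertEnroll folder. This is an added example, not from the original post: it parses the text that certutil -dump prints, reports whether each CRL is expired or about to expire, and shows the gap between the scheduled re-publish and expiry. The function name and the embedded sample dump (built from the dates in the dump above) are assumptions.

```powershell
# Constructed sample of the lines this script reads from "certutil -dump <file>.crl";
# the dates are the ones in the dump above, the rest of the transcript is omitted.
$SampleDump = @'
Issuer:
    CN=Contoso-Root-CA
ThisUpdate: 11/30/2013 3:12 PM
NextUpdate: 11/30/2014 3:32 AM
    Next CRL Publish
        Saturday, November 29, 2014 3:22:16 PM
CertUtil: -dump command completed successfully.
'@

function Get-CrlValidity {
    param(
        [Parameter(Mandatory)][string[]]$DumpLines,  # output lines of certutil -dump
        [string]$Name = '(sample)',
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 7                           # flag CRLs that expire within this many days
    )
    $inv = [cultureinfo]::InvariantCulture          # certutil printed US-style dates on this CA
    $thisUpdate = $nextUpdate = $nextPublish = $null
    $issuer = ''
    for ($i = 0; $i -lt $DumpLines.Count; $i++) {
        $line = $DumpLines[$i].Trim()
        $next = if ($i + 1 -lt $DumpLines.Count) { $DumpLines[$i + 1].Trim() } else { '' }
        if ($line -match '^ThisUpdate:\s+(.+)$')     { $thisUpdate = [datetime]::Parse($Matches[1], $inv) }
        elseif ($line -match '^NextUpdate:\s+(.+)$') { $nextUpdate = [datetime]::Parse($Matches[1], $inv) }
        elseif ($line -eq 'Issuer:')                 { $issuer = $next }
        elseif ($line -eq 'Next CRL Publish')        { $nextPublish = [datetime]::Parse($next, $inv) }
    }
    if ($null -eq $thisUpdate -or $null -eq $nextUpdate) { throw "${Name}: no ThisUpdate/NextUpdate in dump" }
    $status = if ($Now -lt $thisUpdate) { 'NotYetValid' }
              elseif ($Now -gt $nextUpdate) { 'Expired' }
              elseif (($nextUpdate - $Now).TotalDays -le $WarnDays) { 'ExpiringSoon' }
              else { 'Valid' }
    # Time between the scheduled re-publish and expiry: how long a missed publish can go unnoticed.
    $overlap = if ($null -ne $nextPublish) { [math]::Round(($nextUpdate - $nextPublish).TotalHours, 1) } else { $null }
    [pscustomobject]@{
        Name = $Name; Issuer = $issuer; ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate
        NextPublish = $nextPublish; OverlapHours = $overlap; Status = $status
    }
}

# Check every CRL in the CA's CertEnroll folder; elsewhere fall back to the constructed sample.
$crls = Get-ChildItem 'C:\Windows\System32\certsrv\CertEnroll' -Filter *.crl -ErrorAction SilentlyContinue
if ($crls) {
    $crls | ForEach-Object { Get-CrlValidity -DumpLines (certutil -dump $_.FullName) -Name $_.Name }
} else {
    Get-CrlValidity -DumpLines ($SampleDump -split "`r?`n") -Now (Get-Date '2014-12-09')
}
```

Run with the sample, the CRL above is reported as Expired for 9 December 2014 and shows only about 12 hours between its Next CRL Publish and NextUpdate, which is why a single missed publication cycle becomes an outage.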

Note that if the CRL validity period is too short, it can be extended by launching the Certificate Authority administration console:


… right clicking on the Revoked Certificates and selecting properties:


… then changing the CRL publication interval to the desired duration:


-------------------------------------------------------------------------------------------------------------------------------------------------------

Command to publish the CRL to LDAP

Updating the CRL file for HTTP access is simply a matter of copying the CRL file from the Root CA’s C:\Windows\System32\certsrv\CertEnroll folder to the same folder on the Subordinate CA. To update the copy published through LDAP, the command certutil -dspublish <Your-Root-CA>.crl <YourSubordinateCAServerName> is run on the subordinate CA:

C:\>certutil -dspublish Contoso-Root-CA.crl CONSCASRV01
ldap:///CN=Contoso-Root-CA,CN=BHLSCASRV01,CN=CDP,CN=Public Key Services,CN=Service
s,CN=Configuration,DC=contoso,DC=bhl,DC=bm?certificateRevocationList
Base CRL added to DS store.
CertUtil: -dsPublish command completed successfully.

----------------------------------------------------------------------------------------------------------------------------------------------------------

Verifying published CRL paths:

To verify the published CRL paths, simply export the subordinate CA’s certificate without the private key to a DER format file:


Then launch the URL Retrieval Tool by executing certutil -url <exportedCA>.cer and use the Retrieve button with CRLs (from CDP) selected to verify the accessibility and validity of the files:


-------------------------------------------------------------------------------------------------------------------------------------------------------

Determining which certificate the current CA is using:

If the certificate for the CA has been renewed several times, you may end up seeing a list similar to the following:


While most of us would probably just look for the certificate with the latest expiry date, another way to do it is to open up the Registry Editor and navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<YourCAName>

The CACertHash value under this key can be used to identify which certificate is currently in use:


… by comparing it to the certificate’s Thumbprint, like so:

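The registry-to-thumbprint comparison above can be done in one pass instead of by eye. This is an added example, not from the original post: it reads the CACertHash multi-string, normalises each entry to the Thumbprint format, looks it up in the machine's personal store, and marks the highest-indexed entry as the certificate the CA currently signs with. The CA name, the function name and the sample hashes and certificates used when the registry key is absent are assumptions.

```powershell
function Select-CurrentCaCertificate {
    param(
        [Parameter(Mandatory)][string[]]$CACertHash,   # REG_MULTI_SZ entries, SHA-1 as "b2 be 9e ..." per CA certificate
        [Parameter(Mandatory)][object[]]$Certificates  # objects with Thumbprint/Subject/NotAfter (e.g. Cert:\LocalMachine\My)
    )
    # Entry index = CA certificate index; after renewals the highest index is the certificate in use.
    $currentIndex = $CACertHash.Count - 1
    for ($i = 0; $i -lt $CACertHash.Count; $i++) {
        $thumb = ($CACertHash[$i] -replace '\s', '').ToUpperInvariant()   # match the Thumbprint formatting
        $cert = $Certificates | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        $subject  = if ($cert) { $cert.Subject }  else { '(not in store)' }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }
        [pscustomobject]@{
            Index = $i; Thumbprint = $thumb; Subject = $subject; NotAfter = $notAfter
            IsCurrent = ($i -eq $currentIndex)
        }
    }
}

$caName  = 'CONTOSO-Sub-CA'   # assumed: the local CA name from the certutil listing at the top of the post
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
if (Test-Path $regPath) {
    $hashes = (Get-ItemProperty -Path $regPath -Name CACertHash).CACertHash
    Select-CurrentCaCertificate -CACertHash $hashes -Certificates (Get-ChildItem Cert:\LocalMachine\My) | Format-Table
} else {
    # Constructed sample: a CA renewed once, so two entries; only the index-1 certificate is in use.
    $sampleHashes = @(
        'aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa',
        'bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb'
    )
    $sampleCerts = @(
        [pscustomobject]@{ Thumbprint = ('AA' * 20); Subject = 'CN=CONTOSO-Sub-CA'; NotAfter = Get-Date '2015-06-01' },
        [pscustomobject]@{ Thumbprint = ('BB' * 20); Subject = 'CN=CONTOSO-Sub-CA'; NotAfter = Get-Date '2019-06-01' }
    )
    Select-CurrentCaCertificate -CACertHash $sampleHashes -Certificates $sampleCerts | Format-Table
}
```

An entry reported as "(not in store)" means the registry references a CA certificate that is no longer in LocalMachine\My, which is worth resolving before the next renewal.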
