ATyler - Life Flight Network
Hello everyone, I wanted to take a moment and discuss an environment where there is a single certificate authority established in an Active Directory environment. There are multiple Active Directory sites and multiple domain controllers. The certificate authority happens to be installed on one of the domain controllers, which is not the primary FSMO role owner.
In this scenario, all domain controllers seem to automatically be receiving a certificate. From what I have read, this happens automatically when the CA role is installed on a domain controller. Here is the issue we're running into...
Anything in the environment that does LDAPS authentication against a domain controller with a valid internally issued certificate doesn't work unless the root CA is online. After researching, I believe this is because the root CA was deployed with default settings and the only CRL destination is itself.
The "Extension" settings are as follows:
CRL Distribution Point (CDP)
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Authority Information Access (AIA)
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
file://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt
Question 1: Can anyone confirm I am on the right track? Is this likely the cause?
Question 2: Can anyone provide step-by-step instructions for adding additional CRL destinations? From what I can tell, this will also require that new certificates be issued throughout the environment. Currently the internal PKI system is only being used for LDAPS capabilities, so we're only concerned with issuing new certificates to each domain controller.
Question 3: If certificates need to be issued to domain controllers again with new CRL settings, what does this process look like? Do you delete the existing certificate from the local "computer" repository and wait? How long does it take? Can you force the re-issue somehow?
Question 4: If a RootCA were to be established on a member server only, how would you still automatically deploy certificates to domain controllers? I assume this would be via GPO in some way, but please provide step-by-step instructions.
Question 5: I've also found information suggesting that adjusting the "CRL Publishing Parameters" on the RootCA can stop the LDAPS client from checking the CRL as often, which may allow the only CRL server to be offline for a time and still allow domain controllers to authenticate over LDAPS. Can anyone confirm? Does this also require that certificates be issued again?
CRL publication interval
Publish Delta CRLs
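A quick way to check the symptom described in the post from the client side is to pull the LDAPS certificate a domain controller actually presents, read the CRL Distribution Points it carries, and test whether each HTTP CDP answers. This is an added example, not code from the original post; the DC name is an assumption, and the ldap:/// and file:// entries are listed but not fetched.

```powershell
# Added example (not from the original post): inspect the CDP URLs in a DC's
# LDAPS certificate and test the HTTP ones. Hostname/port are assumptions.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumption: your DC's FQDN
    [int]$Port = 636
)

# Open a TLS session and accept any server certificate so it can be inspected.
# Validation is skipped on purpose here; this script only reads the certificate.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($DomainController)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# OID 2.5.29.31 is the CRL Distribution Points extension; Format() renders it as text
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'Certificate carries no CDP extension'; return }
$urls = [regex]::Matches($cdp.Format($true), '(ldap|http|file)://\S+') |
    ForEach-Object { $_.Value }

foreach ($u in $urls) {
    if ($u -notmatch '^http://') {
        "SKIP   $u  (ldap:///file:// needs AD or SMB access; not fetched here)"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 5
        "OK     $u  ($($r.RawContentLength) bytes)"
    } catch {
        "FAIL   $u  ($($_.Exception.Message))"
    }
}

# For a full chain and revocation check through the Windows validator, export
# the certificate and run:  certutil -verify -urlfetch <exported.cer>
```

If every HTTP CDP points at the CA host and reports FAIL while the CA is down, the certificate's revocation data cannot be fetched by HTTP-only clients, which matches the behaviour the post describes.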