Other posts in this series:
- PKI (Public Key Infrastructure) with ADCS, Part 1: Introduction
- PKI (Public Key Infrastructure) with ADCS, Part 7: configuration of the subordinate CA
- The client uses the URL in the certificate's AIA extension (Authority Information Access) to download the issuing CA's certificate, so that it can build the chain of trust up to the root.
- The client uses the URL in the certificate's CDP extension (CRL Distribution Point) to download the CRL, the signed list of revoked certificates that must no longer be trusted.
We can open the Enterprise PKI console (pkiview.msc) in various ways.
We can enter pkiview.msc in the Run dialog box.
We can also open Server Manager and expand the Roles section: Active Directory Certificate Services | Enterprise PKI.
Note: there is a green check on the icon of the issuing CA as well. This is always a good sign.
But what if there is a problem? Here is another example:
We can see the certificate of the Root CA (which is OK). We can also see that the Root CA certificate (necessary for certificate chaining) is available at both the http and ldap locations. On the other hand, the CRL for the Root CA, while available, has expired. Such an error has serious consequences: without a valid Root CA CRL, the revocation status of the subordinate CA's own certificate cannot be determined, as we see when attempting to view the details of the subordinate (issuing) CA:
The issuing CA is shown as offline. The CA service does not start while it cannot check the revocation status of its own certificate, so our PKI is no longer functional until a fresh Root CA CRL is published to the CDP locations.
The error icons have color codes that reflect (more or less) the severity of the problem:
- Yellow - the certificate or CRL is expiring (but has not yet expired).
- Red - the certificate or CRL has expired, or the AIA/CDP location cannot be accessed.
- Red X - the CA is offline.
The Status column shows the matching text:
- Expiring - the certificate or CRL in question is about to expire.
- Expired - the certificate or CRL in question has expired.
- Unable to download - the certificate or CRL in question could not be retrieved from its URL.
This can be useful for troubleshooting. In the screenshot above, the status is OK for all certificates in the AIA container. In the next blog post, we will see errors for a CRL in the CDP container.
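To make the AIA/CDP description and the status list above concrete, here is an added PowerShell example (not part of the original post or of the Enterprise PKI tool) that performs the same checks pkiview does for one certificate: it reads the URLs from the AIA and CDP extensions, downloads the http locations, and classifies each as OK, Expiring, Expired or Unable to download. The certificate path and the two-day warning window are assumptions; run it from a machine that can reach the published URLs.

```powershell
# Added example, not from the original post: reproduce the Enterprise PKI checks
# for one certificate. $CertPath and $WarnDays are assumed values.
param(
    [string]$CertPath = '.\IssuingCA.cer',   # assumed: the CA certificate to check
    [int]$WarnDays    = 2                    # assumed: "Expiring" warning window
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Pull every URL out of the AIA (1.3.6.1.5.5.7.1.1) or CDP (2.5.29.31) extension.
function Get-ExtensionUrls {
    param($Certificate, [string]$Oid)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." per location.
    [regex]::Matches($ext.Format($true), '(?i)\b(https?|ldap)://\S+') |
        ForEach-Object { $_.Value.TrimEnd(',', ')') }
}

# Download one location and classify it the way pkiview's Status column does.
function Test-PkiUrl {
    param([string]$Url, [string]$Kind)
    $status = 'OK'; $detail = ''
    if ($Url -notmatch '^(?i)http') {
        # ldap:/// locations need a domain-joined client; only report them here.
        return [pscustomobject]@{ Kind = $Kind; Url = $Url; Status = 'Not checked (ldap)'; Detail = '' }
    }
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        if ($Kind -eq 'CDP') {
            # certutil -dump prints the CRL fields; NextUpdate is when the CRL expires.
            $dump = certutil -dump $tmp | Out-String
            if ($dump -match 'NextUpdate:\s*(.+)') {
                $next = [datetime]::Parse($Matches[1].Trim())
                if ($next -lt (Get-Date)) { $status = 'Expired' }
                elseif ($next -lt (Get-Date).AddDays($WarnDays)) { $status = 'Expiring' }
                $detail = "NextUpdate $next"
            }
        } else {
            try {
                $aia = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
                if ($aia.NotAfter -lt (Get-Date)) { $status = 'Expired' }
                elseif ($aia.NotAfter -lt (Get-Date).AddDays($WarnDays)) { $status = 'Expiring' }
                $detail = "NotAfter $($aia.NotAfter)"
            } catch {
                # AIA may also list an OCSP responder, which does not return a certificate.
                $status = 'Downloaded, not a certificate (OCSP responder?)'
            }
        }
    } catch {
        $status = 'Unable to download'; $detail = $_.Exception.Message
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{ Kind = $Kind; Url = $Url; Status = $status; Detail = $detail }
}

$results = @()
foreach ($u in Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1') { $results += Test-PkiUrl $u 'AIA' }
foreach ($u in Get-ExtensionUrls $cert '2.5.29.31')        { $results += Test-PkiUrl $u 'CDP' }
$results | Format-Table -AutoSize
```

Run it against the issuing CA's certificate and a Root CA CRL that has passed its NextUpdate shows up as Expired, which is exactly the condition in the screenshot above. Because the script reads the URLs from the certificate itself, it also catches a CDP or AIA path that was mistyped when the CA was configured.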
Server Manager - Active Directory Certificate Services role
In the Active Directory Certificate Services role section of Server Manager, we have access to three useful tools:
- Event Viewer (filtered for ADCS-related entries).
- System Services (where we can verify that the services necessary for ADCS are running). As with Event Viewer, this is the Services console (services.msc) filtered for ADCS-related entries.
- ADCS Best Practices Analyzer.
Here is a view of the first two tools (yes, "Events" can be expanded):
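The same two views can be obtained from PowerShell, which is handy on a CA without a desktop or when several CAs have to be checked. This is an added example, not from the original post; it assumes the CA service name CertSvc and that CA events are written to the Application log by the Microsoft-Windows-CertificationAuthority provider, and it looks for the "revocation server was offline" failure (CRYPT_E_REVOCATION_OFFLINE, 0x80092013) behind the offline CA in the earlier screenshot.

```powershell
# Added example, not from the original post: the Server Manager "Services" and
# "Events" views for the ADCS role, queried from PowerShell on the CA itself.

# 1. Service state: CertSvc must be Running on an issuing CA.
$svc = Get-Service -Name CertSvc
"{0,-8} {1,-8} StartType={2}" -f $svc.Name, $svc.Status, $svc.StartType
if ($svc.Status -ne 'Running') {
    Write-Warning 'CertSvc is not running; the CA cannot issue certificates or publish CRLs.'
}

# 2. ADCS errors and warnings from the last 7 days (assumed provider name).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    Level        = 2, 3                      # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-7)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$events |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Call out the failure mode from the pkiview screenshot: the CA service
#    refusing to start because it cannot check revocation of its own certificate.
$offline = @($events | Where-Object { $_.Message -match 'revocation server was offline|0x80092013' })
if ($offline.Count -gt 0) {
    Write-Warning ("{0} revocation-offline event(s) found; publish a fresh Root CA CRL " +
                   "to its CDP locations, then restart CertSvc.") -f $offline.Count
}
```

Scheduling this as a daily task on each CA gives an early warning before the Root CA CRL actually expires, which matters for an offline root whose CRL is refreshed by hand.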
The ADCS BPA is rather limited (at least in Windows Server 2008): there are only 8 checks.
certutil
certutil also lets us verify the AIA and CDP locations of a certificate from the command line:
- certutil -verify -urlfetch NameOfCert.cer
- certutil -URL NameOfCert.cer
The first command builds the certificate chain and retrieves every AIA and CDP URL it finds, reporting whether each could be fetched and whether the CRL is still valid. The second command opens the URL Retrieval Tool, a window where we can select various options and verify the URLs for the AIA and the CDP (these were presented above):
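The certificate that matters most for the -verify -urlfetch check is the issuing CA's own certificate, since that is the one whose revocation status the CA service must confirm at start-up. The following added example (not from the original post) exports it with certutil -ca.cert and runs the check non-interactively; the output path is an assumption, and the script scans the report text for problem lines rather than trusting the exit code alone.

```powershell
# Added example, not from the original post: automate "certutil -verify -urlfetch"
# against the issuing CA's own certificate. Run on the issuing CA.
$out = Join-Path $env:TEMP 'IssuingCA.cer'   # assumed working path

# Export the CA's current certificate (DER) from the local CA.
certutil -ca.cert $out | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

# Build the chain and fetch every AIA/CDP/OCSP URL, as the interactive command does.
$report   = certutil -verify -urlfetch $out 2>&1 | Out-String
$exitCode = $LASTEXITCODE

# certutil flags individual locations with "Failed"/"Expired" lines and summarises
# chain problems with "ERROR:" lines; do not rely on the exit code alone.
$problems = @(($report -split "`r?`n") | Where-Object { $_ -match '^\s*(Failed|Expired)\s+"|ERROR:' })

if ($exitCode -ne 0 -or $problems.Count -gt 0) {
    Write-Warning 'Chain or revocation check failed for the issuing CA certificate:'
    $problems | ForEach-Object { "  $_" }
    Write-Warning 'CertSvc will not start until every AIA/CDP location above is reachable and current.'
} else {
    'Issuing CA certificate: chain built and revocation status verified at all URLs.'
}

# Keep the full report for the ticket or the change record.
$report | Set-Content -Path (Join-Path $env:TEMP 'IssuingCA-urlfetch.txt')
```

The same script works for any certificate the CA has issued: replace the -ca.cert export with the path of that certificate to confirm that clients can retrieve the CRL and the CA certificate from the locations embedded in it.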