CA Issues End Entity Certificates with Bad CDP and Revocation Fails Remotely (817015)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
SYMPTOMS
When you create a domain that has a Public Key Infrastructure (PKI)
hierarchy and you use only HTTP Uniform Resource Identifiers (URIs) for
Certificate Revocation List (CRL) Distribution Points, you may find that the
certification authority (CA) embeds an incorrect path in the CRL Distribution
Point (CDP) extension of the End Entity (EE) certificates that it issues.
Revocation checking succeeds on the CA itself but fails on remote computers.

CAUSE
This issue may occur if the CA holds an incorrect CDP reference path in the
registry. Because clients cannot retrieve the CRL from the path that is
embedded in the issued certificates, the revocation check fails, and
auto-enrollment for version 2 (V2) template certificates fails on client
computers.

This issue may also occur if a bad CDP URI was used at one time and was later
repaired: certificates that were issued while the bad URI was in effect,
including the CA Exchange certificate, still carry the bad path.

WORKAROUND
To work around this issue, repair the CDP URI. To do this, follow these
steps:
- Use the Certification Authority snap-in to repair the HTTP CDP path that
the CA embeds in the CDP extension of the certificates it issues.
- Revoke the current CA Exchange certificate, and then publish a new base
CRL.
- Issue a new CA Exchange certificate. To do so, start Internet Explorer and
open the advanced certificate request page of the CA Web enrollment pages.
For example:
http://machine_name/certsrv/certrqma.asp
Enrollment for V2 template certificates should now succeed remotely.

STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are
listed at the beginning of this article.
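The following script is an added example; it is not part of KB 817015 and is not Microsoft tooling. It wraps certutil.exe, which is present on the CA and on domain clients, to do the checks that go with the workaround above: read CRLPublicationURLs from the CA registry and confirm that the HTTP entry carries flag 2 (the bit that puts the URI into the CDP extension of issued certificates), rewrite that value when it is wrong (the command-line equivalent of the snap-in repair in step 1, followed by the new base CRL of step 2), and, from a remote client, fetch the CDP URLs embedded in an issued certificate to see whether revocation checking succeeds. Revoking the old CA Exchange certificate and enrolling a new one are left to the snap-in and the Web pages as the article describes. It assumes Windows PowerShell 2.0 or later on both machines; the host name ca01.contoso.com, the CertEnroll paths and C:\temp\issued.cer are placeholders.

```powershell
# Added example, not from KB 817015. Assumes Windows PowerShell 2.0+ and
# certutil.exe on both the CA and the client. Host name, CA paths and the
# certificate file path are placeholders.

# Parse CRLPublicationURLs from the CA registry. Each entry is "<flags>:<URI>".
#   1  = CSURL_SERVERPUBLISH      the CA writes its CRL to this location
#   2  = CSURL_ADDTOCERTCDP       URI is embedded in the CDP extension of issued certs
#   4  = CSURL_ADDTOFRESHESTCRL   URI is embedded in CRLs (delta CRL lookup)
#   64 = CSURL_SERVERPUBLISHDELTA the CA writes delta CRLs to this location
function Get-CaCdpEntries {
    $lines = certutil -getreg CA\CRLPublicationURLs
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed" }
    foreach ($line in $lines) {
        # entry lines look like "    1: 6:http://ca01.contoso.com/CertEnroll/%3%8%9.crl"
        if ("$line" -match '^\s*\d+:\s*(\d+):(\S.*)$') {
            $flags = [int]$matches[1]
            New-Object PSObject -Property @{
                Flags     = $flags
                Uri       = $matches[2].Trim()
                IsHttp    = ($matches[2] -match '^https?://')
                InCertCdp = (($flags -band 2) -ne 0)   # goes into issued certificates
                Published = (($flags -band 1) -ne 0)   # CA publishes the CRL here
            }
        }
    }
}

# Return a list of problems; an empty result means the HTTP CDP looks right.
# Checks the two things that produce the symptom in the article: no HTTP URI
# embedded at all, or an embedded URI that points at the wrong host.
function Test-CaCdpConfig([string]$ExpectedHost) {
    $problems = @()
    $http = @(Get-CaCdpEntries | Where-Object { $_.IsHttp })
    if ($http.Count -eq 0) { $problems += 'no HTTP CDP entry configured' }
    foreach ($e in $http) {
        if (-not $e.InCertCdp) {
            $problems += "HTTP CDP not embedded in issued certs (flag 2 missing): $($e.Uri)"
        } elseif ($e.Uri -notmatch "^https?://$([regex]::Escape($ExpectedHost))/") {
            $problems += "embedded HTTP CDP points at an unexpected host: $($e.Uri)"
        }
    }
    $problems
}

# Command-line equivalent of the snap-in repair (workaround step 1) plus the
# new base CRL (step 2): keep the local file entry for publication (65 = 1+64),
# embed only the HTTP entry in issued certificates (6 = 2+4), restart the CA
# service so it reads the new value, then publish a new base CRL.
# certutil -setreg takes a literal "\n" as the REG_MULTI_SZ separator.
function Repair-HttpCdp([string]$HttpHost) {
    $value = "65:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
             "6:http://$HttpHost/CertEnroll/%3%8%9.crl"
    certutil -setreg CA\CRLPublicationURLs $value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed" }
    net stop certsvc  | Out-Null
    net start certsvc | Out-Null
    certutil -crl | Out-Null          # publish a new base CRL
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed" }
}

# On a remote client: make certutil fetch every CDP URL embedded in an issued
# certificate (.cer exported from the CA or from a client store) and report the
# outcome. 0x80092013 is CRYPT_E_REVOCATION_OFFLINE, the error a client reports
# when it cannot retrieve a CRL from the embedded CDP path.
function Test-RevocationRemotely([string]$CertPath) {
    $out  = certutil -verify -urlfetch $CertPath
    $text = ($out | ForEach-Object { "$_" }) -join "`n"
    $cdpUrls   = @($out | Where-Object { "$_" -match 'https?://' })
    $fetchFail = @($out | Where-Object { "$_" -match 'Error retrieving URL|^\s*Failed' })
    $offline   = ($text -match '0x80092013|CRYPT_E_REVOCATION_OFFLINE')
    New-Object PSObject -Property @{
        CdpUrls           = $cdpUrls
        FetchFailures     = $fetchFail
        RevocationOffline = $offline
        Passed            = (($LASTEXITCODE -eq 0) -and -not $offline -and ($fetchFail.Count -eq 0))
    }
}

# Usage on the CA:
#   Test-CaCdpConfig -ExpectedHost 'ca01.contoso.com'   # no output means OK
#   Repair-HttpCdp   -HttpHost     'ca01.contoso.com'   # only if problems were listed
# Usage on a remote client, with a certificate issued after the repair:
#   Test-RevocationRemotely -CertPath 'C:\temp\issued.cer'
```

Run the remote check twice: once against a certificate issued before the repair (it should still fail, which is why step 2 and step 3 revoke and replace the CA Exchange certificate) and once against a certificate issued afterwards, which should pass. The CA itself is not a useful place to run Test-RevocationRemotely, since the article's symptom is precisely that revocation checking works there.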
| Modification Type: | Major |
|---|---|
| Last Reviewed: | 12/18/2003 |
| Keywords: | kbpending kbbug KB817015 |