Unable to download Root CRL
Reference:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/589fe93d-c2ec-4075-ad2a-648da0276587
Well, I have the certificate services running on my subordinate CA. The service itself started with no error.
However, it looks like the CRL cannot be found in Active Directory, even though the operation completed successfully (using commands noted in link above).
This is what I am seeing in Server Manager:
https://skydrive.live.com/#cid=6A45A7206EF72D57&id=6A45A7206EF72D57%21416
This is the URL in question:
ldap:///CN=MyNet-Root-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN?cACertificate?base?objectClass=certificationAuthority
February 13th, 2012 11:26pm
So you can take a look at the location by either the Enterprise PKI MMC snap-in, or go directly using ADSI Edit. You can also use CERTUTIL -URL against an issued certificate. You just need to check what is happening. Also make sure that your CA is really configured to publish CRLs to that path - seeing the path in a certificate does not necessarily mean the CA is configured to publish to the path itself automatically - go into the Extensions tab of the AD CS and select the CRL Distribution Points from the drop-down.
ondrej.
February 14th, 2012 3:43am
This is what ADSIEdit shows for the AIA location:
Name                 Class                   Distinguished Name
CN=mynet-issuing-CA  certificationAuthority  CN=mynet-issuing-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int
CN=MyNet-Root-CA     certificationAuthority  CN=MyNet-Root-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int
And for the CDP location (CA1 is the root CA and CA2 is the issuing CA):
Name                 Class                 Distinguished Name
CN=MyNet-Root-CA     cRLDistributionPoint  CN=MyNet-Root-CA,CN=CA1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int
CN=mynet-issuing-CA  cRLDistributionPoint  CN=mynet-issuing-CA,CN=CA2,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int
Here are the paths as defined on the CA:
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
Here is the error message in the App log (Event Viewer):
Event ID 66
Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: ldap:///CN=MyNet-Root-CA,CN=CA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=UnavailableConfigDN. The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58).
Active Directory Certificate Services could not publish a Delta CRL for key 0 to the following location: ldap:///CN=MyNet-Root-CA,CN=CA1,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN. Operation aborted 0x80004004 (-2147467260).
February 16th, 2012 6:00am
When I published the root cert and the CRLs to Active Directory, I got the error below but after adding the NetBIOS name of the server, I thought I was OK:
DsPublish commands
ldap:///CN=MyNet-Root-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int?cACertificate
Certificate added to DS store.
ldap:///CN=MyNet-Root-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int?cACertificate
Certificate added to DS store.
CertUtil: -dsPublish command completed successfully.
If the following error is encountered when publishing the CRL to Active Directory, proceed as follows (indicate the NetBIOS name of the root CA).
C:\RootCertnCRL>certutil -dspublish -f MyNet-Root-CA.crl
ldap:///CN=MyNet-Root-CA,CN=CA1,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint
?certificateRevocationList
ldap: 0xa: 0000202B: RefErr: DSID-031006E0, data 0, 1 access point
ref 1: 'unavailableconfigdn'
CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
CertUtil: A referral was returned from the server.
C:\RootCertnCRL>certutil -dspublish -f MyNet-Root-CA.crl CA1
ldap:///CN=MyNet-Root-CA,CN=CA1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mynet,DC=int?certificateRevocationList
Base CRL added to DS store.
CertUtil: -dsPublish command completed successfully.
############################################################################
This workaround is deceiving! It allows the command to succeed but you end up with the wrong DN!
-> DC=UnavailableConfigDN?
############################################################################
February 16th, 2012 6:02am
I found this and tried what follows:
On Tuesday, January 13, 2009 8:24 PM
Brian Komar \(MVP\) wrote:
Hi,
This is definitely an incorrect configuration.
You need to check two separate objects issued by the root CA.
1) The CRL. If the CRL does not have the correct location, you need to
ensure that the post -configuration script on the root CA correctly ran the
certutil -setreg CA\DSConfigDN CN=Configuration,DC=testad4,DC=test,DC=com
command.
[...] If you do a certutil -getreg ca\DSConfigDN at the
root CA, what value is shown? Ensure that it matches the defined DN, and
then publish a new CRL. You must publish a new CRL before it will read the
new DN value and replace the %%6 value in the CRLPublicationURLs registry
entry.
2) The subordinate CA certificates. Since you include the LDAP URL in your
subordinate CA certificate issued by the root CA, look at the AIA extension
of the subordinate CA certificate. Does the URL show up as the correct DN or
as UnavailableConfigDN? If it is UnavailableConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).
http://www.derkeiler.com/Newsgroups/microsoft.public.security/2010-04/msg00046.html
So I did what follows in an attempt to correct the DN:
C:\>certutil -getreg ca\DSConfigDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\MyNet-Root-CA\DSConfigDN:
CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)
CertUtil: The system cannot find the file specified.
C:\>certutil -setreg ca\DSConfigDN CN=Configuration,DC=mynet,DC=int
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\MyNet-Root-CA\DSConfigDN:
New Value:
DSConfigDN REG_SZ = CN=Configuration,DC=mynet,DC=int
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.
C:\>net stop certsvc
The Active Directory Certificate Services service is stopping.
The Active Directory Certificate Services service was stopped successfully.
C:\>net start certsvc
The Active Directory Certificate Services service is starting.
The Active Directory Certificate Services service was started successfully.
C:\>certutil -getreg ca\DSConfigDN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\MyNet-Root-CA\DSConfigDN:
DSConfigDN REG_SZ = CN=Configuration,DC=mynet,DC=int
CertUtil: -getreg command completed successfully.
######################################################
But I cannot republish the CRL!
I right click on "Revoked Certificates" | All Tasks | Publish
Error!
"The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)"
February 16th, 2012 6:42am
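The following PowerShell audit is an added example for this thread, not code from the original posts or from Microsoft. It folds together the checks ondrej suggested earlier (what the Extensions tab flags actually say, and the ADSI Edit lookup of the CDP object) with the DSConfigDN check from the certutil -getreg/-setreg sequence above, so the "DC=UnavailableConfigDN" symptom can be spotted before Event ID 66 fires. It assumes it runs elevated on the CA itself, that the CA name is read from the 'Active' registry value, and that the CA's sanitized name equals the %7 token the CDP template uses; the flag-bit meanings are the documented AD CS CSURL_* bits.

```powershell
# Added example (not from the thread): audit a CA for the UnavailableConfigDN
# symptom. Run elevated on the CA. Registry layout: HKLM\...\CertSvc\Configuration
# holds 'Active' (the CA name) and a per-CA subkey with DSConfigDN and
# CRLPublicationURLs (REG_MULTI_SZ, "flags:url" entries).
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

# 1. DSConfigDN is what the CA substitutes for %6 (ConfigurationContainer).
#    If it is empty the rendered URL ends in DC=UnavailableConfigDN.
$dsConfigDn = $ca.DSConfigDN
$expectedDn = $null
try {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $expectedDn = [string]$rootDse.configurationNamingContext
} catch {
    Write-Warning "RootDSE not reachable (offline or workgroup root CA?): $_"
}

if (-not $dsConfigDn) {
    Write-Warning "DSConfigDN is not set; LDAP URLs will render as DC=UnavailableConfigDN."
    if ($expectedDn) {
        Write-Host "Fix: certutil -setreg CA\DSConfigDN `"$expectedDn`" ; net stop certsvc ; net start certsvc ; then publish a new CRL."
    }
} elseif ($expectedDn -and $dsConfigDn -ne $expectedDn) {
    Write-Warning "DSConfigDN '$dsConfigDn' differs from the forest configuration NC '$expectedDn'."
} else {
    Write-Host "DSConfigDN OK: $dsConfigDn"
}

# 2. Decode the CRLPublicationURLs flag prefix. These bits are the checkboxes
#    on the Extensions tab; only bit 1 means the CA itself publishes there.
$flagNames = [ordered]@{
    1   = 'PublishCRLsToThisLocation'
    2   = 'IncludeInCDPOfIssuedCerts'
    4   = 'IncludeInCRLsForDeltaLookup'
    8   = 'IncludeInCDPOfCRLs'
    64  = 'PublishDeltaCRLsToThisLocation'
    128 = 'IncludeInIDPOfIssuedCRLs'
}
foreach ($entry in $ca.CRLPublicationURLs) {
    $flags, $url = $entry -split ':', 2
    $set = $flagNames.Keys |
        Where-Object { [int]$flags -band $_ } |
        ForEach-Object { $flagNames[$_] }
    Write-Host ("{0,-75} {1}" -f $url, ($set -join ','))
    if ($url -like 'ldap:*' -and ([int]$flags -band 1) -and -not $dsConfigDn) {
        Write-Warning "  CA publishes to an LDAP location but DSConfigDN is empty: expect Event ID 66 / 0x8007003a."
    }
}

# 3. The ADSI Edit check: does the cRLDistributionPoint object this CA publishes
#    to exist under CN=CDP? Assumption: %7 (CATruncatedName) equals the CA name
#    and %2 (ServerShortName) equals this machine's NetBIOS name, as in the thread.
if ($dsConfigDn) {
    $cdpDn = "CN=$caName,CN=$env:COMPUTERNAME,CN=CDP,CN=Public Key Services,CN=Services,$dsConfigDn"
    if ([ADSI]::Exists("LDAP://$cdpDn")) {
        Write-Host "CDP object present: $cdpDn"
    } else {
        Write-Warning "CDP object missing: $cdpDn (created by the first successful CRL publish; see Event ID 66 if it never appears)"
    }
}
```

After the registry value is corrected and the service restarted, the CRL still has to be republished (certutil -CRL or the MMC's Publish action) before the new DN replaces the %6 token, and any subordinate CA certificate whose AIA/CDP already carries UnavailableConfigDN must be reissued, as Brian Komar's quoted reply notes; a quick way to confirm an issued certificate's URLs resolve is the certutil -URL check ondrej mentioned.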
Does the URL show up as the correct DN or
as UnavailableConfigDN? If it is UnavailableConfigDN, then you will have to
re-issue the subordinate CA certificate (and all other lower certificates).
UnavailableConfigDN...
February 16th, 2012 7:15am
OK, it's (past) 1 AM but I finally triumphed.
Used certutil -setreg command to correct DN (on root CA I think - getting tired).
Then completely redid SubCA with transfer of root CA cert and CRLs and import to Store and AD.
STILL ended up with a red error icon because I opted not to install CA Web Enrollment and for some reason there was a Delta CRL at the bottom of the hierarchy that wanted an HTTP distribution point.
So I just added that role service to make it happy - and no more red!
February 16th, 2012 9:11am