|
Posted by Brian Komar on April 26, 2007, 6:09 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> Root certificate has no CRL and AIA extensions. They are both empty since I
> saw that on few other root certificates and you mention same thing in your
> great book btw. But I don't know where to specify root certificate location.
>
If you look at the book, there is a batch file that you need to run that
sets the paths for the CRL and the AIA URLs. This needs to be edited and
run at the root CA before you issue the subCA certificate.
>
>
>
> And I pushed root certificate and subordinate certificate with GPO so
> internally I have no problems with that since all domain computers have
> those two certificates in local store as trusted certificates.
>
>
OK, so your problem is with external computers? Again, they should build a
chain as long as you publish the Root CA certificate and CRL to an
externally available location (pki.company.com/certdata/files...)
>
>
> And this PKI is pretty much in testing phase so any redeploy of PKI is
> acceptable. Currently we are using on certificate for published site to
> access mail and other is on IAS server for wireless authentication.
The mail one is probably better served by purchasing a certificate from a
commercial provider. Otherwise, all people that connect must add your root
to their trusted store, and may not be willing to do that.
>
>
>
>
>
>
>
> And another thing I noticed is that I somehow configured CRL and AIA
> extensions on subordinate certificate to empty too. Only certificate that
> are issued by subordinate gets one CRL path. On that path is currently no
> crl file but I think I will change that path to internal since we have self
> signet root certificate.
>
>
This is handled by that batch file. Sounds like you removed all URLs from
the Extensions tab at the root CA. There must be URLs there to add the
locations to the subCA certificate. This is definitely why your chaining is
broken
>
>
>
> Miha
| 
XML site map