August 2008 - Posts

Building a CA Hierarchy: Part Oops. How I Screwed Up

This is part Oops of the Building a CA Hierarchy series. If you're just starting, you might want to read the other parts:

Part 1. Building the Root CA
Part 2. Configuring the Root CA
Part 3. Building the Enterprise CA
Part 4. Configuring the Enterprise CA
Part Oops. How I Screwed Up


In the first four parts of my series on configuring Windows 2003 Certificate Authorities I configured the AIA and the CDP as shown here:

[screenshot of the original AIA and CDP extension settings]

Turns out there's one major problem with this. When you renew the CA certificate, the AIA and CDP break.

The fix is to change the configuration so that the AIA paths include the CertificateName variable (in the same place in each file name) and the CDP paths include the CRLNameSuffix variable. Each of these adds the certificate number to the path, so each generation of the CA certificate gets its own CRT and CRL file names instead of overwriting the previous ones.

My new AIA paths for Certificate #1 will therefore be:

  • http://pki.pdconsec.net/PDConSec-RootCA(1).CRT for the root CA
  • http://pki.pdconsec.net/PDConSec-CA1(1).CRT for the first CA
  • http://pki.pdconsec.net/PDConSec-CA2(1).CRT for the second CA

The CRL paths will have the same format:

  • http://pki.pdconsec.net/PDConSec-RootCA(1).CRL for the root CA
  • http://pki.pdconsec.net/PDConSec-PolicyCA1(1).CRL for the first CA
  • http://pki.pdconsec.net/PDConSec-PolicyCA2(1).CRL for the second CA

So that certificates already issued with the old CDP URL don't have to be reissued, I continue to publish the old CRL to the old path name as well (it's just a file copy).
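As an added example (not from the original post), here is how the corrected AIA and CDP configuration can be applied with certutil on the CA. It assumes the default CA registry layout and uses the pki.pdconsec.net host from the post; the %3, %4, %8 and %9 tokens are certutil's names for CaName, CertificateName, CRLNameSuffix and DeltaCRLAllowed.

```batch
REM Added example (not from the original post): apply the corrected CDP and
REM AIA publication URLs with certutil. Assumes the default CA registry
REM layout on the CA and the pki.pdconsec.net host used in the post.
REM Written as a .cmd file, so certutil's tokens are doubled (%%3 not %3);
REM at an interactive prompt they would be typed as %3, %4, %8 and %9.
REM
REM Token meanings used by certutil:
REM   %%3 = CaName          (e.g. PDConSec-RootCA)
REM   %%4 = CertificateName (CA certificate renewal index: "", "(1)", "(2)" ...)
REM   %%8 = CRLNameSuffix   (the same index, used in the CRL file name)
REM   %%9 = DeltaCRLAllowed (adds "+" to delta CRL names; empty if deltas are off)
REM Leading number = publication flags: 1 = publish the file to this location,
REM 2 = include the URL in the extension of issued certificates.

REM --- Broken configuration from Parts 1-4 (shown for comparison, not run):
REM --- without the index, renewing the CA certificate overwrites the CRT/CRL
REM --- file names that already-issued certificates point to.
REM certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3.crt\n2:http://pki.pdconsec.net/%%3.crt"
REM certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3.crl\n2:http://pki.pdconsec.net/%%3.crl"

REM --- Corrected configuration: CertificateName in the AIA, CRLNameSuffix in the CDP.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%4.crt\n2:http://pki.pdconsec.net/%%3%%4.crt"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.pdconsec.net/%%3%%8%%9.crl"

REM Restart the CA service so the new extension settings apply, then
REM publish a fresh CRL and check that the file names now carry the index.
net stop certsvc && net start certsvc
certutil -CRL
dir "%WINDIR%\system32\CertSrv\CertEnroll\*.crl"
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs
```

The index only appears in the file name once the CA certificate has been renewed at least once, which is exactly the case the post describes.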
Posted by davidr with no comments

Can't install ISA Server if your username contains a hash (#)

This is one of the stranger issues I've had to troubleshoot. A customer decided they were going to identify their administrative users with a # symbol (which I shall call a hash, rather than repeatedly trying to type octothorpe without laughing out loud).

Here's what happens if your administrative user happens to be called "#djr".

  1. Run Setup.
  2. Install your desired selection of components, including Enhanced Logging (this is where the issue lies).
  3. Core Components installs successfully.
  4. Error: [screenshot of the installer's error dialog]
  5. Try again. Same error.
  6. Reboot, try again. Same error.
  7. Search Google for the error. Nothing.
  8. Scratch head.
  9. Notice that the hash in the username has been replaced with the folder path to which the SQL binaries will be installed.

So it seems that the ISA installer uses the hash internally as a substitution placeholder (apparently for the SQL install path), and a hash in the username gets substituted along with it.

I renamed the account and the install went through straight away without error.

Posted by davidr with no comments

Certificates: The request contains no Certificate Template

But that doesn't stop us.

My previous series of posts on configuring a CA hierarchy led my friends and colleagues to believe I might know a thing or two about running one, so I end up issuing certificates to them. The most recent request came from a web server where a friend was playing with an iPhone and ActiveSync. Yes, this is an IIS web server. I'm submitting the request to my Enterprise CA.

I load up the Certification Authority console and attempt to submit the request: no dice. Lo and behold, Microsoft KB 910249 came and bit me.

Certificate Request Processor

The request contains no certificate template information. 0x80094801 (-2146875391)
Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the Certificate Template request attribute.

Microsoft's resolution: Generate the request some other way.

Stuff that.

Dave's solution:

certreq -submit -attrib "CertificateTemplate: WebServer" WebServerCertReq.txt

The key is the extra -attrib argument, which names the template the CA should apply to a request that carries no template extension of its own. The certificate is issued and we can go and import it on the web server.

Posted by davidr with 1 comment(s)