Howdy!

I am by no means a PKI/Windows Certificate Authority expert at the moment, but it does seem that I'm starting to go down that route as I'm working on a project to deploy a SharePoint Extranet farm out in Windows Azure. One of the requirements has us setting up and supporting our own internal Certificate Authority. As I was going through some wonderful documentation by Christopher Delay, I came across two environment-specific errors that were really frustrating.

Environment/Tools:

1 Standalone/Offline Root CA, non-domain joined

1 Enterprise Subordinate Issuing Certificate Authority, domain joined

Both servers are Windows Server 2012 Datacenter Edition (each hosted as a Windows Azure VM)

PowerShell is used to run all commands

The Post-Configuration CertUtil commands:

Copied from Christopher Delay’s blog post:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://pki.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n3:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n3:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 3
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127

net stop certsvc
net start certsvc

certutil -CRL

Assuming you update the CertEnroll URLs to match your environment, you may get the following error after you run the CertUtil -CRL command from PowerShell:

Certutil -CRL
CertUtil: -CRL command FAILED: 0x8007010b (WIN32/HTTP: 267)
CertUtil: The directory name is invalid.

In troubleshooting, I tried to replace all of the variables (%3, %1, etc.) with hard-coded values, which worked just fine, but deep down I knew that wasn't the way to go. I eventually switched over to the old-school cmd prompt with the same commands to test with and received a different error:

Certutil -CRL
CertUtil: -CRL command FAILED: 0x8007208f (WIN32: 8335)
CertUtil: The object name has bad syntax.

That error message led me to a TechNet forum post which mentions that the extra % sign in front of each variable is actually designed to be used with batch files: inside a .bat or .cmd file a literal % has to be written as %%, but typed at an interactive cmd prompt (or run from PowerShell) the doubled sign reaches certutil unchanged and the token substitution breaks. So I modified the commands to exclude the extra % sign in front of each variable and voilà, it works! Now back to trying it in PowerShell…

Unfortunately, I was still getting the same "The directory name is invalid" error when I tried to run the CertUtil -CRL command. Upon investigating the Event Viewer logs, I saw a related error that says:

"Active Directory Certificate Services could not publish a Base CRL for key 0 to the following location: WINDIR\system32\CertSrv\CertEnroll\Azure Extranet Issuing Authority 1.crl. The directory name is invalid. 0x8007010b (WIN32/HTTP: 267)."

Hmmm! That's weird… PowerShell doesn't seem to be parsing %WINDIR%! A quick search yields a forum post that says we have to use $env:windir instead of %WINDIR% when using PowerShell. Bada-bing, bada-boom. And the fat lady sings… The reason is that cmd.exe expands %WINDIR% itself before certutil ever sees the argument, whereas PowerShell only expands its own $variable syntax and hands %WINDIR% to certutil literally; that literal value is what got written to the registry, which is why the event above shows WINDIR\system32 instead of C:\Windows\system32.

Complete updated script for when you are using PowerShell to run the post-configuration steps for an Enterprise Subordinate Issuing Certificate Authority. Note the single % before each certsrv token, $env:windir in place of %WINDIR%, and that the \n separators stay exactly as written: PowerShell's escape character is the backtick, so \n is passed to certutil literally, which is what certutil expects as the REG_MULTI_SZ separator. The CRL overlap interval is stored under CA\CRLOverlapUnits; certsvc ignores a value named CRLOverlapPeriodUnits, so check that name if the overlap never seems to take effect.

certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.SubCA.local/certenroll/%3%8%9.crl\n3:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.SubCA.local/certenroll/%1_%3%4.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 3
certutil -setreg CA\CRLOverlapPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\AuditFilter 127

net stop certsvc
net start certsvc

certutil -CRL
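The following is an added example, not code from the original post and not Christopher Delay's script. It covers both pitfalls discussed above (the doubled %% batch-file escape and the unexpanded %WINDIR%) the way I would want them covered on a real CA: it builds the same CDP/AIA strings from PowerShell variables, applies them with certutil, then reads back what was actually stored in the CA's registry key and refuses to restart the service if a stale escape, an unexpanded cmd-style variable, or a missing publish directory is found. The hostname pki.SubCA.local and the helper name Test-CAPublicationUrls are assumptions; it expects an elevated PowerShell session on the issuing CA.

```powershell
# Added example, not from the original post or Christopher Delay's script.
# Builds the CDP/AIA publication strings in PowerShell, applies them with
# certutil, then reads back what was stored and checks for the two pitfalls
# described above before restarting certsvc and publishing a CRL.
# Assumptions: elevated PowerShell session on the issuing CA;
# pki.SubCA.local is a placeholder for your CDP/AIA web host.

$HttpBase = 'http://pki.SubCA.local/certenroll'        # assumption: your HTTP CDP/AIA site
$Enroll   = "$env:windir\system32\CertSrv\CertEnroll"   # $env:windir, not %WINDIR%

# One % per certsrv token (%1 server DNS name, %3 CA name, %8 CRL name suffix, ...).
# "%%" is a batch-file escape; PowerShell would hand it to certutil unchanged.
# "\n" is NOT an escape in PowerShell (the escape character is the backtick), so
# certutil receives the literal two characters it uses to separate REG_MULTI_SZ entries.
$CrlUrls = "1:$Enroll\%3%8%9.crl" +
           "\n2:$HttpBase/%3%8%9.crl" +
           "\n3:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
$AiaUrls = "1:$Enroll\%1_%3%4.crt" +
           "\n2:$HttpBase/%1_%3%4.crt" +
           "\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

certutil -setreg CA\CRLPublicationURLs $CrlUrls
certutil -setreg CA\CACertPublicationURLs $AiaUrls

function Test-CAPublicationUrls {
    # Hypothetical helper: read the URL lists straight from the active CA's
    # registry key and return the problems found (an empty array means all clear).
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # sanitized name of the active CA
    $ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)
    $problems = @()
    foreach ($valueName in 'CRLPublicationURLs', 'CACertPublicationURLs') {
        foreach ($entry in @($ca.$valueName)) {           # REG_MULTI_SZ -> one string per location
            if ($entry -match '%%') {
                $problems += "${valueName}: doubled %% (batch-file escape) in '$entry'"
            }
            if ($entry -match '%[A-Za-z_]') {
                $problems += "${valueName}: unexpanded cmd-style variable in '$entry'"
            }
            # In this script the entries flagged "1:" are the local file locations;
            # their directory must already exist or certutil -CRL fails with
            # 0x8007010b (The directory name is invalid).
            if ($entry -match '^1:(?<dir>.*)\\[^\\]+$') {
                if (-not (Test-Path -LiteralPath $Matches.dir -PathType Container)) {
                    $problems += "${valueName}: publish directory '$($Matches.dir)' does not exist"
                }
            }
        }
    }
    return ,$problems
}

$issues = Test-CAPublicationUrls
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Fix CA\CRLPublicationURLs / CA\CACertPublicationURLs before restarting certsvc.'
}

Restart-Service -Name CertSvc
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }
```

Running the check against values that were set with the batch-file form reports the doubled %% and the unexpanded %WINDIR% before anything is restarted, which is quicker than reading the failure out of the Event Viewer afterwards; certutil -getreg CA\CRLPublicationURLs shows the same stored strings if you want to eyeball them by hand.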
