Microsoft KB Archive/817015

= CA Issues End Entity Certificates with Bad CDP and Revocation Fails Remotely =

Article ID: 817015

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




SYMPTOMS
When you create a domain that has a Public Key Infrastructure (PKI) hierarchy and you use only HTTP Uniform Resource Identifiers (URIs) for Certificate Revocation List (CRL) Distribution Points, the certification authority (CA) may issue End Entity (EE) certificates with an incorrect path in the CRL Distribution Point (CDP) extension. Revocation works on the CA, but fails remotely.



CAUSE
This issue may occur if the CA contains an incorrect reference path in the registry. An incorrect reference path can cause auto-enrollment to fail for V2 certificates on client computers.

This issue may also occur if a bad CDP URI was used at one time, but was later repaired.



WORKAROUND
To work around this issue, repair the CDP URI. To do this, follow these steps:
 * 1) Use the CA snap-in to repair the HTTP CDP path that the CA embeds in the CDP extension of issued certificates.
 * 2) Revoke the current CA Exchange certificate, and then publish a new Base CRL.
 * 3) Issue a new CA Exchange certificate. To do this, start Internet Explorer and open the certificate advanced enrollment pages. For example, http:// /certsrv/certrqma.asp

Enrollment for V2 template certificates should now succeed remotely.
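
To confirm the repair from a remote client, where the symptom appears, the following added example (not part of the original article) reads the CDP extension of a certificate issued after the workaround and tries to fetch each HTTP URI it contains. The script parameter `$CertPath` is an assumption: the path to an end-entity certificate exported to a .cer file.

```powershell
# Added example: run on a remote client, not on the CA itself.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # assumption: exported end-entity certificate (.cer)
)

$cdpOid = '2.5.29.31'   # OID of the CRL Distribution Points extension
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
if (-not $ext) {
    Write-Warning "No CDP extension found in certificate: $($cert.Subject)"
    return
}

# On Windows, the multi-line Format() output lists each distribution point as "URL=<uri>".
$urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($u in $urls) {
    $uri = $null
    $result = [pscustomobject]@{ Url = $u; WellFormed = $false; Fetched = $false; Detail = '' }

    # A bad CDP path typically shows up here (no host, malformed path) or as a failed fetch below.
    if ([System.Uri]::TryCreate($u, [System.UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
        $result.WellFormed = $true
        if ($uri.Scheme -in 'http', 'https') {
            try {
                $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
                $result.Fetched = ($resp.StatusCode -eq 200)
                $result.Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
            } catch {
                # Name resolution failures, 404 responses and timeouts all land here.
                $result.Detail = $_.Exception.Message
            }
        } else {
            $result.Detail = "Skipped non-HTTP scheme '$($uri.Scheme)'"
        }
    } else {
        $result.Detail = 'Not an absolute URI with a host name'
    }
    $result   # one row per CDP URI
}
```

A certificate issued before the CDP path was repaired still carries the old URI, so run the check against a certificate issued after step 3. `certutil -verify -urlfetch` on the same file performs the retrieval as part of full chain validation.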



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

Keywords: kbpending kbbug KB817015


© Microsoft Corporation. All rights reserved.