000019848 - How to publish end entity certificates  CA certificates  and CRLs to Microsoft Active Directory

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000019848
Applies ToKeon Certificate Authority 6.0.2
Microsoft Windows 2000
Microsoft Active Directory
IssueHow to publish end entity certificates, CA certificates, and CRLs to Microsoft Active Directory
Several symptoms might be recorded in the Windows Event Viewer (Application Log) if the certificate publication is not properly configured. Some examples include the following:

1. "CA certificate publication: failed [XrcXUDAUNABLE:unable to contact directory server]"
   "<NULL>"
2. "CA certificate publication: failed [XrcLDAPUNABLE:unspecified failure in LDAP operation]"
3. "addEntry: entry creation request failed [unable to contact directory server]"
   "confirmEntry: unable to locate or add entry [CN=SubordinateCA, CN=users,DC=somedomain,DC=MyCompany,DC=com]"

The following two symptoms are related, but are listed as two different events by Windows:

1. "CA certificate publication: failed [XrcXUDAUNABLE:unable to contact directory server]"
   "<NULL>"
2. "Push certificate: `OU=Tech, DC=somedomain,DC=MyCompany,DC=com', operation: add, attribute: `cACertificate', length: 32656152"

All these symptoms are caused by an incorrect configuration of the External Publishing settings in the CA Jurisdiction. The aim of this solution is to summarize the configuration of KCA and Active Directory to publish certificates from the former to the later. Some information has been excerpted from the "RSA Keon Ready Implementation Guide for Directory Server Products".
ResolutionThe solution is divided in several stages. Some stages can be ignored if you are not using all the publishing options. The solution uses fixed Active Directory and KCA hierarchies throughout all the examples. When necessary, the configuration will map one to the other.

NOTE: Start your tests without using certificate extensions in order to simplify the scenario and facilitate troubleshooting (particularly of the CDP configuration)

HIERARCHIES USED FOR THIS EXAMPLE
----------------------------------------------------------------
a. KCA:
CN=SubordinateCA,OU=Tech,O=MyCompany,C=MX

b. Active Directory:
OU=Tech, DC=somedomain,DC=MyCompany,DC=com

c. DN hierarchies Mapping:
It is not used in this example and might not be required for simple Active Directory hierarchies


ENABLE CRL PUBLISHING
----------------------------------------------------------------
1. Select CA Operations workbench
2. Select your CA in the left-hand pane
3. In the right-hand pane, click the "CRL Publishing" button under the "CA Configuration:" heading
4. Check "Enable local CRL publishing" and select "Publish to LDAP server"
5. Click "Modify configuration" and then "OK" in the dialog box
6. You will get a message like the following:

        "CRLs will be published to LDAP DN:"
        "CN=SubordinateCA,OU=Tech,O=MyCompany,C=MX"

NOTE: The message above indicates where in the KCA internal LDAP server's hierarchy the CRL will be published. The CRL is published in DER format in the KCA Secure Directory.

NOTE: From now on, all the end-entity certificates will have a CDP attribute (CRL Distribution Point)

NOTE: In the next section, the KCA Jurisdiction will be configured to publish the CRL into Active Directory as an attribute of the Organizational Unit where the corresponding CA certificate was published

7. Click "OK" to go back to the CA view


ENABLE PUBLISHING AT THE JURISDICTION LEVEL
----------------------------------------------------------------------------------
1. Still in the CA view, under the "Jurisdiction Configuration:" heading:
 a. Select the jurisdiction you want to configure
 b. Click "Configure"
2. Select "External Publishing" in the "Section" cascading menu
3. Under "Publishing control", enable the 3 following options:
 a. Publish CRLs
 b. Publish Certificates
 c. Publish Authorities
4. Configure the remaining options as follows (see the HIERARCHIES USED FOR THIS EXAMPLE section above):

        Host: active_directory_server.domain.com
        Port: 389
        Bind DN: CN=Administrator,CN=users,DC=somedomain,DC=MyCompany,DC=com
        Bind Password: MySecretPassword
        Enable SSL: Off

NOTE: The remaining SSL options must be left unchanged. Consult the aforementioned Implementation Guide if you want to use LDAP publishing with SSL.

        Create Person Surname from Common Name: Off
        Base DN: DC=somedomain,DC=MyCompany,DC=com
        Create DN From Certificate DN: Off
        Certificate DN: CN,OU

NOTE: This will publish the end-entity certificates to CN=UserName,OU=Tech,DC=somedomain,DC=MyCompany,DC=com. The CN and OU are taken from the DN name inside the end-entity certificate, and the DC's refer to the Active Directory hierarchy defined above in base DN.

        Create Authority DN From Certificate DN: Off
        Authority DN: OU

NOTE: This will publish the CA certificate to OU=Tech,DC=somedomain,DC=MyCompany,DC=com. The OU is taken from the DN name inside the CA certificate, and the DC's refer to the Active Directory hierarchy defined above in base DN. If the OU does not exist in Active Directory, KCA will create a new one.

NOTE: If you want to use the CN of the CA as the name of the OU that will contain the CA certificate, you must use "Authority DN: CN" and create a mapping from the CN in KCA to the OU in Active Directory (using "DN Mapping")

        DN Mapping: Undefined
        Use Search to create DN: Off
        End Entity Attributes: sAMAccountName=cn
        End Entity Class: user
        End Entity Certificate Field: userCertificate
        Authority Attributes: Undefined
        Authority Class: certificationAuthority
        Authority Certificate Field: cACertificate
        Authority CRL Field: certificaterevocationlist
        Aux End Entity Class: Undefined
        Aux Authority Class: Undefined
        Create End Entity as:
                user
                person
                organizationalPerson
        Create Authority as: organizationalUnit
5. Click "Save and Exit" at the top of the screen


CONFIGURE ACTIVE DIRECTORY FOR KCA INTEGRATION
-----------------------------------------------------------------------------------------
NOTE: This solution assumes Active Directory is already enabled on the Windows 2000 Server

1. Enable the Active Directory Schema Manager in Microsoft Management Console (MMC)
 a. Install the Windows Administrative Tools from the \Support\Tools\setup.exe directory on the installation CD-ROM
 b. From a command prompt window (cmd), execute "regsvr32 schmmgmt.dll" and click "OK"
 c. While still in the command prompt window, run "mmc"
 d. Click "Console" and select "Add/Remove Snap-in"
 e. Select "Console Root" and click "Add"
 f. Select "Active Directory Schema" from the "Snap-ins" list and click "Add"
 g. Select "ADSI Edit" from the "Snap-ins" list and click "Add"

NOTE: ADSI Edit will not be used in this example. However, this is a powerful tool to Edit the Active Directory hierarchy. A typical case would be to manually create an OU to be used to publish the CA (check the Implementation Guide for additional details).

 h. Click "Close" and "OK"

2. Enable "Schema modifications" from the MMC
 a. While still in the MMC, right click "Active Directory Schema", select "Operations Master", and check "The Schema may be modified on this Domain Controller"
 b. Click "OK"

3. Add the pkiCA object Class to the Active Directory schema
 a. In MMC, expand the Active Directory Schema
 b. Right click "Classes" and select "Create Class". In the warning dialog box, click "Continue".
 c. In the "Create New Schema Class" dialog, enter the following information:

        - Common Name                pkiCA
        - LDAP Display Name        pkiCA
        - Unique X500                Object ID 2.5.6.22
        - Parent Class                top
        - Class Type                        Auxiliary

 d. Click "Next"
 e. Add the attributes "cACertificate" and "certificateRevocationList" in the "Optional" box
 f. Click "Finish"

4. Add the pkiCA class as an Auxiliary Class of the organizationalUnit class
 a. In the "Active Directory Schema" in MMC, right click the "organizationalUnit" class and select "Properties"
 b. Click the "Relationship" tab and click ?Add? next to the "Auxiliary Classes"
 c. Select "pkiCA", click "OK", and click "Apply"
 d. Click "OK"

PUBLISH INTO ACTIVE DIRECTORY FOR KCA INTEGRATION
-----------------------------------------------------------------------------------------
1. Go back to the view of the CA in the "CA Operations" workbench
2. Click "Publish" under the "CA Certificate Operations:" heading to publish the CA certificate to the OU in Active Directory
3. Click "Generate CRL" under the "CA Operations:" heading

NOTE: There must be Revoked certificates in order to create a valid CRL

4. Click "Publish CRL" under the "CA Operations:" heading
5. Enroll for a new end-entity certificate and issue the certificate. This will be also published to Active Directory using the CN of the DN inside the certificate.
Legacy Article IDa12956

Attachments

    Outcomes