Tuesday, October 4, 2016

Expired Offline Root CA CRL Causes Warnings

Today at a client site I noticed an error in the System log of all the domain controllers:
Source: Kerberos-Key-Distribution-Center
Event ID: 29
Level: Warning
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons....

This client isn't using smart cards, but there has been some certificate strangeness in the past. So, it's worth investigating.

The most common reason for this error is a missing or invalid domain controller certificate. If the organization has an internal CA then it should automatically get a domain controller certificate from that CA. If the organization does not have an internal CA, then you can consider the warning cosmetic and ignore it.

In this case, the organization does have an internal CA. In fact, they have an offline root CA and an enterprise issuing CA.

Each domain controller has a certificate that is issued from an LDAPoverSSL certificate template. This certificate ensures that all of the domain controllers are properly configured to respond to LDAPS queries from applications.

When I look at the LDAPoverSSL certificate on a couple of servers, it is not expired. And when I view it in the Certificates MMC snap-in it is identified as valid. So, all looks good.

I also verified that these certificates did have the necessary options enabled for smart card authentication. In the Enhanced Key Usage field, the following were listed:
  • KDC Authentication
  • Smart Card Logon
  • Server Authentication
  • Client Authentication
The Event ID text mentions verifying the certificate by using certutil.exe. So, I found a couple of web sites that recommend running certutil -verify, but this requires you to have the certificate in a file. Instead, you can run the following command on the server containing the certificate you want to check:
certutil.exe -verifystore MY > cert.txt
This command verifies all of the certificates in the local computer certificate store. Note that you can also verify user certificates by adding the -user option, but computer certificates are checked without any option. The output from the command is quite long and I'm dumping it to a text file for easier reading.

The output contains information for each certificate in the store. In my case, I identified the LDAPoverSSL certificate in the output and found the following at the end of the data:
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
Certificate is valid
Finally, a clue. So, I opened up the certificate and looked at the CRL Distribution Points field. This provided both an HTTP URL and an LDAP URL. When I accessed the HTTP URL, I was able to download and view the CRL without issue.

Certificate trust requires that the entire certification path is valid. So, next I looked at the issuing CA certificate in the chain. This certificate was also valid but pointed at a different CRL (same server, but a different CRL file name for the offline root CA). When I downloaded this file I saw that the Next Update field was two days ago. This corresponds within 30 minutes of when the warning began appearing in the event log.

To verify the validity of the certificate, the CRL for all certification authorities in the certification chain must be valid. Because the CRL from the offline root CA was expired, the certificate was not being trusted for all purposes. The fix is to update the CRL from the offline root.

We completed the following process to update the CRL:
  1. Powered on the offline root CA
  2. Verified that the offline root CA updated the CRL at startup
  3. Copied the new CRL from the offline root CA to the CRL distribution point
  4. Published the new CRL to AD for availability via LDAP
To publish the CRL to Active Directory use the following command:
certutil -f -dspublish "CRL Path"
After this process was complete, I verified the certificate again and did not get an error about skipping the revocation check.

Two important lessons:
  1. The Certificates MMC snap-in does not check the CRL for a certificate. So, to check certificate validity, use certutil.exe.
  2. If you have an offline root CA, you need to have a process in place to update the CRL from it.
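The same check as certutil -verifystore MY, done from PowerShell so it can be scheduled on domain controllers and report which CA in the chain has the unreachable or stale CRL. This is an added example, not part of the original post; it assumes the computer's Personal (MY) store as used above and uses the .NET X509Chain class, which performs the online CRL check that the Certificates MMC snap-in does not.
```powershell
# Added example: verify every certificate in the computer's Personal store
# with online revocation checking, the way certutil -verifystore MY does.
Add-Type -AssemblyName System.Security

function Test-CertificateChainRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs from the CDP URLs instead of trusting a cached copy.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # ExcludeRoot skips the self-signed root itself, but the issuing CA certificate
    # is still checked against the offline root's CRL, which is the case in the post.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Fail fast instead of hanging when a CDP server is unreachable.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $chainValid = $chain.Build($Certificate)
    $problems = @()
    # Per-element status shows which CA's CRL could not be checked:
    # expect OfflineRevocation / RevocationStatusUnknown on the issuing CA
    # element when the root CA's CRL has passed its Next Update time.
    foreach ($element in $chain.ChainElements) {
        foreach ($status in $element.ChainElementStatus) {
            if ($status.Status -ne 'NoError') {
                $problems += '{0}: {1} ({2})' -f $element.Certificate.Subject,
                    $status.Status, ($status.StatusInformation -replace '\s+$', '')
            }
        }
    }
    $chain.Reset()

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        ChainValid = $chainValid
        Problems   = $problems
    }
}

# Report only certificates whose chain failed, including revocation problems.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertificateChainRevocation -Certificate $_ } |
    Where-Object { -not $_.ChainValid } |
    Format-List
```
A clean run prints nothing; after the offline root's CRL expires, the LDAPoverSSL certificate appears with a revocation status problem attributed to the issuing CA element rather than to the domain controller certificate itself.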
Links with more information: