How to publish end entity certificates, CA certificates and CRLs to Microsoft Active Directory
Originally Published: 2002-09-23
Applies To
Microsoft Windows 2000
Microsoft Active Directory
Issue
Several symptoms might be recorded in the Windows Event Viewer (Application Log) if the certificate publication is not properly configured. Some examples include the following:
1. "CA certificate publication: failed [XrcXUDAUNABLE:unable to contact directory server]"
"<NULL>"
2. "CA certificate publication: failed [XrcLDAPUNABLE:unspecified failure in LDAP operation]"
3. "addEntry: entry creation request failed [unable to contact directory server]"
"confirmEntry: unable to locate or add entry [CN=SubordinateCA, CN=users,DC=somedomain,DC=MyCompany,DC=com]"
The following two symptoms are related, but are listed as two different events by Windows:
1. "CA certificate publication: failed [XrcXUDAUNABLE:unable to contact directory server]"
"<NULL>"
2. "Push certificate: `OU=Tech, DC=somedomain,DC=MyCompany,DC=com', operation: add, attribute: `cACertificate', length: 32656152"
All these symptoms are caused by an incorrect configuration of the External Publishing settings in the CA Jurisdiction. The aim of this solution is to summarize the configuration of KCA and Active Directory needed to publish certificates from the former to the latter. Some information has been excerpted from the "RSA Keon Ready Implementation Guide for Directory Server Products".
Resolution
NOTE: Start your tests without using certificate extensions in order to simplify the scenario and facilitate troubleshooting (particularly of the CDP configuration).
HIERARCHIES USED FOR THIS EXAMPLE
----------------------------------------------------------------
a. KCA:
CN=SubordinateCA,OU=Tech,O=MyCompany,C=MX
b. Active Directory:
OU=Tech, DC=somedomain,DC=MyCompany,DC=com
c. DN hierarchies Mapping:
It is not used in this example and might not be required for simple Active Directory hierarchies
ENABLE CRL PUBLISHING
----------------------------------------------------------------
1. Select CA Operations workbench
2. Select your CA in the left-hand pane
3. In the right-hand pane, click the "CRL Publishing" button under the "CA Configuration:" heading
4. Check "Enable local CRL publishing" and select "Publish to LDAP server"
5. Click "Modify configuration" and then "OK" in the dialog box
6. You will get a message like the following:
"CRLs will be published to LDAP DN:"
"CN=SubordinateCA,OU=Tech,O=MyCompany,C=MX"
NOTE: The message above indicates where in the KCA internal LDAP server's hierarchy the CRL will be published. The CRL is published in DER format in the KCA Secure Directory.
NOTE: From now on, all the end-entity certificates will have a CDP attribute (CRL Distribution Point)
NOTE: In the next section, the KCA Jurisdiction will be configured to publish the CRL into Active Directory as an attribute of the Organizational Unit where the corresponding CA certificate was published
7. Click "OK" to go back to the CA view
ENABLE PUBLISHING AT THE JURISDICTION LEVEL
----------------------------------------------------------------------------------
1. Still in the CA view, under the "Jurisdiction Configuration:" heading:
a. Select the jurisdiction you want to configure
b. Click "Configure"
2. Select "External Publishing" in the "Section" cascading menu
3. Under "Publishing control", enable the following three options:
a. Publish CRLs
b. Publish Certificates
c. Publish Authorities
4. Configure the remaining options as follows (see the HIERARCHIES USED FOR THIS EXAMPLE section above):
Host: active_directory_server.domain.com
Port: 389
Bind DN: CN=Administrator,CN=users,DC=somedomain,DC=MyCompany,DC=com
Bind Password: MySecretPassword
Enable SSL: Off
NOTE: The remaining SSL options must be left unchanged. Consult the aforementioned Implementation Guide if you want to use LDAP publishing with SSL.
Create Person Surname from Common Name: Off
Base DN: DC=somedomain,DC=MyCompany,DC=com
Create DN From Certificate DN: Off
Certificate DN: CN,OU
NOTE: This will publish the end-entity certificates to CN=UserName,OU=Tech,DC=somedomain,DC=MyCompany,DC=com. The CN and OU are taken from the subject DN inside the end-entity certificate, and the DCs refer to the Active Directory hierarchy defined above in Base DN.
Create Authority DN From Certificate DN: Off
Authority DN: OU
NOTE: This will publish the CA certificate to OU=Tech,DC=somedomain,DC=MyCompany,DC=com. The OU is taken from the subject DN inside the CA certificate, and the DCs refer to the Active Directory hierarchy defined above in Base DN. If the OU does not exist in Active Directory, KCA will create a new one.
NOTE: If you want to use the CN of the CA as the name of the OU that will contain the CA certificate, you must use "Authority DN: CN" and create a mapping from the CN in KCA to the OU in Active Directory (using "DN Mapping")
DN Mapping: Undefined
Use Search to create DN: Off
End Entity Attributes: sAMAccountName=cn
End Entity Class: user
End Entity Certificate Field: userCertificate
Authority Attributes: Undefined
Authority Class: certificationAuthority
Authority Certificate Field: cACertificate
Authority CRL Field: certificaterevocationlist
Aux End Entity Class: Undefined
Aux Authority Class: Undefined
Create End Entity as:
user
person
organizationalPerson
Create Authority as: organizationalUnit
5. Click "Save and Exit" at the top of the screen
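The two notes above describe how the Certificate DN and Authority DN fields turn a certificate's subject DN into the Active Directory DN that KCA publishes to. The following added example (not part of the original article or of KCA) models that mapping so an administrator can predict where an entry should land and compare it against the DN reported in an Event Viewer error such as "confirmEntry: unable to locate or add entry [...]". It assumes that KCA keeps the listed RDN types in subject order, drops all others, and appends the configured Base DN; the sample user subject is constructed.

```python
import re

# Constructed example values, following the article's "HIERARCHIES USED FOR THIS EXAMPLE".
BASE_DN = "DC=somedomain,DC=MyCompany,DC=com"
CA_SUBJECT = "CN=SubordinateCA,OU=Tech,O=MyCompany,C=MX"
USER_SUBJECT = "CN=jdoe,OU=Tech,O=MyCompany,C=MX"   # constructed end-entity subject


def split_rdns(dn):
    """Split a DN string into (type, value) pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr_type, _, value = part.strip().partition('=')
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def build_publish_dn(subject_dn, dn_fields, base_dn):
    """Assumption about KCA behaviour: keep only the RDN types listed in the
    Certificate DN / Authority DN setting (e.g. "CN,OU"), in subject order,
    then append the configured Base DN."""
    wanted = {f.strip().upper() for f in dn_fields.split(',')}
    kept = [f"{t}={v}" for t, v in split_rdns(subject_dn) if t in wanted]
    if not kept:
        raise ValueError("none of the configured RDN types is present in the subject DN")
    return ",".join(kept + [base_dn])


def dn_matches(actual_dn, expected_dn):
    """Compare two DNs the way LDAP does: case-insensitive, ignoring whitespace around RDNs.
    Use it to check the DN from an Event Viewer error against the expected publish DN."""
    def norm(dn):
        return [(t, v.lower()) for t, v in split_rdns(dn)]
    return norm(actual_dn) == norm(expected_dn)


if __name__ == "__main__":
    print("CA cert goes to  :", build_publish_dn(CA_SUBJECT, "OU", BASE_DN))
    print("User cert goes to:", build_publish_dn(USER_SUBJECT, "CN,OU", BASE_DN))
    # DN quoted in the article's confirmEntry error, checked against the expected location.
    reported = "CN=SubordinateCA, CN=users,DC=somedomain,DC=MyCompany,DC=com"
    print("Reported DN matches expected:", dn_matches(reported, build_publish_dn(CA_SUBJECT, "CN,OU", BASE_DN)))
```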
CONFIGURE ACTIVE DIRECTORY FOR KCA INTEGRATION
-----------------------------------------------------------------------------------------
NOTE: This solution assumes Active Directory is already enabled on the Windows 2000 Server
1. Enable the Active Directory Schema Manager in Microsoft Management Console (MMC)
a. Install the Windows Administrative Tools by running \Support\Tools\setup.exe from the installation CD-ROM
b. From a command prompt window (cmd), execute "regsvr32 schmmgmt.dll" and click "OK"
c. While still in the command prompt window, run "mmc"
d. Click "Console" and select "Add/Remove Snap-in"
e. Select "Console Root" and click "Add"
f. Select "Active Directory Schema" from the "Snap-ins" list and click "Add"
g. Select "ADSI Edit" from the "Snap-ins" list and click "Add"
NOTE: ADSI Edit will not be used in this example. However, this is a powerful tool to Edit the Active Directory hierarchy. A typical case would be to manually create an OU to be used to publish the CA (check the Implementation Guide for additional details).
h. Click "Close" and "OK"
2. Enable "Schema modifications" from the MMC
a. While still in the MMC, right click "Active Directory Schema", select "Operations Master", and check "The Schema may be modified on this Domain Controller"
b. Click "OK"
3. Add the pkiCA object Class to the Active Directory schema
a. In MMC, expand the Active Directory Schema
b. Right click "Classes" and select "Create Class". In the warning dialog box, click "Continue".
c. In the "Create New Schema Class" dialog, enter the following information:
- Common Name pkiCA
- LDAP Display Name pkiCA
- Unique X500 Object ID 2.5.6.22
- Parent Class top
- Class Type Auxiliary
d. Click "Next"
e. Add the attributes "cACertificate" and "certificateRevocationList" in the "Optional" box
f. Click "Finish"
4. Add the pkiCA class as an Auxiliary Class of the organizationalUnit class
a. In the "Active Directory Schema" in MMC, right click the "organizationalUnit" class and select "Properties"
b. Click the "Relationship" tab and click "Add" next to the "Auxiliary Classes"
c. Select "pkiCA", click "OK", and click "Apply"
d. Click "OK"
PUBLISH INTO ACTIVE DIRECTORY FOR KCA INTEGRATION
-----------------------------------------------------------------------------------------
1. Go back to the view of the CA in the "CA Operations" workbench
2. Click "Publish" under the "CA Certificate Operations:" heading to publish the CA certificate to the OU in Active Directory
3. Click "Generate CRL" under the "CA Operations:" heading
NOTE: There must be Revoked certificates in order to create a valid CRL
4. Click "Publish CRL" under the "CA Operations:" heading
5. Enroll for a new end-entity certificate and issue the certificate. This will also be published to Active Directory using the CN of the DN inside the certificate.