
I have set up a new server and installed the Remote Access and Certificate Authority services so I can configure it as a VPN. I have created my own certificate through http://localhost/certsvr, and have imported it into the Trusted Certificate Store.

My VPN works, but only if I disable revocation checking on the client via the registry, and what I have found is that the CRL for my certificate doesn't exist. The name of my certificate is dcom-dc01.dcomproductions.com, but when I check the CertEnroll folder in IIS the CRL for it is not listed. Only the CRL for the original one created during Certificate Authority setup (DCOM-DC01-CA) exists. I tried to do Actions -> Publish, but it still does not publish the CRL.

How can I correct this?

My CRL distribution points are configured to:

C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://EXTERNALIP/CertEnroll/<CaName>/<CRLNameSuffix>/<DeltaCRLAllowed>.crl

Where EXTERNALIP is of course the publicly accessible IP for the server. The only one I changed was the HTTP one, because my understanding is that this is where clients check for the CRL.

David Anderson
  • What CRL distribution points are configured in the Certificate Authority MMC? – Shane Madden Dec 30 '12 at 21:34
  • Updated my answer. – David Anderson Dec 30 '12 at 21:37
  • Which boxes are checked on those? Specifically, the "include in CDP extension" and "publish to this location" options. Can you check if it's successfully publishing to other locations, like the LDAP one? – Shane Madden Dec 30 '12 at 21:41
  • I checked `C:\System32\CertSrv\CertEnroll`, and it's not published there either. The `Publish CRL's to this location` box is checked only for the first of the four options (the physical file path), but not for the others. It's greyed out for HTTP. The two `Include` options (CRL and CDP) are both checked for `file://` and `http://` – David Anderson Dec 30 '12 at 21:53
  • Interesting. Check for any errors in the event log? Try running `certutil -crl` in a command prompt (in admin mode, if you have UAC enabled)? – Shane Madden Dec 30 '12 at 23:41
  • I tried running certutil -crl to no avail. I checked the event viewer and found this: `A connection between the VPN server and the VPN client has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47).` I don't control the router for the VPN server, but according to my host they don't block any ports. On my personal computer, I tried using just the modem directly, and still received the err – David Anderson Jan 01 '13 at 04:58

1 Answer


First, you have 2 extra "/" in the http address; it should be:

http://EXTERNALIP/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Second, you need to issue another certificate to be used in your IIS and on the VPN. Third, you need port 80 open on your IIS.

slm
wit1
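As an added example, not part of the question or the answer: the steps above, carried out from an elevated PowerShell on the CA. Two points it makes explicit. A CRL is produced per issuing CA, not per end-entity certificate, so the file named after DCOM-DC01-CA is the one a client will look for; it fetches it from the URL embedded in the VPN server certificate's CDP extension, which is why a certificate issued before the CDP template is corrected still points at the malformed URL and has to be reissued. The CDP list is stored in the registry value `CRLPublicationURLs` as `<flags>:<template>` entries, which is what the checkboxes in the CA MMC write. `$PublicHost` and `$VpnCert` are assumptions standing in for EXTERNALIP and an exported copy of the VPN server certificate; the CA name is taken from the question.

```powershell
# Added example, not code from the question or answer. Run in an elevated
# PowerShell on the CA (AD CS with the CertEnroll virtual directory in IIS).
$PublicHost = 'vpn.example.com'         # assumption: stands in for EXTERNALIP
$CaName     = 'DCOM-DC01-CA'            # from the question
$VpnCert    = 'C:\temp\vpn-server.cer'  # assumption: exported VPN server certificate

# 1. Show the current CDP list. Each entry is "<flags>:<template>", flags being a
#    bitmask: 1 = publish CRL here, 2 = include in the CDP extension of issued
#    certificates, 4 = include in CRLs so clients can find the delta CRL,
#    8 = include in all CRLs (AD publish location), 64 = publish delta CRL here.
#    %1 = ServerDNSName, %3 = CaName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed.
certutil -getreg CA\CRLPublicationURLs

# 2. Rewrite the list. The HTTP template concatenates the variables (%3%8%9.crl)
#    instead of separating them with "/". Only the local file path gets the
#    publish flags (1 + 64): the CA writes the file to CertEnroll and IIS serves
#    it, so the HTTP entry only needs 2 + 4.
$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
    "6:http://$PublicHost/CertEnroll/%3%8%9.crl"
)
# certutil takes a literal "\n" as the separator between REG_MULTI_SZ values.
certutil -setreg CA\CRLPublicationURLs ($cdp -join '\n')

# 3. The CA reads its extension settings at start-up; then regenerate the CRL.
#    Read the output of certutil -crl: any error here (for example a path the
#    service account cannot write to) is why nothing appears in CertEnroll.
Restart-Service CertSvc
certutil -crl

# 4. Confirm the base CRL now exists on disk and that IIS serves it on port 80
#    at the same URL clients will compute from the CDP template.
Get-ChildItem "$env:windir\system32\CertSrv\CertEnroll\$CaName*.crl"
$crlLocal = Join-Path $env:TEMP "$CaName.crl"
$resp = Invoke-WebRequest -Uri "http://$PublicHost/CertEnroll/$CaName.crl" `
                          -OutFile $crlLocal -PassThru
$resp.StatusCode          # expect 200
certutil -dump $crlLocal | Select-String 'Next Update', 'CRL Number'

# 5. Port 80 must be reachable from the clients (Windows Server 2012 or later
#    cmdlet; on older releases use netsh advfirewall).
New-NetFirewallRule -DisplayName 'CRL over HTTP' -Direction Inbound `
                    -Protocol TCP -LocalPort 80 -Action Allow

# 6. If delta CRLs are published, their file name ends in "+.crl", and IIS
#    request filtering must allow the "+" in the path:
# & "$env:windir\system32\inetsrv\appcmd.exe" set config "Default Web Site/CertEnroll" `
#     /section:requestFiltering /allowDoubleEscaping:true

# 7. Check a certificate the way a client does: follow the CDP URL embedded in
#    it and report the revocation result. A certificate issued before step 2
#    still carries the old URL, so reissue the VPN server certificate first.
certutil -verify -urlfetch $VpnCert | Select-String 'CRL', 'Revocation', 'ERROR'
```

Step 7 is the check to run on a client before turning revocation checking back on: if `certutil -verify -urlfetch` reports the CRL as retrieved and the status as not revoked, the registry change that disabled revocation checking can be reverted.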