Microsoft PKI Planning and Deploying Certificate Services Part 2

KB ID 0001310 

Problem

In Part One we deployed our offline Root CA server. Now we are going to deploy the web server that hosts the CRL Distribution Point (CDP) and Authority Information Access (AIA) locations, i.e. the HTTP URLs, baked into every certificate the hierarchy issues, from which clients fetch the Certificate Revocation List and the CA certificates.

Solution

Before you start:

Create a DNS A record for ‘pki’ (pki.cabench.com in this lab) that points to the IP address of the server that will host the CRL web site. Use this alias rather than the web server’s own host name: the URLs end up inside every issued certificate, so the name has to outlive the server.

I’m installing my CRL server on a separate web server because that’s good practice: the Root CA is offline and an issuing CA can be down for maintenance, but clients must still be able to fetch the CRL or revocation checking fails. Starting with a domain joined member server, launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server > Next.

Select Web Server IIS > Add Features > Next > Next.

Next > No additional features are required > Next.

Next > Install > Close.

Create a folder called PKI on the root of your web server’s system drive (C:\PKI) and share it as PKI$ (the trailing dollar sign hides the share from browsing; it is a convenience, not a security control, so the permissions below still matter).

Set the share permissions as follows;

  • SYSTEM: Full Control
  • Domain Admins: Full Control
  • Cert Publishers: Change
  • The computer accounts of the CA servers that will publish CRLs here: Full Control

Launch Internet Information Services (IIS) > Server-name > Sites > Default Web Site > Add Virtual Directory.

  • Alias: PKI
  • Physical Path: C:\PKI

Select your new PKI directory > Edit Permissions (these are the NTFS permissions on C:\PKI, which apply however the files arrive).

  • Cert Publishers: Modify.
  • DefaultAppPool: Read and Execute.

Note: You cannot browse for DefaultAppPool in the object picker. Change the location to the local computer name and type the account name ‘IIS AppPool\DefaultAppPool’. This is the virtual account the Default Web Site’s application pool runs as, and read access is all it needs on this folder.

For your PKI Virtual Directory select ‘Configuration Editor’.

System.webServer > Security > requestFiltering > allowDoubleEscaping > Change to ‘True’ > Apply.

Note: This is needed because delta CRL files are named with a plus sign (e.g. RootCA+.crl), and IIS request filtering treats a ‘+’ in the URL as a double-escape sequence and refuses the request (HTTP 404.11) unless double escaping is allowed. Setting it on the PKI directory only, rather than on the whole site, confines the relaxation to the one folder that needs it.

Now select ‘Directory Browsing’ > Enable. Everything in this folder is public by design (CRLs and CA certificates are not secrets), so only ever put those files, and the CPS text, in it.
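The whole build above as a single script, added here as an example and not taken from the original article. It uses the article’s names (C:\PKI, the PKI$ share, the PKI alias, the ‘pki’ record in the cabench.com zone) and three values that are assumptions you must change: the web server’s IP address, the DNS server to create the record on, and the computer accounts of the CA servers that will publish CRLs. Run it elevated on the domain joined web server; the DNS step needs the DnsServer module (RSAT) and rights on the zone.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Builds the CRL/AIA web server
# described above with the article's names; the values marked 'assumption'
# must be changed for your environment.
$PkiPath   = 'C:\PKI'                         # physical folder
$ShareName = 'PKI$'                           # hidden share
$Alias     = 'PKI'                            # virtual directory alias
$DnsZone   = 'cabench.com'                    # the lab zone used in the article
$DnsHost   = 'pki'                            # gives pki.cabench.com
$WebIp     = '192.168.100.20'                 # assumption: this web server's IP
$DnsServer = 'DC1'                            # assumption: a DNS server for the zone
$Domain    = $env:USERDOMAIN                  # NetBIOS domain name, e.g. CABENCH
$CaServers = @("$Domain\ISSUING-CA$")         # assumption: computer accounts of CAs that publish CRLs

# 1. DNS A record for the CDP/AIA host name (needs the DnsServer module from RSAT)
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $DnsZone -Name $DnsHost -IPv4Address $WebIp

# 2. Web Server (IIS) role plus the management console
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null

# 3. Folder and hidden share with the article's share permissions
New-Item -Path $PkiPath -ItemType Directory -Force | Out-Null
New-SmbShare -Name $ShareName -Path $PkiPath `
    -FullAccess   (@('NT AUTHORITY\SYSTEM', "$Domain\Domain Admins") + $CaServers) `
    -ChangeAccess "$Domain\Cert Publishers" | Out-Null

# 4. NTFS permissions on the folder: Cert Publishers may write CRLs, the
#    application pool's virtual account may only read them.
$acl = Get-Acl -Path $PkiPath
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\Cert Publishers", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'IIS AppPool\DefaultAppPool', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $PkiPath -AclObject $acl

# 5. Virtual directory /PKI under the Default Web Site
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name $Alias -PhysicalPath $PkiPath | Out-Null

# 6. Allow '+' in file names (delta CRLs) and turn on directory browsing,
#    scoped to the PKI directory only rather than the whole site.
$loc = "Default Web Site/$Alias"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true
```

The share and NTFS permissions are deliberately different: Cert Publishers and the CA computer accounts can write, the application pool identity can only read, and nobody else gets anything beyond the inherited defaults. Keep it that way; the CRL web server is the one piece of the PKI every client talks to, and a writable folder there lets anyone who can reach it replace the CRL.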

At this point copy in the .crl file you exported from your offline Root CA. (I also copy in the Root CA certificate, so I know where I can get a copy; it is also the file the AIA URL in the Root CA’s configuration points to.)

When you set up your CA servers, the CAPolicy.inf file has a section for the ‘Legal Policy Statement’ (the Certification Practice Statement), and the URL I used points to this server as well (it was http://pki.cabench.com/pki/cps.txt), so create the cps.txt file in the same directory. For what should go in the file, read RFC 3647, the Certificate Policy and Certification Practices framework that CPS documents follow; RFC 7382 is a filled-in CPS template written for the RPKI and is a useful worked example of the structure.
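Once the files are in place, check the locations the way a relying party would. The script below is an added example, not part of the original article. The host name is the article’s lab name; the CRL and certificate file names are assumptions, so use the names your Root CA actually wrote when you published its CRL and exported its certificate. The last section only runs on the web server itself, where C:\PKI exists, and proves the allowDoubleEscaping change by serving a file with a ‘+’ in its name.

```powershell
# Added example (not from the original article): fetches the CDP, AIA and CPS
# URLs, confirms the CRL parses and is still current, and smoke-tests the
# allowDoubleEscaping setting. File names marked 'assumption' must be changed.
$Base  = 'http://pki.cabench.com/pki'
$Files = [ordered]@{
    'Root CA certificate (AIA)' = 'CABENCH-ROOT-CA.crt'   # assumption
    'Root CA CRL (CDP)'         = 'CABENCH-ROOT-CA.crl'   # assumption
    'CPS (from CAPolicy.inf)'   = 'cps.txt'
}

function Test-PkiUrl {
    param([string]$Label, [string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        Write-Host ("[OK]   {0,-26} {1} ({2} bytes)" -f $Label, $Url, $r.RawContentLength)
        return $true
    } catch {
        Write-Host ("[FAIL] {0,-26} {1}: {2}" -f $Label, $Url, $_.Exception.Message)
        return $false
    }
}

foreach ($label in $Files.Keys) {
    Test-PkiUrl -Label $label -Url "$Base/$($Files[$label])" | Out-Null
}

# Is the CRL really a CRL, and is it still within its validity window?
# .NET has no CRL parser, so use certutil, which ships with Windows. The
# NextUpdate value is printed in the system locale, hence the plain Parse.
$tmp = Join-Path $env:TEMP 'root-check.crl'
Invoke-WebRequest -Uri "$Base/$($Files['Root CA CRL (CDP)'])" -OutFile $tmp -UseBasicParsing
$dump = certutil.exe -dump $tmp
$m = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$'
if ($m) {
    $next = [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
    if ($next -gt (Get-Date)) { "[OK]   CRL valid until $next" }
    else { "[FAIL] CRL expired $next - publish a fresh one from the offline Root CA" }
} else {
    "[FAIL] $tmp did not parse as a CRL (wrong file name, or an HTML error page was served)"
}
Remove-Item $tmp -ErrorAction SilentlyContinue

# allowDoubleEscaping smoke test: a file with '+' in its name (the delta CRL
# naming pattern, e.g. CA+.crl) must be served rather than rejected by
# request filtering. Only runs on the web server itself.
if (Test-Path 'C:\PKI') {
    $probe = 'C:\PKI\probe+delta.txt'
    Set-Content -Path $probe -Value 'double escaping probe'
    try {
        Test-PkiUrl -Label "'+' in file name" -Url "$Base/probe+delta.txt" | Out-Null
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}
```

Run it from an ordinary domain client as well as from the web server: the point is that name resolution, firewalls and the site itself all work from where the certificates will actually be used. Once a subordinate CA has issued its first certificate, `certutil -verify -urlfetch <file.cer>` exercises the same URLs through the Windows chain engine and is the definitive test.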

The next most logical step depends on whether you are building a two tier or a three tier PKI environment. If it’s three tier, you are going to deploy your Intermediate Sub CA server next. If it’s two tier, you are going to deploy your Issuing CA next.

Microsoft PKI Planning and Deploying Certificate Services Part 3

Related Articles, References, Credits, or External Links

NA

Event ID 1014 and 1002 (Windows IIS Web Server)

KB ID 0000808 

Problem

Seen on Server 2003 running IIS 6. About once a week the website would fail, and the client had to reboot the server to bring things back up again. I took a look at the server and noticed that when the failure happened we had five Event ID 1014 errors;

Source W3SVC
The World Wide Web Publishing Service encountered an internal error in its process management of worker process ‘<value>’ serving application pool ‘DefaultAppPool’. The data field contains the error number.

And finally we had an Event ID 1002;

Source W3SVC
Application pool ‘DefaultAppPool’ is being automatically disabled due to a series of failures in the process(es) serving that application pool

Solution

1. Before you proceed make sure this is not the problem.

2. Open the Internet Information Services (IIS) Manager > {Servername} > Application Pools > right-click DefaultAppPool (unless your error is for another app pool) > Properties > Health tab.

3. Rapid-Fail Protection: by default IIS 6 disables an application pool after 5 worker process failures within 5 minutes, which is exactly the pattern above (five 1014 events followed by one 1002). You may wish to troubleshoot by simply increasing the thresholds (how often your 1002 events occur gives you a pointer to how far). Though from what I’ve read this system tends to cause more problems than it cures, and in the end I disabled it completely.

Warning: Disabling a system that is designed to protect you inherently has dangers. Rapid-Fail Protection exists to stop a crashing worker process being restarted in a loop; with it off, a broken site keeps consuming CPU and memory until somebody notices.

If you suddenly get an unstable server, or memory leak problems, you might want to reinstate it and start checking the code in your website!
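A way to size the thresholds from evidence rather than guesswork, and to loosen them instead of switching the feature off, as an added example that is not part of the original article. It assumes PowerShell 2.0 on the Server 2003 box and uses adsutil.vbs, which IIS 6 installs under %SystemDrive%\Inetpub\AdminScripts; the metabase property names are the IIS 6 ones (RapidFailProtection, RapidFailProtectionMaxCrashes, RapidFailProtectionInterval).

```powershell
# Added example (not from the original article): count the 1014/1002 events
# W3SVC wrote to the System log, show the current Rapid-Fail Protection
# settings, then raise the crash threshold rather than disable the feature.
$Pool    = 'DefaultAppPool'                       # the pool named in the 1002 event
$AdsUtil = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

# How often has the pool been disabled (1002), and how many worker process
# failures (1014) preceded each one? Both come from source W3SVC in System.
$events = Get-EventLog -LogName System -Source W3SVC -After (Get-Date).AddDays(-30) |
    Where-Object { $_.EventID -eq 1002 -or $_.EventID -eq 1014 } |
    Sort-Object TimeGenerated
$events | Select-Object TimeGenerated, EventID | Format-Table -AutoSize
$disables = @($events | Where-Object { $_.EventID -eq 1002 }).Count
"Pool '{0}' disabled {1} time(s) in the last 30 days" -f $Pool, $disables

# Current settings: the defaults are 5 crashes within 5 minutes.
foreach ($prop in 'RapidFailProtection', 'RapidFailProtectionMaxCrashes', 'RapidFailProtectionInterval') {
    cscript //nologo $AdsUtil GET "W3SVC/AppPools/$Pool/$prop"
}

# Loosen rather than disable: allow 10 crashes in 5 minutes, so an occasional
# burst no longer takes the site down, while a pool that is genuinely crashing
# in a loop is still stopped. The article's final choice (disable entirely)
# would be the commented-out line.
cscript //nologo $AdsUtil SET "W3SVC/AppPools/$Pool/RapidFailProtectionMaxCrashes" 10
cscript //nologo $AdsUtil SET "W3SVC/AppPools/$Pool/RapidFailProtectionInterval" 5
# cscript //nologo $AdsUtil SET "W3SVC/AppPools/$Pool/RapidFailProtection" false
```

If the event list shows the five 1014 entries arriving seconds apart each week, the worker process is crashing rather than being slow, and raising the threshold only delays the 1002; the next step is a crash dump of w3wp.exe and a look at the application code, as the warning above says.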

Related Articles, References, Credits, or External Links

NA