Offline root CA, Horizon View and Revocation check issues
It happens that you log on to your environment and the dashboard is red: every server with a signed certificate is red. This happened to me this morning. I returned to a project at a customer and, logging on to the VMware Horizon View dashboard, all servers were coloured red. Investigating the debug log (copy the file before you open it) showed that the revocation check had failed.
At first I was baffled, as it had been working fine for days already; the only thing we had changed was adding VMware NSX to the backend.. how can that be intrusive 😉. It was of no importance to the issue; the real problem was a configuration fault, very simple but very annoying when you don't expect it. Let me explain.
We run an internal Microsoft CA hierarchy with a root CA and an intermediate CA. The root CA is kept offline for security reasons, so the intermediate does all the day-to-day work. That has a consequence for revocation checking: the CRL that covers the intermediate CA's own certificate is issued and signed by the root CA. Every CRL carries a Next Update date, and once that date has passed, clients treat the revocation check as failed rather than assuming the certificate is fine. Only the root CA can issue a fresh CRL, and because it is offline it will not do so on its own.
So if you look at the Enterprise PKI console (pkiview.msc) you might see something like this; something is wrong, you can't miss it. At first I didn't know that the CRL was expired, so I checked the CDP URL, but soon after I noticed the expiration date: the root CA's CRL was expired. Why does it not renew itself? It can't, as the root CA is offline. So if you have an offline root CA you might run into this; follow my steps below to fix it.
Now that we know the CRL is expired, let's fix it. First, of course, power up the offline root CA and open the Certification Authority console there. Right-click Revoked Certificates, choose Properties and look at the CRL Publishing Parameters tab: it shows the CRL publication interval and the Next Update date until which the current CRL is valid. Make the publication interval long enough that you don't need to repeat this procedure every week; for an offline root CA a year is a common choice.
Once this is checked and, if needed, changed to what you want, you have to publish a new CRL file so you can place it on the intermediate CA. Close the Properties screen and do the following:
- Right-click Revoked Certificates,
- Pick All Tasks,
- Select Publish and choose New CRL.
The CRL file is written to C:\Windows\System32\CertSrv\CertEnroll. Copy this file (via removable media, as the root CA has no network connection) to the location on the intermediate CA where the old one was located, that is, the path the CDP extension of the intermediate CA's certificate points to. Replace the file that was on the intermediate CA; Windows will ask for confirmation, but you do need to replace it. If the CDP also lists an LDAP location, publish the new CRL to Active Directory as well, otherwise that copy stays expired and clients that use it will still fail.
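The same procedure as a script, as an added example that is not part of the original post. It sets the publication interval and overlap from the command line instead of the GUI, publishes the CRL, and verifies the result from the intermediate CA. The folder names, the `INTERMEDIATE` host, the `intermediate.cer` file and the one-year interval are assumptions; the CertEnroll path is the default for a Windows CA.

```powershell
# Added example, not the author's procedure. Part 1 runs on the offline root CA,
# part 2 on the intermediate CA after the .crl has been carried over on
# removable media. Paths and host names are placeholders (assumptions).

# ---- Part 1: on the offline root CA --------------------------------------
# Same settings as the GUI's "CRL Publishing Parameters" tab: a one-year base
# CRL, plus an overlap so the old CRL stays valid two weeks past the new
# publication time and you have slack to distribute it.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"

# The CA service only reads these registry values at start-up.
Restart-Service CertSvc

# Publish a new base CRL (equivalent to Revoked Certificates > All Tasks > Publish).
certutil -CRL

# Locate the freshly written CRL and confirm its validity window before
# copying it off the machine.
$newCrl = Get-ChildItem 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
certutil -dump $newCrl.FullName | Select-String 'ThisUpdate|NextUpdate'
# -> copy $newCrl.FullName to removable media here.

# ---- Part 2: on the intermediate CA ---------------------------------------
# The CRL must land exactly where the CDP extension of the intermediate CA
# certificate points; 'E:\' is the assumed removable drive.
$crlFromRoot = 'E:\Contoso Root CA.crl'                     # assumption
$cdpPath     = 'C:\inetpub\wwwroot\CertEnroll\'             # assumption
Copy-Item -Path $crlFromRoot -Destination $cdpPath -Force   # -Force: overwrite, no prompt

# Only needed when the CDP also carries an LDAP URL: push the CRL into the
# AD CDP container (must run from a domain-joined machine, hence not the root CA).
certutil -dspublish -f $crlFromRoot

# Verify: fetch every CDP/AIA URL embedded in the intermediate CA certificate
# and confirm revocation checking succeeds end to end.
certutil -verify -urlfetch .\intermediate.cer
```

Read the `-verify -urlfetch` output from the bottom: a "Revocation check passed" line for the intermediate certificate means the root's CRL is now being retrieved and is within its validity window; an "expired" or "offline" CRL error means the copy did not land where the CDP points.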
Once you've done that the sky will clear: refresh the Enterprise PKI console and the status will be fine. The Horizon View website will show that the certificate is fine, and in the Horizon View administration console all servers return to green as well.
So now everything is working again, yeeee. But wait: with an offline root CA the same issue will re-occur as soon as the new CRL reaches its Next Update, in a year if you chose a one-year interval. To avoid doing the same troubleshooting every year, create an agenda item for yourself for 1 year minus 1 day and republish the CRL file again; a margin of a few weeks rather than a day is safer, because a single day leaves no room for the root CA being hard to reach or the copy to the CDP going wrong. Hope this blog helps you.
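A calendar entry is easy to miss, so as an added example (not from the original post) here is a check that can run as a scheduled task on the intermediate CA and warn while there is still time to power on the root. It reads the Next Update field of the published CRL through `certutil -dump`; the CRL path and the 30-day threshold are assumptions.

```powershell
# Added example, not the author's code. Warns before the root CA's published
# CRL reaches its Next Update. Default path and threshold are assumptions.
param(
    [string]$CrlPath  = 'C:\inetpub\wwwroot\CertEnroll\Contoso Root CA.crl',
    [int]   $WarnDays = 30
)

function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$Path)

    # certutil -dump prints one "ThisUpdate:" and one "NextUpdate:" line for a
    # CRL, in local time and in the machine's locale; [datetime]::Parse uses
    # the same culture, so the two agree.
    $dump = certutil -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse '$Path'" }

    $thisLine = $dump | Select-String '^\s*ThisUpdate:\s*(.+)$' | Select-Object -First 1
    $nextLine = $dump | Select-String '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $nextLine) { throw "No NextUpdate in '$Path'; is this really a CRL?" }

    [pscustomobject]@{
        Path       = $Path
        ThisUpdate = [datetime]::Parse($thisLine.Matches[0].Groups[1].Value.Trim())
        NextUpdate = [datetime]::Parse($nextLine.Matches[0].Groups[1].Value.Trim())
    }
}

$crl      = Get-CrlValidity -Path $CrlPath
$daysLeft = [int]([math]::Floor(($crl.NextUpdate - (Get-Date)).TotalDays))

if ($daysLeft -lt 0) {
    # Past Next Update: clients now fail the revocation check on the
    # intermediate CA certificate, which is exactly the red dashboard.
    Write-Warning "CRL '$($crl.Path)' EXPIRED on $($crl.NextUpdate). Power on the root CA and republish now."
    exit 2
}
elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "CRL '$($crl.Path)' expires in $daysLeft days ($($crl.NextUpdate)). Schedule the root CA republish."
    exit 1
}
else {
    Write-Output "CRL OK: valid until $($crl.NextUpdate) ($daysLeft days left)."
    exit 0
}
```

The non-zero exit codes let Task Scheduler or a monitoring agent raise an alert on the warning and expired states; point the task at the same file the CDP URL serves, not at a stale copy in another folder, or the check will pass while clients still see the expired CRL.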