CRL not updating the list of revoked certificates
Hello! I have this problem: the new CRL has the correct dates, but the list of revoked certificates is not up to date. I investigated the issue, and the problem may be that 2 certificates are missing on the CA server; they are not in revoked, nor in issued, pending or failed. I only suspect that this can be the root of the problem because they are number 10 and 11, and the last certificate which shows up in the CRL is number 9. Do you have any ideas what to do? Thank you in advance, Zoltan
July 7th, 2010 12:13pm

Zoltan - If requests 10 and 11 are not in the CA database, then they can't be revoked. Either the certificates were not issued by the CA you're looking at (try matching the Authority Key Identifier in the issued certs with the Subject Key Identifier in the CA certificate; if they don't match, that CA did not issue those certificates), or the CA database has been restored from a backup taken before those certificates were issued. If you confirm that the AKI and SKI match, then you can import those two certificates into the CA database. On the CA itself, run: certutil -importcert <CertFile>. Once they have been imported into the database, you should be able to revoke the certificates. Hope this helps, Jonathan Stephens

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 7th, 2010 1:41pm

That is not my problem. I don't know what happened to requests 10 and 11. I revoked certificates 4,5,6,8,9,12,13,14,20,22,29 at various dates, but I have only recently discovered that they do not show up in the CRL. If I open the CRL, the dates are correct and up to date, but in the list of revoked certificates I see only the serial numbers of certificates 4,5,6,8,9. Of course, certificates 7,15,16,17,18,19,21,23,24,25,26,27,28,30,31 are shown as issued; the pending and failed request lists are empty. It is even possible that this is a coincidence, and requests 10 and 11 have nothing to do with the CRL generation problem. Zoltan
July 7th, 2010 3:53pm

Zoltan - If certificates 7,15,16,17,18,19,21,23,24,25,26,27,28,30, and 31 are listed in the Issued Certificates folder in the Certification Authority snap-in, then they have not been revoked. That is why they do not appear on the CRL. You must first revoke the certificates, and verify that the certificate has been moved to the Revoked Certificates folder in the Certification Authority snap-in. Those certificates should appear on the CRL the next time it is published. If you don't want to wait, you can manually publish a new CRL: certutil -crl. Hope this helps, Jonathan Stephens
July 7th, 2010 6:24pm

Hi Jonathan! The issued certificates are all right; they are in use by users. My problem is that if I publish a new CRL, the CRL does not have all the revoked certificates. To illustrate:
1. I revoke a cert.
2. The certificate disappears from issued certs.
3. The certificate shows up in revoked certs.
4. I publish a new CRL (or I wait till a new CRL is published; tried both ways).
5. I look at the newly generated CRL and I don't see the revoked certificate in it.
6. This revoked certificate still can log in.
July 8th, 2010 1:30pm

Ok, exactly which CRL are you checking? I mean, from where do you retrieve the CRL when you look at it to see if the certificate has been revoked? Run the following command on the CA: certutil -getreg CA\CRLPublicationURLs. This will output all the distribution points for the CRL published by this CA. One of the paths should be on the local hard drive, by default: C:\Windows\System32\Certsrv\Certenroll. Does that path exist in this entry? If so, is this the location you're checking? Jonathan Stephens
July 8th, 2010 2:34pm

Thank you Jonathan, this information was useful. And now I realize where requests number 10 and 11 went ... I assume these requests were used to renew the CA's certificate. And since there are two certificates in the CA, two CRLs are generated. The path you wrote (certenroll) contained both of them. I had configured the CDP with a constant file name, like c:\crl\myca.crl. Now I changed it to c:\crl\myca<CRLNameSuffix>.crl, and now I get a second CRL with all the revoked certs in that directory. Thank you for your help. Zoltan
July 8th, 2010 3:34pm
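Added example, not code from this thread or from Windows Server: the CA in this thread signs one CRL per CA key, and the Authority Key Identifier (AKI) extension inside each CRL says which key that is, so the check that resolves the confusion above is "does the AKI of the CRL I am reading match the SKI of the CA certificate currently in use?". The stdlib-only Python below encodes two constructed CRLs in RFC 5280 layout (placeholder signature, constructed key identifiers, dates and serial split, no signature verification) and reads back their revoked serials and AKI.

```python
AKI_OID = bytes.fromhex("551d23")  # OID 2.5.29.35, authorityKeyIdentifier
def der_len(n):  # DER length octets: short form below 0x80, else 0x80|count then big-endian length
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, payload):  # one DER tag-length-value unit
    return bytes([tag]) + der_len(len(payload)) + payload

def children(payload):  # split a constructed DER value into its (tag, value) members
    pos, out = 0, []
    while pos < len(payload):
        tag, length, pos = payload[pos], payload[pos + 1], pos + 2
        if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
            n = length & 0x7F
            length, pos = int.from_bytes(payload[pos:pos + n], "big"), pos + n
        out.append((tag, payload[pos:pos + length]))
        pos += length
    return out

def build_crl(serials, key_id):
    """Constructed sample CRL in RFC 5280 layout; the signature BIT STRING is a placeholder."""
    utc = lambda s: tlv(0x17, s.encode())  # UTCTime YYMMDDHHMMSSZ
    der_int = lambda n: tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"MyCA"))))
    revoked = tlv(0x30, b"".join(tlv(0x30, der_int(s) + utc("100707120000Z")) for s in serials))
    aki_ext = tlv(0x30, tlv(0x06, AKI_OID) + tlv(0x04, tlv(0x30, tlv(0x80, key_id))))
    tbs = der_int(1) + sig_alg + issuer + utc("100708120000Z") + utc("100715120000Z")
    tbs = tlv(0x30, tbs + revoked + tlv(0xA0, tlv(0x30, aki_ext)))  # ... revokedCertificates, [0] exts
    return tlv(0x30, tbs + sig_alg + tlv(0x03, bytes(9)))

def crl_summary(crl_der):
    """Return (sorted revoked serials, AKI keyIdentifier as hex or None) for a DER-encoded CRL."""
    fields = children(children(children(crl_der)[0][1])[0][1])  # CertificateList -> tbsCertList
    i = 4 if fields[0][0] == 0x02 else 3  # skip optional version, signature, issuer, thisUpdate
    i += i < len(fields) and fields[i][0] in (0x17, 0x18)  # skip optional nextUpdate (UTC/GeneralizedTime)
    serials, aki = [], None
    for tag, val in fields[i:]:
        if tag == 0x30:  # revokedCertificates: SEQUENCE OF { serial, revocationDate, [entry extensions] }
            serials = [int.from_bytes(children(e)[0][1], "big") for _, e in children(val)]
        elif tag == 0xA0:  # [0] crlExtensions: SEQUENCE OF Extension { extnID, [critical], extnValue }
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)
                if parts[0][1] == AKI_OID:  # extnValue OCTET STRING -> SEQUENCE -> [0] keyIdentifier
                    aki = children(children(parts[-1][1])[0][1])[0][1].hex()
    return sorted(serials), aki

def crl_for_key(crls, ca_ski):  # the CRL whose AKI matches the SKI of the CA certificate in use
    return next((c for c in crls if crl_summary(c)[1] == ca_ski.hex()), None)
OLD_KEY, NEW_KEY = bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20)  # constructed key identifiers
CRL_OLD = build_crl([4, 5, 6, 8, 9], OLD_KEY)           # certs issued and revoked under the old CA key
CRL_NEW = build_crl([12, 13, 14, 20, 22, 29], NEW_KEY)  # certs issued and revoked under the renewed key
```

With a fixed CDP file name both CRLs are written to the same path and the last writer wins, which is why serials 12 and up seemed to vanish; `crl_for_key` is the check that tells you which of the two you are actually looking at.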
