Expired offline crl
My offline CRL expired and of course certificate validation fails. I generated a new offline CRL and copied it to the URL location CertEnroll. I used the pkiview tool to check the CDP locations. The URL location verifies. The LDAP location does not because the new CRL has not been copied to AD. Here is the problem. I attempted to copy the new CRL using the command certutil -dspublish name.crl -f. The command completes successfully and says "the base crl is added to the store". However the PKIview tool still says that the LDAP CDP location is expired or contains an expired CRL.
Robert Porter
July 29th, 2009 11:41pm

Hi, Thank you for your post. If I understand correctly, there are two CDP locations for downloading the offline CRL: one LDAP location and one HTTP location. You have published the latest CRL to AD (the LDAP location). However, the PKIview tool still says that the status of the LDAP CDP location is expired.

I tested the command you used to publish the CRL and noticed that the command created a new container (CN=-f) and published the CRL to that container instead of the original container. For example, if the LDAP CDP location is CN=OfflineCA,CN=CA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Test,DC=Local, the command certutil -dspublish name.crl -f will store the CRL in CN=OfflineCA,CN=-f (not CN=CA),CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Test,DC=Local. That could be the cause of the issue.

To publish the CRL to the expected location, please run certutil -dspublish -f name.crl (we need to put the -f parameter before the file name). You can verify that the location is correct after you type the command and press Enter. After that, please refresh PKIview and check the result.

If the issue persists, I suggest that we check the following:
1. Check the latest CRL in the CertEnroll folder and make sure that it is valid (Effective date, Next update).
2. Check the cRLDistributionPoint object in AD (the LDAP CDP location) and make sure that it has been updated (whenChanged).

Thanks. I look forward to your response.
July 30th, 2009 6:23am
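The reply above describes the publish command plus two manual checks (CRL validity in CertEnroll, and whenChanged on the cRLDistributionPoint object). The PowerShell script below is an added example, not code from the thread or from Microsoft: it runs certutil -dspublish with -f in the correct position, dumps the file's NextUpdate, resolves the CDP object under the forest's Configuration partition, and then compares the bytes stored in AD's certificateRevocationList attribute with the file on disk, which is a stronger check than whenChanged alone. The CRL path, the CA name "OfflineCA" and the container name "CA" are assumptions taken from the sample DN in the reply; substitute your own.

```powershell
# Added example (not from the original thread). Publishes an offline CRL to AD and
# verifies, independently of PKIView, that the cRLDistributionPoint object received it.
# Assumed values: $CrlFile path, CA CN "OfflineCA", CDP container CN "CA" (from the
# sample DN in the reply). Run in an elevated prompt as a user allowed to write to the
# CDP container (Enterprise Admin or a delegated account).
param(
    [string]$CrlFile = 'C:\Windows\System32\CertSrv\CertEnroll\OfflineCA.crl',  # assumed
    [string]$CaCn    = 'OfflineCA',   # CN of the cRLDistributionPoint object (assumed)
    [string]$CdpCn   = 'CA'           # CN of the container under CN=CDP (assumed)
)

if (-not (Test-Path $CrlFile)) { throw "CRL file not found: $CrlFile" }

# 1. Publish. -f (force overwrite) must come BEFORE the file name. Anything after the
#    file name is parsed as the positional DSCDPContainer / DSCDPCN arguments, which is
#    how "certutil -dspublish name.crl -f" ends up creating a container called CN=-f.
$publishOut = & certutil -dspublish -f $CrlFile 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed:`n$publishOut" }
Write-Host ($publishOut | Out-String)

# 2. Local check of the file itself: certutil -dump prints ThisUpdate / NextUpdate.
$dump = & certutil -dump $CrlFile
$nextLine = $dump | Select-String 'NextUpdate:' | Select-Object -First 1
if ($nextLine) {
    $nextUpdate = [datetime]($nextLine.ToString() -replace '.*NextUpdate:\s*', '')
    Write-Host "File NextUpdate: $nextUpdate"
    if ($nextUpdate -lt (Get-Date)) { Write-Warning 'The CRL in CertEnroll is itself already expired.' }
}

# 3. Locate the CDP object. Derive the Configuration NC from RootDSE instead of
#    hard-coding DC=Test,DC=Local.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn = "CN=$CaCn,CN=$CdpCn,CN=CDP,CN=Public Key Services,CN=Services,$configNc"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
    throw "CDP object not found: $dn (check the CN values; look for a stray CN=-f container)"
}
$cdp = [ADSI]"LDAP://$dn"
Write-Host "whenChanged in AD: $($cdp.Properties['whenChanged'].Value)"

# 4. Byte-for-byte comparison of the AD attribute with the file. whenChanged only
#    proves *something* was written; identical bytes prove the right CRL was written.
$adBytes   = [byte[]]$cdp.Properties['certificateRevocationList'].Value
$fileBytes = [System.IO.File]::ReadAllBytes($CrlFile)
$identical = ($adBytes -ne $null) -and
             ([System.BitConverter]::ToString($adBytes) -eq [System.BitConverter]::ToString($fileBytes))

if ($identical) {
    Write-Host "OK: AD holds the same CRL as $CrlFile ($($fileBytes.Length) bytes). Refresh PKIView."
} else {
    Write-Warning "AD attribute differs from the file (AD: $($adBytes.Length) bytes, file: $($fileBytes.Length) bytes)."
}
```

If step 4 reports a mismatch even after a successful publish, the object you are inspecting is not the one the CRL's CDP extension points at; run "certutil -dump" on the file and compare the LDAP URL in its CRL Distribution Point extension with the DN the script built. PKIView caches its last result, so use its Refresh action after the publish rather than trusting the status already on screen.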

Hi, How's everything going? I'm wondering if the suggestion has helped or if you have any further questions. If there is anything unclear, please feel free to let me know. Joson Zhou, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com
August 4th, 2009 2:29pm
