Failing to publish CRL into AD
Hi, I'm implementing a brand new PKI. I've been following the MSPress Windows Server 2008 PKI and Certificate Security book intently and have been implementing everything almost verbatim, as the situation fits mine very well: I'm deploying a 2-tier PKI, an Offline Root and a pair of Issuing/Policy CAs, and for all intents and purposes I'm on page 133 of this book.

My Offline Root is Standard Edition, Standalone CA; let's use rootca as its hostname. My second tier is my DCs in two locations. My friendly name for my CA is NewRootCA. These make it easy to obscure the real identities and keep it consistent throughout this troubleshooting thread.

My issue is that when using the commands:

    certutil -dspublish -f rootca_NewRootCA.crt RootCA
    certutil -dspublish -f NewRootCA.crl

the second command, trying to publish the CRL, fails with the following error:

    C:\>certutil -dspublish -f NewRootCA.crl
    ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services, DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
    ldap: 0xa: 0000202B: RefErr: DSID-031007EF, data 0, 1 access points
    ref 1: 'unavailableconfigdn'
    CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235)
    CertUtil: A referral was returned from the server.

If I browse my AD using the Sysinternals ADExplorer, I see both

    CN=NewRootCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal
    CN=NewRootCA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal

and nothing under

    CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=internal

In my head at least, I believe it's something to do with the naming, where the CRL is trying to insert data into:

    ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services,.........

rather than

    ldap:///CN=NewRootCA,CN=CDP,CN=Public Key Services,CN=Services,..........

though I do see the text (in bold) ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services, DC=UnavailableConfigDN ?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList in this part of the error, and that doesn't fill me with confidence.

Could anyone please help me out with my predicament?

Regards, Paul.
July 7th, 2010 4:39am

Hi Paul,

Follow these steps: http://technet.microsoft.com/en-us/library/cc737740%28WS.10%29.aspx

After restarting Certificate Services on your CA, manually publish a new CRL, then publish that CRL to Active Directory.

Hope this helps,
Jonathan Stephens

This posting is provided "AS IS" with no warranties, and confers no rights.
July 7th, 2010 6:35am

Hi Jonathan,

Thanks for your quick reply. The first command in this article seemed to be duplicating data I already had:

    certutil -setreg ca\DSConfigDN "CN=Configuration, DNpath "

The second command was adding data which I DIDN'T have in my RootCA's registry. I've run this command as so:

    certutil -setreg ca\DSDomainDN "DC=domain,DC=internal "

The command successfully added the extra key into the registry, and I'll go through re-issuing the SubCA's cert etc. right now and see if I can get it to accept the changes, so that running the command

    certutil -dspublish -f NewRootCA.crl

on the Issuing CA doesn't cause errors. I'll be back to you shortly to update on progress.

Regards, Paul.
July 7th, 2010 7:09am
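A pre-flight check for the publish target, added here as an illustration and not code from the thread or from Microsoft. It takes the ldap:/// URL certutil prints (the one from the failing command above), splits it into DN, attribute, scope and filter, flags the DC=UnavailableConfigDN placeholder that appears when ca\DSConfigDN is unset, and compares the DN with the default AD CDP layout CN=<CA name>,CN=<server short name>,CN=CDP,CN=Public Key Services,CN=Services,<Configuration DN>. The CA name, hostname and configuration DN are the ones used in the thread; assume the default CDP layout.

```python
from urllib.parse import unquote

# Marker certutil substitutes for the Configuration container when ca\DSConfigDN
# is not set in the CA's registry (the symptom reported in the thread above).
PLACEHOLDER = "UnavailableConfigDN"


def expected_cdp_dn(ca_name, server_short_name, config_dn):
    """DN under which certutil -dspublish stores a CA's CRL, default AD CDP layout."""
    return (f"CN={ca_name},CN={server_short_name},CN=CDP,"
            f"CN=Public Key Services,CN=Services,{config_dn}")


def parse_ldap_url(url):
    """Split ldap:///<dn>?<attr>?<scope>?<filter> into its four fields."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    fields = unquote(url[len("ldap:///"):]).split("?")
    fields += [""] * (4 - len(fields))          # pad if scope/filter are missing
    # certutil prints ", DC=" with a space; normalise RDN spacing before comparing
    dn = ",".join(rdn.strip() for rdn in fields[0].split(","))
    return dn, fields[1], fields[2], fields[3]


def diagnose(url, ca_name, server_short_name, config_dn):
    """Return findings for a CRL publish target; an empty list means it looks correct."""
    dn, attr, scope, flt = parse_ldap_url(url)
    findings = []
    if PLACEHOLDER.lower() in dn.lower():
        findings.append("DN contains DC=UnavailableConfigDN: set ca\\DSConfigDN and "
                        "ca\\DSDomainDN on the offline root, restart certsvc, publish a new CRL")
    want = expected_cdp_dn(ca_name, server_short_name, config_dn)
    if dn.lower() != want.lower():
        findings.append(f"DN differs from expected {want}")
    if attr.lower() != "certificaterevocationlist":
        findings.append(f"attribute is {attr!r}, expected certificateRevocationList")
    if scope.lower() != "base":
        findings.append(f"scope is {scope!r}, expected base")
    if flt.lower() != "objectclass=crldistributionpoint":
        findings.append(f"filter is {flt!r}, expected objectClass=cRLDistributionPoint")
    return findings


if __name__ == "__main__":
    # Target copied from the failing command in the thread; config DN as set later in it.
    failing = ("ldap:///CN=NewRootCA,CN=rootca,CN=CDP,CN=Public Key Services,CN=Services, "
               "DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint")
    config_dn = "CN=Configuration,DC=domain,DC=internal"
    for line in diagnose(failing, "NewRootCA", "rootca", config_dn):
        print("finding:", line)
```

Note that the CN=rootca component is part of the default layout (the CRL sits under a container named after the CA server), so only the DC=UnavailableConfigDN suffix is flagged once the configuration DN is known.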

Hi Jonathan,

The solution you pointed me to definitely worked. Thank you very much. One registry entry and all that bother! Thank you very much for responding so quickly too; I had written that one off as a couple of days till I could do something with it!

Kind Regards, Paul.
July 7th, 2010 8:49am

It worked for me!!!!! Manually delete the .crl from the Windows\System32\CertSrv\CertEnroll folder and then re-generate it using the certificates management console on the Root CA (right-click Publish on the "Revoked Certificates" node). Then copy the new .crl file to the subordinate CA and run the command, e.g.:

    certutil -dspublish -f "C:\Windows\System32\CertSrv\CertEnroll\filename.crl"

Cheers, Jobin
July 15th, 2012 4:22pm
