LDAP CDP location not updating
Since I have a small environment and I only implemented certs so that I could use IPSec VPN, I did not follow best practices and create an offline root CA. Instead I have a single enterprise CA which is also my root CA. But for some reason it is not able to publish CRLs to the LDAP CDP location and I can't see why. The initial base CRL that was first published is there and accessible, but it has never been updated. My delta CRLs are updating, however, to both the LDAP location and the HTTP location I configured for them. I only have the LDAP location for CDP and not an HTTP location. I haven't tried manually updating with certutil yet, but I probably will as soon as I work out the exact command; but even if that works I would like to know why this isn't happening by itself.
October 14th, 2010 1:42pm

Well, as expected I was able to manually publish it using certutil. I also noticed that in the Extensions tab on the properties sheet for the CA server, I had failed to check the box for "Publish CRLs to this location" for the LDAP URL under CDP. I was using a book when I set this up, so I know that I configured the check boxes on those various extensions according to those directions; I wonder now if I used the wrong configuration there. At any rate, after checking that box and restarting the certsrv service it did not update the CRL in AD, so I am thinking I still have a problem with this process working by itself, but I guess I won't know until the CRL I just published expires in a month or so.
October 14th, 2010 2:38pm
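The check box in the post above maps to a flag bit on each entry of the CA's CRLPublicationURLs registry value (the value certutil -getreg CA\CRLPublicationURLs prints). The following PowerShell is an added example, not code from the thread: it decodes the bits for every entry, flags an ldap:/// entry that lacks the "publish" bit (the situation described above, where delta CRLs still arrived because the delta-publish bit was set), and then shows the certutil steps that set the bit and force a base CRL out. Bit values are the documented CSURL_* flags (a default LDAP entry carries 79 = 1+2+4+8+64); the registry path is the standard ADCS one, and the script assumes it runs on the CA itself as an administrator.

```powershell
# Added example (not from the thread): decode CDP publication flags and
# publish a base CRL with certutil. Run on the CA as an administrator.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active          # CA common name
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

# Documented flag bits for CRLPublicationURLs; each is one check box on the
# Extensions tab of the CA properties sheet.
$flagNames = [ordered]@{
    1   = 'Publish CRLs to this location'                         # CSURL_SERVERPUBLISH
    2   = 'Include in the CDP extension of issued certificates'   # CSURL_ADDTOCERTCDP
    4   = 'Include in CRLs (clients use this to find delta CRLs)' # CSURL_ADDTOFRESHESTCRL
    8   = 'Include in all CRLs (AD location used by manual publish)' # CSURL_ADDTOCRLCDP
    64  = 'Publish delta CRLs to this location'                   # CSURL_SERVERPUBLISHDELTA
    128 = 'Include in the IDP extension of issued CRLs'           # CSURL_ADDTOIDP
}

foreach ($entry in $urls) {
    # Entries look like "79:ldap:///CN=%7%8,CN=%2,CN=CDP,..."; split only on the first colon.
    $flags, $url = $entry -split ':', 2
    $flags = [int]$flags
    Write-Host "`n$url  (flags=$flags)"
    foreach ($bit in $flagNames.Keys) {
        $mark = if ($flags -band $bit) { 'x' } else { ' ' }
        Write-Host ("  [{0}] {1}" -f $mark, $flagNames[$bit])
    }
    # The symptom in this thread: bit 64 set (delta CRLs land in AD) but bit 1
    # missing, so the CA never writes the base CRL to the LDAP object.
    if ($url -like 'ldap:///*' -and -not ($flags -band 1)) {
        Write-Warning "Base CRL is NOT published to $url (bit 1 missing)"
    }
}

# --- Fix (deliberate change; review the decoded output first) ---
# certutil -setreg replaces the whole multi-string, so rebuild every entry and
# join them with a literal "\n", which is the separator certutil expects.
$fixed = $urls | ForEach-Object {
    $flags, $url = $_ -split ':', 2
    if ($url -like 'ldap:///*') { '{0}:{1}' -f ([int]$flags -bor 1), $url } else { $_ }
}
certutil -setreg CA\CRLPublicationURLs ($fixed -join '\n')
Restart-Service certsvc

# Restarting the service publishes nothing by itself (as the thread found);
# this is the command-line equivalent of Revoked Certificates > All Tasks > Publish.
certutil -CRL
certutil -getreg CA\CRLPublicationURLs
```

The decode loop is read-only and safe to run anywhere the registry is readable; only the block after the "Fix" comment changes CA configuration.
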

a) How do you check that the CRL got/didn't get updated? Please use the Enterprise PKI MMC console.
b) You need to check the permissions on the AD container that you are publishing to. What exactly is the path you have specified in the CDP location? Is that object present in AD (I mean that CDP object exactly, not just its upper container)?
c) The permissions on the object should be such that the CA computer's account has full control.
ondrej.
October 15th, 2010 4:50am

> a) How do you check that the CRL got/didn't get updated? Please use the Enterprise PKI MMC console.
> b) You need to check the permissions on the AD container that you are publishing to. What exactly is the path you have specified in the CDP location? Is that object present in AD (I mean that CDP object exactly, not just its upper container)?
> c) The permissions on the object should be such that the CA computer's account has full control.
> ondrej.

a) Yes, I became aware of the problem because CDP location #1 in the PKI MMC was displaying a status of "expired". I could double-click it and it appeared to bring up the actual CRL, but it was blank; since it was dated at the same time I had built the server, it was hard to tell if it was really displaying a CRL or if the fact that it was blank was indicating that there was no CRL published to that location. After I successfully published the CRL using certutil it changed from a status of "expired" to "OK", and when I double-click now it does show a list of certs that I have revoked, so this leads me to believe that it was in fact showing me the CRL before and that it was just blank because that CRL had nothing on it. Now, when I say it was blank I am referring to the second tab, which says "Revocation List"; the "General" tab did in fact have information.

b) I did check that the container exists and has appropriate permissions in ADSI Edit. It does exist, and the Cert Publishers group has full permissions and the CA server is in that group. In ADSI Edit the container object with class cRLDistributionPoint is present in the location that corresponds with the CDP location:

ldap:///CN=<CA Server Name>,CN=<CA Server Name>,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=<My Domain Name>,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

But I can't see any way to see if the actual CRL is present using that tool. However, I can view both the base CRL and the delta CRL from the PKI MMC, so I take that as a good indication that they are actually there.

I wonder if, when I checked the box for "Publish CRLs to this location" under the Extensions tab for the LDAP location, it actually fixed the problem, and restarting certsrv doesn't actually make it try and re-publish the list. I guess if nothing else I'll know in a month or so when it comes time for the server to try and publish the next base CRL.
October 15th, 2010 2:58pm
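ADSI Edit shows the cRLDistributionPoint object but not what is inside it. The base CRL is stored in that object's certificateRevocationList attribute and the delta CRL in its deltaRevocationList attribute, so both can be pulled out and inspected without the PKI console. The PowerShell below is an added example, not from the thread: it binds to the CDP object with plain [ADSI] (no ActiveDirectory module needed), dumps ThisUpdate/NextUpdate of whatever is published there with certutil -dump, and lists who holds write rights on the object, which is the permission check suggested above. The CA name and host short name are placeholders for the %7 and %2 values the CA substitutes into the default ldap:/// template; an empty CRL-suffix (%8) is assumed, as for a CA that has never renewed its key.

```powershell
# Added example (not from the thread): inspect the CRLs the CA published to its
# AD CDP object and show who can write to it. Run as a domain user that can read
# the Configuration partition. Placeholders below are assumptions.
param(
    [string]$caName      = 'MyEnterpriseCA',   # CA common name  (%7 in the CDP template)
    [string]$serverShort = 'CA01'              # CA host short name (%2 in the template)
)

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn  = "CN=$caName,CN=$serverShort,CN=CDP,CN=Public Key Services,CN=Services,$configNC"
$cdp = [ADSI]"LDAP://$dn"
try   { $null = $cdp.distinguishedName }          # property access throws if the object is missing
catch { throw "CDP object not found: $dn" }

function Show-PublishedCrl([byte[]]$bytes, [string]$label) {
    # An empty attribute means the CA has never written a CRL of this kind here.
    if (-not $bytes -or $bytes.Length -eq 0) {
        Write-Warning "$label CRL: attribute is empty, nothing published to this object"
        return
    }
    $tmp = Join-Path $env:TEMP "$label.crl"
    [IO.File]::WriteAllBytes($tmp, $bytes)
    Write-Host "`n== $label CRL ($($bytes.Length) bytes) =="
    # certutil -dump prints the validity window and the revoked serial numbers;
    # a stale NextUpdate here is what the PKI console reports as "expired".
    (certutil -dump $tmp) | Select-String 'ThisUpdate|NextUpdate|CRL Number|Delta CRL'
}

Show-PublishedCrl $cdp.Properties['certificateRevocationList'].Value 'base'
Show-PublishedCrl $cdp.Properties['deltaRevocationList'].Value        'delta'

# Permission check: the CA writes as its computer account, so that account
# (directly, or via Cert Publishers) needs write access on this exact object.
Write-Host "`n== Write-capable ACEs on $dn =="
$cdp.ObjectSecurity.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
```

If the base attribute is populated but certutil -dump shows a NextUpdate in the past while the delta attribute is fresh, the CA is reaching the object but only writing deltas, which points back at the publish flags on the LDAP entry rather than at permissions.
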

Hi, restarting the service will not update the CRL. To verify that it is working properly, please right-click Revoked Certificates, select All Tasks and click Publish. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 18th, 2010 2:01am

> Hi, restarting the service will not update the CRL. To verify that it is working properly, please right-click Revoked Certificates, select All Tasks and click Publish. Thanks.

Excellent info, thank you! Yes, it updated, so it appears that I did indeed need to check the tick box for "Publish CRLs to this location" under the Extensions tab for the LDAP location.
October 18th, 2010 12:11pm

Glad that it helps. Have a nice day. Joson Zhou, TechNet Subscriber Support. If you have any feedback on our support, please contact tngfb@microsoft.com
October 19th, 2010 12:12am
