Publishing my CRL in AD via LDAP
Hi, I have an offline root CA and a sub-CA (Server 2008 R2). Recently the certificate issued by the root CA to the Sub-CA expired. Before that happened I was able to renew the certificate, however I didn't complete the installation of the new cert until after the old one had expired. The Sub-CA is able to issue certs, but when I try to publish the CRL I have a problem.

The Sub-CA is configured to publish the CRL to both a web address and AD. Using pkiview.msc I can see that publishing to the web address is working fine, but the LDAP query fails. In the event log for the AD Certificate Services I see an error "Event ID 74" and the text "Directory object not found". Lastly, if I look at the Properties for "Revoked Certificates" in certsrv.msc, then on the "View CRLs" tab there are two lines: one for "Key Index" 0 (with Publish Status = OK), the other for 1 (with Publish Status = Failed).

When I installed the new Sub-CA cert I didn't remove the expired cert, so on the Properties for the server in certsrv.msc on the General tab I can see the two certificates #0 and #1 (#0 is listed as expired). My question then is: should I remove the expired certificate, and if so how? Otherwise, any advice on how to find out what the DN is for the container in AD that will hold the CRL would be greatly appreciated.

Regards,
Iain

P.S. I have looked up "Event 74" on TechNet and have followed the advice there to no avail.
January 10th, 2012 8:50pm

Check this http://technet.microsoft.com/en-us/library/cc758448(WS.10).aspx
January 12th, 2012 8:08pm

Hi. Hmm, can you push the CRL manually? Publish the CRL to the customary location in Active Directory. To do this, use certutil.exe. You can also use this command to put the CRL from a third-party root CA into Active Directory. From the command line, type:

    certutil -dspublish -f <CRL File Name>

Also, have you updated the CRL of the Root CA if that has an LDAP path?

Oscar Virot
January 14th, 2012 7:44am

Oscar,

Thanks for your help. I tried "certutil -dspublish EVENG02.crl SubCA" on my Sub CA and it "completed successfully", however when I look using pkiview.msc it continues to report that the CDP location is "Unable to Download". I noticed that the LDAP path from the certutil command was slightly different from that I have configured in certsrv.msc, so I added the path (from certutil), restarted the cert service and checked in pkiview.msc, and both the original CDP location and the new one report "Unable to Download". Any more ideas?

The root CA is an offline CA so I don't publish a CRL from it.

Lastly, I tried a "certutil -CAinfo" and it shows what I mean about two certs. I don't know if the expired cert is a problem.

Regards,
Iain

    Exit module count: 1
    CA name: EVENG02
    Sanitized CA short name (DS name): EVENG02
    CA type: 1 -- Enterprise Subordinate CA
        ENUM_ENTERPRISE_SUBCA -- 1
    CA cert count: 2
    KRA cert count: 0
    KRA cert used count: 0
    CA cert[0]: 4 -- Expired
    CA cert[1]: 3 -- Valid
    CA cert version[0]: 0 -- V0.0
    CA cert version[1]: 0x10001 (65537) -- V1.1
    CA cert verify status[0]: 0x800b0101 (-2146762495)
    CA cert verify status[1]: 0
    CRL[0]: 3 -- Valid
    CRL[1]: 3 -- Valid
    CRL Publish Status[0]: 0x45 (69)
        CPF_BASE -- 1
        CPF_COMPLETE -- 4
        CPF_MANUAL -- 40 (64)
    CRL Publish Status[1]: 0x141 (321)
        CPF_BASE -- 1
        CPF_MANUAL -- 40 (64)
        CPF_LDAP_ERROR -- 100 (256)
    Delta CRL Publish Status[0]: 6
        CPF_DELTA -- 2
        CPF_COMPLETE -- 4
    Delta CRL Publish Status[1]: 0x102 (258)
        CPF_DELTA -- 2
        CPF_LDAP_ERROR -- 100 (256)
    DNS Name: EVENG02.hqiads.mil.my
    Advanced Server: 1
    CA locale name: en-MY
    CertUtil: -CAInfo command completed successfully.
January 16th, 2012 2:54am
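The post above asks how to find the DN of the AD object that should hold the CRL, and the -CAInfo output shows why there are two of them: the renewed CA cert is V1.1 (cert index 1, key index 1), i.e. it was renewed with a new key, and a Windows CA keeps publishing one CRL per key index, so the expired cert #0 stays in the CA's store and its CRL keeps being published. The LDAP CDP location is built from the template in the CA's CRLPublicationURLs setting, by default ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10, where %7 is the sanitized CA name, %8 is the CRL name suffix (empty for key 0, "(1)" for key 1), %2 the server short name, %6 the configuration container DN and %10 the cRLDistributionPoint query string. Key 1 therefore needs an object named CN=EVENG02(1) next to the CN=EVENG02 object. The script below is an added example, not code from the thread: it reads the CA's configured CDP entries, expands them for each key index, checks whether the AD object exists and whether its certificateRevocationList attribute matches the .crl file the CA wrote to CertEnroll. It assumes it is run on the issuing CA with rights to read the CA registry key and the CDP container; the CA name and key indexes are taken from the -CAInfo output above and are parameters you can change.

```powershell
# Added example (not from the thread). Checks each LDAP CDP the issuing CA is
# configured to publish to, once per key index, against the CRL files on disk.
# Assumes: run on the issuing CA; CA name and key indexes as in the -CAInfo output.
param(
    [string]$CaName     = 'EVENG02',   # "Sanitized CA short name (DS name)" from -CAInfo
    [int[]] $KeyIndexes = @(0, 1)      # cert[0] -> key 0; cert[1] is V1.1 -> key 1
)

$server     = $env:COMPUTERNAME
$dnsName    = [System.Net.Dns]::GetHostEntry($server).HostName
$configDN   = ([ADSI]'LDAP://RootDSE').psbase.Properties['configurationNamingContext'].Value
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# CRLPublicationURLs is REG_MULTI_SZ; each entry is "<flags>:<template>", e.g.
# "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10".
# Flag bit 1 = publish CRLs to this location, bit 64 = publish delta CRLs here.
$entries = (Get-ItemProperty -Path $regPath -Name CRLPublicationURLs).CRLPublicationURLs

function Expand-CdpTemplate {
    # Expands the certsrv %-tokens for one key index. %8 (CRLNameSuffix) is empty
    # for key 0 and "(n)" for a renewed key n, so each key's CRL has its own object.
    param([string]$Template, [int]$KeyIndex, [switch]$Delta)
    $suffix = if ($KeyIndex -gt 0) { "($KeyIndex)" } else { '' }
    $tokens = [ordered]@{                      # two-digit tokens first so %1 does not eat %10
        '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint'
        '%11' = '?cACertificate?base?objectClass=certificationAuthority'
        '%1'  = $dnsName
        '%2'  = $server
        '%3'  = $CaName
        '%6'  = $configDN
        '%7'  = $CaName                        # sanitized name; identical to %3 for EVENG02
        '%8'  = $suffix
        '%9'  = $(if ($Delta) { '+' } else { '' })
    }
    $out = $Template
    foreach ($k in $tokens.Keys) { $out = $out.Replace($k, [string]$tokens[$k]) }
    return $out
}

foreach ($entry in $entries) {
    $flags, $template = $entry -split ':', 2
    if (-not ([int]$flags -band 1)) { continue }        # CA does not publish here
    if ($template -notlike 'ldap:///*') { continue }    # only the AD locations

    foreach ($k in $KeyIndexes) {
        $url    = Expand-CdpTemplate -Template $template -KeyIndex $k
        $dn     = (($url -replace '^ldap:///', '') -split '\?', 2)[0]   # DN without the ?attr?scope?filter part
        $suffix = if ($k -gt 0) { "($k)" } else { '' }
        $file   = Join-Path $certEnroll "$CaName$suffix.crl"         # e.g. EVENG02(1).crl for key 1

        Write-Host "`nKey index $k"
        Write-Host "  AD object : $dn"
        Write-Host "  CRL file  : $file"
        if (-not (Test-Path $file)) { Write-Host '  on disk   : MISSING (run certutil -CRL first)'; continue }

        if (-not [ADSI]::Exists("LDAP://$dn")) {
            # This is the "Directory object not found" case: the CRL object was never created.
            # -dspublish with just the file name creates it at the default DS location;
            # the optional 2nd/3rd args are the CDP container and CN, not the CA name.
            Write-Host '  in AD     : object not found'
            Write-Host "  fix       : certutil -f -dspublish `"$file`""
            continue
        }

        $obj    = [ADSI]"LDAP://$dn"
        $inAd   = [byte[]]$obj.psbase.Properties['certificateRevocationList'].Value
        $onDisk = [System.IO.File]::ReadAllBytes($file)
        $same   = ($inAd -ne $null) -and
                  ([Convert]::ToBase64String($inAd) -eq [Convert]::ToBase64String($onDisk))
        $state  = if ($same) { 'matches the CRL on disk' } else { 'DIFFERS from disk; republish with certutil -f -dspublish' }
        Write-Host ('  in AD     : {0} bytes, {1}' -f $(if ($inAd) { $inAd.Length } else { 0 }), $state)
    }
}
```

Run it in an elevated PowerShell on the Sub-CA; after creating a missing object with certutil -f -dspublish, a plain certutil -CRL should publish both key indexes with CPF_COMPLETE instead of CPF_LDAP_ERROR, and pkiview.msc will re-check the location. The root CA's HTTP CDP, which the later posts discuss, is checked separately: certutil -verify -urlfetch against the Sub-CA certificate fetches every CDP and AIA URL in the chain and reports which ones fail.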

Hi. Are you sure you don't publish a CRL for the Root CA anywhere? If that is the case it's kinda bad. If you look at the certificate that the Sub CA has from the Root CA, doesn't it have a CRL distribution point? If you don't have a CRL for the Root CA you can't revoke if the Sub CA is compromised, but instead have to put the Root CA as untrusted in all systems using certificates.

Oscar Virot
January 16th, 2012 3:06am

Oscar,

I've checked the Sub CA cert (issued by my root CA) and it does have a CRL distribution point. I've started my root CA and published the CRL. This is only to an HTTP location as that's all that was defined. There were no errors in the event log so I think this worked successfully. I should add that on the Sub CA I have a very similar HTTP location defined as one of the CDPs and that also works fine.

Question: should the HTTP location for the root CA & Sub CA be the same? (My gut reaction is no, but then....)

Regards,
Iain
January 17th, 2012 11:50pm

It shouldn't matter because the file names will be different when clients are checking the CRL.
April 12th, 2012 4:31pm
