Thursday, December 30, 2010

Publish Offline Certificates and CRLs to Active Directory

This refers to steps 2 and 3 of the earlier post. Before publishing the Root CA cert, check the extensions on the Root CA server, especially the CRL Distribution Point (CDP) extension.

To publish the offline Root CA cert and CRL to AD, set the "Include in all CRLs" flag in the Root CA extension properties and use the certutil -dspublish command. Note that a file share CDP (FILE://) is not supported; only LDAP:// and HTTP:// are. I have tried and it's not going to work. Similarly, you need to specify where clients and servers can obtain the root cert (i.e. LDAP and/or HTTP) in the "Authority Information Access (AIA)" drop-down setting.


The "Include in all CRLs" flag specifies that the Active Directory publication location should be included in the CRL itself. An offline CA uses it to specify the LDAP URL for manually publishing CRLs to Active Directory. The configuration container must be set explicitly in the URL. Alternatively, the DSConfigDN value can be set in the registry with "certutil -setreg ca\DSConfigDN CN=Configuration,DC=contoso,DC=com". Note that the last two DC values (DC=contoso,DC=com for "contoso.com") are to be replaced by your actual domain name.


Export the Root CA cert and CRL files and import them on a domain member server.
To publish the Root cert to the Root CA store in Active Directory: certutil -f -dspublish RootCA.cer RootCA

To publish the CRL to Active Directory: certutil -f -dspublish Root-Test-CA.crl "LoneSrv1" "Root-Test-CA". The last two parameters, which specify the containers, are optional but may be needed if the offline Root CA is non-Microsoft.
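The whole procedure above as a script, added here as an example and not part of the original post. It assumes a Windows Server offline root CA named Root-Test-CA on host LoneSrv1 in the forest contoso.com (names from the post) and an HTTP CDP/AIA host pki.contoso.com (a placeholder); the certutil flag values are the standard ones shown in the CA's Extensions tab.

```powershell
# Added example, not from the original post: the two-stage procedure above as a
# script. Part 1 runs on the offline root CA, Part 2 on a domain-joined server
# (as an Enterprise Admin); set $ConfigDN in both sessions.
$ConfigDN = 'CN=Configuration,DC=contoso,DC=com'   # replace DC=... with your forest

# ---- Part 1: offline root CA (Root-Test-CA on host LoneSrv1) -----------------
# certutil URL-list flag values:
#   CDP: 1 = CA writes CRLs here, 2 = put URL in issued certs' CDP extension,
#        8 = "Include in all CRLs": writes the AD location into the CRL itself,
#        which is what a later -dspublish reads to find the target container.
#   AIA: 1 = CA writes its cert here, 2 = put URL in issued certs' AIA extension.
# No FILE:// entry for AD: -dspublish only honours LDAP and HTTP locations.
$Cdp = @(
  '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
  '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'   # 2 + 8
  '2:http://pki.contoso.com/pki/%3%8%9.crl'        # pki.contoso.com is a placeholder host
)
$Aia = @(
  '1:C:\Windows\System32\CertSrv\CertEnroll\%1_%3%4.crt'
  '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
  '2:http://pki.contoso.com/pki/%1_%3%4.crt'
)
# %6 expands from DSConfigDN; an offline root is not domain-joined, so set it by hand.
certutil -setreg CA\DSConfigDN $ConfigDN
certutil -setreg CA\CRLPublicationURLs ($Cdp -join '\n')      # certutil splits on a literal \n
certutil -setreg CA\CACertPublicationURLs ($Aia -join '\n')
Restart-Service CertSvc
certutil -crl                                                # issue a CRL carrying the new extension
# Check before leaving the offline box: the LDAP location must be inside the CRL.
certutil -dump C:\Windows\System32\CertSrv\CertEnroll\Root-Test-CA.crl | Select-String 'ldap:///'

# ---- Part 2: domain-joined server, after copying the .crt and .crl over ------
certutil -f -dspublish .\LoneSrv1_Root-Test-CA.crt RootCA    # Certification Authorities container
certutil -f -dspublish .\Root-Test-CA.crl                    # container read from the CRL itself
# A non-Microsoft CA's CRL lacks that extension, so name the CDP container and
# CA object explicitly instead:
#   certutil -f -dspublish .\Root-Test-CA.crl LoneSrv1 Root-Test-CA

# Verify the objects landed where clients will look for them (needs the
# ActiveDirectory module); the root reaches member machines on the next
# autoenrollment/Group Policy refresh.
$Pki = "CN=Public Key Services,CN=Services,$ConfigDN"
Get-ADObject "CN=Root-Test-CA,CN=Certification Authorities,$Pki" -Properties cACertificate
Get-ADObject "CN=Root-Test-CA,CN=LoneSrv1,CN=CDP,$Pki" -Properties certificateRevocationList
gpupdate /force
certutil -store -enterprise Root | Select-String 'Subject:'
```

The two Get-ADObject calls are the quickest way to confirm the publish worked before any client has refreshed; an empty result means the CRL's embedded LDAP location and the container you expect do not match.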

4 comments:

  1. I followed the previous two posts too to know about public key infrastructure in detail. You have provided a brief overview about this complete process to publish offline certificates that is very helpful to me. Thanks a lot for sharing this info.
    public key infrastructure

  2. Thanks a lot this helped me.

  3. Our services stand out from others in the field of leaks, water leaks and insulation, solved in sound ways without demolition. At the Rukn Al-Bayt company we have the best technicians, distinguished in the field of leaks and detecting them without any problems, through the team trained at the water leak detection company in Dammam, so by dealing with us you will get distinguished services.

    Water leak detection company in Jeddah
    Leak detection company in Jeddah
    Tank insulation company in Riyadh
    Roof insulation company in Riyadh

    Leak detection company in Dammam
    Leak detection company in Riyadh
    Water leak detection company in Riyadh
    Water leak detection
