Thursday, December 30, 2010

Publish Offline Certificates and CRLs to Active Directory

This refers to steps 2 and 3 of the earlier post. Before publishing the Root CA cert, check the extensions on the Root CA server, especially the CRL Distribution Point (CDP) extensions.

To publish the offline Root CA cert and CRL to AD, set the "Include in all CRLs" flag in the Root CA extension properties and use the certutil -dspublish command. Do note that file share CDP (FILE://) is not supported - only LDAP:// and HTTP://. I have tried and it's not going to work. Similarly, you would need to specify where clients and servers can obtain the root cert (i.e. LDAP and/or HTTP) in the "Authority Information Access (AIA)" drop-down setting.


The "Include in all CRLs" flag specifies that the Active Directory publication location should be included in the CRL itself. It can be used by an offline CA to specify the LDAP URL for manually publishing CRLs to Active Directory. The configuration container must be set explicitly in the URL. Alternatively, the DSConfigDN value can be set in the registry with "certutil -setreg ca\DSConfigDN CN=Configuration,DC=contoso,DC=com". Note that the last two DC values (DC=contoso,DC=com for "contoso.com") are to be replaced by your actual domain name.


Export the Root CA cert and CRL files and import them on a domain member server.
To publish the root certificate to the Root CA store in Active Directory: certutil -f -dspublish RootCA.cer RootCA

To publish the CRL to Active Directory: certutil -f -dspublish Root-Test-CA.crl "LoneSrv1" "Root-Test-CA". The last two parameters, which specify the CDP containers (CA server name and CA name), are optional but may be needed if the offline Root CA is non-Microsoft.
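As an added example (not from the original post), the following PowerShell script carries out the configuration described above end to end: the registry settings on the offline Root CA (DSConfigDN, CDP entries with the "Include in all CRLs" bit set, LDAP and HTTP only), the two dspublish commands on a domain member, and a check that the published root and CRL can actually be fetched. The CA name Root-Test-CA and the server name LoneSrv1 are taken from the post; contoso.com and pki.contoso.com are assumed placeholders to replace with your own forest and HTTP host.

```powershell
# Added example, not the blog author's script. Placeholders: contoso.com (forest),
# pki.contoso.com (HTTP CDP/AIA host). Root-Test-CA / LoneSrv1 come from the post.

# ---- Part 1: run on the offline Root CA, before exporting the cert and CRL ----
# The offline CA is not domain-joined, so it cannot discover the configuration
# container itself; DSConfigDN supplies the %6 value used in the URL templates.
$ConfigDN = "CN=Configuration,DC=contoso,DC=com"
certutil -setreg CA\DSConfigDN $ConfigDN

# CRL Distribution Points. Flag bits per entry: 1 = publish the CRL here,
# 2 = include in the CDP extension of issued certs, 8 = "Include in all CRLs"
# (tells certutil -dspublish where in AD the CRL belongs). 10 = 2 + 8.
# No FILE:// entry: file-share CDPs are not supported for -dspublish.
certutil -setreg CA\CRLPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n" +
    "2:http://pki.contoso.com/pki/%3%8%9.crl")

# Authority Information Access: where relying parties fetch the root cert.
# 2 = include in the AIA extension of issued certificates.
certutil -setreg CA\CACertPublicationURLs ("1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n" +
    "2:http://pki.contoso.com/pki/%1_%3%4.crt")

Restart-Service certsvc   # registry changes take effect on service restart
certutil -crl             # issue a fresh CRL that carries the LDAP/HTTP locations
# Copy %WINDIR%\system32\CertSrv\CertEnroll\*.crt and *.crl to removable media.

# ---- Part 2: run on a domain member as an Enterprise Admin ----
# Root cert -> Certification Authorities container (forest-wide trusted roots).
certutil -f -dspublish .\Root-Test-CA.cer RootCA
# CRL -> CN=Root-Test-CA,CN=LoneSrv1,CN=CDP,... ; the two container arguments
# are only required when the CRL does not itself say where it belongs.
certutil -f -dspublish .\Root-Test-CA.crl "LoneSrv1" "Root-Test-CA"

# ---- Verification ----
# The root should now be listed in the enterprise Root store read from AD, and
# -urlfetch must be able to retrieve the CRL from the CDP URLs in the cert.
certutil -enterprise -store Root
certutil -verify -urlfetch .\Root-Test-CA.cer
```

If the -urlfetch step reports a CDP or AIA retrieval failure, the cert and CRL were published but the URLs they carry do not match where they were published; re-check the CDP and AIA extension settings from Part 1.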

5 comments:

  1. I followed the previous two posts too to know about public key infrastructure in detail. You have provided a brief overview about this complete process to publish offline certificates that is very helpful to me. Thanks a lot for sharing this info.

  2. Thanks a lot this helped me.
