To publish the offline Root CA cert and CRL to AD, set the "Include in all CRLs" flag in the Root CA extension properties and use the certutil -dspublish command. Note that a file share CDP (FILE://) is not supported; only LDAP:// and HTTP:// are. I have tried it and it's not going to work. Similarly, you need to specify where clients and servers can obtain the root cert (i.e. LDAP and/or HTTP) in the "Authority Information Access (AIA)" drop-down setting.
The "Include in all CRLs" flag specifies that the Active Directory publication location should be included in the CRL itself. An offline CA can use it to specify the LDAP URL for manually publishing CRLs to Active Directory. The explicit configuration container
Export the Root CA cert and CRL files and import them into a domain member server.
To publish the Root Cert to the Root CA store in Active Directory: certutil -f -dspublish RootCA.cer RootCA
To publish the CRL to Active Directory: certutil -f -dspublish Root-Test-CA.crl "LoneSrv1" "Root-Test-CA". The last two parameters, which specify the containers, are optional but may be needed if the offline Root CA is non-Microsoft.
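An added example, not part of the original post: a PowerShell check of the CA's CDP entries, run before any certificates are issued, that flags the two mistakes described above (a FILE:// location advertised to clients, and an LDAP location without "Include in all CRLs"). Assumptions: entries are in the `<flags>:<location>` form stored in the CA's CRLPublicationURLs registry value, with 1 = publish, 2 = include in issued certificates and 8 = "Include in all CRLs"; the FILE:// limitation is taken to apply to locations advertised in issued certificates; `Test-CdpEntry` is a hypothetical helper name and the sample entries are constructed.

```powershell
# Flag bits that prefix each CRLPublicationURLs entry (the Extensions tab checkboxes).
$CdpFlag = @{ Publish = 1; InIssuedCerts = 2; InAllCrls = 8 }

function Test-CdpEntry {
    param([Parameter(Mandatory)][string]$Entry)

    if ($Entry -notmatch '^(\d+):(.+)$') { throw "Expected <flags>:<location>, got: $Entry" }
    $flags    = [int]$Matches[1]
    $location = $Matches[2]

    # Require "scheme://" so a drive letter such as C:\ is not mistaken for a URL scheme.
    $scheme = 'local'
    if ($location -match '^([A-Za-z][A-Za-z0-9+.-]+)://') { $scheme = $Matches[1].ToLower() }

    $advertised = ($flags -band $CdpFlag.InIssuedCerts) -ne 0
    $issues = @()
    # Per the post, clients can only use LDAP:// and HTTP:// CDPs.
    if ($advertised -and ($scheme -notin @('ldap', 'http'))) {
        $issues += "advertised in issued certs with unsupported scheme '$scheme'"
    }
    # The LDAP location must be written into the CRL so it can be published to AD manually.
    if ($scheme -eq 'ldap' -and ($flags -band $CdpFlag.InAllCrls) -eq 0) {
        $issues += "'Include in all CRLs' (8) not set on the LDAP location"
    }

    [pscustomobject]@{
        Flags = $flags; Scheme = $scheme; Advertised = $advertised
        Issues = ($issues -join '; '); Location = $location
    }
}

# Constructed sample entries (placeholder host names, not taken from a real CA).
$sample = @(
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl'
    '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    '2:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
    '2:http://pki.example.test/crl/%3%8%9.crl'
    '2:file://fileserver.example.test/crl/%3%8%9.crl'
)

$results = $sample | ForEach-Object { Test-CdpEntry $_ }
$results | Format-Table Flags, Scheme, Advertised, Issues -AutoSize

# At least one clean LDAP or HTTP location has to be advertised to clients.
$usable = $results | Where-Object {
    $_.Advertised -and ($_.Scheme -in @('ldap', 'http')) -and -not $_.Issues
}
if (-not $usable) { Write-Warning 'No usable LDAP or HTTP CDP is advertised to clients.' }
```

On a live CA, the entries to feed in are the ones listed by certutil -getreg CA\CRLPublicationURLs.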
I followed the previous two posts too to know about public key infrastructure in detail. You have provided a brief overview about this complete process to publish offline certificates that is very helpful to me. Thanks a lot for sharing this info.
Thanks a lot this helped me.
Thank you for being you