Certificate Revocation List not working
Posted on 2013-01-27
I have recently set up a Microsoft certificate authority server to issue certificates for mobile devices.
My setup is an offline enterprise root CA that is on the domain and a sub CA that is on the domain. I am able to issue certificates, and they are then published in Active Directory, and I can use the certificate on my iPhone to receive email, but I am unable to revoke it effectively.
I have revoked a number of certificates on the sub CA and they have gone into the revoked section; clicking on their properties shows that they are revoked. But looking on one of the 4 domain controllers shows that the certificates are still listed in the X.509 section of the user's properties, and they are still valid.
The certificate is also installed on a client PC, and the PC is still classing the certificate as valid; my iPhone also still receives emails using this same certificate.
It looks like the CRL on the sub CA is not being looked at by the domain controllers. All client certificates are issued by the sub CA. This was set up a few days ago and I have already tried to publish the CRL from the sub CA.
Is there something I have missed when setting this up?
Any help will be appreciated as I cannot issue more certificates until I have found a way to revoke them.
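The following diagnostic script is an added example and is not part of the original post. It checks, from the relying party's side, what the poster is describing: whether the issued certificate carries a CRL Distribution Point (CDP) that clients can reach, what revocation status Windows computes for it when forced to check online, and what `certutil` sees when it fetches the CRL from the CDP. The thumbprint, store location and file path are placeholders; the CA-side commands at the end are commented out because they must be run on the issuing (sub) CA itself.

```powershell
# Added diagnostic example, not code from the original post.
# Assumptions: the revoked certificate is in the current user's Personal store,
# the CA's CDP is reachable from this machine, and $Thumbprint is replaced
# with the real thumbprint of the revoked certificate.

$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # assumption: thumbprint of the revoked cert
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }

# 1. Where does the issued certificate say its CRL lives? Revocation can only
#    take effect if the CA publishes to a location the client actually fetches from.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if ($cdp) {
    "CDP extension:"
    $cdp.Format($true)
} else {
    Write-Warning 'Certificate has no CDP extension: clients cannot locate a CRL for it.'
}

# 2. Build the chain with online revocation checking for the entire chain and
#    report the status Windows itself computes for this certificate.
$X509 = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$valid = $chain.Build($cert)
"Chain builds as valid: $valid"
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
# A status of 'Revoked' means the client fetched a CRL that lists this serial number.
# 'RevocationStatusUnknown' or 'OfflineRevocation' means no CRL could be fetched from the CDP at all.

# 3. Force a fresh fetch from the CDP/AIA URLs and show which URL was used and
#    the CRL's ThisUpdate/NextUpdate, so a stale cached CRL is visible.
$tmp = Join-Path $env:TEMP 'revoked-check.cer'
[IO.File]::WriteAllBytes($tmp, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
certutil -verify -urlfetch $tmp

# 4. On the issuing (sub) CA only: publish a new CRL now, show where the CA
#    publishes it, and confirm the revoked serial number appears in that file.
# certutil -CRL
# certutil -getreg CA\CRLPublicationURLs
# certutil -dump <path-to-published>.crl | findstr /i "Serial NextUpdate"
```

Two points the output makes visible. First, a client does not re-download a CRL while its cached copy is still before its NextUpdate time, so a revocation published today is not seen by a client until the cached CRL expires; `certutil -urlcache * delete` clears the current user's cache if you want to confirm the new CRL is reachable right away. Second, revoking a certificate does not remove it from the user's `userCertificate` attribute in Active Directory; that attribute is only a copy of the issued certificate, and revocation is enforced by whoever validates the certificate fetching the CRL, not by the domain controllers.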