Solved

Unable to Revoke Certificate in Active Directory

Posted on 2013-01-29
4
473 Views
Last Modified: 2013-01-30
Hi,

I have been trying to narrow down why when I revoke a certificate it it not being revoked in Active directory. The Certificate is being published in AD and can be used for authentication but not revoked.

We have 4 Domain Controllers and after some time I have the CDP/CRL in active directory, I can use the URL retrieval tool to find the CRL and AIA and the CRL location shows when I issue the:

certutil -urlcache crl

Command on each of the domain controllers.

When looking on the issuing CA (sub enterprise CA) the certificate is in the revoked section and clicking on its properties shows that it is revoked but under the: x.509 tab of AD it is still 'OK'.

Is there something else that I need to do so Active directory will look at the correct CRL?

I did notice when looking through the  "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server as it was decommissioned a while ago.  
Could this cause some issues?

Josh
0
Comment
Question by:Joshwright100
  • 2
  • 2
4 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38833742
I would guess that it is checking the other CRL, and when it doesn't see it there, marks the certificate as OK

The fact that the other CRL exists would make it appear that the previous CA was not cleanly removed from AD. Was it another subordinate CA of your current root CA ?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834691
There are no other sub CAs of this new root just the other CA whichI believe was a root on its own.

I have only just fond all of this out and no body in the office new that we had a CA it was built years ago and now no longer exists.

What is the best practice for either removing the old CAs certificates and CRL or just switching it so active directory looks at the new CRL from this new server?

Thank you for your help. It finally feels like I am on the right path now!
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38834742
Granted this is for 2003, but the same applies to 2008 and 2012

http://support.microsoft.com/kb/889250

Your issue is that a new CA has been installed before the old one was removed, this turns a "simple" cleanup into a much more complex job...

http://technet.microsoft.com/en-us/library/cc753375.aspx
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834758
Brilliant! This looks like its going to be fun!

Thank you so much.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now