Unable to Revoke Certificate in Active Directory
Posted on 2013-01-29
I have been trying to narrow down why, when I revoke a certificate, it is not being revoked in Active Directory. The certificate is being published in AD and can be used for authentication, but not revoked.
We have 4 domain controllers, and after some time I have the CDP/CRL in Active Directory. I can use the URL Retrieval Tool to find the CRL and AIA, and the CRL location shows when I issue the following command on each of the domain controllers:
certutil -urlcache crl
When looking on the issuing CA (sub enterprise CA), the certificate is in the revoked section, and clicking on its properties shows that it is revoked, but under the X.509 tab in AD it is still 'OK'.
Is there something else that I need to do so Active Directory will look at the correct CRL?
I did notice when looking through the "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server, as it was decommissioned a while ago.
Could this cause some issues?