Solved

Unable to Revoke Certificate in Active Directory

Posted on 2013-01-29
4
481 Views
Last Modified: 2013-01-30
Hi,

I have been trying to narrow down why when I revoke a certificate it it not being revoked in Active directory. The Certificate is being published in AD and can be used for authentication but not revoked.

We have 4 Domain Controllers and after some time I have the CDP/CRL in active directory, I can use the URL retrieval tool to find the CRL and AIA and the CRL location shows when I issue the:

certutil -urlcache crl

Command on each of the domain controllers.

When looking on the issuing CA (sub enterprise CA) the certificate is in the revoked section and clicking on its properties shows that it is revoked but under the: x.509 tab of AD it is still 'OK'.

Is there something else that I need to do so Active directory will look at the correct CRL?

I did notice when looking through the  "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server as it was decommissioned a while ago.  
Could this cause some issues?

Josh
0
Comment
Question by:Joshwright100
  • 2
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833742
I would guess that it is checking the other CRL, and when it doesn't see it there, marks the certificate as OK

The fact that the other CRL exists would make it appear that the previous CA was not cleanly removed from AD. Was it another subordinate CA of your current root CA ?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834691
There are no other sub CAs of this new root just the other CA whichI believe was a root on its own.

I have only just fond all of this out and no body in the office new that we had a CA it was built years ago and now no longer exists.

What is the best practice for either removing the old CAs certificates and CRL or just switching it so active directory looks at the new CRL from this new server?

Thank you for your help. It finally feels like I am on the right path now!
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38834742
Granted this is for 2003, but the same applies to 2008 and 2012

http://support.microsoft.com/kb/889250

Your issue is that a new CA has been installed before the old one was removed, this turns a "simple" cleanup into a much more complex job...

http://technet.microsoft.com/en-us/library/cc753375.aspx
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834758
Brilliant! This looks like its going to be fun!

Thank you so much.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question