[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Unable to Revoke Certificate in Active Directory

Posted on 2013-01-29
4
Medium Priority
?
512 Views
Last Modified: 2013-01-30
Hi,

I have been trying to narrow down why when I revoke a certificate it it not being revoked in Active directory. The Certificate is being published in AD and can be used for authentication but not revoked.

We have 4 Domain Controllers and after some time I have the CDP/CRL in active directory, I can use the URL retrieval tool to find the CRL and AIA and the CRL location shows when I issue the:

certutil -urlcache crl

Command on each of the domain controllers.

When looking on the issuing CA (sub enterprise CA) the certificate is in the revoked section and clicking on its properties shows that it is revoked but under the: x.509 tab of AD it is still 'OK'.

Is there something else that I need to do so Active directory will look at the correct CRL?

I did notice when looking through the  "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server as it was decommissioned a while ago.  
Could this cause some issues?

Josh
0
Comment
Question by:Joshwright100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833742
I would guess that it is checking the other CRL, and when it doesn't see it there, marks the certificate as OK

The fact that the other CRL exists would make it appear that the previous CA was not cleanly removed from AD. Was it another subordinate CA of your current root CA ?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834691
There are no other sub CAs of this new root just the other CA whichI believe was a root on its own.

I have only just fond all of this out and no body in the office new that we had a CA it was built years ago and now no longer exists.

What is the best practice for either removing the old CAs certificates and CRL or just switching it so active directory looks at the new CRL from this new server?

Thank you for your help. It finally feels like I am on the right path now!
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 2000 total points
ID: 38834742
Granted this is for 2003, but the same applies to 2008 and 2012

http://support.microsoft.com/kb/889250

Your issue is that a new CA has been installed before the old one was removed, this turns a "simple" cleanup into a much more complex job...

http://technet.microsoft.com/en-us/library/cc753375.aspx
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834758
Brilliant! This looks like its going to be fun!

Thank you so much.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question