Solved

Unable to Revoke Certificate in Active Directory

Posted on 2013-01-29
4
487 Views
Last Modified: 2013-01-30
Hi,

I have been trying to narrow down why when I revoke a certificate it it not being revoked in Active directory. The Certificate is being published in AD and can be used for authentication but not revoked.

We have 4 Domain Controllers and after some time I have the CDP/CRL in active directory, I can use the URL retrieval tool to find the CRL and AIA and the CRL location shows when I issue the:

certutil -urlcache crl

Command on each of the domain controllers.

When looking on the issuing CA (sub enterprise CA) the certificate is in the revoked section and clicking on its properties shows that it is revoked but under the: x.509 tab of AD it is still 'OK'.

Is there something else that I need to do so Active directory will look at the correct CRL?

I did notice when looking through the  "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server as it was decommissioned a while ago.  
Could this cause some issues?

Josh
0
Comment
Question by:Joshwright100
  • 2
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833742
I would guess that it is checking the other CRL, and when it doesn't see it there, marks the certificate as OK

The fact that the other CRL exists would make it appear that the previous CA was not cleanly removed from AD. Was it another subordinate CA of your current root CA ?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834691
There are no other sub CAs of this new root just the other CA whichI believe was a root on its own.

I have only just fond all of this out and no body in the office new that we had a CA it was built years ago and now no longer exists.

What is the best practice for either removing the old CAs certificates and CRL or just switching it so active directory looks at the new CRL from this new server?

Thank you for your help. It finally feels like I am on the right path now!
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 500 total points
ID: 38834742
Granted this is for 2003, but the same applies to 2008 and 2012

http://support.microsoft.com/kb/889250

Your issue is that a new CA has been installed before the old one was removed, this turns a "simple" cleanup into a much more complex job...

http://technet.microsoft.com/en-us/library/cc753375.aspx
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834758
Brilliant! This looks like its going to be fun!

Thank you so much.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question