?
Solved

Unable to Revoke Certificate in Active Directory

Posted on 2013-01-29
4
Medium Priority
?
503 Views
Last Modified: 2013-01-30
Hi,

I have been trying to narrow down why when I revoke a certificate it it not being revoked in Active directory. The Certificate is being published in AD and can be used for authentication but not revoked.

We have 4 Domain Controllers and after some time I have the CDP/CRL in active directory, I can use the URL retrieval tool to find the CRL and AIA and the CRL location shows when I issue the:

certutil -urlcache crl

Command on each of the domain controllers.

When looking on the issuing CA (sub enterprise CA) the certificate is in the revoked section and clicking on its properties shows that it is revoked but under the: x.509 tab of AD it is still 'OK'.

Is there something else that I need to do so Active directory will look at the correct CRL?

I did notice when looking through the  "Active Directory Sites and Services" tool that there is another certificate and CRL listed there. This looks like it was an old CA that was made in 2010 and is no longer a server as it was decommissioned a while ago.  
Could this cause some issues?

Josh
0
Comment
Question by:Joshwright100
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833742
I would guess that it is checking the other CRL, and when it doesn't see it there, marks the certificate as OK

The fact that the other CRL exists would make it appear that the previous CA was not cleanly removed from AD. Was it another subordinate CA of your current root CA ?
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834691
There are no other sub CAs of this new root just the other CA whichI believe was a root on its own.

I have only just fond all of this out and no body in the office new that we had a CA it was built years ago and now no longer exists.

What is the best practice for either removing the old CAs certificates and CRL or just switching it so active directory looks at the new CRL from this new server?

Thank you for your help. It finally feels like I am on the right path now!
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 2000 total points
ID: 38834742
Granted this is for 2003, but the same applies to 2008 and 2012

http://support.microsoft.com/kb/889250

Your issue is that a new CA has been installed before the old one was removed, this turns a "simple" cleanup into a much more complex job...

http://technet.microsoft.com/en-us/library/cc753375.aspx
0
 
LVL 1

Author Comment

by:Joshwright100
ID: 38834758
Brilliant! This looks like its going to be fun!

Thank you so much.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question