Publish a CRL created with OpenSSL into Active Directory

When you sign a CRL with OpenSSL it does not carry the “Published CRL Locations” attribute, which tells where the revocation list is or should be published. Without this attribute there is no way for certutil to know where to save your CRL in Active Directory.

Solution:
1. Remove the existing cRLDistributionPoint object in Active Directory with adsiedit.msc:

CN=CA-Name,CN=Server,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com

2. Create an empty cRLDistributionPoint object whose name matches the CDP location in your certificates.

3. Execute:
certutil -f -addstore "ldap:///CN=CA-Name,CN=Server,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint" "<your new CRL file>"
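As an added example (not part of the original post), the steps above scripted in PowerShell with a read-back check that the CRL stored in AD is byte-for-byte the one you signed; the CA name, server, domain and CRL path are assumed placeholders.

```powershell
# Added example, not the post's own code. Assumed values: CA name, server, domain, CRL path.
$crlPath      = 'C:\pki\ca.crl'   # assumption: OpenSSL-signed CRL, PEM or DER
$caName       = 'CA-Name'         # assumption: must match the CN used in your certificates' CDP
$cdpContainer = 'CN=Server,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com'
$dn           = "CN=$caName,$cdpContainer"
$ldapStore    = "ldap:///$dn?certificateRevocationList?base?objectClass=cRLDistributionPoint"

# Return the CRL as DER bytes: OpenSSL writes PEM by default, AD stores DER.
function ConvertTo-DerCrl([string]$Path) {
    $raw  = [IO.File]::ReadAllBytes($Path)
    $text = [Text.Encoding]::ASCII.GetString($raw)
    if ($text -match '-----BEGIN X509 CRL-----') {
        $b64 = ($text -split "`r?`n" | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
        return [Convert]::FromBase64String($b64)
    }
    return $raw
}

function Get-Sha256Hex([byte[]]$Bytes) {
    $sha = [Security.Cryptography.SHA256]::Create()
    return ([BitConverter]::ToString($sha.ComputeHash($Bytes))) -replace '-', ''
}

# Step 2: create the empty cRLDistributionPoint object if it is not there yet.
if (-not [adsi]::Exists("LDAP://$dn")) {
    $container = [adsi]"LDAP://$cdpContainer"
    $obj = $container.Create('cRLDistributionPoint', "CN=$caName")
    $obj.SetInfo()
    Write-Host "Created $dn"
}

# Step 3: publish the CRL into the LDAP store with certutil.
& certutil.exe -f -addstore $ldapStore $crlPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Verify: read the certificateRevocationList attribute back and compare with the local DER CRL.
$entry = [adsi]"LDAP://$dn"
$entry.RefreshCache()
$published     = [byte[]]$entry.Properties['certificateRevocationList'].Value
$localHash     = Get-Sha256Hex (ConvertTo-DerCrl $crlPath)
$publishedHash = Get-Sha256Hex $published
if ($localHash -ne $publishedHash) {
    throw "CRL in AD ($publishedHash) does not match the local CRL ($localHash)"
}
Write-Host "CRL published to $dn and verified (SHA-256 $localHash)"
```

Run it under an account allowed to write the certificateRevocationList attribute of that object; the hash comparison catches the case where certutil reports success but an older CRL is still what clients fetch.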
