Status of revoked certificate shown by CA console
- Maybe I'm too stupid ...
In my test environment I revoked many certificates while working on different cases. In the "Certificate Authority" MMC snap-in I opened some of the revoked certificates and took a look at the "Certification Path" tab ... I saw the following.
Certificate Status:
The certificate is OK!
What's wrong?
br Michael
All Replies
- The GUI does NOT check or display revocation status. You need to test with CERTUTIL -VERIFY.
ondrej.
- Ondrej is correct. The GUI, when you view a certificate, simply builds a chain. If there are application, basic, or name constraints in the chain, it will show you any issues, but it never checks for revocation.
If it is a recently revoked certificate, you can force download of the new CRL by running certutil -verify -urlfetch certificate.crt (Ondrej's command will use cached CRLs).
Brian
- Thank you both, it's what I'm afraid of: no way to trigger a CRL check in the certificate store.
br Michael
- Actually, that is not a true statement.
The certificate display interface (when you double-click a certificate anywhere) does not do revocation checking.
It might help if you'd tell us what exactly you're trying to accomplish and why. There may be a way to accomplish what you're trying to do, but we'd need to understand what that is first.
Paul Adare CTO IdentIT Inc. ILM MVP
- In detail:
During setup of the test environment a CA (which I'll call CA4 in the following) wrongly issued certificates to DCs based on the default template "Domain Controller". Another CA (CA2 in the following) should issue certificates to DCs based on a copy of the template "Kerberos Authentication". I've revoked all certs issued on CA4.
In the environment only CRL publishing is active, with a lifetime of 7 days and an overlap of 12 hours. So from the DCs' point of view they got valid certs.
With EA admin rights we tried to force deletion of the wrong certs:
certutil -dcinfo deleteall
certutil -dcinfo deletebad
in every domain of our forest. It didn't work.
The CAs are based on 2008 Ent., the DCs on 2003 Ent.
I'm searching for a solution to distribute new certs to all DCs at once.
br Michael
- Hi,
The command certutil -dcinfo deleteAll should be able to delete the KDC certificate for the domain controller. To better understand the issue, please post the output of the command here.
In addition, you can refer to the following article to decommission the CA4:
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000
http://support.microsoft.com/kb/889250
This posting is provided "AS IS" with no warranties, and confers no rights.
- "certutil -dcinfo deleteAll"
I understand that this couldn't solve the problem.
The linked article above had the following note:
"Important Do not use this procedure if you are using certificates that are based on version 1 domain controller templates."
Above I described that the issued certs are from the v1 template "Domain Controller".
I'll manually delete every entry in AD and in the local stores of the DCs of one domain. So there's no way to force updating the DCs' certs at once ...?
- Auto-enrollment will eventually cause the DCs to request new certificates once you've deleted the ones you want to delete. You can try forcing things with gpupdate /force and/or certutil -pulse. You can also reboot the DCs in question.
Paul Adare CTO IdentIT Inc. ILM MVP
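The two practical points of the thread, that only certutil -verify -urlfetch (not the MMC certificate view) checks revocation against a freshly downloaded CRL, and that removing the wrong certificates and then pulsing autoenrollment is how a DC gets a replacement, combined into one script. This is an added example, not code from any of the posters. It assumes a domain controller with PowerShell 3 or later and certutil.exe (a newer OS than the 2003 DCs in the thread), and uses the pattern "*CA4*" as a placeholder for the issuer name of the CA whose certificates were revoked.

```powershell
# Added example, not code from the thread. Run on a domain controller as an
# administrator. Assumptions (not from the original posts): PowerShell 3 or
# later, certutil.exe in the path, and "*CA4*" as the issuer-name pattern of
# the CA whose certificates were revoked.
param(
    [string]$IssuerPattern = '*CA4*',   # hypothetical: matches CA4's CN
    [switch]$ReportOnly                 # list and verify, delete nothing
)

# HRESULT certutil -verify reports when the leaf certificate is revoked.
$CryptERevoked = '0x80092010'

function Test-CertRevoked {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # certutil -verify works on a file, so export the public part to a temp .cer.
    $tmp = Join-Path $env:TEMP ("{0}.cer" -f $Cert.Thumbprint)
    [IO.File]::WriteAllBytes($tmp, $Cert.Export('Cert'))
    try {
        # -urlfetch pulls the CRL from the CDP instead of the cached copy, which
        # is what the MMC (and a plain -verify) would otherwise rely on.
        $out = & certutil.exe -verify -urlfetch $tmp 2>&1 | Out-String
        return [bool]($out -match "$CryptERevoked|CRYPT_E_REVOKED")
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# Machine-store certificates issued by the CA in question.
$suspects = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like $IssuerPattern })

if ($suspects.Count -eq 0) {
    Write-Host "No certificates from $IssuerPattern in LocalMachine\My on $env:COMPUTERNAME"
    return
}

$removed = 0
foreach ($cert in $suspects) {
    $revoked = Test-CertRevoked -Cert $cert
    Write-Host ("{0}  {1}  revoked={2}" -f $cert.Thumbprint, $cert.Subject, $revoked)
    if ($revoked -and -not $ReportOnly) {
        # Drop the revoked certificate from the machine store.
        Remove-Item -Path ("Cert:\LocalMachine\My\{0}" -f $cert.Thumbprint)
        $removed++
    }
}

if ($removed -gt 0) {
    # Refresh the autoenrollment policy, then run the autoenrollment task now
    # instead of waiting for its next scheduled run.
    & gpupdate.exe /target:computer /force | Out-Null
    & certutil.exe -pulse | Out-Null

    # What the DC holds now; the replacement should come from the intended CA.
    Get-ChildItem Cert:\LocalMachine\My |
        Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
}
```

Run it first with -ReportOnly to see which certificates certutil actually reports as revoked, then without it on each DC (for example through Invoke-Command against the output of Get-ADDomainController -Filter *). Note that -urlfetch only bypasses the CRL cache for that one certutil call; to make every process on the machine discard its cached CRLs, run certutil -setreg chain\ChainCacheResyncFiletime @now. certutil -pulse was introduced with Vista/2008, so on the 2003 DCs in the thread the fallback is gpupdate /force or a reboot, as Paul says.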

