Active Directory Certificate Server - CRL Distribution Points

    Question

  • I have a certificate created by our AD Team and it has a problem.

    When the certificate is used from IE11 it works. But when used by a vendor's .NET application it fails, looking like the certificate has been revoked.

    I'm not conversant in how CRLs should look for this so I've pasted it in here.

    The part that seems odd to me is the /// on the ldap.

    Any thoughts???

    [1]CRL Distribution Point

         Distribution Point Name:

              Full Name:

                   URL=ldap:///CN=OUR-PolicyCA(3),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=Corp,DC=nrc,DC=gc,DC=ca?certificateRevocationList?base?objectClass=cRLDistributionPoint


    david

    Friday, March 24, 2017 6:08 PM

All replies

  • Is the vendor on a domain-joined machine? I assume they are external or not on the domain. The CRL is in your AD domain and the vendor's machine does not trust your CA. If that scenario is correct, they need to set up trust to your Root CA (import your certificate onto their machine).
    Friday, March 24, 2017 6:42 PM
  • As Vaadadmin2010 said, your CRL Distribution Point (CDP) is configured only in your Active Directory. If your vendor cannot access your Active Directory because they are not domain joined, they can't have access to the CRL.

    If your vendor tries to use a certificate that is published by your internal Cert. Authority, you need to publish the CRL so they will be able to access it.

    How long is the validity period of the Base CRL (or the Full CRL)?

    Do you publish a Delta CRL as well? What is the refresh time?

    You could change the CDP to add a public web site so that your vendor will be able to access the CRL. But if you modify the CDP, the modification will only appear on certificates that are issued after the modification. If you have already issued certificates, you will have to re-issue those certificates (unless you keep the old path like ldap://... and you add a new path like http://...).

    This blog may help you
    https://blogs.technet.microsoft.com/nexthop/2012/12/17/updated-creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority/

    hth


    This posting is provided AS IS without warranty of any kind

    Saturday, March 25, 2017 1:23 AM
  • Hi david,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 31, 2017 9:19 AM
    Moderator
  • Okay, so IE11 and the application are hosted in the same domain?

    The path /// is correct and nothing odd in that.

    Also, if your IE doesn't have the revocation checks disabled, that means the CRL path is accessible and working as expected.

    Now, my question is: do you have any alternate path like http also configured for CDP and AIA?

    Is your vendor's application aware of CRL validation? Have you checked what path or how the application is trying to complete the CRL validation?

    There should be an event getting logged in the Application event log at the time of the failure. Can you paste that here?

    For CRL validation to work, the basic thing you need to check is to make sure the CDP and AIA paths are accessible from wherever you are trying.

    Another option would be to disable CRL validation, which is not recommended.

    Please mark this as answer if it resolves your issue

    Friday, March 31, 2017 10:13 AM
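As an added example (not code from the thread or from Microsoft), the following Python helper parses the CDP URL pasted in the question and shows why `ldap:///` is correct, as the last reply says, yet still unusable for a client outside the domain, as the earlier replies explain; the `http://pki.example.invalid/...` URL is a hypothetical second CDP of the kind those replies suggest adding.

```python
"""Classify CRL Distribution Point (CDP) URLs by which clients can reach them."""
from urllib.parse import unquote

# Constructed sample list: the ldap URL is the one pasted in the question;
# the http URL is a hypothetical second CDP such as the replies suggest adding.
CDP_URLS = [
    "ldap:///CN=OUR-PolicyCA(3),CN=servername,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=Corp,DC=nrc,DC=gc,DC=ca"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://pki.example.invalid/CertEnroll/OUR-PolicyCA(3).crl",  # hypothetical
]


def classify_cdp(url):
    """Return a dict describing one CDP URL.

    'ldap:///' is scheme + '//' + an EMPTY authority: no LDAP host is named.
    Windows resolves such a URL through DC Locator, so only a domain-joined
    (or domain-reachable) client can fetch the CRL. An http URL names a host
    that any client able to reach it can use.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or not rest.startswith("//"):
        raise ValueError("expected an absolute URL with '//': %r" % url)
    authority, _, rest = rest[2:].partition("/")
    host = authority.rsplit("@", 1)[-1].rsplit(":", 1)[0]  # strip userinfo/port
    info = {"scheme": scheme.lower(), "host": host, "needs_domain": False}
    if info["scheme"] == "ldap":
        # RFC 4516 LDAP URL: dn?attributes?scope?filter (percent-encoded)
        dn, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
        info.update(dn=unquote(dn), attributes=unquote(attrs),
                    scope=unquote(scope) or "base", filter=unquote(flt))
        # CN=servername inside the DN is the CA's CDP container object in AD,
        # not the LDAP host; the host is the (empty) authority part.
        info["needs_domain"] = host == ""
    return info


def reachable_without_domain(urls):
    """True if at least one CDP does not depend on AD domain membership."""
    return any(not classify_cdp(u)["needs_domain"] for u in urls)


if __name__ == "__main__":
    for u in CDP_URLS:
        print(classify_cdp(u))
    print("non-domain client can fetch a CRL:", reachable_without_domain(CDP_URLS))
```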