Certutil -crl

  • Question

  • Hi,

    I'm following a tutorial to configure a two-tier PKI hierarchy. I'm at the point of configuring the AIA and CDP.

    When I enter certutil -crl on the issuing CA I get this:

    PS C:\Windows\system32> certutil -crl
    CertUtil: -CRL command FAILED: 0x8007005
    CertUtil: The parameter is incorrect.

    If I try it via the interface (CA -> Revoked Certificates -> Publish) I get an access denied error.

    I'm using a domain account that is Enterprise Admin and Domain Admin. Can anyone help me?

    Thanks in advance. Jelle

    Monday, March 4, 2013 3:13 PM

Answers

  • If this is the local server, why are you using a share for the publication?

    If the \\TGSVIntCA.vdkdev.net\pki\ points to the c:\inetpub\wwwroot\pki folder, I would not reference it by the share name; I would reference it as c:\inetpub\wwwroot\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl.

    Now, if you were in the real world, you would *Never* have the CA as a publication point. You then would be looking at a permissions issue.

    The CA computer account (or a group containing the account) must have:

    Read and Change share permissions

    Read, Write, Modify NTFS permissions

    Brian

    • Marked as answer by Jelledc Tuesday, March 5, 2013 1:38 PM
    Tuesday, March 5, 2013 1:02 PM
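    As an added check (this is not code from the thread or from Microsoft), the PowerShell below lists the CA's CDP entries that are flagged for publication and reports whether the CA computer account holds the NTFS and share rights Brian describes. It assumes the ADCSAdministration and SmbShare modules (Windows Server 2012 or later), an elevated session on the CA itself, and it only looks at ACEs granted directly to the computer account, not rights inherited through group membership.

```powershell
# Added example (not from the thread): audit the CRL publication points of an issuing CA
# and report whether the CA computer account has the rights the accepted answer requires.
# Assumes the ADCSAdministration and SmbShare modules (Windows Server 2012 or later)
# and an elevated PowerShell session on the CA itself.
Import-Module ADCSAdministration
Import-Module SmbShare

$modify    = [System.Security.AccessControl.FileSystemRights]::Modify
$caAccount = "$env:USERDOMAIN\$env:COMPUTERNAME$"   # identity that certutil -crl publishes under

foreach ($cdp in Get-CACrlDistributionPoint) {
    # Only entries flagged for publication are written to; the rest are just embedded in certs.
    if (-not ($cdp.PublishToServer -or $cdp.PublishDeltaToServer)) { continue }
    Write-Host "Publish target: $($cdp.Uri)"

    # Strip the file:// prefix; what remains is a local path or a UNC path.
    $target = $cdp.Uri -replace '^file://', ''
    $folder = Split-Path -Path $target -Parent
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "  $folder is missing or unreachable; publication will fail"
        continue
    }

    # NTFS check: an Allow ACE granting at least Modify directly to the CA computer account
    # (grants made through a group are not resolved here).
    $ntfsOk = (Get-Acl -LiteralPath $folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $caAccount -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    Write-Host ("  NTFS Modify for {0}: {1}" -f $caAccount, [bool]$ntfsOk)

    # Share check, only for UNC targets that point at a share hosted on this same server.
    if ($target -match '^\\\\(?<host>[^\\]+)\\(?<share>[^\\]+)') {
        $hostName = $matches.host.Split('.')[0]
        if ($hostName -ieq $env:COMPUTERNAME) {
            $shareOk = Get-SmbShareAccess -Name $matches.share | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.AccountName -eq $caAccount -and
                $_.AccessRight -in 'Change', 'Full'
            }
            Write-Host ("  Share Change for {0}: {1}" -f $caAccount, [bool]$shareOk)
            Write-Host "  Note: the share is on this CA; publishing to $folder directly avoids the share ACL"
        }
    }
}
```

    A CDP entry whose folder exists but shows False for either check is the permissions case from the answer; an entry whose folder is unreachable is the misconfigured publication point case.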

All replies

  • Hi,

    Are you running the command prompt as an administrator?

    Opening cmd as an Administrator should do the job.


    Regards, Rmknight

    Monday, March 4, 2013 3:53 PM
  • Hi,

    Thanks for the reply.

    Yes, I'm running the command as administrator. I've also done this for a standalone Root CA and that worked, but for the enterprise issuing CA I have this problem.


    Monday, March 4, 2013 4:42 PM
    If you are running on Server 2008 R2 or higher, you must be running the command at an elevated command prompt (Run as Administrator).

    The error will also occur if you have incorrectly configured CDP publication points or are trying to publish to an area where the CA computer account does not have permissions.

    In the interface, review all CDP locations and ensure none say Unconfigured DSN or similar.

    Brian

    Monday, March 4, 2013 7:11 PM
  • Hi Brian,

    I think I've found my problem.

    file ://\\TGSVIntCA.vdkdev.net\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

    (no space between file and : but otherwise i couldn't post this.)

    If I remove this line from my CDP, I can publish the CRL.

    certutil -crl isn't working yet (same error), but I can publish my CRL via the interface.

    My question is, what is wrong with this line or why can't I publish CRL via command prompt?

    TGSVIntCA is my Issuing CA.

    vdkdev.net is my domain.

    Thanks in advance!

    Jelle



    • Edited by Jelledc Tuesday, March 5, 2013 10:44 AM
    Tuesday, March 5, 2013 8:15 AM