Publishing Certificates and CRLs to Active Directory

In addition to publishing the CA certificates and CRLs to the local machine store of subordinate CAs, you can publish CA certificates and CRLs for any offline CAs to Active Directory. By publishing the CA certificates to Active Directory, you ensure the automatic propagation of CA certificates and CRLs to all Windows 2000, Windows XP, and Windows Server 2003 forest members. The published CA certificates and CRLs are automatically downloaded to the Windows 2000, Windows XP, and Windows Server 2003 forest members through Group Policy application. The application of Group Policy triggers the autoenrollment mechanism, initiating the automatic download of any certificates or CRLs published in Active Directory to the forest members. Figure 6-3 shows where the CA certificates and CRLs are published when they are published into Active Directory.

[Figure 6-3: ADSI Edit, Configuration partition, showing CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com and its child containers CN=AIA, CN=CDP, CN=Certificate Templates, CN=Certification Authorities, CN=Enrollment Services, CN=KRA, and CN=OID]

Figure 6-3 Active Directory publication locations

In Figure 6-3, CA certificates are published into the following locations:

■ All CA certificates are published into the CN=AIA,CN=Public Key Services, CN=Services,CN=Configuration,ForestRootDomain (where ForestRootDomain is the LDAP distinguished name of your organization's forest root domain) container.

■ Root CA certificates are also published into the CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.

■ Enterprise CA certificates are published into the CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain object.

Note The AIA container and the Certification Authorities container are used by the certificate chaining engine to acquire certificates for chain building. Subordinate CA certificates are included only in the AIA container, while root CA certificates are included in both the AIA and the Certification Authorities containers. The NTAuthCertificates object lists the CAs trusted to issue certificates used for authentication to Active Directory, such as smart card logon.

Figure 6-3 also shows that CRLs are published into separate containers within the CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container, one container per CA computer, named after that computer's NetBIOS name. For example, the CRL of the CA running on the server with the NetBIOS name GAXGPCA01PK is published within the CN=GAXGPCA01PK,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
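The following PowerShell script is an added example, not code from the book; it walks the publication locations listed above and reports what is currently published in each of them, which is the check to run after publishing to confirm the objects landed where this section says they do. It assumes a domain-joined Windows host and any authenticated user (the Configuration partition is readable by default); it uses only .NET and ADSI, so the ActiveDirectory RSAT module is not required.

```powershell
# Added example (not from the book): list the CA certificates and CRLs
# published under CN=Public Key Services in the Configuration partition.
# Assumptions: domain-joined host, default read access to the Configuration NC.

function Get-PkiServicesEntry {
    # Bind to CN=<Cn>,CN=Public Key Services,CN=Services,<configuration NC>
    param([Parameter(Mandatory)][string]$Cn)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    [ADSI]"LDAP://CN=$Cn,CN=Public Key Services,CN=Services,$configNc"
}

function ConvertFrom-CaCertificateAttribute {
    # Decode every value of the multi-valued cACertificate attribute on one object.
    param([Parameter(Mandatory)]$Entry, [string]$Location)
    foreach ($raw in $Entry.Properties['cACertificate']) {
        if (-not $raw -or $raw.Length -eq 0) { continue }   # skip an empty placeholder value
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        } catch {
            Write-Warning "Undecodable cACertificate value on $($Entry.Path): $_"
            continue
        }
        [pscustomobject]@{
            Location   = $Location
            Object     = $Entry.Properties['cn'].Value
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

function Get-AdPublishedCaCertificates {
    # AIA and Certification Authorities hold one object per CA;
    # NTAuthCertificates is a single object carrying all enterprise CA certificates.
    foreach ($cn in 'AIA', 'Certification Authorities') {
        foreach ($child in (Get-PkiServicesEntry $cn).Children) {
            ConvertFrom-CaCertificateAttribute -Entry $child -Location $cn
        }
    }
    ConvertFrom-CaCertificateAttribute -Entry (Get-PkiServicesEntry 'NTAuthCertificates') -Location 'NTAuthCertificates'
}

function Get-AdPublishedCrls {
    # CN=CDP contains one container per CA computer (its NetBIOS name); each
    # holds cRLDistributionPoint objects carrying the base CRL and, if any, the delta CRL.
    foreach ($hostContainer in (Get-PkiServicesEntry 'CDP').Children) {
        foreach ($cdp in $hostContainer.Children) {
            $base  = $cdp.Properties['certificateRevocationList'].Value
            $delta = $cdp.Properties['deltaRevocationList'].Value
            [pscustomobject]@{
                CaHost        = $hostContainer.Properties['cn'].Value
                CaName        = $cdp.Properties['cn'].Value
                BaseCrlBytes  = if ($base)  { ([byte[]]$base).Length }  else { 0 }
                DeltaCrlBytes = if ($delta) { ([byte[]]$delta).Length } else { 0 }
                LastChanged   = $cdp.Properties['whenChanged'].Value
            }
        }
    }
}

Get-AdPublishedCaCertificates | Format-Table -AutoSize
Get-AdPublishedCrls           | Format-Table -AutoSize
```

A root CA published correctly appears twice in the first table (once under AIA, once under Certification Authorities), a subordinate CA once under AIA, and each published CRL shows a non-zero BaseCrlBytes with a LastChanged timestamp matching the publication time.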

Use the following certutil.exe command line to publish a root CA's certificate into Active Directory:

certutil -dspublish -f CAName.crt RootCA, where CAName is the logical name of the root CA. The final argument selects the publication location: RootCA places the certificate in both the AIA and the Certification Authorities containers, while SubCA, used for an offline subordinate CA, places it in the AIA container only.

Note If the CA certificate file's name contains spaces, you must delimit the file name with quotes. For example, the command line to publish the Fabrikam root CA certificate would be certutil -dspublish -f "Fabrikam Corporate Root CA.crt" RootCA.

When adding a CA's CRL to Active Directory, there is no difference between publishing a root CA CRL and a subordinate CA CRL. Use the following command to publish the CRL:

certutil -dspublish -f CACRLFile.crl, where CACRLFile.crl is the file name of the CA's CRL file.

Note If publication fails, the CRL may not carry enough LDAP information for certutil to determine the publication location in Active Directory. You can force publication by adding the NetBIOS name of the CA computer, which is the name of its container under CN=CDP, to the publication command. For example, if the NetBIOS name of Fabrikam's root CA computer is FABINCCA01, the command to publish the Fabrikam root CA's CRL is certutil -dspublish -f "Fabrikam Corporate Root CA.crl" FABINCCA01.

Once the CA certificates and CRLs are published in Active Directory, you can force their download at a client computer by refreshing Group Policy, which triggers the autoenrollment engine and copies the published certificates and CRLs into the computer's local certificate stores.

■ At Windows 2000 computers, a user can type secedit /refreshpolicy machine_policy /enforce.

■ At Windows XP and Windows Server 2003 computers, a user can type gpupdate /target:computer /force.

Alternatively, the download also takes place the next time the computer restarts, because the restart triggers the autoenrollment engine. If you do not want to restart the computer, you can wait for the periodic background Group Policy refresh, which by default runs every 90 minutes, to trigger autoenrollment.
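The following script is an added example, not code from the book, that runs the whole procedure above end to end: it publishes an offline CA's certificate and CRL with certutil -dspublish, retrying the CRL with the CA computer's NetBIOS name when publication without a container name fails, forces a computer Group Policy refresh, and then checks that the certificate has arrived in the local machine store. The file paths, the RootCA role, and the host name FABINCCA01 (taken from the note above) are assumptions to adjust for your environment; the account running it needs write access to the Public Key Services containers, which by default means Enterprise Admins.

```powershell
# Added example (not from the book): publish an offline CA's certificate and
# CRL to Active Directory, force the local download, and verify the result.
# Assumptions: the files below were exported from the offline CA; the CA is a
# root CA (use SubCA for an offline subordinate CA); its computer's NetBIOS
# name is FABINCCA01; the caller can write to the Public Key Services containers.

$CertFile = 'C:\PKI\Fabrikam Corporate Root CA.crt'   # assumed path
$CrlFile  = 'C:\PKI\Fabrikam Corporate Root CA.crl'   # assumed path
$CaRole   = 'RootCA'        # RootCA -> AIA + Certification Authorities; SubCA -> AIA only
$CaHost   = 'FABINCCA01'    # NetBIOS name of the CA computer (container name under CN=CDP)

function Invoke-CertUtil {
    # Run certutil.exe with the given arguments and fail loudly on a non-zero exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$out"
    }
    $out
}

# 1. CA certificate: -f overwrites an existing object; the last argument picks the container(s).
Invoke-CertUtil -Arguments @('-dspublish', '-f', $CertFile, $CaRole) | Out-Null
"Published CA certificate as $CaRole"

# 2. CRL: same command for root and subordinate CAs. If certutil cannot derive
#    the CDP container from the CRL, retry with the CA computer's NetBIOS name.
try {
    Invoke-CertUtil -Arguments @('-dspublish', '-f', $CrlFile) | Out-Null
} catch {
    Write-Warning "CRL publication without a container name failed; retrying with $CaHost"
    Invoke-CertUtil -Arguments @('-dspublish', '-f', $CrlFile, $CaHost) | Out-Null
}
"Published CRL"

# 3. Pull the new objects down to this computer now instead of waiting for the
#    90-minute background refresh or a restart.
gpupdate.exe /target:computer /force | Out-Null

# 4. Verify: the thumbprint of the published certificate must now be present in
#    LocalMachine\Root (root CA) or LocalMachine\CA (subordinate CA).
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$storeName = if ($CaRole -eq 'RootCA') { 'Root' } else { 'CA' }
$found = Get-ChildItem "Cert:\LocalMachine\$storeName" |
         Where-Object { $_.Thumbprint -eq $published.Thumbprint }
if ($found) {
    "OK: '$($published.Subject)' is present in LocalMachine\$storeName"
} else {
    Write-Warning "'$($published.Subject)' is not yet in LocalMachine\$storeName; autoenrollment may not have run. Inspect with: certutil -store $storeName"
}
```

Because the CRL is consulted by name rather than thumbprint, the CRL side of the download is easiest to confirm with certutil -store or certutil -URL once the certificate check passes.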
