Manually publishing a CA certificate or CRL into a LDAP store

Published Jan 24 2020 01:41 PM 2,304 Views
Microsoft

First published on TECHNET on Apr 13, 2007

The CA is automatically publishing its own certificates and related CRLs into Active Directory if a LDAP reference is configured in the CA property “Extensions”.

 

 

 

If you are using a different LDAP server (such as Microsoft ADAM ) to make the CA certificate and CRL available, certificates and CRLs must be published manually. The easiest way to do that is with certutil.

 

 

 

Perform the following command to publish the CRL manually into a LDAP-store.

 

 

 

certutil –addstore "LDAP://[server]/[DN]?certificateRevocationList?base?objectclass=cRLDistributionPoint" [CRL-File]

 

 

 

Replace [server] with the name of the LDAP server where you have write permissions.
Replace [DN] with the path that you have used in the CA configuration.
Replace [CRL-File] with the file name of the CRL that you want to publish.

 

 

 

Here is the command to publish a CA certificate manually:

 

 

 

certutil –addstore "LDAP://[server]/[DN]?cACertificate?base?objectClass=certificationAuthority" [cert-file]

 

 

To manually publish a CA certificate or CRL into Active Directory you should still use certutil –dspublish instead of certutil –addstore .

%3CLINGO-SUB%20id%3D%22lingo-sub-1128382%22%20slang%3D%22en-US%22%3EManually%20publishing%20a%20CA%20certificate%20or%20CRL%20into%20a%20LDAP%20store%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1128382%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Apr%2013%2C%202007%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20The%20CA%20is%20automatically%20publishing%20its%20own%20certificates%20and%20related%20CRLs%20into%20Active%20Directory%20if%20a%20LDAP%20reference%20is%20configured%20in%20the%20CA%20property%20%E2%80%9CExtensions%E2%80%9D.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20If%20you%20are%20using%20a%20different%20LDAP%20server%20(such%20as%20Microsoft%20%3CA%20title%3D%22Active%20Directory%20Application%20Mode%22%20href%3D%22http%3A%2F%2Fwww.microsoft.com%2Fadam%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20ADAM%20%3C%2FA%3E%20)%20to%20make%20the%20CA%20certificate%20and%20CRL%20available%2C%20certificates%20and%20CRLs%20must%20be%20published%20manually.%20The%20easiest%20way%20to%20do%20that%20is%20with%20certutil.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20Perform%20the%20following%20command%20to%20publish%20the%20CRL%20manually%20into%20a%20LDAP-store.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%208pt%3B%20color%3A%20black%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Courier%20New'%3B%20mso-themecolor%3A%20text1%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20certutil%20%E2%80%93addstore%20%22LDAP%3A%2F%2F%5Bserver%5D%2F%5BDN%5D%3FcertificateRevocationList%3Fbase%3Fobjectclass%3DcRLDistributionPoint%22%20%5BCRL-File%5D%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20Replace%20%5Bserver%5D%20with%20the%20name%20of%20the%20LDAP%20server%20where%20you%20have%20write%20permissions.%20%3CBR%20%2F%3EReplace%20%5BDN%5D%20with%20the%20path%20that%20you%20have%20used%20in%20the%20CA%20configuration.%20%3CBR%20%2F%3EReplace%20%5BCRL-File%5D%20with%20the%20file%20name%20of%20the%20CRL%20that%20you%20want%20to%20publish.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20Here%20is%20the%20command%20to%20publish%20a%20CA%20certificate%20manually%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin%3A%200cm%200cm%2010pt%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%208pt%3B%20color%3A%20black%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Courier%20New'%3B%20mso-themecolor%3A%20text1%3B%20mso-ansi-language%3A%20EN-US%3B%22%3E%20certutil%20%E2%80%93addstore%20%22LDAP%3A%2F%2F%5Bserver%5D%2F%5BDN%5D%3FcACertificate%3Fbase%3FobjectClass%3DcertificationAuthority%22%20%5Bcert-file%5D%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-fareast-theme-font%3A%20minor-latin%3B%20mso-fareast-language%3A%20EN-US%3B%20mso-bidi-language%3A%20AR-SA%3B%22%3ETo%20manually%20publish%20a%20CA%20certificate%20or%20CRL%20into%20Active%20Directory%20you%20should%20still%20use%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22font-size%3A%208pt%3B%20color%3A%20black%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Courier%20New'%3B%20mso-themecolor%3A%20text1%3B%20mso-ansi-language%3A%20EN-US%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-fareast-theme-font%3A%20minor-latin%3B%20mso-fareast-language%3A%20EN-US%3B%20mso-bidi-language%3A%20AR-SA%3B%22%3E%20certutil%20%E2%80%93dspublish%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-fareast-theme-font%3A%20minor-latin%3B%20mso-fareast-language%3A%20EN-US%3B%20mso-bidi-language%3A%20AR-SA%3B%22%3E%20instead%20of%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22font-size%3A%208pt%3B%20color%3A%20black%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Courier%20New'%3B%20mso-themecolor%3A%20text1%3B%20mso-ansi-language%3A%20EN-US%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-fareast-theme-font%3A%20minor-latin%3B%20mso-fareast-language%3A%20EN-US%3B%20mso-bidi-language%3A%20AR-SA%3B%22%3E%20certutil%20%E2%80%93addstore%20%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22font-size%3A%2010pt%3B%20color%3A%20%2331849b%3B%20line-height%3A%20115%25%3B%20font-family%3A%20'Lucida%20Sans%20Unicode'%2C'sans-serif'%3B%20mso-themecolor%3A%20accent5%3B%20mso-themeshade%3A%20191%3B%20mso-ansi-language%3A%20EN-US%3B%20mso-fareast-font-family%3A%20Calibri%3B%20mso-fareast-theme-font%3A%20minor-latin%3B%20mso-fareast-language%3A%20EN-US%3B%20mso-bidi-language%3A%20AR-SA%3B%22%3E%20.%20%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1128382%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TECHNET%20on%20Apr%2013%2C%202007%20The%20CA%20is%20automatically%20publishing%20its%20own%20certificates%20and%20related%20CRLs%20into%20Active%20Directory%20if%20a%20LDAP%20reference%20is%20configured%20in%20the%20CA%20property%20%E2%80%9CExtensions%E2%80%9D.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1128382%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECarstenKinder%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Feb 20 2020 02:40 PM
Updated by: