Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Manually publishing a CA certificate or CRL into a LDAP store


The CA automatically publishes its own certificates and the related CRLs into Active Directory if an LDAP reference is configured in the CA's “Extensions” property.

If you use a different LDAP server (such as Microsoft ADAM) to make the CA certificate and CRL available, the certificates and CRLs must be published manually. The easiest way to do that is with certutil.

Run the following command to publish the CRL manually into an LDAP store.

certutil -addstore "LDAP://[server]/[DN]?certificateRevocationList?base?objectclass=cRLDistributionPoint" [CRL-File]

Replace [server] with the name of the LDAP server on which you have write permissions.
Replace [DN] with the distinguished name (path) that you used in the CA configuration.
Replace [CRL-File] with the file name of the CRL that you want to publish.

Here is the command to publish a CA certificate manually:

certutil -addstore "LDAP://[server]/[DN]?cACertificate?base?objectClass=certificationAuthority" [cert-file]

To manually publish a CA certificate or CRL into Active Directory, you should still use certutil -dspublish instead of certutil -addstore.
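The two certutil URLs above must pair the right attribute with the right objectClass and point at a well-formed server and DN; a slip in either is easy to make by hand. The following checker, added here as an example and not part of the original post, parses such an LDAP URL and reports inconsistencies before you run -addstore; the server names, DNs and file names it uses are constructed.

```python
"""Sanity-check the LDAP URL handed to certutil -addstore before publishing.
Added example; attribute/objectClass pairings are taken from the post's commands."""
import re
from urllib.parse import unquote

# attribute in the URL -> objectClass the filter must select (from the post)
EXPECTED_CLASS = {
    "certificaterevocationlist": "cRLDistributionPoint",
    "cacertificate": "certificationAuthority",
}
# file extensions that plausibly hold each object type (assumption)
EXPECTED_EXT = {"certificaterevocationlist": (".crl",), "cacertificate": (".cer", ".crt", ".der")}

def parse_ldap_url(url):
    """Split LDAP://server/DN?attribute?scope?filter into its fields."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("URL must start with LDAP://")
    server, sep, path = url[len("ldap://"):].partition("/")
    if not sep:
        raise ValueError("missing '/' between server and DN")
    # an unbalanced bracket means a stray character in the server part
    if not server or server.count("[") != server.count("]"):
        raise ValueError("malformed server part %r" % server)
    fields = path.split("?")
    if len(fields) > 4:
        raise ValueError("too many '?' separators in %r" % path)
    fields += [""] * (4 - len(fields))  # pad missing scope/filter
    dn, attribute, scope, flt = (unquote(f) for f in fields)
    return {"server": server, "dn": dn, "attribute": attribute,
            "scope": scope or "base", "filter": flt}

def check_publish_url(url, file_name):
    """Return the problems found; an empty list means the URL is consistent."""
    try:
        u = parse_ldap_url(url)
    except ValueError as err:
        return [str(err)]
    problems = []
    attr = u["attribute"].lower()
    if attr not in EXPECTED_CLASS:
        return ["attribute %r must be cACertificate or certificateRevocationList" % u["attribute"]]
    if "=" not in u["dn"]:
        problems.append("DN %r does not look like a distinguished name" % u["dn"])
    m = re.fullmatch(r"\(?\s*objectclass\s*=\s*([^)\s]+)\s*\)?", u["filter"], re.I)
    if not m or m.group(1).lower() != EXPECTED_CLASS[attr].lower():
        problems.append("filter %r must be objectClass=%s for attribute %s"
                        % (u["filter"], EXPECTED_CLASS[attr], u["attribute"]))
    if not file_name.lower().endswith(EXPECTED_EXT[attr]):
        problems.append("file %r does not match attribute %s" % (file_name, u["attribute"]))
    return problems
```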
Comments
  • I'd like to import a CRL into Microsoft ADAM.  I need to do this so the CRL can be read by a third party app that is expecting the CRL to be loaded in ADAM.

    I've tried running the command listed above.  e.g.

    certutil -addstore "LDAP://[127.0.0.1:50000/ou=myou,dc=test,dc=net?cACertificate?base?objectClass=certificationAuthority" cert.crl

    However, i get the following error:

    Cannot open Cert store.

    CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5)

    CertUtil: Access is denied.

    I'm logged on as the administrator and have full privs to ADAM.  I'm guessing the error is caused by the fact certutil can't create an object of class cRLDistributionPoint (as it's not in the schema).

    My question is, how do I set up ADAM so it can accept a CRL using the command you've shown?

    Appreciate your help.

  • I guess that "[127.0.0.1:50000" is a typo in your sample command. The bracket is definitely a misplaced character.

    Secondly, your command uses objectClass=certificationAuthority instead of objectclass=cRLDistributionPoint. This should be also corrected.

    You can try to use the -f option with -addstore. This forces certutil to create missing objects. If this does not work either, you have to extend the ADAM schema.

  • Hi,

    I have a similar problem as posted before. I am able to import the CA certificate using LDIFDE, but when I'm importing using certutil there is an access denied.

    CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5)

    CertUtil: Access is denied.

    The error occurs regardless of where I try to publish the certificate from (e.g. the server hosting AD LDS or another domain-joined server).

    Looking at network monitor I can see there is authentication missing (successful bind). The entire error is "LDAPMessage searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0)"

    Any idea what could be misconfigured (probably at ADAM side)?

    Appreciate your help.

  • Are you 100 % sure that the specified object/attribute exists in your ADAM? Have you tried certutil -viewstore instead? ADinsight (http://technet.microsoft.com/en-us/sysinternals/bb897539.aspx) could be helpful to troubleshoot the problem.

  • Hi, it looks like it is a problem in certutil on Windows Server 2008 / 2008 R2. If I try to run certutil -viewstore from Windows Server 2003 it works, but certutil -viewstore on Windows Server 2008 fails with access denied. Also, if I sniff the network traffic I see a successful LDAP bind (SASL) from the 2003 machine, but I do not see any bind from the 2008 machine.

  • Have you run certutil from an elevated command window?

  • Yes, however nothing changed. When I try to view the store from an XP/2003 machine I see a

    1) simple bind,

    2) request for the container,

    3) auth failure,

    4) another bind using NTLMSSP_CHALLENGE,

    5) successful authentication and container retrieval

    When I try to view the store from a 2008 R2 machine I see an LDAP base object request twice, without any attempt to authenticate.

  • Finally I figured out the reason why the binding was not successful. I had not configured correct SPNs for AD LDS service account. After registering the SPNs everything works fine.
