Certificate CRL and Delta CRL are not copied automatically to the HTTP Path

Posted by Ahmed Nabil In | 0 comments»
A common problem noted on several implementations of Active Directory Certificate Services is the CRL and Delta CRL copies to the HTTP Path.  By default Microsoft Enterprise CA only publishes CRL automatically to LDAP path defined in the CRL Distribution Point (CDP). Normally CA administrators could define CDP in many locations as LDAP and HTTP (Inetpub Folder). Since it’s only copied to LDAP, the HTTP location gets expired and the user would encounter this error.

HTTP CRL location get expired on daily basis

The certificate will try to retrieve the CRL and Delta CRL from each defined location (LDAP and HTTP) when system check the revocation status of certificate. If it can get the CRL from one and only one of these locations then it will pass the revocation process and function normally even if the CRL is not copied to the HTTP location. However it will give the above Expired Status for CRL and Delta CRL HTTP Location.

To solve this issue you have two options:

  1. Copy them manually from the CERTSRV folder to the Inetpub folder
  2. Create a batch file to copy them automatically and add this batch file to the daily scheduled tasks.

The Batch file should be something like this
Xcopy c:\windows\system32\certsrv\CertEnroll\*.crl  C:\Intetpub\



Post a Comment