Manually publishing a CA certificate or CRL into a LDAP store


The CA automatically publishes its own certificates and the related CRLs into Active Directory if an LDAP reference is configured in the CA property "Extensions".


If you are using a different LDAP server (such as Microsoft ADAM) to make the CA certificate and CRL available, certificates and CRLs must be published manually. The easiest way to do that is with certutil.


Run the following command to publish a CRL manually into an LDAP store.


certutil -addstore "LDAP://[server]/[DN]?certificateRevocationList?base?objectclass=cRLDistributionPoint" [CRL-File]


Replace [server] with the name of the LDAP server on which you have write permissions.
Replace [DN] with the distinguished name that you have used in the CA configuration.
Replace [CRL-File] with the file name of the CRL that you want to publish.


Here is the command to publish a CA certificate manually:


certutil -addstore "LDAP://[server]/[DN]?cACertificate?base?objectClass=certificationAuthority" [cert-file]

To publish a CA certificate or CRL manually into Active Directory itself, you should still use certutil -dspublish instead of certutil -addstore.
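As an added example (not part of the original post and not a Microsoft tool), the two certutil commands above can be wrapped in a PowerShell function that selects the attribute/objectClass pair by object type, checks that the target LDAP object exists before calling certutil, passes -f on request, and reads the store back afterwards. The function name Publish-LdapPkiObject, its parameter names and the sample values in the usage comment are this example's own; it also assumes that certutil -store accepts the same LDAP URL that -addstore does.

```powershell
# Added example, not from the original post. Wraps "certutil -addstore" for
# publishing a CA certificate or CRL into an LDAP store (e.g. ADAM / AD LDS).
# Function and parameter names are this example's own choices.
function Publish-LdapPkiObject {
    [CmdletBinding()]
    param(
        # LDAP server (host or host:port) on which you have write permission.
        [Parameter(Mandatory)] [string] $Server,
        # Distinguished name used in the CA "Extensions" configuration.
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Path to the .crl or .crt/.cer file to publish.
        [Parameter(Mandatory)] [string] $Path,
        # Decides which LDAP attribute and objectClass are used.
        [Parameter(Mandatory)] [ValidateSet('Certificate', 'CRL')] [string] $Type,
        # Pass certutil's -f switch so that missing objects are created.
        [switch] $Force
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # certutil binds to the LDAP store under the caller's identity, and
    # "Access is denied" is usually a permission, bind or elevation problem,
    # so report who is running this before doing anything.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Verbose ("Running as {0} (elevated: {1})" -f $identity.Name, $elevated)

    # Attribute / objectClass pairs exactly as in the two commands above.
    switch ($Type) {
        'Certificate' { $attribute = 'cACertificate';             $class = 'certificationAuthority' }
        'CRL'         { $attribute = 'certificateRevocationList'; $class = 'cRLDistributionPoint' }
    }
    $storeUrl = "LDAP://$Server/$DistinguishedName?$attribute?base?objectClass=$class"

    # Check that the target object exists and has the expected class before
    # calling certutil; a missing object is one cause of "Cannot open Cert store".
    try {
        $entry   = [ADSI] "LDAP://$Server/$DistinguishedName"
        $classes = @($entry.objectClass)
        if ($classes -notcontains $class) {
            Write-Warning ("Object '{0}' has objectClass [{1}], expected '{2}' (consider -Force or a schema extension)" -f `
                $DistinguishedName, ($classes -join ','), $class)
        }
    } catch {
        Write-Warning "Could not bind to LDAP://$Server/$DistinguishedName : $_"
    }

    $certutilArgs = @('-addstore')
    if ($Force) { $certutilArgs += '-f' }
    $certutilArgs += @($storeUrl, $Path)

    & certutil.exe @certutilArgs
    if ($LASTEXITCODE -ne 0) {
        # 0x80070005 (WIN32: 5) is the "Access is denied" case discussed in the comments.
        throw ("certutil -addstore failed with exit code {0} (0x{0:X8})" -f $LASTEXITCODE)
    }

    # Read the store back so the result is verified rather than assumed
    # (-store dumps to the console; -viewstore opens a dialog instead).
    & certutil.exe -store $storeUrl
}

# Usage (constructed sample values, run from an elevated PowerShell window):
# Publish-LdapPkiObject -Server 'ldap01.example.net:50000' `
#     -DistinguishedName 'CN=ExampleCA,OU=PKI,DC=example,DC=net' `
#     -Path '.\ExampleCA.crl' -Type CRL -Verbose
```

The ADSI pre-check does the same thing a manual certutil -viewstore would, but as a scripted warning; it does not change what certutil then does, so an object that really is missing still needs either -Force or the schema extension mentioned in the comments.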

Comments (10)

  1. Anonymous says:

    Finally I figured out the reason why the binding was not successful. I had not configured correct SPNs for AD LDS service account. After registering the SPNs everything works fine.

  2. Anonymous says:

    Hi, it looks like it is a problem in certutil and Windows Server 2008 / 2008 R2. If I try to run certutil -viewstore from Windows Server 2003 it works, but certutil -viewstore on Windows Server 2008 fails with access denied. Also if I sniff the network traffic I see a successful LDAP bind (SASL) from the 2003 machine, but I do not see any bind from the 2008 machine.

  3. Anonymous says:

    Yes, however no change happened. When I try to view the store from an XP/2003 machine I see a

    1) simple bind,

    2) request for the container,

    3) auth failure,

    4) another bind using NTLMSSP_CHALLENGE

    5) successful authentication and container retrieval

    When I try to view the store from 2008 R2 machine I see a LDAP base object request twice, without any attempt to authenticate.

  4. Anonymous says:

    I’d like to import a CRL into Microsoft ADAM. I need to do this so the CRL can be read by a third party app that is expecting the CRL to be loaded in ADAM.

    I’ve tried running the command listed above, e.g.

    certutil –addstore "LDAP://[127.0.0.1:50000/ou=myou,dc=test,dc=net?cACertificate?base?objectClass=certificationAuthority" cert.crl

    However, I get the following error:

    Cannot open Cert store.

    CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5)

    CertUtil: Access is denied.

    I’m logged on as the administrator and have full privs to ADAM. I’m guessing the error is caused by the fact certutil can’t create an object of class cRLDistributionPoint (as it’s not in the schema).

    My question is, how do I set up ADAM so it can accept a CRL using the command you’ve shown?

    Appreciate your help.

  5. Anonymous says:

    Hi,

    I have a similar problem as posted before. I am able to import the CA certificate using LDIFDE but when I’m importing using certutil there is an access denied.

    CertUtil: -addstore command FAILED: 0x80070005 (WIN32: 5)

    CertUtil: Access is denied.

    The error occurs regardless of where I try to publish the certificate from (e.g. the server hosting AD LDS or another domain-joined server).

    Looking at network monitor I can see there is authentication missing (successful bind). The entire error is "LDAPMessage searchResDone(3) operationsError (000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0)"

    Any idea what could be misconfigured (probably at ADAM side)?

    Appreciate your help.

  6. Are you 100 % sure that the specified object/attribute exists in your ADAM? Have you tried certutil -viewstore instead? ADinsight (http://technet.microsoft.com/en-us/sysinternals/bb897539.aspx) could be helpful to troubleshoot the problem.

  7. I guess that "[127.0.0.1:50000" is a typo in your sample command. The bracket is definitely a misplaced character.

    Secondly, your command uses objectClass=certificationAuthority instead of objectclass=cRLDistributionPoint. This should also be corrected.

    You can try to use the -f option with -addstore. This forces certutil to create missing objects. If this does not work either, you have to extend the ADAM schema.

  8. Have you run certutil from an elevated command window?

  9. Ron says:

    I was trying to publish a CRL to AD LDS but keep on getting this error: “Cannot open Cert store. -addstore command failed… Access is denied”. I’ve followed this link to no avail. I’ve created SPNs. I even added the service account to the domain admins just for testing. I am using an administrator account of the AD LDS instance. This is a CRL from a 3rd party CA. What do you think I am missing here? Will really appreciate your help. Thanks!

  10. JayEff says:

    I was having the same problem – this can indeed be set up on the AD CS server – the problem is if you are following the Microsoft guide at https://blogs.technet.microsoft.com/nexthop/2012/12/17/updated-creating-a-certificate-revocation-list-distribution-point-for-your-internal-certification-authority/ you will be setting a network path to the location for the CRL. The AD CS service on the CA will be running (by default) as SYSTEM. Add the SYSTEM account to the share permissions (it will have NTFS by default) and grant it full rights – voila! At least this was the problem in my case. A well-written article – I guess that’s what happens when you deviate even slightly.