Thursday, December 8, 2011

Certificates issued by a root Certificate Authority are missing the CRL distribution URL in the “CRL Distribution Points” field value


You’ve just deployed a new enterprise root Certificate Authority in your Active Directory environment to replace an old CA that will be decommissioned.  As you browse through the properties on the Details tab of a certificate issued by the new CA, you notice that the CRL Distribution Points field’s value is missing the URL that clients need in order to download the CRL (Certificate Revocation List).  The following screenshot demonstrates this:


You then try to browse manually to the standard URL for the CRL file and receive the following HTTP Error 404.0 – Not Found page:


You try the equivalent URL for the old CA and are able to download its CRL:



The solution is quite simple.  Open the Certificate Authority administration console and open the properties of the Certificate Authority:


… and navigate to the Extensions tab.  Notice that the following two checkboxes are unchecked:

Include in CRLs. Clients use this to find Delta CRL locations.

Include in the CDP extension of issued certificates


Check both checkboxes and click Apply and then OK:


Here is a side-by-side comparison of the difference after the settings have been applied:
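The two checkboxes above map to bits in the CA's CRLPublicationURLs registry value (2 = include in the CDP extension of issued certificates, 4 = include in CRLs so clients can find delta CRLs). The following PowerShell script is an added example, not part of the original post: it reads that value on the CA, decodes the flags on each publication URL, and prints the certutil command that would set the two missing bits on any HTTP URL. It assumes it is run elevated on the CA server itself; the registry path and bit meanings are the documented ones for AD CS.

```powershell
# Audit the CA's CRL publication URLs for the two CDP bits described in the post.
# Assumes an elevated session on the CA server. Bit values are the documented
# CRLPublicationURLs flags: 1 publish CRL here, 2 include in CDP extension of issued
# certificates, 4 include in CRLs (delta CRL location), 8 include in all CRLs,
# 64 publish delta CRL here, 128 include in IDP extension of issued CRLs.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

$flagNames = [ordered]@{
    1   = 'publish CRL here'
    2   = 'include in CDP extension of issued certs'
    4   = 'include in CRLs (delta CRL location)'
    8   = 'include in all CRLs'
    64  = 'publish delta CRL here'
    128 = 'include in IDP extension'
}

$fixed    = @()
$needsFix = $false
foreach ($entry in $urls) {
    # Each REG_MULTI_SZ entry has the form "<flags>:<url>"; split on the first colon only.
    $flagText, $url = $entry -split ':', 2
    $flags = [int]$flagText
    $set = ($flagNames.Keys | Where-Object { $flags -band $_ } |
            ForEach-Object { $flagNames[$_] }) -join ', '
    Write-Host ("{0,4}  {1}`n      [{2}]" -f $flags, $url, $set)

    # The post's symptom: the HTTP CDP URL has neither bit 2 nor bit 4 set,
    # so issued certificates carry no downloadable CRL location.
    if ($url -like 'http://*' -and ($flags -band 6) -ne 6) {
        $needsFix = $true
        $flags = $flags -bor 6
        Write-Warning "HTTP URL is missing CDP bits; entry would become ${flags}:${url}"
    }
    $fixed += "${flags}:${url}"
}

if ($needsFix) {
    # certutil takes the whole list as one string with a literal \n between entries.
    $arg = $fixed -join '\n'
    Write-Host 'Suggested fix (run elevated, then restart the CA service):'
    Write-Host "certutil -setreg CA\CRLPublicationURLs `"$arg`""
    Write-Host 'net stop certsvc && net start certsvc'
    Write-Host 'certutil -crl   # republish the CRL with the new settings'
} else {
    Write-Host 'All HTTP publication URLs already carry the CDP bits.'
}
```

Certificates issued before the change keep their original CDP extension, so renew or re-enroll them afterwards; a freshly issued certificate can be checked end to end with `certutil -verify -urlfetch <cert.cer>`, which fetches the CRL from the URL now present in the extension.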


Hope this helps anyone who may come across this problem.
