Q: How can I publish a Certificate Revocation List (CRL) or Certification Authority (CA) certificate to an Active Directory (AD) Lightweight Directory Services (LDS) instance?

A: A Windows Enterprise CA (that is, an AD-integrated CA) automatically publishes its certificates and CRLs in AD. But if you're using a different LDAP server, such as an AD LDS instance, you must publish the certificates and CRLs manually. The easiest way to do this is to use the Certutil command-line utility.

To manually publish a certificate to an AD LDS instance, use the command

certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?CACertificate?base?ObjectClass=CertificationAuthority" <Cert_file_name>

For example,

certutil -addstore "ldap://myadldsserver.mycompany.net/CN=myCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net?CACertificate?base?ObjectClass=CertificationAuthority" mycacertificate.cer

To manually publish a CRL to an AD LDS instance, use the command

certutil -addstore "ldap://<Server_name>/<Distinguished_Name>?CertificateRevocationList?base?ObjectClass=CRLDistributionPoint" <CRL_file_name>

In the above commands, you must replace <Server_name> with the name of the AD LDS server; <Distinguished_Name> with the LDAP path of the object that should hold the certificate or CRL (for the CRL command, this is the LDAP path you've used to publish CRLs in the CA configuration, that is, a CRL Distribution Point; for the certificate command, the example above uses the CA's object under the Certification Authorities container); <CRL_file_name> with the file name of the CRL you want to publish; and <Cert_file_name> with the file name of the certificate you want to publish.
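The two publication steps above, wrapped in a PowerShell script that also reads the objects back over LDAP to confirm the publish took effect. This is an added example, not part of the original answer; it assumes certutil.exe is on the PATH, that the account running it has write access to the AD LDS containers, and that the CDP path in $CrlDn (a placeholder) matches the CRL publication location configured on the CA.

```powershell
# Added example (not from the original Q&A): publish a CA certificate and its CRL to an
# AD LDS instance with certutil, then list them back over LDAP to confirm publication.
# $Server and $CaDn follow the answer's example; $CrlDn is a placeholder and must be the
# CDP path the CA is configured to publish to.
param(
    [string]$Server   = 'myadldsserver.mycompany.net',
    [string]$CaDn     = 'CN=myCA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net',
    [string]$CrlDn    = 'CN=myCA,CN=<CA_server_short_name>,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mycompany,DC=net',
    [string]$CertFile = 'mycacertificate.cer',
    [string]$CrlFile  = 'myca.crl'
)

function Invoke-Certutil {
    # Run certutil, fail loudly on a non-zero exit code, and return the captured output.
    param([string[]]$Arguments)
    $out = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

foreach ($f in $CertFile, $CrlFile) {
    if (-not (Test-Path $f)) { throw "Input file not found: $f" }
}

# LDAP URLs in the form the answer describes: <base DN>?<attribute>?base?<filter>
$certUrl = "ldap://$Server/$CaDn?cACertificate?base?objectClass=certificationAuthority"
$crlUrl  = "ldap://$Server/$CrlDn?certificateRevocationList?base?objectClass=cRLDistributionPoint"

# -f overwrites an existing value, so re-running with a newer CRL replaces the stale one.
Invoke-Certutil @('-f', '-addstore', $certUrl, $CertFile) | Out-Null
Invoke-Certutil @('-f', '-addstore', $crlUrl,  $CrlFile)  | Out-Null

# Read back what the directory now holds. A successful -addstore against the wrong DN can
# leave clients with no CRL to fetch, so do not trust the exit code alone.
# The string checks assume certutil's English listing output (an assumption).
$certListing = Invoke-Certutil @('-store', $certUrl)
$crlListing  = Invoke-Certutil @('-store', $crlUrl)
if (-not ($certListing -match 'Subject:')) { throw "No CA certificate readable at $certUrl" }
if (-not ($crlListing  -match 'Issuer:'))  { throw "No CRL readable at $crlUrl" }
Write-Host "Published and verified certificate and CRL on $Server"
```

After publishing, `certutil -verify -urlfetch <end_entity_cert>` against a certificate issued by this CA confirms that clients can actually retrieve the CRL from the CDP URL embedded in the certificate.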
