Root CA missing in CDP folder in Active Directory Sites and Services

Ania D 0 Reputation points
2024-11-09T10:35:08.31+00:00

Hello,

In my 2-tier PKI, my offline root CA isn't showing in the CDP folder. When I executed these commands in PowerShell as administrator, they showed no errors:
certutil.exe -dspublish -f "C:\CertData\ADDB Labs Certificate Authority.crt" RootCA

certutil.exe -addstore -f root "C:\CertData\i-win1_ADDB Labs Certificate Authority.crt"

certutil.exe -addstore -f root "C:\CertData\ADDB Labs Certificate Authority.crl"

But when I verified and saw that my root CA is not present in CDP in AD Sites and Services, I tried to execute this command in cmd as admin from C:\CertData:

  • certutil -f -dspublish "ADDB Labs Certificate Authority.crl"
    and got this error:
    ldap:///CN=ADDB Labs Certificate Authority,CN=i-win1,CN=CDP,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
    ldap: 0xa: LDAP_REFERRAL: 0000202B: RefErr: DSID-03100835, data 0, 1 access points
    ref 1: 'unavailableconfigdn'
    CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL).

What may be the cause? Here is my config on the root CA:
certutil.exe -getreg CA\CRLPublicationURLs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\ADDB Labs Certificate Authority\CRLPublicationURLs:

CRLPublicationURLs REG_MULTI_SZ =
    0: 64:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    CSURL_SERVERPUBLISHDELTA -- 40 (64)

    1: 8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    CSURL_ADDTOCRLCDP -- 8

    2: 0:http://%1/CertEnroll/%3%8%9.crl

    3: 6:http://pki.addb.labs.com/CertData/%3%8%9.crl
    CSURL_ADDTOCERTCDP -- 2
    CSURL_ADDTOFRESHESTCRL -- 4
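
The registry listing above can be decoded offline. The following is an added example, not part of the original post and not Microsoft's code: it splits each CRLPublicationURLs entry into its CSURL_* flags and expands the %N tokens, where %6 is the configuration-container token. The token values are read off the names in the question, and `CN=Configuration,DC=example,DC=com` is a constructed placeholder DN.

```python
import re

# CSURL_* flag bits: the number before the first colon of each entry.
FLAGS = {1: "CSURL_SERVERPUBLISH", 2: "CSURL_ADDTOCERTCDP",
         4: "CSURL_ADDTOFRESHESTCRL", 8: "CSURL_ADDTOCRLCDP",
         16: "CSURL_PUBLISHRETRY", 32: "CSURL_ADDTOCERTOCSP",
         64: "CSURL_SERVERPUBLISHDELTA", 128: "CSURL_ADDTOIDP"}

# The four CRLPublicationURLs entries exactly as posted in the question.
ENTRIES = [
    r"64:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl",
    "8:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
    "0:http://%1/CertEnroll/%3%8%9.crl",
    "6:http://pki.addb.labs.com/CertData/%3%8%9.crl",
]

def token_values(config_dn):
    """Token values for this CA, read off the names in the question.
    %1 (server DNS name) is not on the page, so it stays unexpanded."""
    ca = "ADDB Labs Certificate Authority"
    return {2: "i-win1", 3: ca, 7: ca,
            6: config_dn,   # ConfigurationContainer
            8: "", 9: "",   # no renewal suffix, base (not delta) CRL
            10: "?certificateRevocationList?base?objectClass=cRLDistributionPoint"}

def decode(entry, config_dn):
    """Return (flag names, expanded URL) for one '<flags>:<template>' entry."""
    num, template = entry.split(":", 1)
    names = [name for bit, name in FLAGS.items() if int(num) & bit]
    values = token_values(config_dn)
    url = re.sub(r"%(\d+)",
                 lambda m: values.get(int(m.group(1)), m.group(0)), template)
    return names, url

def audit(config_dn):
    """Decode every entry; mark LDAP targets outside a configuration partition."""
    rows = []
    for entry in ENTRIES:
        names, url = decode(entry, config_dn)
        bad = url.startswith("ldap:") and ",CN=Services,CN=Configuration," not in url
        rows.append((names, url, bad))
    return rows

if __name__ == "__main__":
    # "DC=UnavailableConfigDN" is the value visible in the posted error;
    # the second DN is a constructed placeholder, not the poster's forest.
    for dn in ("DC=UnavailableConfigDN", "CN=Configuration,DC=example,DC=com"):
        for names, url, bad in audit(dn):
            print("UNRESOLVED" if bad else "ok", names, url)
```

With `DC=UnavailableConfigDN` in place of %6, the expanded entry 1 is the LDAP path shown in the posted error, minus the trailing attribute name that certutil appends.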

  1. Daisy Zhou 25,296 Reputation points Microsoft Vendor
    2024-11-10T02:54:15.0466667+00:00

    Hello Ania D,

    Thank you for posting in the Q&A forum.

    Did you mean the root CA certificate is not in the Configuration partition on the Domain Controller?

    If so, you can try to copy the root CA certificate to the Domain Controller and try the commands.

    Note: If the path in the CMD is not the current path of the root CA certificate file, please use the full path of the root CA certificate:

    certutil -dspublish -f <the full path of the certificate>

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
