Last modified at 5/7/2014 6:39 PM by Koen Zomers

Note: this article assumes you have already installed the Active Directory Certificate Services role on your server.

When you want to use certificates issued by your Active Directory Certificate Services server on the internet, you may be told that the Certificate Revocation List (CRL) is not available and that the certificate is considered not trustworthy, even though you have imported your root authority certificate properly. The error might look like:


When this occurs, verify that the certificate revocation path published in the certificates you generated points to a location that the client can reach over the internet. To check the current path, open the certificate: in the above security alert click on View Certificate or, if you run into a different kind of error message telling you there's something wrong with the CRL, click left of the URL in your web browser to reveal the certificate properties:


Once you have the certificate opened up, navigate to the Details tab. In the list with fields, scroll down to CRL Distribution Points:


By default, Active Directory Certificate Services only publishes its CRL to Active Directory, as you can see in the above sample. This location is not reachable by clients accessing your site through the internet. To change the CRL Distribution Points path published in the certificates, follow the steps below:

  1. Log on to your server running Active Directory Certificate Services with remote desktop or by accessing it physically

  2. From the start menu, go to Administrative Tools and click on Certification Authority


  3. Within the certsrv application, right click on the node displaying your certificate authority name (Zomers Root Certificate Authority in the below sample screenshot). In the popup menu, click on Properties.


  4. In the properties screen, navigate to the Extensions tab, make sure CRL Distribution Point (CDP) is selected under Select extension and click on Add:


  5. In the Location field, type:

    http://<fully qualified domain name to your CA server on the internet>/<any name you wish to identify your CRL>

    Note: the URL must use HTTP (https is not allowed!), and the FQDN must be accessible via the internet. The CRL is signed by the CA, so clients can still verify it when it is fetched over plain HTTP.

    Make sure your cursor is at the end of the line in the Location field, select <CRLNameSuffix> from the Variable dropdown and click on Insert.

    Next, select <DeltaCRLAllowed> from the Variable dropdown list and click on Insert.

    Add .crl to the end of the whole Location field so eventually it will contain something like: <CRLNameSuffix><DeltaCRLAllowed>.crl

    Click OK to close the Add Location dialog window.


  6. Back in the Properties window, make sure the location you have just added is selected and put a checkmark in front of the two options Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates. Leave the last option, Include in the IDP extension of issued CRLs, unselected.


  7. Click on Add again

  8. In the Add Location dialog window, in the Location field, enter the location on your local hard drive or a UNC path to another server where you want the CRL files to be published. Use the format:

    For local hard drive: C:\<location>\<same name you used at step 5 to identify your CA>
    For network share (UNC): \\<server>\<shared folder with write access>

    With the cursor at the end of the Location field, select <CRLNameSuffix> from the Variable dropdown list and click Insert.

    Next, select <DeltaCRLAllowed> from the Variable dropdown list and click Insert.

    At the end of the Location field, append .crl
    so eventually it will contain something like:


    Click OK to close the Add Location dialog window.


  9. Back in the properties window, make sure the location you have just added is selected and put a checkmark in front of both Publish CRLs to this location and Publish Delta CRLs to this location.


  10. Make sure all other entries besides the ones you created at steps 5 and 8 are either completely removed from the list or at least have none of the Include... options checked anymore.

    Click OK to close the properties window. You will receive a confirmation box asking you if you want to restart the Certification Authority, click on Yes.


  11. Once the service has been restarted (should only take a couple of seconds), right click on Revoked Certificates within the tree, click on All Tasks and click on Publish


  12. In the Publish CRL notification window, leave the check at New CRL and click OK to initiate the new CRL creation

  13. Now go to the location you set at step 8 to publish the CRL to and verify if the new CRL files indeed have been created. There should be two files, one with the name you used to identify your CA in steps 5 and 8 and one with a plus sign ( + ) added to it:


  14. Now make sure the CRL is available through the URL you used at step 8, if you haven't done so already. Test if it returns a valid CRL.

    In Firefox, the following popup should be opened:


    In Internet Explorer, a download window will be displayed:


    Both indicate that your CRL is now available through the internet.

  15. Next step will be to (re)create your certificates so they will contain the new CRL Distribution Path. There are many ways to do this. I'll demonstrate one way which I find to be the easiest way to go with in the following steps.

  16. Click on start and type MMC followed by pressing enter


  17. Click on File in the top menu, followed by a click on Add/Remove Snap-in...


  18. In the Available snap-ins list, select Certificates and click on Add > in the center.


  19. In the Certificates snap-in window that appears, select Computer account and click Next


  20. Click Finish in the Select Computer screen.


  21. Click OK to close the Add or Remove Snap-ins screen.


  22. Now expand the tree until you reach Personal / Certificates. In the right column, look for the certificate you wish to renew so that it contains the new CRL location, and right click on it. In the popup menu, click on All Tasks, then Advanced Operations, then Renew This Certificate with the Same Key...


  23. In the Certificate Enrollment screen that appears, click Next


  24. On the next step, click Enroll


  25. Verify that the status is succeeded and click Finish to close the Certificate Enrollment window.


  26. You can now double click on the certificate you just renewed to open up its properties. Navigate to the Details tab and browse to the CRL Distribution Points field. You should now see that it contains the publicly available URL to the CRL that you have configured at step 8.


  27. Now you can export this certificate to use it on the server where you wish to use it. Clients accessing your site which uses this renewed certificate will automatically check the revocation status at the public CRL location.

    If you still get an error message as shown at the top of this article and step 14 was successful, IIS might be blocking requests to the delta CRL (<name you provided to your CA>+.crl). When you request it in your browser, it returns 404 - page not found, as verified using Fiddler:


    To solve this, open up Internet Information Services (IIS) Manager from the Administrative Tools in the start menu on the server on which you publish your CRL. Expand your server node, expand Sites, click on the IIS Web Application hosting the CRL files and double-click on the feature Request Filtering.


    Next click on the Rules tab. At the right column click on Edit Feature Settings...


    In the Edit Request Filtering Settings dialog box, make sure the Allow double escaping option is checked and click OK


    Now try again to retrieve the delta CRL via the public URL. It should now succeed.
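
The CDP changes from steps 5 to 12, the request filtering fix and the step 14 check can also be scripted. This is an added example, not part of the original article; it assumes Windows Server 2012 or later with the ADCSAdministration and WebAdministration modules, the CA and IIS on the same host, a CA key that has never been renewed (so `<CRLNameSuffix>` is empty), and placeholder names (`pki.example.com`, `ExampleRootCA`, the `crl` IIS application).

```powershell
# Placeholder values (assumptions, not taken from the article)
$PublicBase  = 'http://pki.example.com/crl/ExampleRootCA'  # step 5: public HTTP URL + CRL name
$PublishBase = 'C:\inetpub\crl\ExampleRootCA'              # step 8: folder served by that URL
$IisAppPath  = 'IIS:\Sites\Default Web Site\crl'           # IIS application hosting the CRLs
$Tokens      = '<CRLNameSuffix><DeltaCRLAllowed>.crl'      # same variables the GUI inserts

Import-Module ADCSAdministration

# Step 10: remove the existing CDP entries (the default LDAP and local-only locations).
Get-CACrlDistributionPoint | ForEach-Object {
    Remove-CACrlDistributionPoint -Uri $_.Uri -Force
}

# Steps 5-6: URL written into issued certificates (CDP) and into CRLs (delta CRL pointer).
Add-CACrlDistributionPoint -Uri "$PublicBase$Tokens" -AddToCertificateCdp -AddToFreshestCrl -Force

# Steps 8-9: location the CA writes the base and delta CRL files to.
Add-CACrlDistributionPoint -Uri "$PublishBase$Tokens" -PublishToServer -PublishDeltaToServer -Force

# Steps 10-12: restart the CA service, then publish a new CRL.
Restart-Service -Name CertSvc
Start-Sleep -Seconds 10
certutil.exe -crl

# Request filtering fix: allow double escaping only for the application that serves
# the CRLs, so the '+' in the delta CRL file name is no longer rejected with a 404.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath $IisAppPath `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Step 14: fetch the base and delta CRL over HTTP and let certutil parse each one.
# Run this part from a machine outside your network to prove internet reachability.
foreach ($url in "$PublicBase.crl", "$PublicBase+.crl") {
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        certutil.exe -dump $tmp | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'response is not a valid CRL' }
        Write-Host "OK    $url"
    } catch {
        Write-Warning "FAIL  $url : $($_.Exception.Message)"
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}
```

Setting allowDoubleEscaping on the CRL application's path rather than on the whole server keeps the default request filtering in place for every other site on that IIS host.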