Share via


Event ID 130 — AD CS Certificate Revocation List (CRL) Publishing

Applies To: Windows Server 2008

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Event Details

Product: Windows Operating System
ID: 130
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CRL_CREATION
Message: Active Directory Certificate Services could not create a certificate revocation list (CRL). %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the CRL manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

Resolve

Create a certificate revocation list

Active Directory Certificate Services (AD CS) could not create a certificate revocation list (CRL), which may cause applications that need to check the revocation status of certificates issued by this certification authority (CA) to fail.

The event log message should contain more specific information regarding the CRL creation failure. To correct this error:

  • Fix any problems listed in the event log message.
  • Try to create a CRL manually.

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Create a CRL

To manually create a CRL by using the Certification Authority snap-in:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. In the console tree, click Revoked Certificates.
  3. On the Action menu, point to All Tasks, and click Publish
  4. Select New CRL to overwrite the previously published CRL, or select Delta CRL only to publish a current delta CRL.
  5. Click OK.

To manually create a CRL by using the Certutil command-line tool:

  1. On the computer hosting the CA, click Start, type cmd and press ENTER.
  2. Type certutil -CRL and press ENTER.

If attempts to manually create a CRL fail, select the CA name in the the Certification Authority snap-in, and click Restart. Then, attempt to create the CRL again.

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that certificate revocation list (CRL) publishing is working properly, perform the following procedure on a recently issued end-entity (user or computer) certificate:

  1. Open a command prompt window on a computer that is connected to the network.

  2. Type certutil -url <cert.cer> and press ENTER.

    Replace <cert.cer> with the name of a certificate file that you created by exporting a certificate using the Certificate Export Wizard.

  3. In the dialog box that appears, under Retrieve, click CRLs (from CDP), and click Retrieve.

  4. Confirm that the status of all retrieved CRL distribution points is listed as Verified.

AD CS Certificate Revocation List (CRL) Publishing

Active Directory Certificate Services